99377 lines
2.8 MiB
99377 lines
2.8 MiB
diff --git a/abrt.fc b/abrt.fc
|
|
index 1a93dc5..40dda9e 100644
|
|
--- a/abrt.fc
|
|
+++ b/abrt.fc
|
|
@@ -1,31 +1,41 @@
|
|
-/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
|
|
-/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
|
|
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
|
|
+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
|
|
|
|
-/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
|
|
-/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
|
|
-/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
|
|
-/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
|
|
+/usr/lib/systemd/system/abrt.* -- gen_context(system_u:object_r:abrt_unit_file_t,s0)
|
|
+
|
|
+/usr/bin/abrt-dump-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
|
|
+/usr/bin/abrt-uefioops-oops -- gen_context(system_u:object_r:abrt_dump_oops_exec_t,s0)
|
|
+/usr/bin/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
|
|
+/usr/bin/abrt-retrace-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
|
|
+/usr/bin/abrt-watch-log -- gen_context(system_u:object_r:abrt_watch_log_exec_t,s0)
|
|
+/usr/bin/retrace-server-worker -- gen_context(system_u:object_r:abrt_retrace_worker_exec_t,s0)
|
|
+/usr/bin/coredump2packages -- gen_context(system_u:object_r:abrt_retrace_coredump_exec_t,s0)
|
|
+
|
|
+/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
|
|
+/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
|
|
+/usr/sbin/abrt-harvest.* -- gen_context(system_u:object_r:abrt_exec_t,s0)
|
|
+/usr/sbin/abrt-install-ccpp-hook -- gen_context(system_u:object_r:abrt_exec_t,s0)
|
|
+/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
|
|
|
|
-/usr/libexec/abrt-pyhook-helper -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
|
|
/usr/libexec/abrt-handle-event -- gen_context(system_u:object_r:abrt_handle_event_exec_t,s0)
|
|
-/usr/libexec/abrt-hook-python -- gen_context(system_u:object_r:abrt_helper_exec_t,s0)
|
|
|
|
-/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
|
|
-/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
|
|
-/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
|
|
+/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
|
|
+/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
|
|
+/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
|
|
+/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
|
|
+
|
|
+/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
|
|
+
|
|
+/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
|
|
+/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
|
|
+/var/run/abrtd?\.socket -- gen_context(system_u:object_r:abrt_var_run_t,s0)
|
|
+/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
|
|
+
|
|
+/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
|
|
+/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
|
|
+/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
|
|
|
|
-/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
|
|
-/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
|
|
-/var/cache/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
|
|
-/var/cache/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_cache_t,s0)
|
|
+/var/tmp/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
|
|
|
|
-/var/log/abrt-logger.* -- gen_context(system_u:object_r:abrt_var_log_t,s0)
|
|
|
|
-/var/run/abrt\.pid -- gen_context(system_u:object_r:abrt_var_run_t,s0)
|
|
-/var/run/abrtd?\.lock -- gen_context(system_u:object_r:abrt_var_run_t,s0)
|
|
-/var/run/abrtd?\.socket -s gen_context(system_u:object_r:abrt_var_run_t,s0)
|
|
-/var/run/abrt(/.*)? gen_context(system_u:object_r:abrt_var_run_t,s0)
|
|
|
|
-/var/spool/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
|
|
-/var/spool/abrt-retrace(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
|
|
-/var/spool/retrace-server(/.*)? gen_context(system_u:object_r:abrt_retrace_spool_t,s0)
|
|
diff --git a/abrt.if b/abrt.if
|
|
index 058d908..9d57403 100644
|
|
--- a/abrt.if
|
|
+++ b/abrt.if
|
|
@@ -1,4 +1,26 @@
|
|
-## <summary>Automated bug-reporting tool.</summary>
|
|
+## <summary>ABRT - automated bug-reporting tool</summary>
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Creates types and rules for a basic
|
|
+## ABRT daemon domain.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## Prefix for the domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`abrt_basic_types_template',`
|
|
+ gen_require(`
|
|
+ attribute abrt_domain;
|
|
+ ')
|
|
+
|
|
+ type $1_t, abrt_domain;
|
|
+ type $1_exec_t;
|
|
+
|
|
+ kernel_read_system_state($1_t)
|
|
+')
|
|
|
|
######################################
|
|
## <summary>
|
|
@@ -40,7 +62,7 @@ interface(`abrt_exec',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send null signals to abrt.
|
|
+## Send a null signal to abrt.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -58,7 +80,7 @@ interface(`abrt_signull',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read process state of abrt.
|
|
+## Allow the domain to read abrt state files in /proc.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -71,12 +93,13 @@ interface(`abrt_read_state',`
|
|
type abrt_t;
|
|
')
|
|
|
|
+ kernel_search_proc($1)
|
|
ps_process_pattern($1, abrt_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to abrt over an unix stream socket.
|
|
+## Connect to abrt over a unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -116,8 +139,7 @@ interface(`abrt_dbus_chat',`
|
|
|
|
#####################################
|
|
## <summary>
|
|
-## Execute abrt-helper in the abrt
|
|
-## helper domain.
|
|
+## Execute abrt-helper in the abrt-helper domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -130,15 +152,13 @@ interface(`abrt_domtrans_helper',`
|
|
type abrt_helper_t, abrt_helper_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, abrt_helper_exec_t, abrt_helper_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute abrt helper in the abrt
|
|
-## helper domain, and allow the
|
|
-## specified role the abrt helper domain.
|
|
+## Execute abrt helper in the abrt_helper domain, and
|
|
+## allow the specified role the abrt_helper domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -163,8 +183,26 @@ interface(`abrt_run_helper',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## abrt cache files.
|
|
+## Read abrt cache
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`abrt_read_cache',`
|
|
+ gen_require(`
|
|
+ type abrt_var_cache_t;
|
|
+ ')
|
|
+
|
|
+ read_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
|
|
+ read_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Append abrt cache
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -172,15 +210,37 @@ interface(`abrt_run_helper',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`abrt_cache_manage',`
|
|
- refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
|
|
- abrt_manage_cache($1)
|
|
+interface(`abrt_append_cache',`
|
|
+ gen_require(`
|
|
+ type abrt_var_cache_t;
|
|
+ ')
|
|
+
|
|
+
|
|
+ allow $1 abrt_var_cache_t:file append_inherited_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## abrt cache content.
|
|
+## Read/Write inherited abrt cache
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`abrt_rw_inherited_cache',`
|
|
+ gen_require(`
|
|
+ type abrt_var_cache_t;
|
|
+ ')
|
|
+
|
|
+
|
|
+ allow $1 abrt_var_cache_t:file rw_inherited_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage abrt cache
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -193,7 +253,6 @@ interface(`abrt_manage_cache',`
|
|
type abrt_var_cache_t;
|
|
')
|
|
|
|
- files_search_var($1)
|
|
manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
|
|
manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
|
|
manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
|
|
@@ -201,7 +260,7 @@ interface(`abrt_manage_cache',`
|
|
|
|
####################################
|
|
## <summary>
|
|
-## Read abrt configuration files.
|
|
+## Read abrt configuration file.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -220,7 +279,7 @@ interface(`abrt_read_config',`
|
|
|
|
######################################
|
|
## <summary>
|
|
-## Read abrt log files.
|
|
+## Read abrt logs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -258,8 +317,7 @@ interface(`abrt_read_pid_files',`
|
|
|
|
######################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## abrt PID files.
|
|
+## Create, read, write, and delete abrt PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -276,10 +334,51 @@ interface(`abrt_manage_pid_files',`
|
|
manage_files_pattern($1, abrt_var_run_t, abrt_var_run_t)
|
|
')
|
|
|
|
+########################################
|
|
+## <summary>
|
|
+## Read and write abrt fifo files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`abrt_rw_fifo_file',`
|
|
+ gen_require(`
|
|
+ type abrt_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 abrt_t:fifo_file rw_inherited_fifo_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute abrt server in the abrt domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`abrt_systemctl',`
|
|
+ gen_require(`
|
|
+ type abrt_t;
|
|
+ type abrt_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 abrt_unit_file_t:file manage_file_perms;
|
|
+ allow $1 abrt_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, abrt_t)
|
|
+')
|
|
+
|
|
#####################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an abrt environment,
|
|
+## All of the rules required to administrate
|
|
+## an abrt environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -288,39 +387,172 @@ interface(`abrt_manage_pid_files',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the abrt domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`abrt_admin',`
|
|
gen_require(`
|
|
- attribute abrt_domain;
|
|
- type abrt_t, abrt_etc_t, abrt_initrc_exec_t;
|
|
- type abrt_var_cache_t, abrt_var_log_t, abrt_retrace_cache_t;
|
|
- type abrt_var_run_t, abrt_tmp_t, abrt_retrace_spool_t;
|
|
+ type abrt_t, abrt_etc_t;
|
|
+ type abrt_var_cache_t, abrt_var_log_t;
|
|
+ type abrt_var_run_t, abrt_tmp_t;
|
|
+ type abrt_initrc_exec_t;
|
|
+ type abrt_unit_file_t;
|
|
')
|
|
|
|
- allow $1 abrt_domain:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, abrt_domain)
|
|
+ allow $1 abrt_t:process { signal_perms };
|
|
+ ps_process_pattern($1, abrt_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 abrt_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, abrt_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 abrt_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_search_etc($1)
|
|
+ files_list_etc($1)
|
|
admin_pattern($1, abrt_etc_t)
|
|
|
|
- logging_search_logs($1)
|
|
+ logging_list_logs($1)
|
|
admin_pattern($1, abrt_var_log_t)
|
|
|
|
- files_search_var($1)
|
|
- admin_pattern($1, { abrt_retrace_cache_t abrt_var_cache_t abrt_retrace_spool_t })
|
|
+ files_list_var($1)
|
|
+ admin_pattern($1, abrt_var_cache_t)
|
|
|
|
- files_search_pids($1)
|
|
+ files_list_pids($1)
|
|
admin_pattern($1, abrt_var_run_t)
|
|
|
|
- files_search_tmp($1)
|
|
+ files_list_tmp($1)
|
|
admin_pattern($1, abrt_tmp_t)
|
|
+
|
|
+ abrt_systemctl($1)
|
|
+ admin_pattern($1, abrt_unit_file_t)
|
|
+ allow $1 abrt_unit_file_t:service all_service_perms;
|
|
+')
|
|
+
|
|
+####################################
|
|
+## <summary>
|
|
+## Execute abrt-retrace in the abrt-retrace domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`abrt_domtrans_retrace_worker',`
|
|
+ gen_require(`
|
|
+ type abrt_retrace_worker_t, abrt_retrace_worker_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, abrt_retrace_worker_exec_t, abrt_retrace_worker_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Manage abrt retrace server cache
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`abrt_manage_spool_retrace',`
|
|
+ gen_require(`
|
|
+ type abrt_retrace_spool_t;
|
|
+ ')
|
|
+
|
|
+ manage_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
|
|
+ manage_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
|
|
+ manage_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Read abrt retrace server cache
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`abrt_read_spool_retrace',`
|
|
+ gen_require(`
|
|
+ type abrt_retrace_spool_t;
|
|
+ ')
|
|
+
|
|
+ list_dirs_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
|
|
+ read_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
|
|
+ read_lnk_files_pattern($1, abrt_retrace_spool_t, abrt_retrace_spool_t)
|
|
+')
|
|
+
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Read abrt retrace server cache
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`abrt_read_cache_retrace',`
|
|
+ gen_require(`
|
|
+ type abrt_retrace_cache_t;
|
|
+ ')
|
|
+
|
|
+ list_dirs_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
|
|
+ read_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
|
|
+ read_lnk_files_pattern($1, abrt_retrace_cache_t, abrt_retrace_cache_t)
|
|
')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Do not audit attempts to write abrt sock files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`abrt_dontaudit_write_sock_file',`
|
|
+ gen_require(`
|
|
+ type abrt_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 abrt_t:sock_file write;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to abrt named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`abrt_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type abrt_tmp_t;
|
|
+ type abrt_etc_t;
|
|
+ type abrt_var_cache_t;
|
|
+ type abrt_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_tmp_filetrans($1, abrt_tmp_t, dir, "abrt")
|
|
+ files_etc_filetrans($1, abrt_etc_t, dir, "abrt")
|
|
+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt")
|
|
+ files_var_filetrans($1, abrt_var_cache_t, dir, "abrt-dix")
|
|
+ files_pid_filetrans($1, abrt_var_run_t, dir, "abrt")
|
|
+')
|
|
+
|
|
diff --git a/abrt.te b/abrt.te
|
|
index eb50f07..6ba0357 100644
|
|
--- a/abrt.te
|
|
+++ b/abrt.te
|
|
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether ABRT can modify
|
|
-## public files used for public file
|
|
-## transfer services.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow ABRT to modify public files
|
|
+## used for public file transfer services.
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(abrt_anon_write, false)
|
|
|
|
@@ -37,13 +36,15 @@ attribute abrt_domain;
|
|
attribute_role abrt_helper_roles;
|
|
roleattribute system_r abrt_helper_roles;
|
|
|
|
-type abrt_t, abrt_domain;
|
|
-type abrt_exec_t;
|
|
+abrt_basic_types_template(abrt)
|
|
init_daemon_domain(abrt_t, abrt_exec_t)
|
|
|
|
type abrt_initrc_exec_t;
|
|
init_script_file(abrt_initrc_exec_t)
|
|
|
|
+type abrt_unit_file_t;
|
|
+systemd_unit_file(abrt_unit_file_t)
|
|
+
|
|
type abrt_etc_t;
|
|
files_config_file(abrt_etc_t)
|
|
|
|
@@ -55,69 +56,75 @@ files_tmp_file(abrt_tmp_t)
|
|
|
|
type abrt_var_cache_t;
|
|
files_type(abrt_var_cache_t)
|
|
+files_tmp_file(abrt_var_cache_t)
|
|
+userdom_user_tmp_content(abrt_var_cache_t)
|
|
|
|
type abrt_var_run_t;
|
|
files_pid_file(abrt_var_run_t)
|
|
|
|
-type abrt_dump_oops_t, abrt_domain;
|
|
-type abrt_dump_oops_exec_t;
|
|
+abrt_basic_types_template(abrt_dump_oops)
|
|
init_system_domain(abrt_dump_oops_t, abrt_dump_oops_exec_t)
|
|
|
|
-type abrt_handle_event_t, abrt_domain;
|
|
-type abrt_handle_event_exec_t;
|
|
-domain_type(abrt_handle_event_t)
|
|
-domain_entry_file(abrt_handle_event_t, abrt_handle_event_exec_t)
|
|
+abrt_basic_types_template(abrt_handle_event)
|
|
+application_domain(abrt_handle_event_t, abrt_handle_event_exec_t)
|
|
role system_r types abrt_handle_event_t;
|
|
|
|
-type abrt_helper_t, abrt_domain;
|
|
-type abrt_helper_exec_t;
|
|
+# type needed to allow all domains
|
|
+# to handle /var/cache/abrt
|
|
+# type needed to allow all domains
|
|
+# to handle /var/cache/abrt
|
|
+abrt_basic_types_template(abrt_helper)
|
|
application_domain(abrt_helper_t, abrt_helper_exec_t)
|
|
role abrt_helper_roles types abrt_helper_t;
|
|
|
|
-type abrt_retrace_coredump_t, abrt_domain;
|
|
-type abrt_retrace_coredump_exec_t;
|
|
-domain_type(abrt_retrace_coredump_t)
|
|
-domain_entry_file(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
|
|
-role system_r types abrt_retrace_coredump_t;
|
|
-
|
|
-type abrt_retrace_worker_t, abrt_domain;
|
|
-type abrt_retrace_worker_exec_t;
|
|
-domain_type(abrt_retrace_worker_t)
|
|
-domain_entry_file(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
|
|
+abrt_basic_types_template(abrt_retrace_worker)
|
|
+application_domain(abrt_retrace_worker_t, abrt_retrace_worker_exec_t)
|
|
role system_r types abrt_retrace_worker_t;
|
|
|
|
+abrt_basic_types_template(abrt_retrace_coredump)
|
|
+application_domain(abrt_retrace_coredump_t, abrt_retrace_coredump_exec_t)
|
|
+role system_r types abrt_retrace_coredump_t;
|
|
+
|
|
type abrt_retrace_cache_t;
|
|
files_type(abrt_retrace_cache_t)
|
|
|
|
type abrt_retrace_spool_t;
|
|
-files_type(abrt_retrace_spool_t)
|
|
+files_spool_file(abrt_retrace_spool_t)
|
|
|
|
-type abrt_watch_log_t, abrt_domain;
|
|
-type abrt_watch_log_exec_t;
|
|
+abrt_basic_types_template(abrt_watch_log)
|
|
init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
|
|
|
|
-type abrt_upload_watch_t, abrt_domain;
|
|
-type abrt_upload_watch_exec_t;
|
|
+abrt_basic_types_template(abrt_upload_watch)
|
|
init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
|
|
|
|
+type abrt_upload_watch_tmp_t;
|
|
+files_tmp_file(abrt_upload_watch_tmp_t)
|
|
+
|
|
+
|
|
ifdef(`enable_mcs',`
|
|
init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# abrt local policy
|
|
#
|
|
|
|
-allow abrt_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice };
|
|
-dontaudit abrt_t self:capability sys_rawio;
|
|
+allow abrt_t self:capability { chown dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
|
|
+dontaudit abrt_t self:capability { sys_rawio sys_ptrace };
|
|
allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };
|
|
+
|
|
allow abrt_t self:fifo_file rw_fifo_file_perms;
|
|
-allow abrt_t self:tcp_socket { accept listen };
|
|
+allow abrt_t self:tcp_socket create_stream_socket_perms;
|
|
+allow abrt_t self:udp_socket create_socket_perms;
|
|
+allow abrt_t self:unix_dgram_socket create_socket_perms;
|
|
+allow abrt_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
-allow abrt_t abrt_etc_t:dir list_dir_perms;
|
|
+# abrt etc files
|
|
+list_dirs_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
|
|
rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t)
|
|
|
|
+# log file
|
|
manage_files_pattern(abrt_t, abrt_var_log_t, abrt_var_log_t)
|
|
logging_log_filetrans(abrt_t, abrt_var_log_t, file)
|
|
|
|
@@ -125,23 +132,29 @@ manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
|
manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
|
manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t)
|
|
files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir })
|
|
+can_exec(abrt_t, abrt_tmp_t)
|
|
|
|
+# abrt var/cache files
|
|
manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
|
|
manage_dirs_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
|
|
manage_lnk_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t)
|
|
files_var_filetrans(abrt_t, abrt_var_cache_t, { file dir })
|
|
files_spool_filetrans(abrt_t, abrt_var_cache_t, dir)
|
|
+files_tmp_filetrans(abrt_t, abrt_var_cache_t, dir, "abrt")
|
|
|
|
+# abrt pid files
|
|
manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
|
|
manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
|
|
manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
|
|
manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t)
|
|
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir sock_file })
|
|
|
|
-can_exec(abrt_t, abrt_tmp_t)
|
|
+manage_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
|
|
+manage_dirs_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
|
|
+manage_lnk_files_pattern(abrt_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
|
|
|
|
kernel_read_ring_buffer(abrt_t)
|
|
-kernel_read_system_state(abrt_t)
|
|
+kernel_read_network_state(abrt_t)
|
|
kernel_request_load_module(abrt_t)
|
|
kernel_rw_kernel_sysctl(abrt_t)
|
|
|
|
@@ -150,16 +163,14 @@ corecmd_exec_shell(abrt_t)
|
|
corecmd_read_all_executables(abrt_t)
|
|
|
|
corenet_all_recvfrom_netlabel(abrt_t)
|
|
-corenet_all_recvfrom_unlabeled(abrt_t)
|
|
corenet_tcp_sendrecv_generic_if(abrt_t)
|
|
corenet_tcp_sendrecv_generic_node(abrt_t)
|
|
-corenet_tcp_sendrecv_all_ports(abrt_t)
|
|
+corenet_tcp_sendrecv_generic_port(abrt_t)
|
|
corenet_tcp_bind_generic_node(abrt_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(abrt_t)
|
|
corenet_tcp_connect_http_port(abrt_t)
|
|
corenet_tcp_connect_ftp_port(abrt_t)
|
|
corenet_tcp_connect_all_ports(abrt_t)
|
|
+corenet_sendrecv_http_client_packets(abrt_t)
|
|
|
|
dev_getattr_all_chr_files(abrt_t)
|
|
dev_getattr_all_blk_files(abrt_t)
|
|
@@ -176,29 +187,37 @@ files_getattr_all_files(abrt_t)
|
|
files_read_config_files(abrt_t)
|
|
files_read_etc_runtime_files(abrt_t)
|
|
files_read_var_symlinks(abrt_t)
|
|
-files_read_usr_files(abrt_t)
|
|
+files_read_var_lib_files(abrt_t)
|
|
+files_read_generic_tmp_files(abrt_t)
|
|
files_read_kernel_modules(abrt_t)
|
|
+files_dontaudit_list_default(abrt_t)
|
|
files_dontaudit_read_default_files(abrt_t)
|
|
files_dontaudit_read_all_symlinks(abrt_t)
|
|
files_dontaudit_getattr_all_sockets(abrt_t)
|
|
files_list_mnt(abrt_t)
|
|
+fs_list_all(abrt_t)
|
|
|
|
+fs_list_inotifyfs(abrt_t)
|
|
fs_getattr_all_fs(abrt_t)
|
|
fs_getattr_all_dirs(abrt_t)
|
|
-fs_list_inotifyfs(abrt_t)
|
|
fs_read_fusefs_files(abrt_t)
|
|
fs_read_noxattr_fs_files(abrt_t)
|
|
fs_read_nfs_files(abrt_t)
|
|
fs_read_nfs_symlinks(abrt_t)
|
|
fs_search_all(abrt_t)
|
|
|
|
+logging_read_generic_logs(abrt_t)
|
|
+logging_send_syslog_msg(abrt_t)
|
|
+
|
|
auth_use_nsswitch(abrt_t)
|
|
|
|
-logging_read_generic_logs(abrt_t)
|
|
+init_read_utmp(abrt_t)
|
|
|
|
+miscfiles_read_generic_certs(abrt_t)
|
|
miscfiles_read_public_files(abrt_t)
|
|
|
|
userdom_dontaudit_read_user_home_content_files(abrt_t)
|
|
+userdom_dontaudit_read_admin_home_files(abrt_t)
|
|
|
|
tunable_policy(`abrt_anon_write',`
|
|
miscfiles_manage_public_files(abrt_t)
|
|
@@ -206,15 +225,11 @@ tunable_policy(`abrt_anon_write',`
|
|
|
|
optional_policy(`
|
|
apache_list_modules(abrt_t)
|
|
- apache_read_module_files(abrt_t)
|
|
+ apache_read_modules(abrt_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_domain(abrt_t, abrt_exec_t)
|
|
-
|
|
- optional_policy(`
|
|
- policykit_dbus_chat(abrt_t)
|
|
- ')
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -222,6 +237,16 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ kdump_read_crash(abrt_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mozilla_plugin_dontaudit_rw_tmp_files(abrt_t)
|
|
+ mozilla_plugin_read_rw_files(abrt_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ policykit_dbus_chat(abrt_t)
|
|
policykit_domtrans_auth(abrt_t)
|
|
policykit_read_lib(abrt_t)
|
|
policykit_read_reload(abrt_t)
|
|
@@ -233,6 +258,7 @@ optional_policy(`
|
|
corecmd_exec_all_executables(abrt_t)
|
|
')
|
|
|
|
+# to install debuginfo packages
|
|
optional_policy(`
|
|
rpm_exec(abrt_t)
|
|
rpm_dontaudit_manage_db(abrt_t)
|
|
@@ -243,6 +269,7 @@ optional_policy(`
|
|
rpm_signull(abrt_t)
|
|
')
|
|
|
|
+# to run mailx plugin
|
|
optional_policy(`
|
|
sendmail_domtrans(abrt_t)
|
|
')
|
|
@@ -253,9 +280,17 @@ optional_policy(`
|
|
sosreport_delete_tmp_files(abrt_t)
|
|
')
|
|
|
|
+optional_policy(`
|
|
+ sssd_stream_connect(abrt_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ xserver_read_log(abrt_t)
|
|
+')
|
|
+
|
|
#######################################
|
|
#
|
|
-# Handle-event local policy
|
|
+# abrt-handle-event local policy
|
|
#
|
|
|
|
allow abrt_handle_event_t self:fifo_file rw_fifo_file_perms;
|
|
@@ -266,9 +301,13 @@ tunable_policy(`abrt_handle_event',`
|
|
can_exec(abrt_t, abrt_handle_event_exec_t)
|
|
')
|
|
|
|
+optional_policy(`
|
|
+ unconfined_domain(abrt_handle_event_t)
|
|
+')
|
|
+
|
|
########################################
|
|
#
|
|
-# Helper local policy
|
|
+# abrt--helper local policy
|
|
#
|
|
|
|
allow abrt_helper_t self:capability { chown setgid sys_nice };
|
|
@@ -281,6 +320,7 @@ manage_dirs_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
|
manage_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
|
manage_lnk_files_pattern(abrt_helper_t, abrt_var_cache_t, abrt_var_cache_t)
|
|
files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir })
|
|
+files_tmp_filetrans(abrt_helper_t, abrt_var_cache_t, dir, "abrt")
|
|
|
|
read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
|
read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t)
|
|
@@ -289,15 +329,20 @@ corecmd_read_all_executables(abrt_helper_t)
|
|
|
|
domain_read_all_domains_state(abrt_helper_t)
|
|
|
|
+files_dontaudit_all_non_security_leaks(abrt_helper_t)
|
|
+
|
|
fs_list_inotifyfs(abrt_helper_t)
|
|
fs_getattr_all_fs(abrt_helper_t)
|
|
|
|
auth_use_nsswitch(abrt_helper_t)
|
|
|
|
+logging_send_syslog_msg(abrt_helper_t)
|
|
+
|
|
term_dontaudit_use_all_ttys(abrt_helper_t)
|
|
term_dontaudit_use_all_ptys(abrt_helper_t)
|
|
|
|
ifdef(`hide_broken_symptoms',`
|
|
+ domain_dontaudit_leaks(abrt_helper_t)
|
|
userdom_dontaudit_read_user_home_content_files(abrt_helper_t)
|
|
userdom_dontaudit_read_user_tmp_files(abrt_helper_t)
|
|
dev_dontaudit_read_all_blk_files(abrt_helper_t)
|
|
@@ -305,11 +350,25 @@ ifdef(`hide_broken_symptoms',`
|
|
dev_dontaudit_write_all_chr_files(abrt_helper_t)
|
|
dev_dontaudit_write_all_blk_files(abrt_helper_t)
|
|
fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ rpm_dontaudit_leaks(abrt_helper_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
+ifdef(`hide_broken_symptoms',`
|
|
+ gen_require(`
|
|
+ attribute domain;
|
|
+ ')
|
|
+
|
|
+ allow abrt_t self:capability sys_resource;
|
|
+ allow abrt_t domain:file write;
|
|
+ allow abrt_t domain:process setrlimit;
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
-# Retrace coredump policy
|
|
+# abrt retrace coredump policy
|
|
#
|
|
|
|
allow abrt_retrace_coredump_t self:fifo_file rw_fifo_file_perms;
|
|
@@ -327,10 +386,12 @@ corecmd_exec_shell(abrt_retrace_coredump_t)
|
|
|
|
dev_read_urand(abrt_retrace_coredump_t)
|
|
|
|
-files_read_usr_files(abrt_retrace_coredump_t)
|
|
+
|
|
+logging_send_syslog_msg(abrt_retrace_coredump_t)
|
|
|
|
sysnet_dns_name_resolve(abrt_retrace_coredump_t)
|
|
|
|
+# to install debuginfo packages
|
|
optional_policy(`
|
|
rpm_exec(abrt_retrace_coredump_t)
|
|
rpm_dontaudit_manage_db(abrt_retrace_coredump_t)
|
|
@@ -343,10 +404,11 @@ optional_policy(`
|
|
|
|
#######################################
|
|
#
|
|
-# Retrace worker policy
|
|
+# abrt retrace worker policy
|
|
#
|
|
|
|
-allow abrt_retrace_worker_t self:capability setuid;
|
|
+allow abrt_retrace_worker_t self:capability { setuid };
|
|
+
|
|
allow abrt_retrace_worker_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
domtrans_pattern(abrt_retrace_worker_t, abrt_retrace_coredump_exec_t, abrt_retrace_coredump_t)
|
|
@@ -365,38 +427,48 @@ corecmd_exec_shell(abrt_retrace_worker_t)
|
|
|
|
dev_read_urand(abrt_retrace_worker_t)
|
|
|
|
-files_read_usr_files(abrt_retrace_worker_t)
|
|
+
|
|
+logging_send_syslog_msg(abrt_retrace_worker_t)
|
|
|
|
sysnet_dns_name_resolve(abrt_retrace_worker_t)
|
|
|
|
+optional_policy(`
|
|
+ mock_domtrans(abrt_retrace_worker_t)
|
|
+ mock_manage_lib_files(abrt_t)
|
|
+')
|
|
+
|
|
########################################
|
|
#
|
|
-# Dump oops local policy
|
|
+# abrt_dump_oops local policy
|
|
#
|
|
|
|
allow abrt_dump_oops_t self:capability dac_override;
|
|
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
|
|
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
|
|
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
files_search_spool(abrt_dump_oops_t)
|
|
manage_dirs_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
|
|
manage_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
|
|
manage_lnk_files_pattern(abrt_dump_oops_t, abrt_var_cache_t, abrt_var_cache_t)
|
|
files_var_filetrans(abrt_dump_oops_t, abrt_var_cache_t, { file dir })
|
|
+files_tmp_filetrans(abrt_dump_oops_t, abrt_var_cache_t, dir, "abrt")
|
|
|
|
read_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
|
|
read_lnk_files_pattern(abrt_dump_oops_t, abrt_var_run_t, abrt_var_run_t)
|
|
|
|
read_files_pattern(abrt_dump_oops_t, abrt_etc_t, abrt_etc_t)
|
|
|
|
+kernel_read_debugfs(abrt_dump_oops_t)
|
|
kernel_read_kernel_sysctls(abrt_dump_oops_t)
|
|
kernel_read_ring_buffer(abrt_dump_oops_t)
|
|
|
|
domain_use_interactive_fds(abrt_dump_oops_t)
|
|
|
|
fs_list_inotifyfs(abrt_dump_oops_t)
|
|
+fs_list_pstorefs(abrt_dump_oops_t)
|
|
|
|
logging_read_generic_logs(abrt_dump_oops_t)
|
|
+logging_send_syslog_msg(abrt_dump_oops_t)
|
|
|
|
#######################################
|
|
#
|
|
@@ -404,7 +476,7 @@ logging_read_generic_logs(abrt_dump_oops_t)
|
|
#
|
|
|
|
allow abrt_watch_log_t self:fifo_file rw_fifo_file_perms;
|
|
-allow abrt_watch_log_t self:unix_stream_socket { accept listen };
|
|
+allow abrt_watch_log_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
read_files_pattern(abrt_watch_log_t, abrt_etc_t, abrt_etc_t)
|
|
|
|
@@ -413,16 +485,42 @@ domtrans_pattern(abrt_watch_log_t, abrt_dump_oops_exec_t, abrt_dump_oops_t)
|
|
corecmd_exec_bin(abrt_watch_log_t)
|
|
|
|
logging_read_all_logs(abrt_watch_log_t)
|
|
+logging_send_syslog_msg(abrt_watch_log_t)
|
|
+
|
|
+tunable_policy(`abrt_upload_watch_anon_write',`
|
|
+ miscfiles_manage_public_files(abrt_upload_watch_t)
|
|
+')
|
|
|
|
#######################################
|
|
#
|
|
# Upload watch local policy
|
|
#
|
|
|
|
+allow abrt_upload_watch_t self:capability dac_override;
|
|
+
|
|
+manage_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
|
|
+manage_dirs_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
|
|
+manage_lnk_files_pattern(abrt_upload_watch_t, abrt_upload_watch_tmp_t, abrt_upload_watch_tmp_t)
|
|
+files_tmp_filetrans(abrt_upload_watch_t, abrt_upload_watch_tmp_t, {file dir})
|
|
+
|
|
+read_files_pattern(abrt_upload_watch_t, abrt_etc_t, abrt_etc_t)
|
|
+
|
|
+manage_dirs_pattern(abrt_upload_watch_t, abrt_var_cache_t, abrt_var_cache_t)
|
|
+
|
|
corecmd_exec_bin(abrt_upload_watch_t)
|
|
|
|
+dev_read_urand(abrt_upload_watch_t)
|
|
+
|
|
+files_search_spool(abrt_upload_watch_t)
|
|
+
|
|
+auth_read_passwd(abrt_upload_watch_t)
|
|
+
|
|
tunable_policy(`abrt_upload_watch_anon_write',`
|
|
- miscfiles_manage_public_files(abrt_upload_watch_t)
|
|
+ miscfiles_manage_public_files(abrt_upload_watch_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dbus_system_bus_client(abrt_upload_watch_t)
|
|
')
|
|
|
|
#######################################
|
|
@@ -430,10 +528,7 @@ tunable_policy(`abrt_upload_watch_anon_write',`
|
|
# Global local policy
|
|
#
|
|
|
|
-kernel_read_system_state(abrt_domain)
|
|
+allow abrt_domain abrt_var_run_t:sock_file write_sock_file_perms;
|
|
+allow abrt_domain abrt_var_run_t:unix_stream_socket connectto;
|
|
|
|
files_read_etc_files(abrt_domain)
|
|
-
|
|
-logging_send_syslog_msg(abrt_domain)
|
|
-
|
|
-miscfiles_read_localization(abrt_domain)
|
|
diff --git a/accountsd.fc b/accountsd.fc
|
|
index f9d8d7a..0682710 100644
|
|
--- a/accountsd.fc
|
|
+++ b/accountsd.fc
|
|
@@ -1,3 +1,5 @@
|
|
+/usr/lib/systemd/system/accountsd.* -- gen_context(system_u:object_r:accountsd_unit_file_t,s0)
|
|
+
|
|
/usr/libexec/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
|
|
|
|
/usr/lib/accountsservice/accounts-daemon -- gen_context(system_u:object_r:accountsd_exec_t,s0)
|
|
diff --git a/accountsd.if b/accountsd.if
|
|
index bd5ec9a..a5ed692 100644
|
|
--- a/accountsd.if
|
|
+++ b/accountsd.if
|
|
@@ -126,23 +126,50 @@ interface(`accountsd_manage_lib_files',`
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+#
|
|
+interface(`accountsd_systemctl',`
|
|
+ gen_require(`
|
|
+ type accountsd_t;
|
|
+ type accountsd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 accountsd_unit_file_t:file read_file_perms;
|
|
+ allow $1 accountsd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, accountsd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an accountsd environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
interface(`accountsd_admin',`
|
|
gen_require(`
|
|
type accountsd_t;
|
|
+ type accountsd_unit_file_t;
|
|
')
|
|
|
|
- allow $1 accountsd_t:process { ptrace signal_perms };
|
|
+ allow $1 accountsd_t:process signal_perms;
|
|
ps_process_pattern($1, accountsd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 accountsd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
accountsd_manage_lib_files($1)
|
|
+
|
|
+ accountsd_systemctl($1)
|
|
+ admin_pattern($1, accountsd_unit_file_t)
|
|
+ allow $1 accountsd_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/accountsd.te b/accountsd.te
|
|
index 3593510..b6a0f70 100644
|
|
--- a/accountsd.te
|
|
+++ b/accountsd.te
|
|
@@ -4,6 +4,10 @@ gen_require(`
|
|
class passwd all_passwd_perms;
|
|
')
|
|
|
|
+gen_require(`
|
|
+ class passwd { passwd chfn chsh rootok crontab };
|
|
+')
|
|
+
|
|
########################################
|
|
#
|
|
# Declarations
|
|
@@ -11,11 +15,15 @@ gen_require(`
|
|
|
|
type accountsd_t;
|
|
type accountsd_exec_t;
|
|
-dbus_system_domain(accountsd_t, accountsd_exec_t)
|
|
+init_daemon_domain(accountsd_t, accountsd_exec_t)
|
|
+role system_r types accountsd_t;
|
|
|
|
type accountsd_var_lib_t;
|
|
files_type(accountsd_var_lib_t)
|
|
|
|
+type accountsd_unit_file_t;
|
|
+systemd_unit_file(accountsd_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -38,7 +46,6 @@ corecmd_exec_bin(accountsd_t)
|
|
dev_read_sysfs(accountsd_t)
|
|
|
|
files_read_mnt_files(accountsd_t)
|
|
-files_read_usr_files(accountsd_t)
|
|
|
|
fs_getattr_xattr_fs(accountsd_t)
|
|
fs_list_inotifyfs(accountsd_t)
|
|
@@ -48,7 +55,7 @@ auth_use_nsswitch(accountsd_t)
|
|
auth_read_login_records(accountsd_t)
|
|
auth_read_shadow(accountsd_t)
|
|
|
|
-miscfiles_read_localization(accountsd_t)
|
|
+init_dbus_chat(accountsd_t)
|
|
|
|
logging_list_logs(accountsd_t)
|
|
logging_send_syslog_msg(accountsd_t)
|
|
@@ -66,9 +73,16 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ dbus_system_domain(accountsd_t, accountsd_exec_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
policykit_dbus_chat(accountsd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_read_xdm_tmp_files(accountsd_t)
|
|
+ xserver_read_state_xdm(accountsd_t)
|
|
+ xserver_dbus_chat_xdm(accountsd_t)
|
|
+ xserver_manage_xdm_etc_files(accountsd_t)
|
|
')
|
|
diff --git a/acct.if b/acct.if
|
|
index 81280d0..bc4038b 100644
|
|
--- a/acct.if
|
|
+++ b/acct.if
|
|
@@ -83,6 +83,24 @@ interface(`acct_manage_data',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Dontaudit Attempts to list acct_data directory
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`acct_dontaudit_list_data',`
|
|
+ gen_require(`
|
|
+ type acct_data_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 acct_data_t:dir list_dir_perms;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
## All of the rules required to
|
|
## administrate an acct environment.
|
|
## </summary>
|
|
@@ -103,9 +121,13 @@ interface(`acct_admin',`
|
|
type acct_t, acct_initrc_exec_t, acct_data_t;
|
|
')
|
|
|
|
- allow $1 acct_t:process { ptrace signal_perms };
|
|
+ allow $1 acct_t:process { signal_perms };
|
|
ps_process_pattern($1, acct_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 acct_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, acct_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 acct_initrc_exec_t system_r;
|
|
diff --git a/acct.te b/acct.te
|
|
index 8b9ad83..f4f2486 100644
|
|
--- a/acct.te
|
|
+++ b/acct.te
|
|
@@ -40,8 +40,6 @@ corecmd_exec_shell(acct_t)
|
|
dev_read_sysfs(acct_t)
|
|
dev_read_urand(acct_t)
|
|
|
|
-domain_use_interactive_fds(acct_t)
|
|
-
|
|
fs_search_auto_mountpoints(acct_t)
|
|
fs_getattr_xattr_fs(acct_t)
|
|
|
|
@@ -49,7 +47,6 @@ term_dontaudit_use_console(acct_t)
|
|
term_dontaudit_use_generic_ptys(acct_t)
|
|
|
|
files_read_etc_runtime_files(acct_t)
|
|
-files_list_usr(acct_t)
|
|
|
|
auth_use_nsswitch(acct_t)
|
|
|
|
@@ -59,8 +56,6 @@ init_exec_script_files(acct_t)
|
|
|
|
logging_send_syslog_msg(acct_t)
|
|
|
|
-miscfiles_read_localization(acct_t)
|
|
-
|
|
userdom_dontaudit_search_user_home_dirs(acct_t)
|
|
userdom_dontaudit_use_unpriv_user_fds(acct_t)
|
|
|
|
diff --git a/ada.te b/ada.te
|
|
index 8d42c97..2377f8f 100644
|
|
--- a/ada.te
|
|
+++ b/ada.te
|
|
@@ -20,7 +20,7 @@ role ada_roles types ada_t;
|
|
|
|
allow ada_t self:process { execstack execmem };
|
|
|
|
-userdom_use_user_terminals(ada_t)
|
|
+userdom_use_inherited_user_terminals(ada_t)
|
|
|
|
optional_policy(`
|
|
unconfined_domain(ada_t)
|
|
diff --git a/afs.if b/afs.if
|
|
index 3b41be6..97d99f9 100644
|
|
--- a/afs.if
|
|
+++ b/afs.if
|
|
@@ -40,6 +40,24 @@ interface(`afs_rw_udp_sockets',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Read AFS config data
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`afs_read_config',`
|
|
+ gen_require(`
|
|
+ type afs_config_t;
|
|
+ ')
|
|
+
|
|
+ read_files_pattern($1, afs_config_t, afs_config_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Read and write afs cache files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -95,13 +113,17 @@ interface(`afs_initrc_domtrans',`
|
|
interface(`afs_admin',`
|
|
gen_require(`
|
|
attribute afs_domain;
|
|
- type afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
|
|
+ type afs_t, afs_initrc_exec_t, afs_dbdir_t, afs_pt_db_t;
|
|
type afs_ka_db_t, afs_vl_db_t, afs_config_t;
|
|
type afs_logfile_t, afs_cache_t, afs_files_t;
|
|
')
|
|
|
|
- allow $1 afs_domain:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, afs_domain)
|
|
+ allow $1 afs_t:process signal_perms;
|
|
+ ps_process_pattern($1, afs_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 afs_t:process ptrace;
|
|
+ ')
|
|
|
|
afs_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff --git a/afs.te b/afs.te
|
|
index 90ce637..2e9f5d9 100644
|
|
--- a/afs.te
|
|
+++ b/afs.te
|
|
@@ -83,8 +83,16 @@ files_var_filetrans(afs_t, afs_cache_t, { file dir })
|
|
|
|
kernel_rw_afs_state(afs_t)
|
|
|
|
+corenet_all_recvfrom_netlabel(afs_t)
|
|
+corenet_tcp_sendrecv_generic_if(afs_t)
|
|
+corenet_udp_sendrecv_generic_if(afs_t)
|
|
+corenet_tcp_sendrecv_generic_node(afs_t)
|
|
+corenet_udp_sendrecv_generic_node(afs_t)
|
|
+corenet_tcp_sendrecv_all_ports(afs_t)
|
|
+corenet_udp_sendrecv_all_ports(afs_t)
|
|
+corenet_udp_bind_generic_node(afs_t)
|
|
+
|
|
files_mounton_mnt(afs_t)
|
|
-files_read_usr_files(afs_t)
|
|
files_rw_etc_runtime_files(afs_t)
|
|
|
|
fs_getattr_xattr_fs(afs_t)
|
|
@@ -93,6 +101,12 @@ fs_read_nfs_symlinks(afs_t)
|
|
|
|
logging_send_syslog_msg(afs_t)
|
|
|
|
+sysnet_dns_name_resolve(afs_t)
|
|
+
|
|
+ifdef(`hide_broken_symptoms',`
|
|
+ kernel_rw_unlabeled_files(afs_t)
|
|
+')
|
|
+
|
|
########################################
|
|
#
|
|
# AFS bossserver local policy
|
|
@@ -125,7 +139,6 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
|
|
|
|
kernel_read_kernel_sysctls(afs_bosserver_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(afs_bosserver_t)
|
|
corenet_all_recvfrom_netlabel(afs_bosserver_t)
|
|
corenet_udp_sendrecv_generic_if(afs_bosserver_t)
|
|
corenet_udp_sendrecv_generic_node(afs_bosserver_t)
|
|
@@ -136,7 +149,6 @@ corenet_sendrecv_afs_bos_server_packets(afs_bosserver_t)
|
|
corenet_udp_sendrecv_afs_bos_port(afs_bosserver_t)
|
|
|
|
files_list_home(afs_bosserver_t)
|
|
-files_read_usr_files(afs_bosserver_t)
|
|
|
|
seutil_read_config(afs_bosserver_t)
|
|
|
|
@@ -151,9 +163,6 @@ allow afs_fsserver_t self:process { setsched signal_perms };
|
|
allow afs_fsserver_t self:fifo_file rw_fifo_file_perms;
|
|
allow afs_fsserver_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
-read_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
|
|
-allow afs_fsserver_t afs_config_t:dir list_dir_perms;
|
|
-
|
|
manage_dirs_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
|
|
manage_files_pattern(afs_fsserver_t, afs_config_t, afs_config_t)
|
|
|
|
@@ -175,12 +184,14 @@ kernel_read_kernel_sysctls(afs_fsserver_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(afs_fsserver_t)
|
|
corenet_all_recvfrom_netlabel(afs_fsserver_t)
|
|
+corenet_tcp_bind_generic_node(afs_fsserver_t)
|
|
+corenet_udp_bind_generic_node(afs_fsserver_t)
|
|
corenet_tcp_sendrecv_generic_if(afs_fsserver_t)
|
|
corenet_udp_sendrecv_generic_if(afs_fsserver_t)
|
|
corenet_tcp_sendrecv_generic_node(afs_fsserver_t)
|
|
corenet_udp_sendrecv_generic_node(afs_fsserver_t)
|
|
-corenet_tcp_bind_generic_node(afs_fsserver_t)
|
|
-corenet_udp_bind_generic_node(afs_fsserver_t)
|
|
+corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
|
|
+corenet_udp_sendrecv_all_ports(afs_fsserver_t)
|
|
|
|
corenet_sendrecv_afs_fs_server_packets(afs_fsserver_t)
|
|
corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
|
|
@@ -190,7 +201,6 @@ corenet_udp_sendrecv_afs_fs_port(afs_fsserver_t)
|
|
|
|
files_read_etc_runtime_files(afs_fsserver_t)
|
|
files_list_home(afs_fsserver_t)
|
|
-files_read_usr_files(afs_fsserver_t)
|
|
files_list_pids(afs_fsserver_t)
|
|
files_dontaudit_search_mnt(afs_fsserver_t)
|
|
|
|
@@ -224,7 +234,6 @@ manage_files_pattern(afs_kaserver_t, afs_logfile_t, afs_logfile_t)
|
|
|
|
kernel_read_kernel_sysctls(afs_kaserver_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(afs_kaserver_t)
|
|
corenet_all_recvfrom_netlabel(afs_kaserver_t)
|
|
corenet_udp_sendrecv_generic_if(afs_kaserver_t)
|
|
corenet_udp_sendrecv_generic_node(afs_kaserver_t)
|
|
@@ -239,7 +248,6 @@ corenet_udp_bind_kerberos_port(afs_kaserver_t)
|
|
corenet_udp_sendrecv_kerberos_port(afs_kaserver_t)
|
|
|
|
files_list_home(afs_kaserver_t)
|
|
-files_read_usr_files(afs_kaserver_t)
|
|
|
|
seutil_read_config(afs_kaserver_t)
|
|
|
|
@@ -253,16 +261,12 @@ userdom_dontaudit_use_user_terminals(afs_kaserver_t)
|
|
allow afs_ptserver_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow afs_ptserver_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
-read_files_pattern(afs_ptserver_t, afs_config_t, afs_config_t)
|
|
-allow afs_ptserver_t afs_config_t:dir list_dir_perms;
|
|
-
|
|
manage_dirs_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
|
|
manage_files_pattern(afs_ptserver_t, afs_logfile_t, afs_logfile_t)
|
|
|
|
manage_files_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t)
|
|
filetrans_pattern(afs_ptserver_t, afs_dbdir_t, afs_pt_db_t, file)
|
|
|
|
-corenet_all_recvfrom_unlabeled(afs_ptserver_t)
|
|
corenet_all_recvfrom_netlabel(afs_ptserver_t)
|
|
corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
|
|
corenet_udp_sendrecv_generic_if(afs_ptserver_t)
|
|
@@ -274,6 +278,8 @@ corenet_udp_bind_generic_node(afs_ptserver_t)
|
|
corenet_udp_bind_afs_pt_port(afs_ptserver_t)
|
|
corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
|
|
|
|
+sysnet_read_config(afs_ptserver_t)
|
|
+
|
|
userdom_dontaudit_use_user_terminals(afs_ptserver_t)
|
|
|
|
########################################
|
|
@@ -284,16 +290,12 @@ userdom_dontaudit_use_user_terminals(afs_ptserver_t)
|
|
allow afs_vlserver_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow afs_vlserver_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
-read_files_pattern(afs_vlserver_t, afs_config_t, afs_config_t)
|
|
-allow afs_vlserver_t afs_config_t:dir list_dir_perms;
|
|
-
|
|
manage_dirs_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
|
|
manage_files_pattern(afs_vlserver_t, afs_logfile_t, afs_logfile_t)
|
|
|
|
manage_files_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t)
|
|
filetrans_pattern(afs_vlserver_t, afs_dbdir_t, afs_vl_db_t, file)
|
|
|
|
-corenet_all_recvfrom_unlabeled(afs_vlserver_t)
|
|
corenet_all_recvfrom_netlabel(afs_vlserver_t)
|
|
corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
|
|
corenet_udp_sendrecv_generic_if(afs_vlserver_t)
|
|
@@ -314,8 +316,8 @@ userdom_dontaudit_use_user_terminals(afs_vlserver_t)
|
|
|
|
allow afs_domain self:udp_socket create_socket_perms;
|
|
|
|
-files_read_etc_files(afs_domain)
|
|
-
|
|
-miscfiles_read_localization(afs_domain)
|
|
+read_files_pattern(afs_domain, afs_config_t, afs_config_t)
|
|
+allow afs_domain afs_config_t:dir list_dir_perms;
|
|
|
|
sysnet_read_config(afs_domain)
|
|
+
|
|
diff --git a/aiccu.if b/aiccu.if
|
|
index 3b5dcb9..fbe187f 100644
|
|
--- a/aiccu.if
|
|
+++ b/aiccu.if
|
|
@@ -79,9 +79,13 @@ interface(`aiccu_admin',`
|
|
type aiccu_var_run_t;
|
|
')
|
|
|
|
- allow $1 aiccu_t:process { ptrace signal_perms };
|
|
+ allow $1 aiccu_t:process signal_perms;
|
|
ps_process_pattern($1, aiccu_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 aiccu_t:process ptrace;
|
|
+ ')
|
|
+
|
|
aiccu_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 aiccu_initrc_exec_t system_r;
|
|
diff --git a/aiccu.te b/aiccu.te
|
|
index 5d2b90e..f1cf098 100644
|
|
--- a/aiccu.te
|
|
+++ b/aiccu.te
|
|
@@ -48,7 +48,6 @@ corenet_all_recvfrom_unlabeled(aiccu_t)
|
|
corenet_tcp_bind_generic_node(aiccu_t)
|
|
corenet_tcp_sendrecv_generic_if(aiccu_t)
|
|
corenet_tcp_sendrecv_generic_node(aiccu_t)
|
|
-
|
|
corenet_sendrecv_sixxsconfig_client_packets(aiccu_t)
|
|
corenet_tcp_connect_sixxsconfig_port(aiccu_t)
|
|
corenet_tcp_sendrecv_sixxsconfig_port(aiccu_t)
|
|
@@ -60,11 +59,10 @@ domain_use_interactive_fds(aiccu_t)
|
|
dev_read_rand(aiccu_t)
|
|
dev_read_urand(aiccu_t)
|
|
|
|
-files_read_etc_files(aiccu_t)
|
|
|
|
-logging_send_syslog_msg(aiccu_t)
|
|
+auth_read_passwd(aiccu_t)
|
|
|
|
-miscfiles_read_localization(aiccu_t)
|
|
+logging_send_syslog_msg(aiccu_t)
|
|
|
|
optional_policy(`
|
|
modutils_domtrans_insmod(aiccu_t)
|
|
diff --git a/aide.if b/aide.if
|
|
index 01cbb67..94a4a24 100644
|
|
--- a/aide.if
|
|
+++ b/aide.if
|
|
@@ -67,9 +67,13 @@ interface(`aide_admin',`
|
|
type aide_t, aide_db_t, aide_log_t;
|
|
')
|
|
|
|
- allow $1 aide_t:process { ptrace signal_perms };
|
|
+ allow $1 aide_t:process signal_perms;
|
|
ps_process_pattern($1, aide_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 aide_t:process ptrace;
|
|
+ ')
|
|
+
|
|
aide_run($1, $2)
|
|
|
|
files_list_etc($1)
|
|
diff --git a/aide.te b/aide.te
|
|
index 03831e6..cfc9115 100644
|
|
--- a/aide.te
|
|
+++ b/aide.te
|
|
@@ -10,6 +10,7 @@ attribute_role aide_roles;
|
|
type aide_t;
|
|
type aide_exec_t;
|
|
application_domain(aide_t, aide_exec_t)
|
|
+cron_system_entry(aide_t, aide_exec_t)
|
|
role aide_roles types aide_t;
|
|
|
|
type aide_log_t;
|
|
@@ -23,22 +24,30 @@ files_type(aide_db_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow aide_t self:capability { dac_override fowner };
|
|
+allow aide_t self:capability { dac_override fowner ipc_lock sys_admin };
|
|
|
|
manage_files_pattern(aide_t, aide_db_t, aide_db_t)
|
|
+files_var_lib_filetrans(aide_t, aide_db_t, { dir file })
|
|
|
|
-create_files_pattern(aide_t, aide_log_t, aide_log_t)
|
|
-append_files_pattern(aide_t, aide_log_t, aide_log_t)
|
|
-setattr_files_pattern(aide_t, aide_log_t, aide_log_t)
|
|
+manage_files_pattern(aide_t, aide_log_t, aide_log_t)
|
|
logging_log_filetrans(aide_t, aide_log_t, file)
|
|
|
|
files_read_all_files(aide_t)
|
|
files_read_all_symlinks(aide_t)
|
|
+files_getattr_all_pipes(aide_t)
|
|
+files_getattr_all_sockets(aide_t)
|
|
+
|
|
+mls_file_read_to_clearance(aide_t)
|
|
+mls_file_write_to_clearance(aide_t)
|
|
|
|
logging_send_audit_msgs(aide_t)
|
|
logging_send_syslog_msg(aide_t)
|
|
|
|
-userdom_use_user_terminals(aide_t)
|
|
+userdom_use_inherited_user_terminals(aide_t)
|
|
+
|
|
+optional_policy(`
|
|
+ prelink_domtrans(aide_t)
|
|
+')
|
|
|
|
optional_policy(`
|
|
seutil_use_newrole_fds(aide_t)
|
|
diff --git a/aisexec.if b/aisexec.if
|
|
index a2997fa..861cebd 100644
|
|
--- a/aisexec.if
|
|
+++ b/aisexec.if
|
|
@@ -83,9 +83,13 @@ interface(`aisexecd_admin',`
|
|
type aisexec_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 aisexec_t:process { ptrace signal_perms };
|
|
+ allow $1 aisexec_t:process signal_perms;
|
|
ps_process_pattern($1, aisexec_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 aisexec_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, aisexec_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 aisexec_initrc_exec_t system_r;
|
|
diff --git a/aisexec.te b/aisexec.te
|
|
index 4e4f063..808e067 100644
|
|
--- a/aisexec.te
|
|
+++ b/aisexec.te
|
|
@@ -63,6 +63,7 @@ files_pid_filetrans(aisexec_t, aisexec_var_run_t, { file sock_file })
|
|
kernel_read_system_state(aisexec_t)
|
|
|
|
corecmd_exec_bin(aisexec_t)
|
|
+corecmd_exec_shell(aisexec_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(aisexec_t)
|
|
corenet_all_recvfrom_netlabel(aisexec_t)
|
|
@@ -95,8 +96,6 @@ init_rw_script_tmp_files(aisexec_t)
|
|
|
|
logging_send_syslog_msg(aisexec_t)
|
|
|
|
-miscfiles_read_localization(aisexec_t)
|
|
-
|
|
userdom_rw_unpriv_user_semaphores(aisexec_t)
|
|
userdom_rw_unpriv_user_shared_mem(aisexec_t)
|
|
|
|
@@ -105,6 +104,11 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ corosync_domtrans(aisexec_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ # to communication with RHCS
|
|
rhcs_rw_dlm_controld_semaphores(aisexec_t)
|
|
|
|
rhcs_rw_fenced_semaphores(aisexec_t)
|
|
diff --git a/ajaxterm.fc b/ajaxterm.fc
|
|
new file mode 100644
|
|
index 0000000..aeb1888
|
|
--- /dev/null
|
|
+++ b/ajaxterm.fc
|
|
@@ -0,0 +1,6 @@
|
|
+
|
|
+/etc/rc\.d/init\.d/ajaxterm -- gen_context(system_u:object_r:ajaxterm_initrc_exec_t,s0)
|
|
+
|
|
+/usr/share/ajaxterm/ajaxterm\.py -- gen_context(system_u:object_r:ajaxterm_exec_t,s0)
|
|
+
|
|
+/var/run/ajaxterm\.pid -- gen_context(system_u:object_r:ajaxterm_var_run_t,s0)
|
|
diff --git a/ajaxterm.if b/ajaxterm.if
|
|
new file mode 100644
|
|
index 0000000..7abe946
|
|
--- /dev/null
|
|
+++ b/ajaxterm.if
|
|
@@ -0,0 +1,90 @@
|
|
+## <summary>policy for ajaxterm</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute a domain transition to run ajaxterm.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ajaxterm_domtrans',`
|
|
+ gen_require(`
|
|
+ type ajaxterm_t, ajaxterm_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, ajaxterm_exec_t, ajaxterm_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute ajaxterm server in the ajaxterm domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ajaxterm_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type ajaxterm_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, ajaxterm_initrc_exec_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Read and write the ajaxterm pty type.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ajaxterm_rw_ptys',`
|
|
+ gen_require(`
|
|
+ type ajaxterm_devpts_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 ajaxterm_devpts_t:chr_file rw_inherited_term_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an ajaxterm environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`ajaxterm_admin',`
|
|
+ gen_require(`
|
|
+ type ajaxterm_t, ajaxterm_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 ajaxterm_t:process signal_perms;
|
|
+ ps_process_pattern($1, ajaxterm_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ajaxterm_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ ajaxterm_initrc_domtrans($1)
|
|
+ domain_system_change_exemption($1)
|
|
+ role_transition $2 ajaxterm_initrc_exec_t system_r;
|
|
+ allow $2 system_r;
|
|
+')
|
|
diff --git a/ajaxterm.te b/ajaxterm.te
|
|
new file mode 100644
|
|
index 0000000..a95a4ad
|
|
--- /dev/null
|
|
+++ b/ajaxterm.te
|
|
@@ -0,0 +1,60 @@
|
|
+policy_module(ajaxterm, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type ajaxterm_t;
|
|
+type ajaxterm_exec_t;
|
|
+init_daemon_domain(ajaxterm_t, ajaxterm_exec_t)
|
|
+
|
|
+type ajaxterm_initrc_exec_t;
|
|
+init_script_file(ajaxterm_initrc_exec_t)
|
|
+
|
|
+type ajaxterm_var_run_t;
|
|
+files_pid_file(ajaxterm_var_run_t)
|
|
+
|
|
+type ajaxterm_devpts_t;
|
|
+term_login_pty(ajaxterm_devpts_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# ajaxterm local policy
|
|
+#
|
|
+allow ajaxterm_t self:capability setuid;
|
|
+allow ajaxterm_t self:process { setpgid signal };
|
|
+allow ajaxterm_t self:fifo_file rw_fifo_file_perms;
|
|
+allow ajaxterm_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow ajaxterm_t self:tcp_socket create_stream_socket_perms;
|
|
+
|
|
+allow ajaxterm_t ajaxterm_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms relabelfrom };
|
|
+term_create_pty(ajaxterm_t, ajaxterm_devpts_t)
|
|
+
|
|
+manage_dirs_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
|
|
+manage_files_pattern(ajaxterm_t, ajaxterm_var_run_t, ajaxterm_var_run_t)
|
|
+files_pid_filetrans(ajaxterm_t, ajaxterm_var_run_t, { file dir })
|
|
+
|
|
+kernel_read_system_state(ajaxterm_t)
|
|
+
|
|
+corecmd_exec_bin(ajaxterm_t)
|
|
+
|
|
+corenet_tcp_bind_generic_node(ajaxterm_t)
|
|
+corenet_tcp_bind_oa_system_port(ajaxterm_t)
|
|
+
|
|
+dev_read_urand(ajaxterm_t)
|
|
+
|
|
+domain_use_interactive_fds(ajaxterm_t)
|
|
+
|
|
+
|
|
+sysnet_dns_name_resolve(ajaxterm_t)
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# SSH component local policy
|
|
+#
|
|
+
|
|
+optional_policy(`
|
|
+ ssh_basic_client_template(ajaxterm, ajaxterm_t, system_r)
|
|
+')
|
|
+
|
|
diff --git a/alsa.fc b/alsa.fc
|
|
index 33d9d31..03a150d 100644
|
|
--- a/alsa.fc
|
|
+++ b/alsa.fc
|
|
@@ -23,4 +23,8 @@ ifdef(`distro_debian',`
|
|
/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
|
|
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
|
|
|
|
-/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
|
|
+/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/alsa.* -- gen_context(system_u:object_r:alsa_unit_file_t,s0)
|
|
+
|
|
+/var/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_var_run_t,s0)
|
|
diff --git a/alsa.if b/alsa.if
|
|
index ca8d8cf..2cc5ce6 100644
|
|
--- a/alsa.if
|
|
+++ b/alsa.if
|
|
@@ -168,6 +168,7 @@ interface(`alsa_manage_home_files',`
|
|
|
|
userdom_search_user_home_dirs($1)
|
|
allow $1 alsa_home_t:file manage_file_perms;
|
|
+ alsa_filetrans_home_content($1)
|
|
')
|
|
|
|
########################################
|
|
@@ -210,51 +211,87 @@ interface(`alsa_relabel_home_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create objects in user home
|
|
-## directories with the generic alsa
|
|
-## home type.
|
|
+## Read Alsa lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="object_class">
|
|
+#
|
|
+interface(`alsa_read_lib',`
|
|
+ gen_require(`
|
|
+ type alsa_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to alsa named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Class of the object being created.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="name" optional="true">
|
|
+#
|
|
+interface(`alsa_filetrans_home_content',`
|
|
+ gen_require(`
|
|
+ type alsa_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_user_home_dir_filetrans($1, alsa_home_t, file, ".asoundrc")
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to alsa named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## The name of the object being created.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`alsa_home_filetrans_alsa_home',`
|
|
+interface(`alsa_filetrans_named_content',`
|
|
gen_require(`
|
|
type alsa_home_t;
|
|
+ type alsa_etc_rw_t;
|
|
+ type alsa_var_lib_t;
|
|
')
|
|
|
|
- userdom_user_home_dir_filetrans($1, alsa_home_t, $2, $3)
|
|
+ files_etc_filetrans($1, alsa_etc_rw_t, file, "asound.state")
|
|
+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "pcm")
|
|
+ files_etc_filetrans($1, alsa_etc_rw_t, dir, "asound")
|
|
+ files_usr_filetrans($1, alsa_etc_rw_t, file, "alsa.conf")
|
|
+ files_usr_filetrans($1, alsa_etc_rw_t, dir, "pcm")
|
|
+ files_var_lib_filetrans($1, alsa_var_lib_t, dir, "alsa")
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read Alsa lib files.
|
|
+## Execute alsa server in the alsa domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`alsa_read_lib',`
|
|
+interface(`alsa_systemctl',`
|
|
gen_require(`
|
|
- type alsa_var_lib_t;
|
|
+ type alsa_t;
|
|
+ type alsa_unit_file_t;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
- read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 alsa_unit_file_t:file read_file_perms;
|
|
+ allow $1 alsa_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, alsa_t)
|
|
')
|
|
|
|
#########################################
|
|
diff --git a/alsa.te b/alsa.te
|
|
index 4b153f1..2403849 100644
|
|
--- a/alsa.te
|
|
+++ b/alsa.te
|
|
@@ -24,16 +24,23 @@ files_tmpfs_file(alsa_tmpfs_t)
|
|
type alsa_var_lib_t;
|
|
files_type(alsa_var_lib_t)
|
|
|
|
+type alsa_var_run_t;
|
|
+files_pid_file(alsa_var_run_t)
|
|
+
|
|
type alsa_home_t;
|
|
userdom_user_home_content(alsa_home_t)
|
|
|
|
+type alsa_unit_file_t;
|
|
+systemd_unit_file(alsa_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
-allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
|
|
-dontaudit alsa_t self:capability sys_admin;
|
|
+allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner sys_nice };
|
|
+dontaudit alsa_t self:capability { sys_tty_config sys_admin };
|
|
+allow alsa_t self:process { getsched setsched signal_perms };
|
|
allow alsa_t self:sem create_sem_perms;
|
|
allow alsa_t self:shm create_shm_perms;
|
|
allow alsa_t self:unix_stream_socket { accept listen };
|
|
@@ -57,6 +64,11 @@ fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
|
|
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
|
|
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
|
|
|
|
+manage_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
|
|
+manage_dirs_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
|
|
+manage_lnk_files_pattern(alsa_t, alsa_var_run_t, alsa_var_run_t)
|
|
+files_pid_filetrans(alsa_t, alsa_var_run_t, { file dir })
|
|
+
|
|
kernel_read_system_state(alsa_t)
|
|
|
|
corecmd_exec_bin(alsa_t)
|
|
@@ -67,7 +79,6 @@ dev_read_sysfs(alsa_t)
|
|
dev_read_urand(alsa_t)
|
|
dev_write_sound(alsa_t)
|
|
|
|
-files_read_usr_files(alsa_t)
|
|
files_search_var_lib(alsa_t)
|
|
|
|
term_dontaudit_use_console(alsa_t)
|
|
@@ -80,8 +91,6 @@ init_use_fds(alsa_t)
|
|
|
|
logging_send_syslog_msg(alsa_t)
|
|
|
|
-miscfiles_read_localization(alsa_t)
|
|
-
|
|
userdom_manage_unpriv_user_semaphores(alsa_t)
|
|
userdom_manage_unpriv_user_shared_mem(alsa_t)
|
|
userdom_search_user_home_dirs(alsa_t)
|
|
diff --git a/amanda.fc b/amanda.fc
|
|
index 7f4dfbc..e5c9f45 100644
|
|
--- a/amanda.fc
|
|
+++ b/amanda.fc
|
|
@@ -1,5 +1,6 @@
|
|
/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
|
|
/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
|
|
+/etc/amanda/DailySet1(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
|
|
/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
|
|
/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
|
|
# empty m4 string so the index macro is not invoked
|
|
@@ -13,6 +14,8 @@
|
|
/usr/lib/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
|
|
/usr/lib/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/amanda.* -- gen_context(system_u:object_r:amanda_unit_file_t,s0)
|
|
+
|
|
/usr/sbin/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
|
|
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
|
|
|
|
diff --git a/amanda.te b/amanda.te
|
|
index 519051c..52f2c41 100644
|
|
--- a/amanda.te
|
|
+++ b/amanda.te
|
|
@@ -9,11 +9,14 @@ attribute_role amanda_recover_roles;
|
|
roleattribute system_r amanda_recover_roles;
|
|
|
|
type amanda_t;
|
|
+type amanda_exec_t;
|
|
type amanda_inetd_exec_t;
|
|
-inetd_service_domain(amanda_t, amanda_inetd_exec_t)
|
|
+application_executable_file(amanda_exec_t)
|
|
+init_daemon_domain(amanda_t, amanda_inetd_exec_t)
|
|
+role system_r types amanda_t;
|
|
|
|
-type amanda_exec_t;
|
|
-domain_entry_file(amanda_t, amanda_exec_t)
|
|
+type amanda_unit_file_t;
|
|
+systemd_unit_file(amanda_unit_file_t)
|
|
|
|
type amanda_log_t;
|
|
logging_log_file(amanda_log_t)
|
|
@@ -60,7 +63,7 @@ optional_policy(`
|
|
#
|
|
|
|
allow amanda_t self:capability { chown dac_override setuid kill };
|
|
-allow amanda_t self:process { setpgid signal };
|
|
+allow amanda_t self:process { getsched setsched setpgid signal };
|
|
allow amanda_t self:fifo_file rw_fifo_file_perms;
|
|
allow amanda_t self:unix_stream_socket { accept listen };
|
|
allow amanda_t self:tcp_socket { accept listen };
|
|
@@ -71,6 +74,7 @@ allow amanda_t amanda_config_t:file read_file_perms;
|
|
|
|
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
|
|
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
|
|
+manage_lnk_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
|
|
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
|
|
|
|
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
|
|
@@ -100,13 +104,14 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
|
|
corecmd_exec_shell(amanda_t)
|
|
corecmd_exec_bin(amanda_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(amanda_t)
|
|
corenet_all_recvfrom_netlabel(amanda_t)
|
|
corenet_tcp_sendrecv_generic_if(amanda_t)
|
|
corenet_tcp_sendrecv_generic_node(amanda_t)
|
|
corenet_tcp_sendrecv_all_ports(amanda_t)
|
|
corenet_tcp_bind_generic_node(amanda_t)
|
|
|
|
+corenet_tcp_bind_amanda_port(amanda_t)
|
|
+
|
|
corenet_sendrecv_all_server_packets(amanda_t)
|
|
corenet_tcp_bind_all_rpc_ports(amanda_t)
|
|
corenet_tcp_bind_generic_port(amanda_t)
|
|
@@ -114,6 +119,7 @@ corenet_dontaudit_tcp_bind_all_ports(amanda_t)
|
|
|
|
dev_getattr_all_blk_files(amanda_t)
|
|
dev_getattr_all_chr_files(amanda_t)
|
|
+dev_read_urand(amanda_t)
|
|
|
|
files_read_etc_runtime_files(amanda_t)
|
|
files_list_all(amanda_t)
|
|
@@ -170,7 +176,6 @@ kernel_read_system_state(amanda_recover_t)
|
|
corecmd_exec_shell(amanda_recover_t)
|
|
corecmd_exec_bin(amanda_recover_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(amanda_recover_t)
|
|
corenet_all_recvfrom_netlabel(amanda_recover_t)
|
|
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
|
|
corenet_udp_sendrecv_generic_if(amanda_recover_t)
|
|
@@ -195,12 +200,16 @@ files_search_tmp(amanda_recover_t)
|
|
|
|
auth_use_nsswitch(amanda_recover_t)
|
|
|
|
-fstools_domtrans(amanda_t)
|
|
-fstools_signal(amanda_t)
|
|
-
|
|
logging_search_logs(amanda_recover_t)
|
|
|
|
-miscfiles_read_localization(amanda_recover_t)
|
|
-
|
|
-userdom_use_user_terminals(amanda_recover_t)
|
|
+userdom_use_inherited_user_terminals(amanda_recover_t)
|
|
userdom_search_user_home_content(amanda_recover_t)
|
|
+
|
|
+optional_policy(`
|
|
+ inetd_service_domain(amanda_t, amanda_inetd_exec_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ fstools_domtrans(amanda_t)
|
|
+ fstools_signal(amanda_t)
|
|
+')
|
|
diff --git a/amavis.fc b/amavis.fc
|
|
index 17689a7..8aa6849 100644
|
|
--- a/amavis.fc
|
|
+++ b/amavis.fc
|
|
@@ -12,8 +12,6 @@ ifdef(`distro_debian',`
|
|
/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
|
|
')
|
|
|
|
-/var/opt/f-secure(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
|
|
-
|
|
/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
|
|
|
|
/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
|
|
diff --git a/amavis.if b/amavis.if
|
|
index 60d4f8c..18ef077 100644
|
|
--- a/amavis.if
|
|
+++ b/amavis.if
|
|
@@ -54,6 +54,7 @@ interface(`amavis_read_spool_files',`
|
|
|
|
files_search_spool($1)
|
|
read_files_pattern($1, amavis_spool_t, amavis_spool_t)
|
|
+ allow $1 amavis_spool_t:dir list_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
@@ -153,6 +154,26 @@ interface(`amavis_read_lib_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Read and write amavis lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`amavis_rw_lib_files',`
|
|
+ gen_require(`
|
|
+ type amavis_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ rw_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
|
|
+ allow $1 amavis_var_lib_t:dir list_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Create, read, write, and delete
|
|
## amavis lib files.
|
|
## </summary>
|
|
@@ -234,9 +255,13 @@ interface(`amavis_admin',`
|
|
type amavis_etc_t, amavis_quarantine_t, amavis_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 amavis_t:process { ptrace signal_perms };
|
|
+ allow $1 amavis_t:process signal_perms;
|
|
ps_process_pattern($1, amavis_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 amavis_t:process ptrace;
|
|
+ ')
|
|
+
|
|
amavis_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 amavis_initrc_exec_t system_r;
|
|
diff --git a/amavis.te b/amavis.te
|
|
index 91fa72a..0b1afd6 100644
|
|
--- a/amavis.te
|
|
+++ b/amavis.te
|
|
@@ -39,7 +39,7 @@ type amavis_quarantine_t;
|
|
files_type(amavis_quarantine_t)
|
|
|
|
type amavis_spool_t;
|
|
-files_type(amavis_spool_t)
|
|
+files_spool_file(amavis_spool_t)
|
|
|
|
########################################
|
|
#
|
|
@@ -67,9 +67,12 @@ manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
|
|
manage_sock_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
|
|
filetrans_pattern(amavis_t, amavis_spool_t, amavis_var_run_t, sock_file)
|
|
|
|
+# tmp files
|
|
+manage_dirs_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
|
|
manage_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
|
|
+manage_sock_files_pattern(amavis_t, amavis_tmp_t, amavis_tmp_t)
|
|
allow amavis_t amavis_tmp_t:dir setattr_dir_perms;
|
|
-files_tmp_filetrans(amavis_t, amavis_tmp_t, file)
|
|
+files_tmp_filetrans(amavis_t, amavis_tmp_t, { file dir sock_file } )
|
|
|
|
manage_dirs_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
|
|
manage_files_pattern(amavis_t, amavis_var_lib_t, amavis_var_lib_t)
|
|
@@ -95,7 +98,6 @@ kernel_dontaudit_read_proc_symlinks(amavis_t)
|
|
corecmd_exec_bin(amavis_t)
|
|
corecmd_exec_shell(amavis_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(amavis_t)
|
|
corenet_all_recvfrom_netlabel(amavis_t)
|
|
corenet_tcp_sendrecv_generic_if(amavis_t)
|
|
corenet_udp_sendrecv_generic_if(amavis_t)
|
|
@@ -118,6 +120,7 @@ corenet_dontaudit_udp_bind_all_ports(amavis_t)
|
|
|
|
corenet_sendrecv_razor_client_packets(amavis_t)
|
|
corenet_tcp_connect_razor_port(amavis_t)
|
|
+corenet_tcp_connect_agentx_port(amavis_t)
|
|
|
|
dev_read_rand(amavis_t)
|
|
dev_read_sysfs(amavis_t)
|
|
@@ -127,7 +130,6 @@ domain_use_interactive_fds(amavis_t)
|
|
domain_dontaudit_read_all_domains_state(amavis_t)
|
|
|
|
files_read_etc_runtime_files(amavis_t)
|
|
-files_read_usr_files(amavis_t)
|
|
files_search_spool(amavis_t)
|
|
|
|
fs_getattr_xattr_fs(amavis_t)
|
|
@@ -141,14 +143,20 @@ init_stream_connect_script(amavis_t)
|
|
|
|
logging_send_syslog_msg(amavis_t)
|
|
|
|
-miscfiles_read_localization(amavis_t)
|
|
+miscfiles_read_generic_certs(amavis_t)
|
|
+
|
|
+sysnet_use_ldap(amavis_t)
|
|
|
|
userdom_dontaudit_search_user_home_dirs(amavis_t)
|
|
|
|
tunable_policy(`amavis_use_jit',`
|
|
- allow amavis_t self:process execmem;
|
|
+ allow amavis_t self:process execmem;
|
|
',`
|
|
- dontaudit amavis_t self:process execmem;
|
|
+ dontaudit amavis_t self:process execmem;
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ antivirus_domain_template(amavis_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -173,6 +181,10 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ nslcd_stream_connect(amavis_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
postfix_read_config(amavis_t)
|
|
postfix_list_spool(amavis_t)
|
|
')
|
|
diff --git a/amtu.te b/amtu.te
|
|
index 16d0d66..60abfd0 100644
|
|
--- a/amtu.te
|
|
+++ b/amtu.te
|
|
@@ -24,11 +24,10 @@ kernel_read_system_state(amtu_t)
|
|
|
|
files_manage_boot_files(amtu_t)
|
|
files_read_etc_runtime_files(amtu_t)
|
|
-files_read_etc_files(amtu_t)
|
|
|
|
logging_send_audit_msgs(amtu_t)
|
|
|
|
-userdom_use_user_terminals(amtu_t)
|
|
+userdom_use_inherited_user_terminals(amtu_t)
|
|
|
|
optional_policy(`
|
|
nscd_dontaudit_search_pid(amtu_t)
|
|
diff --git a/anaconda.te b/anaconda.te
|
|
index aa44abf..16a6342 100644
|
|
--- a/anaconda.te
|
|
+++ b/anaconda.te
|
|
@@ -4,6 +4,10 @@ gen_require(`
|
|
class passwd all_passwd_perms;
|
|
')
|
|
|
|
+gen_require(`
|
|
+ class passwd { passwd chfn chsh rootok crontab };
|
|
+')
|
|
+
|
|
########################################
|
|
#
|
|
# Declarations
|
|
@@ -34,8 +38,9 @@ modutils_domtrans_insmod(anaconda_t)
|
|
modutils_domtrans_depmod(anaconda_t)
|
|
|
|
seutil_domtrans_semanage(anaconda_t)
|
|
+seutil_domtrans_setsebool(anaconda_t)
|
|
|
|
-userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
|
|
+userdom_filetrans_home_content(anaconda_t)
|
|
|
|
optional_policy(`
|
|
rpm_domtrans(anaconda_t)
|
|
diff --git a/antivirus.fc b/antivirus.fc
|
|
new file mode 100644
|
|
index 0000000..e44bff0
|
|
--- /dev/null
|
|
+++ b/antivirus.fc
|
|
@@ -0,0 +1,43 @@
|
|
+/etc/amavis(d)?\.conf -- gen_context(system_u:object_r:antivirus_conf_t,s0)
|
|
+/etc/amavisd(/.*)? gen_context(system_u:object_r:antivirus_conf_t,s0)
|
|
+
|
|
+/etc/rc\.d/init\.d/amavis -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/amavisd-snmp -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/clamd.* -- gen_context(system_u:object_r:antivirus_initrc_exec_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:antivirus_unit_file_t,s0)
|
|
+
|
|
+/usr/lib/AntiVir/antivir -- gen_context(system_u:object_r:antivirus_exec_t,s0)
|
|
+
|
|
+/usr/sbin/amavisd.* -- gen_context(system_u:object_r:antivirus_exec_t,s0)
|
|
+/usr/bin/clamscan -- gen_context(system_u:object_r:antivirus_exec_t,s0)
|
|
+/usr/bin/clamdscan -- gen_context(system_u:object_r:antivirus_exec_t,s0)
|
|
+/usr/bin/freshclam -- gen_context(system_u:object_r:antivirus_exec_t,s0)
|
|
+
|
|
+/usr/sbin/clamd -- gen_context(system_u:object_r:antivirus_exec_t,s0)
|
|
+/usr/sbin/clamav-milter -- gen_context(system_u:object_r:antivirus_exec_t,s0)
|
|
+
|
|
+/var/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
|
|
+
|
|
+
|
|
+/var/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
|
|
+/var/lib/amavis(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
|
|
+/var/lib/clamav(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
|
|
+/var/lib/clamd.* gen_context(system_u:object_r:antivirus_db_t,s0)
|
|
+/var/opt/f-secure(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
|
|
+/var/spool/amavisd(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
|
|
+/var/virusmails(/.*)? gen_context(system_u:object_r:antivirus_db_t,s0)
|
|
+
|
|
+/var/log/amavisd\.log.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
|
|
+/var/log/clamav.* gen_context(system_u:object_r:antivirus_log_t,s0)
|
|
+/var/log/freshclam.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
|
|
+/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:antivirus_log_t,s0)
|
|
+/var/log/clamd.* gen_context(system_u:object_r:antivirus_log_t,s0)
|
|
+
|
|
+/var/run/amavis(d)?(/.*)? gen_context(system_u:object_r:antivirus_var_run_t,s0)
|
|
+/var/run/amavisd-snmp-subagent\.pid -- gen_context(system_u:object_r:antivirus_var_run_t,s0)
|
|
+
|
|
+/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:antivirus_var_run_t,s0)
|
|
+/var/run/clamav.* gen_context(system_u:object_r:antivirus_var_run_t,s0)
|
|
+/var/run/clamd.* gen_context(system_u:object_r:antivirus_var_run_t,s0)
|
|
+
|
|
diff --git a/antivirus.if b/antivirus.if
|
|
new file mode 100644
|
|
index 0000000..df5b3be
|
|
--- /dev/null
|
|
+++ b/antivirus.if
|
|
@@ -0,0 +1,322 @@
|
|
+## <summary>SELinux policy for antivirus programs - amavis, clamd, freshclam and clamscan</summary>
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Creates types and rules for a basic
|
|
+## antivirus domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Prefix for the domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`antivirus_domain_template',`
|
|
+ gen_require(`
|
|
+ attribute antivirus_domain;
|
|
+ ')
|
|
+
|
|
+ typeattribute $1 antivirus_domain;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute a domain transition to run antivirus program.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`antivirus_domtrans',`
|
|
+ gen_require(`
|
|
+ type antivirus_t, antivirus_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, antivirus_exec_t, antivirus_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute antivirus program without a transition.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`antivirus_exec',`
|
|
+ gen_require(`
|
|
+ type antivirus_exec_t;
|
|
+ ')
|
|
+
|
|
+ can_exec($1, antivirus_exec_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Connect to run antivirus program.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`antivirus_stream_connect',`
|
|
+ gen_require(`
|
|
+ type antivirus_t, antivirus_db_t, antivirus_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, antivirus_var_run_t, antivirus_var_run_t, antivirus_t)
|
|
+ stream_connect_pattern($1, antivirus_db_t, antivirus_db_t, antivirus_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow the specified domain to append
|
|
+## to antivirus log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`antivirus_append_log',`
|
|
+ gen_require(`
|
|
+ type antivirus_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ allow $1 antivirus_log_t:dir list_dir_perms;
|
|
+ append_files_pattern($1, antivirus_log_t, antivirus_log_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Read antivirus configuration files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`antivirus_read_config',`
|
|
+ gen_require(`
|
|
+ type antivirus_conf_t;
|
|
+ ')
|
|
+
|
|
+ files_search_etc($1)
|
|
+ allow $1 antivirus_conf_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Search antivirus db content directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`antivirus_search_db',`
|
|
+ gen_require(`
|
|
+ type antivirus_db_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ files_search_spool($1)
|
|
+ allow $1 antivirus_db_t:dir search_dir_perms;
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Read antivirus db content directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`antivirus_read_db',`
|
|
+ gen_require(`
|
|
+ type antivirus_db_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ files_search_spool($1)
|
|
+ read_files_pattern($1, antivirus_db_t, antivirus_db_t)
|
|
+ read_lnk_files_pattern($1, antivirus_db_t, antivirus_db_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Read and write antivirus db content directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`antivirus_rw_db',`
|
|
+ gen_require(`
|
|
+ type antivirus_db_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ files_search_spool($1)
|
|
+ write_files_pattern($1, antivirus_db_t, antivirus_db_t)
|
|
+')
|
|
+
|
|
+####################################
|
|
+## <summary>
|
|
+## Manage antivirus db content directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`antivirus_manage_db',`
|
|
+ gen_require(`
|
|
+ type antivirus_db_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ files_search_spool($1)
|
|
+ manage_files_pattern($1, antivirus_db_t, antivirus_db_t)
|
|
+ manage_dirs_pattern($1, antivirus_db_t, antivirus_db_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Manage antivirus pid content.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`antivirus_manage_pid',`
|
|
+ gen_require(`
|
|
+ type antivirus_var_run_t;
|
|
+ ')
|
|
+
|
|
+ manage_dirs_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
|
|
+ manage_files_pattern($1, antivirus_var_run_t, antivirus_var_run_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Read antivirus state files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`antivirus_read_state_clamd',`
|
|
+ gen_require(`
|
|
+ type antivirus_t;
|
|
+ ')
|
|
+
|
|
+ kernel_search_proc($1)
|
|
+ ps_process_pattern($1, antivirus_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Execute antivirus server in the antivirus domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`antivirus_systemctl',`
|
|
+ gen_require(`
|
|
+ type antivirus_t;
|
|
+ type antivirus_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ allow $1 antivirus_unit_file_t:file read_file_perms;
|
|
+ allow $1 antivirus_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, antivirus_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an antivirus programs environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed to manage the clamav domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`antivirus_admin',`
|
|
+ gen_require(`
|
|
+ attribute antivirus_domain;
|
|
+ type antivirus_t, antivirus_conf_t, antivirus_tmp_t;
|
|
+ type antivirus_log_t, antivirus_db_t, antivirus_var_run_t;
|
|
+ type antivirus_initrc_exec_t, antivirus_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 antivirus_t:process signal_perms;
|
|
+ ps_process_pattern($1, antivirus_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 antivirus_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, antivirus_initrc_exec_t)
|
|
+ domain_system_change_exemption($1)
|
|
+ role_transition $2 antivirus_initrc_exec_t system_r;
|
|
+ allow $2 system_r;
|
|
+
|
|
+ antivirus_systemctl($1)
|
|
+ admin_pattern($1, antivirus_unit_file_t)
|
|
+ allow $1 antivirus_unit_file_t:service all_service_perms;
|
|
+
|
|
+ files_list_etc($1)
|
|
+ admin_pattern($1, antivirus_conf_t)
|
|
+
|
|
+ files_list_var_lib($1)
|
|
+ admin_pattern($1, antivirus_db_t)
|
|
+
|
|
+ logging_list_logs($1)
|
|
+ admin_pattern($1, antivirus_log_t)
|
|
+
|
|
+ files_list_pids($1)
|
|
+ admin_pattern($1, antivirus_var_run_t)
|
|
+
|
|
+ files_list_tmp($1)
|
|
+ admin_pattern($1, antivirus_tmp_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+')
|
|
diff --git a/antivirus.te b/antivirus.te
|
|
new file mode 100644
|
|
index 0000000..8ba9c95
|
|
--- /dev/null
|
|
+++ b/antivirus.te
|
|
@@ -0,0 +1,274 @@
|
|
+policy_module(antivirus, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow antivirus programs to read non security files on a system
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(antivirus_can_scan_system, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Determine whether can antivirus programs use JIT compiler.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(antivirus_use_jit, false)
|
|
+
|
|
+attribute antivirus_domain;
|
|
+
|
|
+type antivirus_t;
|
|
+type antivirus_exec_t;
|
|
+typeattribute antivirus_t antivirus_domain;
|
|
+typealias antivirus_t alias { amavis_t clamd_t clamscan_t freshclam_t } ;
|
|
+typealias antivirus_exec_t alias { amavis_exec_t clamd_exec_t clamscan_exec_t freshclam_exec_t };
|
|
+init_daemon_domain(antivirus_t, antivirus_exec_t)
|
|
+
|
|
+type antivirus_initrc_exec_t;
|
|
+typealias antivirus_initrc_exec_t alias { clamd_initrc_exec_t amavis_initrc_exec_t };
|
|
+init_script_file(antivirus_initrc_exec_t)
|
|
+
|
|
+type antivirus_unit_file_t;
|
|
+typealias antivirus_unit_file_t alias { clamd_unit_file_t };
|
|
+systemd_unit_file(antivirus_unit_file_t)
|
|
+
|
|
+type antivirus_conf_t;
|
|
+typealias antivirus_conf_t alias { clamd_etc_t };
|
|
+files_config_file(antivirus_conf_t)
|
|
+
|
|
+type antivirus_var_run_t;
|
|
+typealias antivirus_var_run_t alias { amavis_var_run_t clamd_var_run_t clamd_sock_t };
|
|
+files_pid_file(antivirus_var_run_t)
|
|
+
|
|
+type antivirus_log_t;
|
|
+typealias antivirus_log_t alias { amavis_var_log_t clamd_var_log_t freshclam_var_log_t };
|
|
+logging_log_file(antivirus_log_t)
|
|
+
|
|
+type antivirus_db_t;
|
|
+typealias antivirus_db_t alias { amavis_var_lib_t amavis_quarantine_t amavis_spool_t clamd_var_lib_t };
|
|
+files_type(antivirus_db_t)
|
|
+
|
|
+type antivirus_home_t;
|
|
+userdom_user_home_content(antivirus_home_t)
|
|
+
|
|
+type antivirus_tmp_t;
|
|
+typealias antivirus_tmp_t alias { amavis_tmp_t clamd_tmp_t clamscan_tmp_t };
|
|
+files_tmp_file(antivirus_tmp_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# antivirus domain local policy
|
|
+#
|
|
+
|
|
+allow antivirus_domain self:capability { dac_override chown kill setgid setuid };
|
|
+dontaudit antivirus_domain self:capability sys_tty_config;
|
|
+allow antivirus_domain self:process signal_perms;
|
|
+
|
|
+allow antivirus_domain self:fifo_file rw_fifo_file_perms;
|
|
+allow antivirus_domain self:unix_stream_socket { accept connectto listen };
|
|
+allow antivirus_domain self:tcp_socket { listen accept };
|
|
+
|
|
+allow antivirus_domain antivirus_conf_t:dir list_dir_perms;
|
|
+read_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
|
|
+read_lnk_files_pattern(antivirus_domain, antivirus_conf_t, antivirus_conf_t)
|
|
+
|
|
+manage_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
|
|
+manage_dirs_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
|
|
+manage_lnk_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
|
|
+manage_sock_files_pattern(antivirus_domain, antivirus_db_t, antivirus_db_t)
|
|
+
|
|
+manage_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
|
|
+manage_dirs_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
|
|
+manage_lnk_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
|
|
+manage_sock_files_pattern(antivirus_domain, antivirus_home_t, antivirus_home_t)
|
|
+
|
|
+manage_dirs_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
|
|
+manage_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
|
|
+manage_sock_files_pattern(antivirus_domain, antivirus_tmp_t, antivirus_tmp_t)
|
|
+files_tmp_filetrans(antivirus_domain, antivirus_tmp_t, { file dir sock_file } )
|
|
+
|
|
+manage_dirs_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
|
|
+manage_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
|
|
+manage_sock_files_pattern(antivirus_domain, antivirus_log_t, antivirus_log_t)
|
|
+logging_log_filetrans(antivirus_domain, antivirus_log_t, { sock_file file dir })
|
|
+
|
|
+manage_dirs_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
|
|
+manage_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
|
|
+manage_sock_files_pattern(antivirus_domain, antivirus_var_run_t, antivirus_var_run_t)
|
|
+files_pid_filetrans(antivirus_domain, antivirus_var_run_t, {file})
|
|
+
|
|
+can_exec(antivirus_domain, antivirus_exec_t)
|
|
+
|
|
+kernel_read_network_state(antivirus_t)
|
|
+kernel_read_net_sysctls(antivirus_t)
|
|
+kernel_read_kernel_sysctls(antivirus_domain)
|
|
+kernel_read_sysctl(antivirus_domain)
|
|
+kernel_read_system_state(antivirus_t)
|
|
+
|
|
+corecmd_exec_bin(antivirus_domain)
|
|
+corecmd_exec_shell(antivirus_domain)
|
|
+
|
|
+corenet_all_recvfrom_netlabel(antivirus_t)
|
|
+corenet_tcp_sendrecv_generic_if(antivirus_t)
|
|
+corenet_udp_sendrecv_generic_if(antivirus_t)
|
|
+corenet_tcp_sendrecv_generic_node(antivirus_domain)
|
|
+corenet_udp_sendrecv_generic_node(antivirus_domain)
|
|
+corenet_tcp_sendrecv_all_ports(antivirus_domain)
|
|
+corenet_udp_sendrecv_all_ports(antivirus_domain)
|
|
+corenet_tcp_bind_generic_node(antivirus_domain)
|
|
+corenet_udp_bind_generic_node(antivirus_domain)
|
|
+
|
|
+corenet_sendrecv_amavisd_send_client_packets(antivirus_domain)
|
|
+corenet_tcp_connect_amavisd_send_port(antivirus_domain)
|
|
+
|
|
+corenet_sendrecv_amavisd_recv_server_packets(antivirus_domain)
|
|
+corenet_tcp_bind_amavisd_recv_port(antivirus_domain)
|
|
+
|
|
+corenet_sendrecv_generic_server_packets(antivirus_domain)
|
|
+corenet_udp_bind_generic_port(antivirus_domain)
|
|
+corenet_dontaudit_udp_bind_all_ports(antivirus_domain)
|
|
+
|
|
+corenet_sendrecv_razor_client_packets(antivirus_domain)
|
|
+corenet_tcp_connect_razor_port(antivirus_domain)
|
|
+corenet_tcp_connect_agentx_port(antivirus_domain)
|
|
+
|
|
+corenet_tcp_connect_clamd_port(antivirus_domain)
|
|
+
|
|
+corenet_sendrecv_clamd_server_packets(antivirus_domain)
|
|
+corenet_tcp_bind_clamd_port(antivirus_domain)
|
|
+
|
|
+corenet_sendrecv_http_client_packets(antivirus_domain)
|
|
+corenet_tcp_connect_http_port(antivirus_domain)
|
|
+corenet_tcp_sendrecv_http_port(antivirus_domain)
|
|
+
|
|
+corenet_sendrecv_http_cache_client_packets(antivirus_domain)
|
|
+corenet_tcp_connect_http_cache_port(antivirus_domain)
|
|
+corenet_tcp_sendrecv_http_cache_port(antivirus_domain)
|
|
+
|
|
+#support for MySQL/PostgreSQL
|
|
+corenet_tcp_connect_mysqld_port(antivirus_domain)
|
|
+corenet_tcp_connect_postgresql_port(antivirus_domain)
|
|
+
|
|
+corenet_sendrecv_snmp_client_packets(antivirus_domain)
|
|
+corenet_tcp_connect_snmp_port(antivirus_domain)
|
|
+
|
|
+corenet_sendrecv_squid_client_packets(antivirus_domain)
|
|
+corenet_tcp_connect_squid_port(antivirus_domain)
|
|
+corenet_tcp_sendrecv_squid_port(antivirus_domain)
|
|
+
|
|
+dev_read_rand(antivirus_domain)
|
|
+dev_read_sysfs(antivirus_domain)
|
|
+dev_read_urand(antivirus_domain)
|
|
+
|
|
+domain_dontaudit_read_all_domains_state(antivirus_domain)
|
|
+
|
|
+files_read_etc_runtime_files(antivirus_domain)
|
|
+files_search_spool(antivirus_domain)
|
|
+
|
|
+fs_getattr_xattr_fs(antivirus_domain)
|
|
+
|
|
+auth_use_nsswitch(antivirus_t)
|
|
+auth_dontaudit_read_shadow(antivirus_domain)
|
|
+
|
|
+init_read_state(antivirus_domain)
|
|
+init_read_utmp(antivirus_domain)
|
|
+init_stream_connect_script(antivirus_domain)
|
|
+init_dontaudit_write_utmp(antivirus_domain)
|
|
+
|
|
+logging_send_syslog_msg(antivirus_t)
|
|
+
|
|
+miscfiles_read_generic_certs(antivirus_domain)
|
|
+
|
|
+sysnet_use_ldap(antivirus_domain)
|
|
+
|
|
+userdom_stream_connect(antivirus_domain)
|
|
+userdom_dontaudit_search_user_home_dirs(antivirus_domain)
|
|
+
|
|
+tunable_policy(`antivirus_can_scan_system',`
|
|
+ files_read_non_security_files(antivirus_domain)
|
|
+ #files_dontaudit_read_all_non_security_files(antivirus_domain)
|
|
+ files_dontaudit_read_security_files(antivirus_domain)
|
|
+ files_getattr_all_pipes(antivirus_domain)
|
|
+ files_getattr_all_sockets(antivirus_domain)
|
|
+ dev_getattr_all_blk_files(antivirus_domain)
|
|
+ dev_getattr_all_chr_files(antivirus_domain)
|
|
+')
|
|
+
|
|
+tunable_policy(`antivirus_use_jit',`
|
|
+ allow antivirus_domain self:process execmem;
|
|
+ allow antivirus_domain self:process execmem;
|
|
+',`
|
|
+ dontaudit antivirus_domain self:process execmem;
|
|
+ dontaudit antivirus_domain self:process execmem;
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ apache_read_sys_content(antivirus_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ antivirus_systemctl(antivirus_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ cron_system_entry(antivirus_t, antivirus_exec_t)
|
|
+ cron_use_fds(antivirus_domain)
|
|
+ cron_use_system_job_fds(antivirus_domain)
|
|
+ cron_rw_pipes(antivirus_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dcc_domtrans_client(antivirus_domain)
|
|
+ dcc_stream_connect_dccifd(antivirus_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ exim_read_spool_files(antivirus_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mta_read_config(antivirus_domain)
|
|
+ mta_read_queue(antivirus_domain)
|
|
+ mta_send_mail(antivirus_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ nslcd_stream_connect(antivirus_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mysql_stream_connect(antivirus_domain)
|
|
+ corenet_tcp_connect_mysqld_port(antivirus_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ postfix_read_config(antivirus_domain)
|
|
+ postfix_list_spool(antivirus_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ pyzor_domtrans(antivirus_domain)
|
|
+ pyzor_signal(antivirus_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ razor_domtrans(antivirus_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ snmp_manage_var_lib_dirs(antivirus_domain)
|
|
+ snmp_manage_var_lib_files(antivirus_domain)
|
|
+ snmp_stream_connect(antivirus_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ spamd_stream_connect(clamd_t)
|
|
+ spamassassin_exec(antivirus_domain)
|
|
+ spamassassin_exec_client(antivirus_domain)
|
|
+ spamassassin_read_lib_files(antivirus_domain)
|
|
+ spamassassin_read_pid_files(antivirus_domain)
|
|
+')
|
|
diff --git a/apache.fc b/apache.fc
|
|
index 7caefc3..ddfe9a9 100644
|
|
--- a/apache.fc
|
|
+++ b/apache.fc
|
|
@@ -1,162 +1,189 @@
|
|
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
|
-HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
|
|
+HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
|
+HOME_DIR/((www)|(web)|(public_html))/cgi-bin(/.+)? gen_context(system_u:object_r:httpd_user_script_exec_t,s0)
|
|
HOME_DIR/((www)|(web)|(public_html))(/.*)?/\.htaccess -- gen_context(system_u:object_r:httpd_user_htaccess_t,s0)
|
|
HOME_DIR/((www)|(web)|(public_html))(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_user_ra_content_t,s0)
|
|
|
|
-/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
|
-/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
|
-/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
|
-/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
-/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
-/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
-/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
|
-/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
|
|
-/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
|
|
-/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
|
|
-/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
|
-/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
-/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
-
|
|
-/etc/rc\.d/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
|
|
+/etc/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
|
+/etc/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
|
+/etc/cherokee(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
|
+/etc/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/etc/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/etc/horde(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/etc/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
+/etc/httpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
|
+/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0)
|
|
+/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
|
|
+/etc/init\.d/cherokee -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
|
|
+/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
|
+/etc/mock/koji(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/etc/nginx(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
|
/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
|
|
/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0)
|
|
|
|
-/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
|
|
-/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
-/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
|
|
+/etc/WebCalendar(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/etc/zabbix/web(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/etc/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
|
|
-/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
-/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
+/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
+/opt/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
+/usr/lib/systemd/system/httpd.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/jetty.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/php-fpm.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/nginx.* -- gen_context(system_u:object_r:httpd_unit_file_t,s0)
|
|
|
|
-/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
-/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
+/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
|
|
|
|
-/usr/.*\.cgi -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
+/srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
+/srv/([^/]*/)?www/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/srv/gallery2(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
+/srv/gallery2/smarty(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
|
|
-/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
|
|
-/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
+/usr/bin/htsslpass -- gen_context(system_u:object_r:httpd_helper_exec_t,s0)
|
|
+/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
|
|
-/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
-/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
|
-/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
|
-/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
|
-/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
-/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
|
-/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
|
-/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
-/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
|
-/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
|
+/usr/share/jetty/bin/jetty.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
|
|
-/usr/libexec/httpd-ssl-pass-dialog -- gen_context(system_u:object_r:httpd_passwd_exec_t,s0)
|
|
+/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
+/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
+/usr/lib/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
|
+/usr/lib/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
|
+/usr/lib/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
|
+/usr/lib/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
|
+/usr/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
|
+/usr/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
|
+/usr/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
|
|
|
|
-/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
+/usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
/usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
-/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
-/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
+/usr/sbin/cherokee -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
+/usr/sbin/httpd\.event -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
/usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
-/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
-/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
|
|
-/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
|
-
|
|
-ifdef(`distro_suse',`
|
|
-/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
+/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
+/usr/sbin/nginx -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
+/usr/sbin/php-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
+/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
|
|
+/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
|
|
+
|
|
+ifdef(`distro_suse', `
|
|
+/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
')
|
|
|
|
-/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
-/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
-/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
-/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
-/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
-/usr/share/jetty/bin/jetty\.sh -- gen_context(system_u:object_r:httpd_exec_t,s0)
|
|
-/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
-/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
-/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
-/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
-/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
-/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
-/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
-/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
-/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
-/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
-/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
-/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
-/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
-
|
|
-/var/cache/apache2(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
-/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
-/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
-/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
-/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
-/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
-/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
-/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
-/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
-/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
+/usr/share/drupal.* gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
+/usr/share/doc/ghc/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
+
|
|
+/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
+/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
+/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
+/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
+/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
+/usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
+/usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
+/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/usr/share/wordpress/wp-content/upgrade(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/usr/share/wordpress/wp-includes/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
+/usr/share/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
+
|
|
+/var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
+/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
+/var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
+/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
+/var/cache/mod_.* gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
+/var/cache/mod_gnutls(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
+/var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
+/var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
+/var/cache/php-.* gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
/var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
-/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
-/var/cache/rt3(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
-/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
-
|
|
-/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
-/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
|
-/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
|
-/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
|
-/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
-/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
-/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
-/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
|
-/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
|
-/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
-/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
-/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
|
+/var/cache/php-mmcache(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
+/var/cache/rt(3|4)(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
+/var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0)
|
|
+
|
|
+/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
+/var/lib/cherokee(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
|
+/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
|
+/var/lib/php(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
|
+/var/lib/dokuwiki(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/var/lib/drupal.* gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
+/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
|
+/var/lib/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
|
+/var/lib/moodle(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/var/lib/mod_security(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
|
+/var/lib/nginx(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
|
+/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
+/var/lib/php/wsdlcache(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
+
|
|
/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
|
|
-/var/lib/stickshift/.httpd.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
|
-/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
-/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
-/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
-
|
|
-/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
-/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
-/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
-/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
|
|
-/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
-/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
-/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
-/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
-/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
-/var/log/piranha(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/var/lib/openshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
|
+/var/lib/openshift/\.log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/var/lib/owncloud(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/var/lib/rt(3|4)/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
|
+/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
|
|
+/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
+/var/lib/z-push(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
|
+
|
|
+/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/var/log/cherokee(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/var/log/nginx(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/var/log/php-fpm(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
|
|
-/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+ifdef(`distro_debian', `
|
|
+/var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+')
|
|
|
|
-/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
-/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
-/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
-/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
-/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
-/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
-/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
-/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
-/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
|
|
-
|
|
-/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
-/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
|
|
-/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
|
|
-
|
|
-/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
-/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
|
|
-/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
-/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
-/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
+/var/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
+/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
+/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
+/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
+/var/run/nginx.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
+/var/run/php-fpm(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
+/var/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
|
|
+
|
|
+/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
|
|
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
|
|
+
|
|
+/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
+/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/var/www/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
+/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
-/var/www/html/[^/]*/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
|
|
-/var/www/html/[^/]*/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
|
|
-/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
-/var/www/html/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
-/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
-/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
|
|
-/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
-/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
-/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
-/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
-/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
+/var/www/html(/.*)?/sites/default/settings\.php -- gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
|
|
+/var/www/html(/.*)?/sites/default/files(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
|
|
+/var/www/html/configuration\.php gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/var/www/html(/.*)?/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/var/www/icons(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
+/var/www/miq/vmdb/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/var/www/moodledata(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/var/www/moodle/data(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/var/www/openshift/console/tmp(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
|
|
+/var/www/openshift/console/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/var/www/openshift/broker/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/var/www/openshift/console/httpd/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/var/www/openshift/broker/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
+/var/www/openshift/console/httpd/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
+/var/www/perl(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
+/var/www/stickshift/[^/]*/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
|
|
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
|
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
|
+
|
|
+/var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
|
+/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
+/opt/dirsrv/var/run/dirsrv/dsgw/cookies(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
|
|
+
|
|
diff --git a/apache.if b/apache.if
|
|
index f6eb485..fac6fe5 100644
|
|
--- a/apache.if
|
|
+++ b/apache.if
|
|
@@ -1,9 +1,9 @@
|
|
-## <summary>Various web servers.</summary>
|
|
+## <summary>Apache web server</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create a set of derived types for
|
|
-## httpd web content.
|
|
+## Create a set of derived types for apache
|
|
+## web content.
|
|
## </summary>
|
|
## <param name="prefix">
|
|
## <summary>
|
|
@@ -13,118 +13,101 @@
|
|
#
|
|
template(`apache_content_template',`
|
|
gen_require(`
|
|
- attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
|
|
- attribute httpd_script_domains, httpd_htaccess_type;
|
|
- type httpd_t, httpd_suexec_t;
|
|
+ attribute httpd_exec_scripts, httpd_script_exec_type;
|
|
+ type httpd_t, httpd_suexec_t, httpd_log_t;
|
|
+ type httpd_sys_content_t;
|
|
+ attribute httpd_script_type, httpd_content_type;
|
|
')
|
|
|
|
- ########################################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
-
|
|
- ## <desc>
|
|
- ## <p>
|
|
- ## Determine whether the script domain can
|
|
- ## modify public files used for public file
|
|
- ## transfer services. Directories/Files must
|
|
- ## be labeled public_content_rw_t.
|
|
- ## </p>
|
|
- ## </desc>
|
|
- gen_tunable(allow_httpd_$1_script_anon_write, false)
|
|
-
|
|
- type httpd_$1_content_t, httpdcontent; # customizable
|
|
+ #This type is for webpages
|
|
+ type httpd_$1_content_t; # customizable;
|
|
+ typeattribute httpd_$1_content_t httpd_content_type;
|
|
typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
|
|
files_type(httpd_$1_content_t)
|
|
|
|
- type httpd_$1_htaccess_t, httpd_htaccess_type; # customizable;
|
|
+ # This type is used for .htaccess files
|
|
+ type httpd_$1_htaccess_t, httpd_content_type; # customizable;
|
|
+ typeattribute httpd_$1_htaccess_t httpd_content_type;
|
|
files_type(httpd_$1_htaccess_t)
|
|
|
|
- type httpd_$1_script_t, httpd_script_domains;
|
|
+ # Type that CGI scripts run as
|
|
+ type httpd_$1_script_t, httpd_script_type;
|
|
domain_type(httpd_$1_script_t)
|
|
role system_r types httpd_$1_script_t;
|
|
|
|
+ kernel_read_system_state(httpd_$1_script_t)
|
|
+
|
|
+ # This type is used for executable scripts files
|
|
type httpd_$1_script_exec_t, httpd_script_exec_type; # customizable;
|
|
- corecmd_shell_entry_type(httpd_$1_script_t)
|
|
+ typeattribute httpd_$1_script_exec_t httpd_content_type;
|
|
domain_entry_file(httpd_$1_script_t, httpd_$1_script_exec_t)
|
|
|
|
- type httpd_$1_rw_content_t, httpdcontent; # customizable
|
|
+ type httpd_$1_rw_content_t; # customizable
|
|
+ typeattribute httpd_$1_rw_content_t httpd_content_type;
|
|
typealias httpd_$1_rw_content_t alias { httpd_$1_script_rw_t httpd_$1_content_rw_t };
|
|
files_type(httpd_$1_rw_content_t)
|
|
|
|
- type httpd_$1_ra_content_t, httpdcontent; # customizable
|
|
+ type httpd_$1_ra_content_t, httpd_content_type; # customizable
|
|
+ typeattribute httpd_$1_ra_content_t httpd_content_type;
|
|
typealias httpd_$1_ra_content_t alias { httpd_$1_script_ra_t httpd_$1_content_ra_t };
|
|
files_type(httpd_$1_ra_content_t)
|
|
|
|
- ########################################
|
|
- #
|
|
- # Policy
|
|
- #
|
|
+ # Allow the script process to search the cgi directory, and users directory
|
|
+ allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
|
|
|
|
can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
|
|
+ allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
|
|
|
|
- allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
|
|
- allow httpd_$1_script_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
|
|
- allow httpd_$1_script_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
|
|
+ allow httpd_$1_script_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms };
|
|
+ read_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
|
+ append_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
|
+ create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
|
+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
|
|
|
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:dir list_dir_perms;
|
|
- allow httpd_$1_script_t httpd_$1_content_t:file read_file_perms;
|
|
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
|
|
+ allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
|
|
+ read_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
|
|
+ read_lnk_files_pattern(httpd_$1_script_t, httpd_$1_content_t, httpd_$1_content_t)
|
|
|
|
manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
- files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
|
|
-
|
|
- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
|
|
- allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
|
|
- allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
|
|
-
|
|
- tunable_policy(`allow_httpd_$1_script_anon_write',`
|
|
- miscfiles_manage_public_files(httpd_$1_script_t)
|
|
- ')
|
|
|
|
+ # Allow the web server to run scripts and serve pages
|
|
tunable_policy(`httpd_builtin_scripting',`
|
|
manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
- manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
- manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
+ rw_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
|
|
|
|
- allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
|
|
- allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
|
|
- allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
|
|
- ')
|
|
+ allow httpd_t httpd_$1_ra_content_t:dir { add_entry_dir_perms };
|
|
+ read_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
|
+ append_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
|
+ create_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
|
+ read_lnk_files_pattern(httpd_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)
|
|
|
|
- tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
|
|
- can_exec(httpd_t, httpd_$1_rw_content_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi',`
|
|
allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
|
|
- domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
|
|
- ')
|
|
|
|
- tunable_policy(`httpd_enable_cgi && httpd_tmp_exec',`
|
|
- can_exec(httpd_$1_script_t, httpd_$1_rw_content_t)
|
|
- ')
|
|
+ domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
|
|
|
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file entrypoint;
|
|
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:dir manage_dir_perms;
|
|
- allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_ra_content_t }:file manage_file_perms;
|
|
- ')
|
|
+ # privileged users run the script:
|
|
+ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
|
|
+
|
|
+ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
|
|
|
|
- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
|
|
- filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
|
|
+ # apache runs the script:
|
|
+ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
|
|
+ allow httpd_t httpd_$1_script_t:unix_dgram_socket sendto;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Role access for apache.
|
|
+## Role access for apache
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
@@ -133,47 +116,61 @@ template(`apache_content_template',`
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## User domain for the role.
|
|
+## User domain for the role
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`apache_role',`
|
|
gen_require(`
|
|
attribute httpdcontent;
|
|
- type httpd_user_content_t, httpd_user_htaccess_t;
|
|
- type httpd_user_script_t, httpd_user_script_exec_t;
|
|
- type httpd_user_ra_content_t, httpd_user_rw_content_t;
|
|
+ type httpd_user_content_t, httpd_user_htaccess_t, httpd_user_script_t;
|
|
+ type httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t;
|
|
')
|
|
|
|
role $1 types httpd_user_script_t;
|
|
|
|
- allow $2 httpd_user_htaccess_t:file { manage_file_perms relabel_file_perms };
|
|
-
|
|
- allow $2 httpd_user_content_t:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 httpd_user_content_t:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 httpd_user_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
-
|
|
- allow $2 httpd_user_ra_content_t:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 httpd_user_ra_content_t:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 httpd_user_ra_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
-
|
|
- allow $2 httpd_user_rw_content_t:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 httpd_user_rw_content_t:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 httpd_user_rw_content_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
-
|
|
- allow $2 httpd_user_script_exec_t:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 httpd_user_script_exec_t:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 httpd_user_script_exec_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
-
|
|
- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "public_html")
|
|
- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "web")
|
|
- userdom_user_home_dir_filetrans($2, httpd_user_content_t, dir, "www")
|
|
-
|
|
- filetrans_pattern($2, httpd_user_content_t, httpd_user_htaccess_t, file, ".htaccess")
|
|
- filetrans_pattern($2, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
|
|
- filetrans_pattern($2, httpd_user_content_t, httpd_user_ra_content_t, dir, "logs")
|
|
+ allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
|
|
+
|
|
+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
|
|
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
|
|
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
|
|
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
|
|
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
|
|
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
|
|
+
|
|
+ manage_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
|
+ manage_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
|
+ manage_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
|
+ relabel_dirs_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
|
+ relabel_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
|
+ relabel_lnk_files_pattern($2, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
|
+
|
|
+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
|
|
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
|
|
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
|
|
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
|
|
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
|
|
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
|
|
+
|
|
+ manage_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
|
+ manage_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
|
+ manage_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
|
+ relabel_dirs_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
|
+ relabel_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
|
+ relabel_lnk_files_pattern($2, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
|
+
|
|
+ manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
|
+ manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
|
+ manage_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
|
+ relabel_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
|
+ relabel_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
|
+ relabel_lnk_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
|
+
|
|
+ apache_exec_modules($2)
|
|
+ apache_filetrans_home_content($2)
|
|
|
|
tunable_policy(`httpd_enable_cgi',`
|
|
+ # If a user starts a script by hand it gets the proper context
|
|
domtrans_pattern($2, httpd_user_script_exec_t, httpd_user_script_t)
|
|
')
|
|
|
|
@@ -184,7 +181,7 @@ interface(`apache_role',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read user httpd script executable files.
|
|
+## Read httpd user scripts executables.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -204,7 +201,7 @@ interface(`apache_read_user_scripts',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read user httpd content.
|
|
+## Read user web content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -224,7 +221,7 @@ interface(`apache_read_user_content',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute httpd with a domain transition.
|
|
+## Transition to apache.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -241,27 +238,47 @@ interface(`apache_domtrans',`
|
|
domtrans_pattern($1, httpd_exec_t, httpd_t)
|
|
')
|
|
|
|
-########################################
|
|
+######################################
|
|
## <summary>
|
|
-## Execute httpd server in the httpd domain.
|
|
+## Allow the specified domain to execute apache
|
|
+## in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`apache_initrc_domtrans',`
|
|
+interface(`apache_exec',`
|
|
gen_require(`
|
|
- type httpd_initrc_exec_t;
|
|
+ type httpd_exec_t;
|
|
')
|
|
|
|
- init_labeled_script_domtrans($1, httpd_initrc_exec_t)
|
|
+ can_exec($1, httpd_exec_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Allow the specified domain to execute apache suexec
|
|
+## in the caller domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`apache_exec_suexec',`
|
|
+ gen_require(`
|
|
+ type httpd_suexec_exec_t;
|
|
+ ')
|
|
+
|
|
+ can_exec($1, httpd_suexec_exec_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Send generic signals to httpd.
|
|
+## Send a generic signal to apache.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -279,7 +296,7 @@ interface(`apache_signal',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send null signals to httpd.
|
|
+## Send a null signal to apache.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -297,7 +314,7 @@ interface(`apache_signull',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send child terminated signals to httpd.
|
|
+## Send a SIGCHLD signal to apache.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -315,8 +332,7 @@ interface(`apache_sigchld',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Inherit and use file descriptors
|
|
-## from httpd.
|
|
+## Inherit and use file descriptors from Apache.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -334,8 +350,8 @@ interface(`apache_use_fds',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to read and
|
|
-## write httpd unnamed pipes.
|
|
+## Do not audit attempts to read and write Apache
|
|
+## unnamed pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -348,13 +364,13 @@ interface(`apache_dontaudit_rw_fifo_file',`
|
|
type httpd_t;
|
|
')
|
|
|
|
- dontaudit $1 httpd_t:fifo_file rw_fifo_file_perms;
|
|
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to read and
|
|
-## write httpd unix domain stream sockets.
|
|
+## Do not audit attempts to read and write Apache
|
|
+## unix domain stream sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -372,8 +388,8 @@ interface(`apache_dontaudit_rw_stream_sockets',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to read and
|
|
-## write httpd TCP sockets.
|
|
+## Do not audit attempts to read and write Apache
|
|
+## TCP sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -391,8 +407,7 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## all httpd content.
|
|
+## Create, read, write, and delete all web content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -417,7 +432,8 @@ interface(`apache_manage_all_content',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Set attributes httpd cache directories.
|
|
+## Allow domain to set the attributes
|
|
+## of the APACHE cache directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -435,7 +451,8 @@ interface(`apache_setattr_cache_dirs',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## List httpd cache directories.
|
|
+## Allow the specified domain to list
|
|
+## Apache cache.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -453,7 +470,8 @@ interface(`apache_list_cache',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write httpd cache files.
|
|
+## Allow the specified domain to read
|
|
+## and write Apache cache files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -471,7 +489,8 @@ interface(`apache_rw_cache_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Delete httpd cache directories.
|
|
+## Allow the specified domain to delete
|
|
+## Apache cache dirs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -489,7 +508,8 @@ interface(`apache_delete_cache_dirs',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Delete httpd cache files.
|
|
+## Allow the specified domain to delete
|
|
+## Apache cache.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -507,49 +527,51 @@ interface(`apache_delete_cache_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read httpd configuration files.
|
|
+## Allow the specified domain to search
|
|
+## apache configuration dirs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`apache_read_config',`
|
|
+interface(`apache_search_config',`
|
|
gen_require(`
|
|
type httpd_config_t;
|
|
')
|
|
|
|
files_search_etc($1)
|
|
- allow $1 httpd_config_t:dir list_dir_perms;
|
|
- read_files_pattern($1, httpd_config_t, httpd_config_t)
|
|
- read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
|
|
+ allow $1 httpd_config_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Search httpd configuration directories.
|
|
+## Allow the specified domain to read
|
|
+## apache configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
-interface(`apache_search_config',`
|
|
+interface(`apache_read_config',`
|
|
gen_require(`
|
|
type httpd_config_t;
|
|
')
|
|
|
|
files_search_etc($1)
|
|
- allow $1 httpd_config_t:dir search_dir_perms;
|
|
+ allow $1 httpd_config_t:dir list_dir_perms;
|
|
+ read_files_pattern($1, httpd_config_t, httpd_config_t)
|
|
+ read_lnk_files_pattern($1, httpd_config_t, httpd_config_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## httpd configuration files.
|
|
+## Allow the specified domain to manage
|
|
+## apache configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -570,8 +592,8 @@ interface(`apache_manage_config',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute the Apache helper program
|
|
-## with a domain transition.
|
|
+## Execute the Apache helper program with
|
|
+## a domain transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -608,16 +630,38 @@ interface(`apache_domtrans_helper',`
|
|
#
|
|
interface(`apache_run_helper',`
|
|
gen_require(`
|
|
- attribute_role httpd_helper_roles;
|
|
+ type httpd_helper_t;
|
|
')
|
|
|
|
apache_domtrans_helper($1)
|
|
- roleattribute $2 httpd_helper_roles;
|
|
+ role $2 types httpd_helper_t;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read httpd log files.
|
|
+## dontaudit attempts to read
|
|
+## apache log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`apache_dontaudit_read_log',`
|
|
+ gen_require(`
|
|
+ type httpd_log_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 httpd_log_t:file read_file_perms;
|
|
+ dontaudit $1 httpd_log_t:lnk_file read_lnk_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow the specified domain to read
|
|
+## apache log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -639,7 +683,8 @@ interface(`apache_read_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Append httpd log files.
|
|
+## Allow the specified domain to append
|
|
+## to apache log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -657,10 +702,29 @@ interface(`apache_append_log',`
|
|
append_files_pattern($1, httpd_log_t, httpd_log_t)
|
|
')
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow the specified domain to write
|
|
+## to apache log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`apache_write_log',`
|
|
+ gen_require(`
|
|
+ type httpd_log_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 httpd_log_t:file write;
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to append
|
|
-## httpd log files.
|
|
+## Do not audit attempts to append to the
|
|
+## Apache logs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -678,8 +742,8 @@ interface(`apache_dontaudit_append_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## httpd log files.
|
|
+## Allow the specified domain to manage
|
|
+## to apache log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -698,47 +762,49 @@ interface(`apache_manage_log',`
|
|
read_lnk_files_pattern($1, httpd_log_t, httpd_log_t)
|
|
')
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## Write apache log files.
|
|
+## Do not audit attempts to search Apache
|
|
+## module directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`apache_write_log',`
|
|
+interface(`apache_dontaudit_search_modules',`
|
|
gen_require(`
|
|
- type httpd_log_t;
|
|
+ type httpd_modules_t;
|
|
')
|
|
|
|
- logging_search_logs($1)
|
|
- write_files_pattern($1, httpd_log_t, httpd_log_t)
|
|
+ dontaudit $1 httpd_modules_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to search
|
|
-## httpd module directories.
|
|
+## Allow the specified domain to read
|
|
+## the apache module directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain to not audit.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`apache_dontaudit_search_modules',`
|
|
+interface(`apache_read_modules',`
|
|
gen_require(`
|
|
type httpd_modules_t;
|
|
')
|
|
|
|
- dontaudit $1 httpd_modules_t:dir search_dir_perms;
|
|
+ read_files_pattern($1, httpd_modules_t, httpd_modules_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## List httpd module directories.
|
|
+## Allow the specified domain to list
|
|
+## the contents of the apache modules
|
|
+## directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -752,11 +818,13 @@ interface(`apache_list_modules',`
|
|
')
|
|
|
|
allow $1 httpd_modules_t:dir list_dir_perms;
|
|
+ read_lnk_files_pattern($1, httpd_modules_t, httpd_modules_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute httpd module files.
|
|
+## Allow the specified domain to execute
|
|
+## apache modules.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -776,46 +844,63 @@ interface(`apache_exec_modules',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read httpd module files.
|
|
+## Execute a domain transition to run httpd_rotatelogs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`apache_read_module_files',`
|
|
+interface(`apache_domtrans_rotatelogs',`
|
|
gen_require(`
|
|
- type httpd_modules_t;
|
|
+ type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
|
|
')
|
|
|
|
- libs_search_lib($1)
|
|
- read_files_pattern($1, httpd_modules_t, httpd_modules_t)
|
|
+ domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Execute a domain transition to
|
|
-## run httpd_rotatelogs.
|
|
+## Execute httpd_rotatelogs in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`apache_domtrans_rotatelogs',`
|
|
+interface(`apache_exec_rotatelogs',`
|
|
+ gen_require(`
|
|
+ type httpd_rotatelogs_exec_t;
|
|
+ ')
|
|
+
|
|
+ can_exec($1, httpd_rotatelogs_exec_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute httpd system scripts in the caller domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`apache_exec_sys_script',`
|
|
gen_require(`
|
|
- type httpd_rotatelogs_t, httpd_rotatelogs_exec_t;
|
|
+ type httpd_sys_script_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
- domtrans_pattern($1, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
|
|
+ allow $1 httpd_sys_script_exec_t:dir search_dir_perms;
|
|
+ can_exec($1, httpd_sys_script_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## List httpd system content directories.
|
|
+## Allow the specified domain to list
|
|
+## apache system content files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -829,13 +914,14 @@ interface(`apache_list_sys_content',`
|
|
')
|
|
|
|
list_dirs_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
|
|
+ read_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
|
|
files_search_var($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## httpd system content files.
|
|
+## Allow the specified domain to manage
|
|
+## apache system content files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -844,6 +930,7 @@ interface(`apache_list_sys_content',`
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
+# Note that httpd_sys_content_t is found in /var, /etc, /srv and /usr
|
|
interface(`apache_manage_sys_content',`
|
|
gen_require(`
|
|
type httpd_sys_content_t;
|
|
@@ -855,32 +942,98 @@ interface(`apache_manage_sys_content',`
|
|
manage_lnk_files_pattern($1, httpd_sys_content_t, httpd_sys_content_t)
|
|
')
|
|
|
|
-########################################
|
|
+######################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## httpd system rw content.
|
|
+## Allow the specified domain to read
|
|
+## apache system content rw files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
-interface(`apache_manage_sys_rw_content',`
|
|
+interface(`apache_read_sys_content_rw_files',`
|
|
gen_require(`
|
|
type httpd_sys_rw_content_t;
|
|
')
|
|
|
|
- apache_search_sys_content($1)
|
|
+ read_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Allow the specified domain to read
|
|
+## apache system content rw dirs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`apache_read_sys_content_rw_dirs',`
|
|
+ gen_require(`
|
|
+ type httpd_sys_rw_content_t;
|
|
+ ')
|
|
+
|
|
+ list_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Allow the specified domain to manage
|
|
+## apache system content rw files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`apache_manage_sys_content_rw',`
|
|
+ gen_require(`
|
|
+ type httpd_sys_rw_content_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
|
- manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
|
+ manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
|
manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute all httpd scripts in the
|
|
-## system script domain.
|
|
+## Allow the specified domain to delete
|
|
+## apache system content rw files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`apache_delete_sys_content_rw',`
|
|
+ gen_require(`
|
|
+ type httpd_sys_rw_content_t;
|
|
+ ')
|
|
+
|
|
+ files_search_tmp($1)
|
|
+ delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
|
+ delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
|
+ delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
|
+ delete_fifo_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
|
+ delete_sock_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute all web scripts in the system
|
|
+## script domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -888,10 +1041,17 @@ interface(`apache_manage_sys_rw_content',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
+# cjp: this interface specifically added to allow
|
|
+# sysadm_t to run scripts
|
|
interface(`apache_domtrans_sys_script',`
|
|
gen_require(`
|
|
attribute httpdcontent;
|
|
- type httpd_sys_script_t;
|
|
+ type httpd_sys_script_exec_t;
|
|
+ type httpd_sys_script_t, httpd_sys_content_t;
|
|
+ ')
|
|
+
|
|
+ tunable_policy(`httpd_enable_cgi',`
|
|
+ domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
@@ -901,9 +1061,8 @@ interface(`apache_domtrans_sys_script',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to read and
|
|
-## write httpd system script unix
|
|
-## domain stream sockets.
|
|
+## Do not audit attempts to read and write Apache
|
|
+## system script unix domain stream sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -941,7 +1100,7 @@ interface(`apache_domtrans_all_scripts',`
|
|
########################################
|
|
## <summary>
|
|
## Execute all user scripts in the user
|
|
-## script domain. Add user script domains
|
|
+## script domain. Add user script domains
|
|
## to the specified role.
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -954,6 +1113,7 @@ interface(`apache_domtrans_all_scripts',`
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
interface(`apache_run_all_scripts',`
|
|
gen_require(`
|
|
@@ -966,7 +1126,8 @@ interface(`apache_run_all_scripts',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read httpd squirrelmail data files.
|
|
+## Allow the specified domain to read
|
|
+## apache squirrelmail data.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -979,12 +1140,13 @@ interface(`apache_read_squirrelmail_data',`
|
|
type httpd_squirrelmail_t;
|
|
')
|
|
|
|
- allow $1 httpd_squirrelmail_t:file read_file_perms;
|
|
+ read_files_pattern($1, httpd_squirrelmail_t, httpd_squirrelmail_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Append httpd squirrelmail data files.
|
|
+## Allow the specified domain to append
|
|
+## apache squirrelmail data.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -1002,7 +1164,7 @@ interface(`apache_append_squirrelmail_data',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Search httpd system content.
|
|
+## Search apache system content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -1015,13 +1177,12 @@ interface(`apache_search_sys_content',`
|
|
type httpd_sys_content_t;
|
|
')
|
|
|
|
- files_search_var($1)
|
|
allow $1 httpd_sys_content_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read httpd system content.
|
|
+## Read apache system content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -1041,7 +1202,7 @@ interface(`apache_read_sys_content',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Search httpd system CGI directories.
|
|
+## Search apache system CGI directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -1059,8 +1220,7 @@ interface(`apache_search_sys_scripts',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete all
|
|
-## user httpd content.
|
|
+## Create, read, write, and delete all user web content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -1071,18 +1231,21 @@ interface(`apache_search_sys_scripts',`
|
|
#
|
|
interface(`apache_manage_all_user_content',`
|
|
gen_require(`
|
|
- type httpd_user_content_t, httpd_user_content_rw_t, httpd_user_content_ra_t;
|
|
- type httpd_user_htaccess_t, httpd_user_script_exec_t;
|
|
+ attribute httpd_user_content_type, httpd_user_script_exec_type;
|
|
')
|
|
|
|
- manage_dirs_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
|
|
- manage_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t httpd_user_htaccess_t })
|
|
- manage_lnk_files_pattern($1, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t }, { httpd_user_content_t httpd_user_content_rw_t httpd_user_content_ra_t httpd_user_script_exec_t })
|
|
+ manage_dirs_pattern($1, httpd_user_content_type, httpd_user_content_type)
|
|
+ manage_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
|
|
+ manage_lnk_files_pattern($1, httpd_user_content_type, httpd_user_content_type)
|
|
+
|
|
+ manage_dirs_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
|
|
+ manage_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
|
|
+ manage_lnk_files_pattern($1, httpd_user_script_exec_type, httpd_user_script_exec_type)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Search system script state directories.
|
|
+## Search system script state directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -1100,7 +1263,8 @@ interface(`apache_search_sys_script_state',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read httpd tmp files.
|
|
+## Allow the specified domain to read
|
|
+## apache tmp files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -1117,10 +1281,29 @@ interface(`apache_read_tmp_files',`
|
|
read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
|
|
')
|
|
|
|
+######################################
|
|
+## <summary>
|
|
+## Dontaudit attempts to read and write
|
|
+## apache tmp files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`apache_dontaudit_rw_tmp_files',`
|
|
+ gen_require(`
|
|
+ type httpd_tmp_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 httpd_tmp_t:file { read write };
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to write
|
|
-## httpd tmp files.
|
|
+## Dontaudit attempts to write
|
|
+## apache tmp files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -1133,7 +1316,7 @@ interface(`apache_dontaudit_write_tmp_files',`
|
|
type httpd_tmp_t;
|
|
')
|
|
|
|
- dontaudit $1 httpd_tmp_t:file write_file_perms;
|
|
+ dontaudit $1 httpd_tmp_t:file write;
|
|
')
|
|
|
|
########################################
|
|
@@ -1142,6 +1325,9 @@ interface(`apache_dontaudit_write_tmp_files',`
|
|
## </summary>
|
|
## <desc>
|
|
## <p>
|
|
+## Execute CGI in the specified domain.
|
|
+## </p>
|
|
+## <p>
|
|
## This is an interface to support third party modules
|
|
## and its use is not allowed in upstream reference
|
|
## policy.
|
|
@@ -1171,8 +1357,30 @@ interface(`apache_cgi_domain',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an apache environment.
|
|
+## Execute httpd server in the httpd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`apache_systemctl',`
|
|
+ gen_require(`
|
|
+ type httpd_t;
|
|
+ type httpd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 httpd_unit_file_t:file read_file_perms;
|
|
+ allow $1 httpd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, httpd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate an apache environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -1189,18 +1397,19 @@ interface(`apache_cgi_domain',`
|
|
interface(`apache_admin',`
|
|
gen_require(`
|
|
attribute httpdcontent, httpd_script_exec_type;
|
|
- attribute httpd_script_domains, httpd_htaccess_type;
|
|
type httpd_t, httpd_config_t, httpd_log_t;
|
|
- type httpd_modules_t, httpd_lock_t, httpd_helper_t;
|
|
- type httpd_var_run_t, httpd_passwd_t, httpd_suexec_t;
|
|
- type httpd_suexec_tmp_t, httpd_tmp_t, httpd_rotatelogs_t;
|
|
- type httpd_initrc_exec_t, httpd_keytab_t;
|
|
+ type httpd_modules_t, httpd_lock_t, httpd_bool_t;
|
|
+ type httpd_var_run_t, httpd_php_tmp_t, httpd_initrc_exec_t;
|
|
+ type httpd_suexec_tmp_t, httpd_tmp_t;
|
|
+ type httpd_unit_file_t;
|
|
')
|
|
|
|
- allow $1 { httpd_script_domains httpd_t httpd_helper_t }:process { ptrace signal_perms };
|
|
- allow $1 { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { httpd_script_domains httpd_t httpd_helper_t })
|
|
- ps_process_pattern($1, { httpd_rotatelogs_t httpd_suexec_t httpd_passwd_t })
|
|
+ allow $1 httpd_t:process signal_perms;
|
|
+ ps_process_pattern($1, httpd_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 httpd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, httpd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
@@ -1210,10 +1419,10 @@ interface(`apache_admin',`
|
|
apache_manage_all_content($1)
|
|
miscfiles_manage_public_files($1)
|
|
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, { httpd_keytab_t httpd_config_t })
|
|
+ files_list_etc($1)
|
|
+ admin_pattern($1, httpd_config_t)
|
|
|
|
- logging_search_logs($1)
|
|
+ logging_list_logs($1)
|
|
admin_pattern($1, httpd_log_t)
|
|
|
|
admin_pattern($1, httpd_modules_t)
|
|
@@ -1224,9 +1433,129 @@ interface(`apache_admin',`
|
|
admin_pattern($1, httpd_var_run_t)
|
|
files_pid_filetrans($1, httpd_var_run_t, file)
|
|
|
|
- admin_pattern($1, { httpdcontent httpd_script_exec_type httpd_htaccess_type })
|
|
- admin_pattern($1, { httpd_tmp_t httpd_suexec_tmp_t })
|
|
+ admin_pattern($1, httpdcontent)
|
|
+ admin_pattern($1, httpd_script_exec_type)
|
|
+
|
|
+ seutil_domtrans_setfiles($1)
|
|
+
|
|
+ files_list_tmp($1)
|
|
+ admin_pattern($1, httpd_tmp_t)
|
|
+ admin_pattern($1, httpd_php_tmp_t)
|
|
+ admin_pattern($1, httpd_suexec_tmp_t)
|
|
+
|
|
+ apache_systemctl($1)
|
|
+ admin_pattern($1, httpd_unit_file_t)
|
|
+ allow $1 httpd_unit_file_t:service all_service_perms;
|
|
+
|
|
+ apache_filetrans_named_content($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## dontaudit read and write an leaked file descriptors
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`apache_dontaudit_leaks',`
|
|
+ gen_require(`
|
|
+ type httpd_t;
|
|
+ type httpd_tmp_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 httpd_t:fifo_file rw_inherited_fifo_file_perms;
|
|
+ dontaudit $1 httpd_t:tcp_socket { read write };
|
|
+ dontaudit $1 httpd_t:unix_dgram_socket { read write };
|
|
+ dontaudit $1 httpd_t:unix_stream_socket { read write };
|
|
+ dontaudit $1 httpd_tmp_t:file { read write };
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to apache named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`apache_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type httpd_sys_content_t, httpd_sys_rw_content_t;
|
|
+ type httpd_tmp_t;
|
|
+ ')
|
|
+
|
|
+
|
|
+ apache_filetrans_home_content($1)
|
|
+ filetrans_pattern($1, httpd_sys_content_t, httpd_sys_rw_content_t, file, "settings.php")
|
|
+ userdom_user_tmp_filetrans($1, httpd_tmp_t, dir, "apache")
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow any httpd_exec_t to be an entrypoint of this domain
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`apache_entrypoint',`
|
|
+ gen_require(`
|
|
+ type httpd_exec_t;
|
|
+ ')
|
|
+ allow $1 httpd_exec_t:file entrypoint;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute a httpd_exec_t in the specified domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="target_domain">
|
|
+## <summary>
|
|
+## The type of the new process.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`apache_exec_domtrans',`
|
|
+ gen_require(`
|
|
+ type httpd_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, httpd_exec_t, $2)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to apache home content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`apache_filetrans_home_content',`
|
|
+ gen_require(`
|
|
+ type httpd_user_content_t, httpd_user_script_exec_t, httpd_user_htaccess_t;
|
|
+ type httpd_user_content_ra_t;
|
|
+ ')
|
|
|
|
- apache_run_all_scripts($1, $2)
|
|
- apache_run_helper($1, $2)
|
|
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "public_html")
|
|
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "www")
|
|
+ userdom_user_home_dir_filetrans($1, httpd_user_content_t, dir, "web")
|
|
+ filetrans_pattern($1, httpd_user_content_t, httpd_user_script_exec_t, dir, "cgi-bin")
|
|
+ filetrans_pattern($1, httpd_user_content_t, httpd_user_content_ra_t, dir, "logs")
|
|
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
|
|
')
|
|
diff --git a/apache.te b/apache.te
|
|
index 6649962..0e09bca 100644
|
|
--- a/apache.te
|
|
+++ b/apache.te
|
|
@@ -5,280 +5,317 @@ policy_module(apache, 2.7.2)
|
|
# Declarations
|
|
#
|
|
|
|
+selinux_genbool(httpd_bool_t)
|
|
+
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can modify
|
|
-## public files used for public file
|
|
-## transfer services. Directories/Files must
|
|
-## be labeled public_content_rw_t.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow Apache to modify public files
|
|
+## used for public file transfer services. Directories/Files must
|
|
+## be labeled public_content_rw_t.
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(allow_httpd_anon_write, false)
|
|
+gen_tunable(httpd_anon_write, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can use mod_auth_pam.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow Apache to use mod_auth_pam
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(allow_httpd_mod_auth_pam, false)
|
|
+gen_tunable(httpd_mod_auth_pam, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can use built in scripting.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow Apache to use mod_auth_ntlm_winbind
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(httpd_builtin_scripting, false)
|
|
+gen_tunable(httpd_mod_auth_ntlm_winbind, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can check spam.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow httpd scripts and modules execmem/execstack
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(httpd_can_check_spam, false)
|
|
+gen_tunable(httpd_execmem, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd scripts and modules
|
|
-## can connect to the network using TCP.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow httpd processes to manage IPA content
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(httpd_manage_ipa, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow httpd to use built in scripting (usually php)
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(httpd_builtin_scripting, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow HTTPD scripts and modules to connect to the network using TCP.
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_network_connect, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd scripts and modules
|
|
-## can connect to cobbler over the network.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow HTTPD scripts and modules to connect to cobbler over the network.
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_network_connect_cobbler, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether scripts and modules can
|
|
-## connect to databases over the network.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow HTTPD scripts and modules to server cobbler files.
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(httpd_can_network_connect_db, false)
|
|
+gen_tunable(httpd_serve_cobbler_files, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can connect to
|
|
-## ldap over the network.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow HTTPD to connect to port 80 for graceful shutdown
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(httpd_can_network_connect_ldap, false)
|
|
+gen_tunable(httpd_graceful_shutdown, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can connect
|
|
-## to memcache server over the network.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow HTTPD scripts and modules to connect to databases over the network.
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(httpd_can_network_connect_memcache, false)
|
|
+gen_tunable(httpd_can_network_connect_db, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can act as a relay.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow httpd to connect to memcache server
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(httpd_can_network_memcache, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow httpd to act as a relay
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_can_network_relay, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd daemon can
|
|
-## connect to zabbix over the network.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow http daemon to connect to zabbix
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(httpd_can_network_connect_zabbix, false)
|
|
+gen_tunable(httpd_can_connect_zabbix, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can send mail.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow http daemon to connect to mythtv
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(httpd_can_sendmail, false)
|
|
+gen_tunable(httpd_can_connect_mythtv, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can communicate
|
|
-## with avahi service via dbus.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow http daemon to check spam
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(httpd_dbus_avahi, false)
|
|
+gen_tunable(httpd_can_check_spam, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine wether httpd can use support.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow http daemon to send mail
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(httpd_enable_cgi, false)
|
|
+gen_tunable(httpd_can_sendmail, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can act as a
|
|
-## FTP server by listening on the ftp port.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow Apache to communicate with avahi service via dbus
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(httpd_enable_ftp_server, false)
|
|
+gen_tunable(httpd_dbus_avahi, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can traverse
|
|
-## user home directories.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow httpd cgi support
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(httpd_enable_homedirs, false)
|
|
+gen_tunable(httpd_enable_cgi, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd gpg can modify
|
|
-## public files used for public file
|
|
-## transfer services. Directories/Files must
|
|
-## be labeled public_content_rw_t.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow httpd to act as a FTP server by
|
|
+## listening on the ftp port.
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(httpd_gpg_anon_write, false)
|
|
+gen_tunable(httpd_enable_ftp_server, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can execute
|
|
-## its temporary content.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow httpd to act as a FTP client
|
|
+## connecting to the ftp port and ephemeral ports
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(httpd_tmp_exec, false)
|
|
+gen_tunable(httpd_can_connect_ftp, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd scripts and
|
|
-## modules can use execmem and execstack.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow httpd to connect to the ldap port
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(httpd_execmem, false)
|
|
+gen_tunable(httpd_can_connect_ldap, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can connect
|
|
-## to port 80 for graceful shutdown.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow httpd to read home directories
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(httpd_graceful_shutdown, false)
|
|
+gen_tunable(httpd_enable_homedirs, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can
|
|
-## manage IPA content files.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow httpd to read user content
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(httpd_manage_ipa, false)
|
|
+gen_tunable(httpd_read_user_content, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can use mod_auth_ntlm_winbind.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow Apache to run in stickshift mode, not transition to passenger
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(httpd_mod_auth_ntlm_winbind, false)
|
|
+gen_tunable(httpd_run_stickshift, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can read
|
|
-## generic user home content files.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow Apache to query NS records
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(httpd_read_user_content, false)
|
|
+gen_tunable(httpd_verify_dns, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can change
|
|
-## its resource limits.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow httpd daemon to change its resource limits
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_setrlimit, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can run
|
|
-## SSI executables in the same domain
|
|
-## as system CGI scripts.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_ssi_exec, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can communicate
|
|
-## with the terminal. Needed for entering the
|
|
-## passphrase for certificates at the terminal.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow Apache to execute tmp content.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(httpd_tmp_exec, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Unify HTTPD to communicate with the terminal.
|
|
+## Needed for entering the passphrase for certificates at
|
|
+## the terminal.
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_tty_comm, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can have full access
|
|
-## to its content types.
|
|
-## </p>
|
|
+## <p>
|
|
+## Unify HTTPD handling of all content files.
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_unified, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can use
|
|
-## cifs file systems.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow httpd to access openstack ports
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(httpd_use_openstack, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow httpd to access cifs file systems
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_use_cifs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
-## Determine whether httpd can
|
|
-## use fuse file systems.
|
|
+## Allow httpd to access FUSE file systems
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_use_fusefs, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can use gpg.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow httpd to run gpg
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_use_gpg, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether httpd can use
|
|
-## nfs file systems.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow httpd to connect to sasl
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(httpd_use_sasl, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow httpd to access nfs file systems
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(httpd_use_nfs, false)
|
|
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(httpd_sys_script_anon_write, false)
|
|
+
|
|
attribute httpdcontent;
|
|
-attribute httpd_htaccess_type;
|
|
+attribute httpd_user_content_type;
|
|
+attribute httpd_content_type;
|
|
|
|
-# domains that can exec all scripts
|
|
+# domains that can exec all users scripts
|
|
attribute httpd_exec_scripts;
|
|
|
|
+attribute httpd_script_type;
|
|
attribute httpd_script_exec_type;
|
|
+attribute httpd_user_script_exec_type;
|
|
|
|
-# all script domains
|
|
+# user script domains
|
|
attribute httpd_script_domains;
|
|
|
|
-attribute_role httpd_helper_roles;
|
|
-roleattribute system_r httpd_helper_roles;
|
|
-
|
|
type httpd_t;
|
|
type httpd_exec_t;
|
|
+ifdef(`distro_redhat',`
|
|
+ typealias httpd_t alias phpfpm_t;
|
|
+ typealias httpd_exec_t alias phpfpm_exec_t;
|
|
+')
|
|
init_daemon_domain(httpd_t, httpd_exec_t)
|
|
+role system_r types httpd_t;
|
|
|
|
+# httpd_cache_t is the type given to the /var/cache/httpd
|
|
+# directory and the files under that directory
|
|
type httpd_cache_t;
|
|
files_type(httpd_cache_t)
|
|
|
|
+# httpd_config_t is the type given to the configuration files
|
|
type httpd_config_t;
|
|
files_config_file(httpd_config_t)
|
|
|
|
type httpd_helper_t;
|
|
type httpd_helper_exec_t;
|
|
-application_domain(httpd_helper_t, httpd_helper_exec_t)
|
|
-role httpd_helper_roles types httpd_helper_t;
|
|
+domain_type(httpd_helper_t)
|
|
+domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
|
|
+role system_r types httpd_helper_t;
|
|
|
|
type httpd_initrc_exec_t;
|
|
init_script_file(httpd_initrc_exec_t)
|
|
@@ -286,15 +323,35 @@ init_script_file(httpd_initrc_exec_t)
|
|
type httpd_keytab_t;
|
|
files_type(httpd_keytab_t)
|
|
|
|
+type httpd_unit_file_t;
|
|
+ifdef(`distro_redhat',`
|
|
+ typealias httpd_unit_file_t alias phpfpm_unit_file_t;
|
|
+')
|
|
+systemd_unit_file(httpd_unit_file_t)
|
|
+
|
|
type httpd_lock_t;
|
|
files_lock_file(httpd_lock_t)
|
|
|
|
type httpd_log_t;
|
|
+ifdef(`distro_redhat',`
|
|
+ typealias httpd_log_t alias phpfpm_log_t;
|
|
+')
|
|
logging_log_file(httpd_log_t)
|
|
|
|
+# httpd_modules_t is the type given to module files (libraries)
|
|
+# that come with Apache /etc/httpd/modules and /usr/lib/apache
|
|
type httpd_modules_t;
|
|
files_type(httpd_modules_t)
|
|
|
|
+type httpd_php_t;
|
|
+type httpd_php_exec_t;
|
|
+domain_type(httpd_php_t)
|
|
+domain_entry_file(httpd_php_t, httpd_php_exec_t)
|
|
+role system_r types httpd_php_t;
|
|
+
|
|
+type httpd_php_tmp_t;
|
|
+files_tmp_file(httpd_php_tmp_t)
|
|
+
|
|
type httpd_rotatelogs_t;
|
|
type httpd_rotatelogs_exec_t;
|
|
init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
|
|
@@ -302,10 +359,8 @@ init_daemon_domain(httpd_rotatelogs_t, httpd_rotatelogs_exec_t)
|
|
type httpd_squirrelmail_t;
|
|
files_type(httpd_squirrelmail_t)
|
|
|
|
-type squirrelmail_spool_t;
|
|
-files_tmp_file(squirrelmail_spool_t)
|
|
-
|
|
-type httpd_suexec_t;
|
|
+# SUEXEC runs user scripts as their own user ID
|
|
+type httpd_suexec_t; #, daemon;
|
|
type httpd_suexec_exec_t;
|
|
domain_type(httpd_suexec_t)
|
|
domain_entry_file(httpd_suexec_t, httpd_suexec_exec_t)
|
|
@@ -314,9 +369,19 @@ role system_r types httpd_suexec_t;
|
|
type httpd_suexec_tmp_t;
|
|
files_tmp_file(httpd_suexec_tmp_t)
|
|
|
|
+# setup the system domain for system CGI scripts
|
|
apache_content_template(sys)
|
|
-corecmd_shell_entry_type(httpd_sys_script_t)
|
|
-typealias httpd_sys_content_t alias ntop_http_content_t;
|
|
+
|
|
+typeattribute httpd_sys_content_t httpdcontent; # customizable
|
|
+typeattribute httpd_sys_rw_content_t httpdcontent; # customizable
|
|
+typeattribute httpd_sys_ra_content_t httpdcontent; # customizable
|
|
+
|
|
+# Removal of fastcgi, will cause problems without the following
|
|
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
|
|
+typealias httpd_sys_content_t alias { httpd_fastcgi_content_t httpd_fastcgi_script_ro_t };
|
|
+typealias httpd_sys_rw_content_t alias { httpd_fastcgi_rw_content_t httpd_fastcgi_script_rw_t };
|
|
+typealias httpd_sys_ra_content_t alias httpd_fastcgi_script_ra_t;
|
|
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
|
|
|
|
type httpd_tmp_t;
|
|
files_tmp_file(httpd_tmp_t)
|
|
@@ -326,12 +391,19 @@ files_tmpfs_file(httpd_tmpfs_t)
|
|
|
|
apache_content_template(user)
|
|
ubac_constrained(httpd_user_script_t)
|
|
+
|
|
+typeattribute httpd_user_content_t httpdcontent;
|
|
+typeattribute httpd_user_rw_content_t httpdcontent;
|
|
+typeattribute httpd_user_ra_content_t httpdcontent;
|
|
+
|
|
userdom_user_home_content(httpd_user_content_t)
|
|
userdom_user_home_content(httpd_user_htaccess_t)
|
|
userdom_user_home_content(httpd_user_script_exec_t)
|
|
userdom_user_home_content(httpd_user_ra_content_t)
|
|
userdom_user_home_content(httpd_user_rw_content_t)
|
|
+typeattribute httpd_user_script_t httpd_script_domains;
|
|
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
|
|
+typealias httpd_user_content_t alias httpd_unconfined_content_t;
|
|
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
|
|
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
|
|
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
|
|
@@ -346,33 +418,40 @@ typealias httpd_user_rw_content_t alias { httpd_auditadm_script_rw_t httpd_secad
|
|
typealias httpd_user_ra_content_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
|
|
typealias httpd_user_ra_content_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
|
|
|
|
+# for apache2 memory mapped files
|
|
type httpd_var_lib_t;
|
|
files_type(httpd_var_lib_t)
|
|
|
|
type httpd_var_run_t;
|
|
+ifdef(`distro_redhat',`
|
|
+ typealias httpd_var_run_t alias phpfpm_var_run_t;
|
|
+')
|
|
files_pid_file(httpd_var_run_t)
|
|
|
|
-type httpd_passwd_t;
|
|
-type httpd_passwd_exec_t;
|
|
-domain_type(httpd_passwd_t)
|
|
-domain_entry_file(httpd_passwd_t, httpd_passwd_exec_t)
|
|
-role system_r types httpd_passwd_t;
|
|
+# Removal of fastcgi, will cause problems without the following
|
|
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
|
|
|
|
-type httpd_gpg_t;
|
|
-domain_type(httpd_gpg_t)
|
|
-role system_r types httpd_gpg_t;
|
|
+# File Type of squirrelmail attachments
|
|
+type squirrelmail_spool_t;
|
|
+files_tmp_file(squirrelmail_spool_t)
|
|
+files_spool_file(squirrelmail_spool_t)
|
|
|
|
optional_policy(`
|
|
prelink_object_file(httpd_modules_t)
|
|
')
|
|
|
|
+type httpd_passwd_t;
|
|
+type httpd_passwd_exec_t;
|
|
+application_domain(httpd_passwd_t, httpd_passwd_exec_t)
|
|
+role system_r types httpd_passwd_t;
|
|
+
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# Apache server local policy
|
|
#
|
|
|
|
allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
|
|
-dontaudit httpd_t self:capability net_admin;
|
|
+dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
|
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow httpd_t self:fd use;
|
|
allow httpd_t self:sock_file read_sock_file_perms;
|
|
@@ -381,30 +460,38 @@ allow httpd_t self:shm create_shm_perms;
|
|
allow httpd_t self:sem create_sem_perms;
|
|
allow httpd_t self:msgq create_msgq_perms;
|
|
allow httpd_t self:msg { send receive };
|
|
-allow httpd_t self:unix_dgram_socket sendto;
|
|
-allow httpd_t self:unix_stream_socket { accept connectto listen };
|
|
-allow httpd_t self:tcp_socket { accept listen };
|
|
+allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
+allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
+allow httpd_t self:tcp_socket create_stream_socket_perms;
|
|
+allow httpd_t self:udp_socket create_socket_perms;
|
|
+dontaudit httpd_t self:netlink_audit_socket create_socket_perms;
|
|
|
|
+# Allow httpd_t to put files in /var/cache/httpd etc
|
|
manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
|
|
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
|
|
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
|
|
-files_var_filetrans(httpd_t, httpd_cache_t, dir)
|
|
+files_var_filetrans(httpd_t, httpd_cache_t, { file dir })
|
|
|
|
+# Allow the httpd_t to read the web servers config files
|
|
allow httpd_t httpd_config_t:dir list_dir_perms;
|
|
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
|
|
read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
|
|
|
|
+can_exec(httpd_t, httpd_exec_t)
|
|
+
|
|
allow httpd_t httpd_keytab_t:file read_file_perms;
|
|
|
|
allow httpd_t httpd_lock_t:file manage_file_perms;
|
|
files_lock_filetrans(httpd_t, httpd_lock_t, file)
|
|
|
|
-allow httpd_t httpd_log_t:dir setattr_dir_perms;
|
|
+allow httpd_t httpd_log_t:dir setattr;
|
|
create_dirs_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
|
create_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
|
append_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
|
read_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
|
read_lnk_files_pattern(httpd_t, httpd_log_t, httpd_log_t)
|
|
+# cjp: need to refine create interfaces to
|
|
+# cut this back to add_name only
|
|
logging_log_filetrans(httpd_t, httpd_log_t, file)
|
|
|
|
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
|
@@ -412,6 +499,8 @@ mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
|
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
|
read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
|
|
|
+apache_domtrans_rotatelogs(httpd_t)
|
|
+# Apache-httpd needs to be able to send signals to the log rotate procs.
|
|
allow httpd_t httpd_rotatelogs_t:process signal_perms;
|
|
|
|
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
|
|
@@ -420,6 +509,10 @@ manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
|
|
|
|
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
|
|
|
|
+allow httpd_t httpd_sys_content_t:dir list_dir_perms;
|
|
+read_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
|
|
+read_lnk_files_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_t)
|
|
+
|
|
allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
|
|
|
|
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
|
@@ -450,140 +543,167 @@ manage_dirs_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
|
manage_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
|
manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
|
|
|
-can_exec(httpd_t, httpd_exec_t)
|
|
-
|
|
-domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
|
|
-domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
|
|
-domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
|
|
-domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
|
|
-
|
|
kernel_read_kernel_sysctls(httpd_t)
|
|
-kernel_read_network_state(httpd_t)
|
|
+# for modules that want to access /proc/meminfo
|
|
kernel_read_system_state(httpd_t)
|
|
+kernel_read_network_state(httpd_t)
|
|
kernel_search_network_sysctl(httpd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(httpd_t)
|
|
corenet_all_recvfrom_netlabel(httpd_t)
|
|
corenet_tcp_sendrecv_generic_if(httpd_t)
|
|
+corenet_udp_sendrecv_generic_if(httpd_t)
|
|
corenet_tcp_sendrecv_generic_node(httpd_t)
|
|
+corenet_udp_sendrecv_generic_node(httpd_t)
|
|
+corenet_tcp_sendrecv_all_ports(httpd_t)
|
|
+corenet_udp_sendrecv_all_ports(httpd_t)
|
|
corenet_tcp_bind_generic_node(httpd_t)
|
|
-
|
|
-corenet_sendrecv_http_server_packets(httpd_t)
|
|
+corenet_udp_bind_generic_node(httpd_t)
|
|
corenet_tcp_bind_http_port(httpd_t)
|
|
-corenet_tcp_sendrecv_http_port(httpd_t)
|
|
-
|
|
-corenet_sendrecv_http_cache_server_packets(httpd_t)
|
|
+corenet_udp_bind_http_port(httpd_t)
|
|
corenet_tcp_bind_http_cache_port(httpd_t)
|
|
-corenet_tcp_sendrecv_http_cache_port(httpd_t)
|
|
-
|
|
-corecmd_exec_bin(httpd_t)
|
|
-corecmd_exec_shell(httpd_t)
|
|
+corenet_tcp_bind_ntop_port(httpd_t)
|
|
+corenet_tcp_bind_jboss_management_port(httpd_t)
|
|
+corenet_tcp_bind_jboss_messaging_port(httpd_t)
|
|
+corenet_sendrecv_http_server_packets(httpd_t)
|
|
+corenet_tcp_bind_puppet_port(httpd_t)
|
|
+# Signal self for shutdown
|
|
+tunable_policy(`httpd_graceful_shutdown',`
|
|
+ corenet_tcp_connect_http_port(httpd_t)
|
|
+')
|
|
|
|
dev_read_sysfs(httpd_t)
|
|
dev_read_rand(httpd_t)
|
|
dev_read_urand(httpd_t)
|
|
dev_rw_crypto(httpd_t)
|
|
|
|
-domain_use_interactive_fds(httpd_t)
|
|
-
|
|
fs_getattr_all_fs(httpd_t)
|
|
fs_search_auto_mountpoints(httpd_t)
|
|
-
|
|
-fs_getattr_all_fs(httpd_t)
|
|
-fs_read_anon_inodefs_files(httpd_t)
|
|
fs_read_iso9660_files(httpd_t)
|
|
-fs_search_auto_mountpoints(httpd_t)
|
|
+fs_rw_anon_inodefs_files(httpd_t)
|
|
+fs_read_hugetlbfs_files(httpd_t)
|
|
+
|
|
+auth_use_nsswitch(httpd_t)
|
|
+
|
|
+application_exec_all(httpd_t)
|
|
+
|
|
+# execute perl
|
|
+corecmd_exec_bin(httpd_t)
|
|
+corecmd_exec_shell(httpd_t)
|
|
+
|
|
+domain_use_interactive_fds(httpd_t)
|
|
+domain_dontaudit_read_all_domains_state(httpd_t)
|
|
|
|
files_dontaudit_getattr_all_pids(httpd_t)
|
|
-files_read_usr_files(httpd_t)
|
|
+files_exec_usr_files(httpd_t)
|
|
files_list_mnt(httpd_t)
|
|
+files_read_mnt_symlinks(httpd_t)
|
|
files_search_spool(httpd_t)
|
|
files_read_var_symlinks(httpd_t)
|
|
files_read_var_lib_files(httpd_t)
|
|
files_search_home(httpd_t)
|
|
files_getattr_home_dir(httpd_t)
|
|
+# for modules that want to access /etc/mtab
|
|
files_read_etc_runtime_files(httpd_t)
|
|
+# Allow httpd_t to have access to files such as nisswitch.conf
|
|
+# for tomcat
|
|
files_read_var_lib_symlinks(httpd_t)
|
|
|
|
-auth_use_nsswitch(httpd_t)
|
|
+fs_search_auto_mountpoints(httpd_sys_script_t)
|
|
+# php uploads a file to /tmp and then execs programs to acton them
|
|
+manage_dirs_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
|
|
+manage_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
|
|
+manage_sock_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
|
|
+manage_fifo_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
|
|
+manage_lnk_files_pattern(httpd_sys_script_t, httpd_tmp_t, httpd_tmp_t)
|
|
+files_tmp_filetrans(httpd_sys_script_t, httpd_sys_rw_content_t, { dir file lnk_file sock_file fifo_file })
|
|
|
|
libs_read_lib_files(httpd_t)
|
|
|
|
+ifdef(`hide_broken_symptoms',`
|
|
+ libs_exec_lib_files(httpd_t)
|
|
+')
|
|
+
|
|
logging_send_syslog_msg(httpd_t)
|
|
|
|
-miscfiles_read_localization(httpd_t)
|
|
+init_dontaudit_read_utmp(httpd_t)
|
|
+
|
|
miscfiles_read_fonts(httpd_t)
|
|
miscfiles_read_public_files(httpd_t)
|
|
miscfiles_read_generic_certs(httpd_t)
|
|
miscfiles_read_tetex_data(httpd_t)
|
|
-
|
|
-seutil_dontaudit_search_config(httpd_t)
|
|
+miscfiles_dontaudit_access_check_cert(httpd_t)
|
|
|
|
userdom_use_unpriv_users_fds(httpd_t)
|
|
|
|
-ifdef(`TODO',`
|
|
- tunable_policy(`allow_httpd_mod_auth_pam',`
|
|
- auth_domtrans_chk_passwd(httpd_t)
|
|
+tunable_policy(`httpd_setrlimit',`
|
|
+ allow httpd_t self:process setrlimit;
|
|
+ allow httpd_t self:capability sys_resource;
|
|
+')
|
|
|
|
- logging_send_audit_msgs(httpd_t)
|
|
- ')
|
|
+tunable_policy(`httpd_anon_write',`
|
|
+ miscfiles_manage_public_files(httpd_t)
|
|
')
|
|
|
|
-ifdef(`hide_broken_symptoms',`
|
|
- libs_exec_lib_files(httpd_t)
|
|
+#
|
|
+# We need optionals to be able to be within booleans to make this work
|
|
+#
|
|
+tunable_policy(`httpd_mod_auth_pam',`
|
|
+ auth_domtrans_chkpwd(httpd_t)
|
|
+ logging_send_audit_msgs(httpd_t)
|
|
')
|
|
|
|
-tunable_policy(`allow_httpd_anon_write',`
|
|
- miscfiles_manage_public_files(httpd_t)
|
|
+optional_policy(`
|
|
+ tunable_policy(`httpd_mod_auth_ntlm_winbind',`
|
|
+ samba_domtrans_winbind_helper(httpd_t)
|
|
+ ')
|
|
')
|
|
|
|
tunable_policy(`httpd_can_network_connect',`
|
|
- corenet_sendrecv_all_client_packets(httpd_t)
|
|
corenet_tcp_connect_all_ports(httpd_t)
|
|
- corenet_tcp_sendrecv_all_ports(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
- corenet_sendrecv_gds_db_client_packets(httpd_t)
|
|
corenet_tcp_connect_gds_db_port(httpd_t)
|
|
- corenet_tcp_sendrecv_gds_db_port(httpd_t)
|
|
- corenet_sendrecv_mssql_client_packets(httpd_t)
|
|
corenet_tcp_connect_mssql_port(httpd_t)
|
|
- corenet_tcp_sendrecv_mssql_port(httpd_t)
|
|
- corenet_sendrecv_oracledb_client_packets(httpd_t)
|
|
- corenet_tcp_connect_oracledb_port(httpd_t)
|
|
- corenet_tcp_sendrecv_oracledb_port(httpd_t)
|
|
+ corenet_sendrecv_mssql_client_packets(httpd_t)
|
|
+ corenet_tcp_connect_oracle_port(httpd_t)
|
|
+ corenet_sendrecv_oracle_client_packets(httpd_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`httpd_can_network_memcache',`
|
|
+ corenet_tcp_connect_memcache_port(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_can_network_relay',`
|
|
- corenet_sendrecv_gopher_client_packets(httpd_t)
|
|
+ # allow httpd to work as a relay
|
|
corenet_tcp_connect_gopher_port(httpd_t)
|
|
- corenet_tcp_sendrecv_gopher_port(httpd_t)
|
|
- corenet_sendrecv_ftp_client_packets(httpd_t)
|
|
corenet_tcp_connect_ftp_port(httpd_t)
|
|
- corenet_tcp_sendrecv_ftp_port(httpd_t)
|
|
- corenet_sendrecv_http_client_packets(httpd_t)
|
|
corenet_tcp_connect_http_port(httpd_t)
|
|
- corenet_tcp_sendrecv_http_port(httpd_t)
|
|
- corenet_sendrecv_http_cache_client_packets(httpd_t)
|
|
corenet_tcp_connect_http_cache_port(httpd_t)
|
|
- corenet_tcp_sendrecv_http_cache_port(httpd_t)
|
|
- corenet_sendrecv_squid_client_packets(httpd_t)
|
|
corenet_tcp_connect_squid_port(httpd_t)
|
|
- corenet_tcp_sendrecv_squid_port(httpd_t)
|
|
+ corenet_tcp_connect_memcache_port(httpd_t)
|
|
+ corenet_sendrecv_gopher_client_packets(httpd_t)
|
|
+ corenet_sendrecv_ftp_client_packets(httpd_t)
|
|
+ corenet_sendrecv_http_client_packets(httpd_t)
|
|
+ corenet_sendrecv_http_cache_client_packets(httpd_t)
|
|
+ corenet_sendrecv_squid_client_packets(httpd_t)
|
|
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
|
|
')
|
|
|
|
-tunable_policy(`httpd_builtin_scripting',`
|
|
- exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
|
|
+tunable_policy(`httpd_execmem',`
|
|
+ allow httpd_t self:process { execmem execstack };
|
|
+ allow httpd_sys_script_t self:process { execmem execstack };
|
|
+ allow httpd_suexec_t self:process { execmem execstack };
|
|
+')
|
|
|
|
- allow httpd_t httpdcontent:dir list_dir_perms;
|
|
- allow httpd_t httpdcontent:file read_file_perms;
|
|
- allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
|
|
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
+ allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
|
|
+ filetrans_pattern(httpd_sys_script_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
|
|
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
|
|
')
|
|
|
|
-tunable_policy(`httpd_enable_cgi',`
|
|
- allow httpd_t httpd_script_domains:process { signal sigkill sigstop };
|
|
- allow httpd_t httpd_script_exec_type:dir list_dir_perms;
|
|
+tunable_policy(`httpd_sys_script_anon_write',`
|
|
+ miscfiles_manage_public_files(httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
|
|
@@ -594,28 +714,50 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
|
|
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
|
|
')
|
|
|
|
-# tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
|
|
-# fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
|
|
-# ')
|
|
+tunable_policy(`httpd_enable_cgi && httpd_use_fusefs',`
|
|
+ fs_fusefs_domtrans(httpd_t, httpd_sys_script_t)
|
|
+')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
|
|
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
|
|
+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_rw_content_t, { file dir lnk_file })
|
|
+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
|
|
+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
|
|
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_rw_content_t)
|
|
|
|
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
|
|
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
|
- manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
|
manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
|
- manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
|
+')
|
|
+
|
|
+tunable_policy(`httpd_can_connect_ftp',`
|
|
+ corenet_tcp_connect_ftp_port(httpd_t)
|
|
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`httpd_can_connect_ldap',`
|
|
+ corenet_tcp_connect_ldap_port(httpd_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`httpd_can_connect_mythtv',`
|
|
+ corenet_tcp_connect_mythtv_port(httpd_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`httpd_can_connect_zabbix',`
|
|
+ corenet_tcp_connect_zabbix_port(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_ftp_server',`
|
|
- corenet_sendrecv_ftp_server_packets(httpd_t)
|
|
corenet_tcp_bind_ftp_port(httpd_t)
|
|
- corenet_tcp_sendrecv_ftp_port(httpd_t)
|
|
+ corenet_tcp_bind_all_ephemeral_ports(httpd_t)
|
|
')
|
|
|
|
-tunable_policy(`httpd_enable_homedirs',`
|
|
- userdom_search_user_home_dirs(httpd_t)
|
|
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
|
|
+ can_exec(httpd_t, httpd_tmp_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
|
|
+ can_exec(httpd_sys_script_t, httpd_tmp_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
|
@@ -624,68 +766,44 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
|
fs_read_nfs_symlinks(httpd_t)
|
|
')
|
|
|
|
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
|
|
- fs_exec_nfs_files(httpd_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
|
+tunable_policy(`httpd_use_nfs',`
|
|
fs_list_auto_mountpoints(httpd_t)
|
|
- fs_read_cifs_files(httpd_t)
|
|
- fs_read_cifs_symlinks(httpd_t)
|
|
+ fs_manage_nfs_dirs(httpd_t)
|
|
+ fs_manage_nfs_files(httpd_t)
|
|
+ fs_manage_nfs_symlinks(httpd_t)
|
|
')
|
|
|
|
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
|
|
- fs_exec_cifs_files(httpd_t)
|
|
+
|
|
+tunable_policy(`httpd_use_nfs',`
|
|
+ automount_search_tmp_dirs(httpd_t)
|
|
')
|
|
|
|
-tunable_policy(`httpd_execmem',`
|
|
- allow httpd_t self:process { execmem execstack };
|
|
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
|
+ fs_read_cifs_files(httpd_t)
|
|
+ fs_read_cifs_symlinks(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_can_sendmail',`
|
|
- corenet_sendrecv_smtp_client_packets(httpd_t)
|
|
+ # allow httpd to connect to mail servers
|
|
corenet_tcp_connect_smtp_port(httpd_t)
|
|
- corenet_tcp_sendrecv_smtp_port(httpd_t)
|
|
- corenet_sendrecv_pop_client_packets(httpd_t)
|
|
+ corenet_sendrecv_smtp_client_packets(httpd_t)
|
|
corenet_tcp_connect_pop_port(httpd_t)
|
|
- corenet_tcp_sendrecv_pop_port(httpd_t)
|
|
-
|
|
+ corenet_sendrecv_pop_client_packets(httpd_t)
|
|
mta_send_mail(httpd_t)
|
|
mta_signal_system_mail(httpd_t)
|
|
+ postfix_rw_spool_maildrop_files(httpd_t)
|
|
')
|
|
|
|
-optional_policy(`
|
|
- tunable_policy(`httpd_can_network_connect_zabbix',`
|
|
- zabbix_tcp_connect(httpd_t)
|
|
- ')
|
|
+tunable_policy(`httpd_use_cifs',`
|
|
+ fs_manage_cifs_dirs(httpd_t)
|
|
+ fs_manage_cifs_files(httpd_t)
|
|
+ fs_manage_cifs_symlinks(httpd_t)
|
|
')
|
|
|
|
-optional_policy(`
|
|
- tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
|
|
- spamassassin_domtrans_client(httpd_t)
|
|
- ')
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_graceful_shutdown',`
|
|
- corenet_sendrecv_http_client_packets(httpd_t)
|
|
- corenet_tcp_connect_http_port(httpd_t)
|
|
- corenet_tcp_sendrecv_http_port(httpd_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
|
|
- gpg_spec_domtrans(httpd_t, httpd_gpg_t)
|
|
- ')
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- tunable_policy(`httpd_mod_auth_ntlm_winbind',`
|
|
- samba_domtrans_winbind_helper(httpd_t)
|
|
- ')
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_read_user_content',`
|
|
- userdom_read_user_home_content_files(httpd_t)
|
|
+tunable_policy(`httpd_use_fusefs',`
|
|
+ fs_manage_fusefs_dirs(httpd_t)
|
|
+ fs_manage_fusefs_files(httpd_t)
|
|
+ fs_manage_fusefs_symlinks(httpd_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_setrlimit',`
|
|
@@ -695,49 +813,48 @@ tunable_policy(`httpd_setrlimit',`
|
|
|
|
tunable_policy(`httpd_ssi_exec',`
|
|
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
|
|
+ allow httpd_sys_script_t httpd_t:fd use;
|
|
+ allow httpd_sys_script_t httpd_t:fifo_file rw_file_perms;
|
|
+ allow httpd_sys_script_t httpd_t:process sigchld;
|
|
')
|
|
|
|
-tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
|
|
- can_exec(httpd_t, httpd_tmp_t)
|
|
-')
|
|
-
|
|
+# When the admin starts the server, the server wants to access
|
|
+# the TTY or PTY associated with the session. The httpd appears
|
|
+# to run correctly without this permission, so the permission
|
|
+# are dontaudited here.
|
|
tunable_policy(`httpd_tty_comm',`
|
|
- userdom_use_user_terminals(httpd_t)
|
|
-',`
|
|
- userdom_dontaudit_use_user_terminals(httpd_t)
|
|
+ userdom_use_inherited_user_terminals(httpd_t)
|
|
+ userdom_use_inherited_user_terminals(httpd_suexec_t)
|
|
')
|
|
|
|
-tunable_policy(`httpd_use_cifs',`
|
|
- fs_list_auto_mountpoints(httpd_t)
|
|
- fs_manage_cifs_dirs(httpd_t)
|
|
- fs_manage_cifs_files(httpd_t)
|
|
- fs_manage_cifs_symlinks(httpd_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
|
|
- fs_exec_cifs_files(httpd_t)
|
|
-')
|
|
+optional_policy(`
|
|
+ cobbler_list_config(httpd_t)
|
|
+ cobbler_read_config(httpd_t)
|
|
|
|
-tunable_policy(`httpd_use_fusefs',`
|
|
- fs_list_auto_mountpoints(httpd_t)
|
|
- fs_manage_fusefs_dirs(httpd_t)
|
|
- fs_manage_fusefs_files(httpd_t)
|
|
- fs_read_fusefs_symlinks(httpd_t)
|
|
-')
|
|
+ tunable_policy(`httpd_serve_cobbler_files',`
|
|
+ cobbler_manage_lib_files(httpd_t)
|
|
+',`
|
|
+ cobbler_read_lib_files(httpd_t)
|
|
+ cobbler_search_lib(httpd_t)
|
|
+ ')
|
|
|
|
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
|
|
- fs_exec_fusefs_files(httpd_t)
|
|
+ tunable_policy(`httpd_can_network_connect_cobbler',`
|
|
+ corenet_tcp_connect_cobbler_port(httpd_t)
|
|
+ ')
|
|
')
|
|
|
|
-tunable_policy(`httpd_use_nfs',`
|
|
- fs_list_auto_mountpoints(httpd_t)
|
|
- fs_manage_nfs_dirs(httpd_t)
|
|
- fs_manage_nfs_files(httpd_t)
|
|
- fs_manage_nfs_symlinks(httpd_t)
|
|
+optional_policy(`
|
|
+ tunable_policy(`httpd_use_sasl',`
|
|
+ sasl_connect(httpd_t)
|
|
+ ')
|
|
')
|
|
|
|
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
|
|
- fs_exec_nfs_files(httpd_t)
|
|
+optional_policy(`
|
|
+ # Support for ABRT retrace server
|
|
+ # mod_wsgi
|
|
+ abrt_manage_spool_retrace(httpd_t)
|
|
+ abrt_domtrans_retrace_worker(httpd_t)
|
|
+ abrt_read_config(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -748,14 +865,6 @@ optional_policy(`
|
|
ccs_read_config(httpd_t)
|
|
')
|
|
|
|
-optional_policy(`
|
|
- clamav_domtrans_clamscan(httpd_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- cobbler_read_config(httpd_t)
|
|
- cobbler_read_lib_files(httpd_t)
|
|
-')
|
|
|
|
optional_policy(`
|
|
cron_system_entry(httpd_t, httpd_exec_t)
|
|
@@ -770,6 +879,23 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ #needed by FreeIPA
|
|
+ dirsrv_stream_connect(httpd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dirsrv_manage_config(httpd_t)
|
|
+ dirsrv_manage_log(httpd_t)
|
|
+ dirsrv_manage_var_run(httpd_t)
|
|
+ dirsrv_read_share(httpd_t)
|
|
+ dirsrv_signal(httpd_t)
|
|
+ dirsrv_signull(httpd_t)
|
|
+ dirsrvadmin_manage_config(httpd_t)
|
|
+ dirsrvadmin_manage_tmp(httpd_t)
|
|
+ dirsrvadmin_domtrans_unconfined_script_t(httpd_t)
|
|
+')
|
|
+
|
|
+ optional_policy(`
|
|
dbus_system_bus_client(httpd_t)
|
|
|
|
tunable_policy(`httpd_dbus_avahi',`
|
|
@@ -786,35 +912,48 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- kerberos_manage_host_rcache(httpd_t)
|
|
- kerberos_read_keytab(httpd_t)
|
|
- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_23")
|
|
- kerberos_tmp_filetrans_host_rcache(httpd_t, file, "HTTP_48")
|
|
- kerberos_use(httpd_t)
|
|
+ tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
|
|
+ gpg_domtrans_web(httpd_t)
|
|
+ ')
|
|
')
|
|
|
|
optional_policy(`
|
|
- ldap_stream_connect(httpd_t)
|
|
+ gssproxy_stream_connect(httpd_t)
|
|
+')
|
|
|
|
- tunable_policy(`httpd_can_network_connect_ldap',`
|
|
- ldap_tcp_connect(httpd_t)
|
|
- ')
|
|
+optional_policy(`
|
|
+ jetty_admin(httpd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ kerberos_manage_host_rcache(httpd_t)
|
|
+ kerberos_read_keytab(httpd_t)
|
|
+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_23")
|
|
+ kerberos_tmp_filetrans_host_rcache(httpd_t, "HTTP_48")
|
|
+ kerberos_use(httpd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ # needed by FreeIPA
|
|
+ ldap_stream_connect(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mailman_signal_cgi(httpd_t)
|
|
mailman_domtrans_cgi(httpd_t)
|
|
mailman_read_data_files(httpd_t)
|
|
+ # should have separate types for public and private archives
|
|
mailman_search_data(httpd_t)
|
|
mailman_read_archive(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- memcached_stream_connect(httpd_t)
|
|
+ mediawiki_read_tmp_files(httpd_t)
|
|
+ mediawiki_delete_tmp_files(httpd_t)
|
|
+')
|
|
|
|
- tunable_policy(`httpd_can_network_connect_memcache',`
|
|
- memcached_tcp_connect(httpd_t)
|
|
- ')
|
|
+optional_policy(`
|
|
+ memcached_stream_connect(httpd_t)
|
|
|
|
tunable_policy(`httpd_manage_ipa',`
|
|
memcached_manage_pid_files(httpd_t)
|
|
@@ -822,8 +961,18 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ munin_read_config(httpd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ # Allow httpd to work with mysql
|
|
mysql_read_config(httpd_t)
|
|
mysql_stream_connect(httpd_t)
|
|
+ mysql_rw_db_sockets(httpd_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ postgresql_stream_connect(httpd_t)
|
|
+ ')
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
mysql_tcp_connect(httpd_t)
|
|
@@ -832,6 +981,7 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
nagios_read_config(httpd_t)
|
|
+ nagios_read_log(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -842,20 +992,39 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ openshift_search_lib(httpd_t)
|
|
+ openshift_initrc_signull(httpd_t)
|
|
+ openshift_initrc_signal(httpd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ passenger_exec(httpd_t)
|
|
+ passenger_manage_pid_content(httpd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
pcscd_read_pid_files(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- postgresql_stream_connect(httpd_t)
|
|
- postgresql_unpriv_client(httpd_t)
|
|
+ pki_apache_domain_signal(httpd_t)
|
|
+ pki_manage_apache_config_files(httpd_t)
|
|
+ pki_manage_apache_lib(httpd_t)
|
|
+ pki_manage_apache_log_files(httpd_t)
|
|
+ pki_manage_apache_run(httpd_t)
|
|
+ pki_read_tomcat_cert(httpd_t)
|
|
+')
|
|
|
|
- tunable_policy(`httpd_can_network_connect_db',`
|
|
- postgresql_tcp_connect(httpd_t)
|
|
- ')
|
|
+optional_policy(`
|
|
+ puppet_read_lib(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- puppet_read_lib_files(httpd_t)
|
|
+ pwauth_domtrans(httpd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rpm_dontaudit_read_db(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -863,19 +1032,35 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ # Allow httpd to work with postgresql
|
|
+ postgresql_stream_connect(httpd_t)
|
|
+ postgresql_unpriv_client(httpd_t)
|
|
+
|
|
+ tunable_policy(`httpd_can_network_connect_db',`
|
|
+ postgresql_tcp_connect(httpd_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
seutil_sigchld_newrole(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
smokeping_read_lib_files(httpd_t)
|
|
+ smokeping_read_pid_files(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ files_dontaudit_rw_usr_dirs(httpd_t)
|
|
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
|
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ thin_stream_connect(httpd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
udev_read_db(httpd_t)
|
|
')
|
|
|
|
@@ -883,65 +1068,173 @@ optional_policy(`
|
|
yam_read_content(httpd_t)
|
|
')
|
|
|
|
+optional_policy(`
|
|
+ zarafa_manage_lib_files(httpd_t)
|
|
+ zarafa_stream_connect_server(httpd_t)
|
|
+ zarafa_search_config(httpd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ zoneminder_append_log(httpd_t)
|
|
+ zoneminder_manage_lib_dirs(httpd_t)
|
|
+ zoneminder_manage_lib_files(httpd_t)
|
|
+ zoneminder_stream_connect(httpd_t)
|
|
+ zoneminder_exec(httpd_t)
|
|
+')
|
|
+
|
|
########################################
|
|
#
|
|
-# Helper local policy
|
|
+# Apache helper local policy
|
|
#
|
|
|
|
-read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
|
|
+domtrans_pattern(httpd_t, httpd_helper_exec_t, httpd_helper_t)
|
|
|
|
-append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
|
|
-read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
|
|
+allow httpd_helper_t httpd_config_t:file read_file_perms;
|
|
|
|
-files_search_etc(httpd_helper_t)
|
|
+allow httpd_helper_t httpd_log_t:file append_file_perms;
|
|
|
|
-logging_search_logs(httpd_helper_t)
|
|
logging_send_syslog_msg(httpd_helper_t)
|
|
|
|
+tunable_policy(`httpd_verify_dns',`
|
|
+ corenet_udp_bind_all_ephemeral_ports(httpd_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`httpd_run_stickshift', `
|
|
+ allow httpd_t self:capability { fowner fsetid sys_resource };
|
|
+ dontaudit httpd_t self:capability sys_ptrace;
|
|
+ allow httpd_t self:process setexec;
|
|
+
|
|
+ files_dontaudit_getattr_all_files(httpd_t)
|
|
+ domain_getpgid_all_domains(httpd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ tunable_policy(`httpd_run_stickshift', `
|
|
+ passenger_manage_lib_files(httpd_t)
|
|
+ passenger_getattr_log_files(httpd_t)
|
|
+ ',`
|
|
+ passenger_domtrans(httpd_t)
|
|
+ passenger_read_lib_files(httpd_t)
|
|
+ passenger_stream_connect(httpd_t)
|
|
+ passenger_manage_tmp_files(httpd_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ tunable_policy(`httpd_run_stickshift', `
|
|
+ oddjob_dbus_chat(httpd_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
tunable_policy(`httpd_tty_comm',`
|
|
- userdom_use_user_terminals(httpd_helper_t)
|
|
-',`
|
|
- userdom_dontaudit_use_user_terminals(httpd_helper_t)
|
|
+ userdom_use_inherited_user_terminals(httpd_helper_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Suexec local policy
|
|
+# Apache PHP script local policy
|
|
+#
|
|
+
|
|
+allow httpd_php_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
+allow httpd_php_t self:fd use;
|
|
+allow httpd_php_t self:fifo_file rw_fifo_file_perms;
|
|
+allow httpd_php_t self:sock_file read_sock_file_perms;
|
|
+allow httpd_php_t self:unix_dgram_socket create_socket_perms;
|
|
+allow httpd_php_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow httpd_php_t self:unix_dgram_socket sendto;
|
|
+allow httpd_php_t self:unix_stream_socket connectto;
|
|
+allow httpd_php_t self:shm create_shm_perms;
|
|
+allow httpd_php_t self:sem create_sem_perms;
|
|
+allow httpd_php_t self:msgq create_msgq_perms;
|
|
+allow httpd_php_t self:msg { send receive };
|
|
+
|
|
+domtrans_pattern(httpd_t, httpd_php_exec_t, httpd_php_t)
|
|
+
|
|
+# allow php to read and append to apache logfiles
|
|
+allow httpd_php_t httpd_log_t:file { read_file_perms append_file_perms };
|
|
+
|
|
+manage_dirs_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
|
|
+manage_files_pattern(httpd_php_t, httpd_php_tmp_t, httpd_php_tmp_t)
|
|
+files_tmp_filetrans(httpd_php_t, httpd_php_tmp_t, { file dir })
|
|
+
|
|
+fs_search_auto_mountpoints(httpd_php_t)
|
|
+
|
|
+auth_use_nsswitch(httpd_php_t)
|
|
+
|
|
+libs_exec_lib_files(httpd_php_t)
|
|
+
|
|
+userdom_use_unpriv_users_fds(httpd_php_t)
|
|
+
|
|
+tunable_policy(`httpd_can_network_connect_db',`
|
|
+ corenet_tcp_connect_gds_db_port(httpd_php_t)
|
|
+ corenet_tcp_connect_mssql_port(httpd_php_t)
|
|
+ corenet_sendrecv_mssql_client_packets(httpd_php_t)
|
|
+ corenet_tcp_connect_oracle_port(httpd_php_t)
|
|
+ corenet_sendrecv_oracle_client_packets(httpd_php_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mysql_stream_connect(httpd_php_t)
|
|
+ mysql_rw_db_sockets(httpd_php_t)
|
|
+ mysql_read_config(httpd_php_t)
|
|
+
|
|
+ tunable_policy(`httpd_can_network_connect_db',`
|
|
+ mysql_tcp_connect(httpd_php_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ postgresql_stream_connect(httpd_php_t)
|
|
+ postgresql_unpriv_client(httpd_php_t)
|
|
+
|
|
+ tunable_policy(`httpd_can_network_connect_db',`
|
|
+ postgresql_tcp_connect(httpd_php_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Apache suexec local policy
|
|
#
|
|
|
|
allow httpd_suexec_t self:capability { setuid setgid };
|
|
allow httpd_suexec_t self:process signal_perms;
|
|
allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
|
|
-allow httpd_suexec_t self:tcp_socket { accept listen };
|
|
-allow httpd_suexec_t self:unix_stream_socket { accept listen };
|
|
+allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
|
|
|
|
create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
|
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
|
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
|
-read_lnk_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
|
+
|
|
+allow httpd_suexec_t httpd_t:fifo_file read_fifo_file_perms;
|
|
|
|
manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
|
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
|
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
|
|
|
+can_exec(httpd_suexec_t, httpd_sys_script_exec_t)
|
|
+
|
|
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
|
|
+read_files_pattern(httpd_suexec_t, httpd_user_rw_content_t, httpd_user_rw_content_t)
|
|
+read_files_pattern(httpd_suexec_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
|
+
|
|
kernel_read_kernel_sysctls(httpd_suexec_t)
|
|
kernel_list_proc(httpd_suexec_t)
|
|
kernel_read_proc_symlinks(httpd_suexec_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(httpd_suexec_t)
|
|
-corenet_all_recvfrom_netlabel(httpd_suexec_t)
|
|
-corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
|
|
-corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
|
|
-
|
|
-corecmd_exec_bin(httpd_suexec_t)
|
|
-corecmd_exec_shell(httpd_suexec_t)
|
|
-
|
|
dev_read_urand(httpd_suexec_t)
|
|
|
|
fs_read_iso9660_files(httpd_suexec_t)
|
|
fs_search_auto_mountpoints(httpd_suexec_t)
|
|
|
|
-files_read_usr_files(httpd_suexec_t)
|
|
+application_exec_all(httpd_suexec_t)
|
|
+
|
|
+# for shell scripts
|
|
+corecmd_exec_bin(httpd_suexec_t)
|
|
+corecmd_exec_shell(httpd_suexec_t)
|
|
+
|
|
files_dontaudit_search_pids(httpd_suexec_t)
|
|
files_search_home(httpd_suexec_t)
|
|
|
|
@@ -950,123 +1243,74 @@ auth_use_nsswitch(httpd_suexec_t)
|
|
logging_search_logs(httpd_suexec_t)
|
|
logging_send_syslog_msg(httpd_suexec_t)
|
|
|
|
-miscfiles_read_localization(httpd_suexec_t)
|
|
miscfiles_read_public_files(httpd_suexec_t)
|
|
|
|
-tunable_policy(`httpd_builtin_scripting',`
|
|
- exec_files_pattern(httpd_suexec_t, httpd_script_exec_type, httpd_script_exec_type)
|
|
-
|
|
- allow httpd_suexec_t httpdcontent:dir list_dir_perms;
|
|
- allow httpd_suexec_t httpdcontent:file read_file_perms;
|
|
- allow httpd_suexec_t httpdcontent:lnk_file read_lnk_file_perms;
|
|
-')
|
|
+corenet_all_recvfrom_netlabel(httpd_suexec_t)
|
|
|
|
tunable_policy(`httpd_can_network_connect',`
|
|
+ allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
|
|
+ allow httpd_suexec_t self:udp_socket create_socket_perms;
|
|
+
|
|
+ corenet_tcp_sendrecv_generic_if(httpd_suexec_t)
|
|
+ corenet_udp_sendrecv_generic_if(httpd_suexec_t)
|
|
+ corenet_tcp_sendrecv_generic_node(httpd_suexec_t)
|
|
+ corenet_udp_sendrecv_generic_node(httpd_suexec_t)
|
|
+ corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
|
|
+ corenet_udp_sendrecv_all_ports(httpd_suexec_t)
|
|
corenet_tcp_connect_all_ports(httpd_suexec_t)
|
|
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
|
- corenet_tcp_sendrecv_all_ports(httpd_suexec_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
- corenet_sendrecv_gds_db_client_packets(httpd_suexec_t)
|
|
corenet_tcp_connect_gds_db_port(httpd_suexec_t)
|
|
- corenet_tcp_sendrecv_gds_db_port(httpd_suexec_t)
|
|
- corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
|
|
corenet_tcp_connect_mssql_port(httpd_suexec_t)
|
|
- corenet_tcp_sendrecv_mssql_port(httpd_suexec_t)
|
|
- corenet_sendrecv_oracledb_client_packets(httpd_suexec_t)
|
|
- corenet_tcp_connect_oracledb_port(httpd_suexec_t)
|
|
- corenet_tcp_sendrecv_oracledb_port(httpd_suexec_t)
|
|
+ corenet_sendrecv_mssql_client_packets(httpd_suexec_t)
|
|
+ corenet_tcp_connect_oracle_port(httpd_suexec_t)
|
|
+ corenet_sendrecv_oracle_client_packets(httpd_suexec_t)
|
|
')
|
|
|
|
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
|
|
+
|
|
tunable_policy(`httpd_can_sendmail',`
|
|
- corenet_sendrecv_smtp_client_packets(httpd_suexec_t)
|
|
- corenet_tcp_connect_smtp_port(httpd_suexec_t)
|
|
- corenet_tcp_sendrecv_smtp_port(httpd_suexec_t)
|
|
- corenet_sendrecv_pop_client_packets(httpd_suexec_t)
|
|
- corenet_tcp_connect_pop_port(httpd_suexec_t)
|
|
- corenet_tcp_sendrecv_pop_port(httpd_suexec_t)
|
|
mta_send_mail(httpd_suexec_t)
|
|
- mta_signal_system_mail(httpd_suexec_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
+ allow httpd_sys_script_t httpdcontent:file entrypoint;
|
|
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
|
- fs_list_auto_mountpoints(httpd_suexec_t)
|
|
- fs_read_cifs_files(httpd_suexec_t)
|
|
- fs_read_cifs_symlinks(httpd_suexec_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
|
|
- fs_exec_cifs_files(httpd_suexec_t)
|
|
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
|
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
|
+ manage_sock_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
|
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
|
- fs_list_auto_mountpoints(httpd_suexec_t)
|
|
+ fs_list_auto_mountpoints(httpd_suexec_t)
|
|
fs_read_nfs_files(httpd_suexec_t)
|
|
fs_read_nfs_symlinks(httpd_suexec_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
|
|
fs_exec_nfs_files(httpd_suexec_t)
|
|
')
|
|
|
|
-tunable_policy(`httpd_execmem',`
|
|
- allow httpd_suexec_t self:process { execmem execstack };
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_tmp_exec',`
|
|
- can_exec(httpd_suexec_t, httpd_suexec_tmp_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_tty_comm',`
|
|
- userdom_use_user_terminals(httpd_suexec_t)
|
|
-',`
|
|
- userdom_dontaudit_use_user_terminals(httpd_suexec_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_use_cifs',`
|
|
- fs_list_auto_mountpoints(httpd_suexec_t)
|
|
- fs_manage_cifs_dirs(httpd_suexec_t)
|
|
- fs_manage_cifs_files(httpd_suexec_t)
|
|
- fs_manage_cifs_symlinks(httpd_suexec_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
|
|
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
|
+ fs_read_cifs_files(httpd_suexec_t)
|
|
+ fs_read_cifs_symlinks(httpd_suexec_t)
|
|
fs_exec_cifs_files(httpd_suexec_t)
|
|
')
|
|
|
|
-tunable_policy(`httpd_use_fusefs',`
|
|
- fs_list_auto_mountpoints(httpd_suexec_t)
|
|
- fs_manage_fusefs_dirs(httpd_suexec_t)
|
|
- fs_manage_fusefs_files(httpd_suexec_t)
|
|
- fs_read_fusefs_symlinks(httpd_suexec_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
|
|
- fs_exec_fusefs_files(httpd_suexec_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_use_nfs',`
|
|
- fs_list_auto_mountpoints(httpd_suexec_t)
|
|
- fs_manage_nfs_dirs(httpd_suexec_t)
|
|
- fs_manage_nfs_files(httpd_suexec_t)
|
|
- fs_manage_nfs_symlinks(httpd_suexec_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
|
|
- fs_exec_nfs_files(httpd_suexec_t)
|
|
+optional_policy(`
|
|
+ mailman_domtrans_cgi(httpd_suexec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- mailman_domtrans_cgi(httpd_suexec_t)
|
|
+ mta_stub(httpd_suexec_t)
|
|
+
|
|
+ # apache should set close-on-exec
|
|
+ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_stream_connect(httpd_suexec_t)
|
|
+ mysql_rw_db_sockets(httpd_suexec_t)
|
|
mysql_read_config(httpd_suexec_t)
|
|
|
|
tunable_policy(`httpd_can_network_connect_db',`
|
|
@@ -1083,172 +1327,106 @@ optional_policy(`
|
|
')
|
|
')
|
|
|
|
-tunable_policy(`httpd_read_user_content',`
|
|
- userdom_read_user_home_content_files(httpd_suexec_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_enable_homedirs',`
|
|
- userdom_search_user_home_dirs(httpd_suexec_t)
|
|
-')
|
|
-
|
|
########################################
|
|
#
|
|
-# Common script local policy
|
|
+# Apache system script local policy
|
|
#
|
|
|
|
-allow httpd_script_domains self:fifo_file rw_file_perms;
|
|
-allow httpd_script_domains self:unix_stream_socket connectto;
|
|
-
|
|
-allow httpd_script_domains httpd_sys_content_t:dir search_dir_perms;
|
|
+allow httpd_sys_script_t self:process getsched;
|
|
|
|
-append_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
|
|
-read_lnk_files_pattern(httpd_script_domains, httpd_log_t, httpd_log_t)
|
|
-
|
|
-kernel_dontaudit_search_sysctl(httpd_script_domains)
|
|
-kernel_dontaudit_search_kernel_sysctl(httpd_script_domains)
|
|
-
|
|
-corenet_all_recvfrom_unlabeled(httpd_script_domains)
|
|
-corenet_all_recvfrom_netlabel(httpd_script_domains)
|
|
-corenet_tcp_sendrecv_generic_if(httpd_script_domains)
|
|
-corenet_tcp_sendrecv_generic_node(httpd_script_domains)
|
|
+allow httpd_sys_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
|
|
+allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
|
|
|
-corecmd_exec_all_executables(httpd_script_domains)
|
|
+dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
|
|
|
-dev_read_rand(httpd_script_domains)
|
|
-dev_read_urand(httpd_script_domains)
|
|
+allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
|
|
|
|
-files_exec_etc_files(httpd_script_domains)
|
|
-files_read_etc_files(httpd_script_domains)
|
|
-files_search_home(httpd_script_domains)
|
|
+allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
|
+read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
|
+read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
|
|
|
-libs_exec_ld_so(httpd_script_domains)
|
|
-libs_exec_lib_files(httpd_script_domains)
|
|
+kernel_read_kernel_sysctls(httpd_sys_script_t)
|
|
|
|
-logging_search_logs(httpd_script_domains)
|
|
+dev_list_sysfs(httpd_sys_script_t)
|
|
|
|
-miscfiles_read_fonts(httpd_script_domains)
|
|
-miscfiles_read_public_files(httpd_script_domains)
|
|
+files_read_var_symlinks(httpd_sys_script_t)
|
|
+files_search_var_lib(httpd_sys_script_t)
|
|
+files_search_spool(httpd_sys_script_t)
|
|
|
|
-seutil_dontaudit_search_config(httpd_script_domains)
|
|
+logging_inherit_append_all_logs(httpd_sys_script_t)
|
|
|
|
-tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
- allow httpd_script_domains httpdcontent:file entrypoint;
|
|
+# Should we add a boolean?
|
|
+apache_domtrans_rotatelogs(httpd_sys_script_t)
|
|
|
|
- manage_dirs_pattern(httpd_script_domains, httpdcontent, httpdcontent)
|
|
- manage_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
|
|
- manage_lnk_files_pattern(httpd_script_domains, httpdcontent, httpdcontent)
|
|
+auth_use_nsswitch(httpd_sys_script_t)
|
|
|
|
- can_exec(httpd_script_domains, httpdcontent)
|
|
+ifdef(`distro_redhat',`
|
|
+ allow httpd_sys_script_t httpd_log_t:file append_file_perms;
|
|
')
|
|
|
|
-tunable_policy(`httpd_enable_cgi',`
|
|
- allow httpd_script_domains self:process { setsched signal_perms };
|
|
- allow httpd_script_domains self:unix_stream_socket create_stream_socket_perms;
|
|
-
|
|
- kernel_read_system_state(httpd_script_domains)
|
|
-
|
|
- fs_getattr_all_fs(httpd_script_domains)
|
|
-
|
|
- files_read_etc_runtime_files(httpd_script_domains)
|
|
- files_read_usr_files(httpd_script_domains)
|
|
-
|
|
- libs_read_lib_files(httpd_script_domains)
|
|
-
|
|
- miscfiles_read_localization(httpd_script_domains)
|
|
+tunable_policy(`httpd_can_sendmail',`
|
|
+ mta_send_mail(httpd_sys_script_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- tunable_policy(`httpd_enable_cgi && allow_ypbind',`
|
|
- nis_use_ypbind_uncond(httpd_script_domains)
|
|
+ tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
|
|
+ spamassassin_domtrans_client(httpd_t)
|
|
')
|
|
')
|
|
|
|
-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
|
|
- corenet_sendrecv_gds_db_client_packets(httpd_script_domains)
|
|
- corenet_tcp_connect_gds_db_port(httpd_script_domains)
|
|
- corenet_tcp_sendrecv_gds_db_port(httpd_script_domains)
|
|
- corenet_sendrecv_mssql_client_packets(httpd_script_domains)
|
|
- corenet_tcp_connect_mssql_port(httpd_script_domains)
|
|
- corenet_tcp_sendrecv_mssql_port(httpd_script_domains)
|
|
- corenet_sendrecv_oracledb_client_packets(httpd_script_domains)
|
|
- corenet_tcp_connect_oracledb_port(httpd_script_domains)
|
|
- corenet_tcp_sendrecv_oracledb_port(httpd_script_domains)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- mysql_read_config(httpd_script_domains)
|
|
- mysql_stream_connect(httpd_script_domains)
|
|
-
|
|
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
|
|
- mysql_tcp_connect(httpd_script_domains)
|
|
- ')
|
|
+tunable_policy(`httpd_can_network_connect_db',`
|
|
+ corenet_tcp_connect_gds_db_port(httpd_sys_script_t)
|
|
+ corenet_tcp_connect_mssql_port(httpd_sys_script_t)
|
|
+ corenet_sendrecv_mssql_client_packets(httpd_sys_script_t)
|
|
+ corenet_tcp_connect_oracle_port(httpd_sys_script_t)
|
|
+ corenet_sendrecv_oracle_client_packets(httpd_sys_script_t)
|
|
')
|
|
|
|
-optional_policy(`
|
|
- postgresql_stream_connect(httpd_script_domains)
|
|
+fs_cifs_entry_type(httpd_sys_script_t)
|
|
+fs_read_iso9660_files(httpd_sys_script_t)
|
|
+fs_nfs_entry_type(httpd_sys_script_t)
|
|
+fs_rw_anon_inodefs_files(httpd_sys_script_t)
|
|
|
|
- tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
|
|
- postgresql_tcp_connect(httpd_script_domains)
|
|
- ')
|
|
-')
|
|
+tunable_policy(`httpd_use_nfs',`
|
|
+ fs_list_auto_mountpoints(httpd_sys_script_t)
|
|
+ fs_manage_nfs_dirs(httpd_sys_script_t)
|
|
+ fs_manage_nfs_files(httpd_sys_script_t)
|
|
+ fs_manage_nfs_symlinks(httpd_sys_script_t)
|
|
+ fs_exec_nfs_files(httpd_sys_script_t)
|
|
|
|
-optional_policy(`
|
|
- nscd_use(httpd_script_domains)
|
|
+ fs_list_auto_mountpoints(httpd_suexec_t)
|
|
+ fs_manage_nfs_dirs(httpd_suexec_t)
|
|
+ fs_manage_nfs_files(httpd_suexec_t)
|
|
+ fs_manage_nfs_symlinks(httpd_suexec_t)
|
|
+ fs_exec_nfs_files(httpd_suexec_t)
|
|
')
|
|
|
|
-########################################
|
|
-#
|
|
-# System script local policy
|
|
-#
|
|
-
|
|
-allow httpd_sys_script_t self:tcp_socket { accept listen };
|
|
-
|
|
-allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
|
-
|
|
-dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
|
-
|
|
-allow httpd_sys_script_t httpd_squirrelmail_t:file { append_file_perms read_file_perms };
|
|
-
|
|
-allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
|
-allow httpd_sys_script_t squirrelmail_spool_t:file read_file_perms;
|
|
-allow httpd_sys_script_t squirrelmail_spool_t:lnk_file read_lnk_file_perms;
|
|
-
|
|
-kernel_read_kernel_sysctls(httpd_sys_script_t)
|
|
-
|
|
-fs_search_auto_mountpoints(httpd_sys_script_t)
|
|
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
|
|
|
|
-files_read_var_symlinks(httpd_sys_script_t)
|
|
-files_search_var_lib(httpd_sys_script_t)
|
|
-files_search_spool(httpd_sys_script_t)
|
|
-
|
|
-apache_domtrans_rotatelogs(httpd_sys_script_t)
|
|
-
|
|
-auth_use_nsswitch(httpd_sys_script_t)
|
|
-
|
|
-tunable_policy(`httpd_can_sendmail',`
|
|
- corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
|
|
- corenet_tcp_connect_smtp_port(httpd_sys_script_t)
|
|
- corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t)
|
|
- corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
|
|
- corenet_tcp_connect_pop_port(httpd_sys_script_t)
|
|
- corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
|
|
-
|
|
- mta_send_mail(httpd_sys_script_t)
|
|
- mta_signal_system_mail(httpd_sys_script_t)
|
|
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
|
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
|
|
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
|
|
+
|
|
+ corenet_tcp_bind_generic_node(httpd_sys_script_t)
|
|
+ corenet_udp_bind_generic_node(httpd_sys_script_t)
|
|
+ corenet_tcp_sendrecv_generic_if(httpd_sys_script_t)
|
|
+ corenet_udp_sendrecv_generic_if(httpd_sys_script_t)
|
|
+ corenet_tcp_sendrecv_generic_node(httpd_sys_script_t)
|
|
+ corenet_udp_sendrecv_generic_node(httpd_sys_script_t)
|
|
+ corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
|
|
+ corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
|
|
+ corenet_tcp_connect_all_ports(httpd_sys_script_t)
|
|
+ corenet_sendrecv_all_client_packets(httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_enable_homedirs',`
|
|
userdom_search_user_home_dirs(httpd_sys_script_t)
|
|
')
|
|
|
|
-tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
|
- corenet_tcp_connect_all_ports(httpd_sys_script_t)
|
|
- corenet_sendrecv_all_client_packets(httpd_sys_script_t)
|
|
- corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_execmem',`
|
|
- allow httpd_sys_script_t self:process { execmem execstack };
|
|
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
|
+ fs_list_auto_mountpoints(httpd_sys_script_t)
|
|
+ fs_read_nfs_files(httpd_sys_script_t)
|
|
+ fs_read_nfs_symlinks(httpd_sys_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_read_user_content',`
|
|
@@ -1256,64 +1434,74 @@ tunable_policy(`httpd_read_user_content',`
|
|
')
|
|
|
|
tunable_policy(`httpd_use_cifs',`
|
|
- fs_list_auto_mountpoints(httpd_sys_script_t)
|
|
fs_manage_cifs_dirs(httpd_sys_script_t)
|
|
fs_manage_cifs_files(httpd_sys_script_t)
|
|
fs_manage_cifs_symlinks(httpd_sys_script_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_use_cifs && httpd_builtin_scripting',`
|
|
- fs_exec_cifs_files(httpd_sys_script_t)
|
|
+ fs_manage_cifs_dirs(httpd_suexec_t)
|
|
+ fs_manage_cifs_files(httpd_suexec_t)
|
|
+ fs_manage_cifs_symlinks(httpd_suexec_t)
|
|
+ fs_exec_cifs_files(httpd_suexec_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_use_fusefs',`
|
|
- fs_list_auto_mountpoints(httpd_sys_script_t)
|
|
fs_manage_fusefs_dirs(httpd_sys_script_t)
|
|
fs_manage_fusefs_files(httpd_sys_script_t)
|
|
- fs_read_fusefs_symlinks(httpd_sys_script_t)
|
|
+ fs_manage_fusefs_symlinks(httpd_sys_script_t)
|
|
+ fs_manage_fusefs_dirs(httpd_suexec_t)
|
|
+ fs_manage_fusefs_files(httpd_suexec_t)
|
|
+ fs_manage_fusefs_symlinks(httpd_suexec_t)
|
|
+ fs_exec_fusefs_files(httpd_suexec_t)
|
|
')
|
|
|
|
-tunable_policy(`httpd_use_fusefs && httpd_builtin_scripting',`
|
|
- fs_exec_fusefs_files(httpd_sys_script_t)
|
|
+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
|
+ fs_read_cifs_files(httpd_sys_script_t)
|
|
+ fs_read_cifs_symlinks(httpd_sys_script_t)
|
|
')
|
|
|
|
-tunable_policy(`httpd_use_nfs',`
|
|
- fs_list_auto_mountpoints(httpd_sys_script_t)
|
|
- fs_manage_nfs_dirs(httpd_sys_script_t)
|
|
- fs_manage_nfs_files(httpd_sys_script_t)
|
|
- fs_manage_nfs_symlinks(httpd_sys_script_t)
|
|
+optional_policy(`
|
|
+ clamav_domtrans_clamscan(httpd_sys_script_t)
|
|
+ clamav_domtrans_clamscan(httpd_t)
|
|
')
|
|
|
|
-tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
|
|
- fs_exec_nfs_files(httpd_sys_script_t)
|
|
+optional_policy(`
|
|
+ mysql_stream_connect(httpd_sys_script_t)
|
|
+ mysql_rw_db_sockets(httpd_sys_script_t)
|
|
+ mysql_read_config(httpd_sys_script_t)
|
|
+
|
|
+ tunable_policy(`httpd_can_network_connect_db',`
|
|
+ mysql_tcp_connect(httpd_sys_script_t)
|
|
+ ')
|
|
')
|
|
|
|
optional_policy(`
|
|
- clamav_domtrans_clamscan(httpd_sys_script_t)
|
|
+ postgresql_stream_connect(httpd_sys_script_t)
|
|
+ postgresql_unpriv_client(httpd_sys_script_t)
|
|
+
|
|
+ tunable_policy(`httpd_can_network_connect_db',`
|
|
+ postgresql_tcp_connect(httpd_sys_script_t)
|
|
+ ')
|
|
')
|
|
|
|
optional_policy(`
|
|
- postgresql_unpriv_client(httpd_sys_script_t)
|
|
+ snmp_read_snmp_var_lib_files(httpd_sys_script_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Rotatelogs local policy
|
|
+# httpd_rotatelogs local policy
|
|
#
|
|
|
|
allow httpd_rotatelogs_t self:capability dac_override;
|
|
|
|
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
|
-read_lnk_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
|
|
|
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
|
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
|
|
+kernel_dontaudit_read_proc_symlinks(httpd_rotatelogs_t)
|
|
|
|
-files_read_etc_files(httpd_rotatelogs_t)
|
|
|
|
logging_search_logs(httpd_rotatelogs_t)
|
|
|
|
-miscfiles_read_localization(httpd_rotatelogs_t)
|
|
|
|
########################################
|
|
#
|
|
@@ -1321,8 +1509,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
|
|
#
|
|
|
|
optional_policy(`
|
|
- apache_content_template(unconfined)
|
|
+ type httpd_unconfined_script_t;
|
|
+ type httpd_unconfined_script_exec_t;
|
|
+ domain_type(httpd_unconfined_script_t)
|
|
+ domain_entry_file(httpd_unconfined_script_t, httpd_unconfined_script_exec_t)
|
|
+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
|
|
unconfined_domain(httpd_unconfined_script_t)
|
|
+
|
|
+ role system_r types httpd_unconfined_script_t;
|
|
+ allow httpd_t httpd_unconfined_script_t:process signal_perms;
|
|
')
|
|
|
|
########################################
|
|
@@ -1330,49 +1525,38 @@ optional_policy(`
|
|
# User content local policy
|
|
#
|
|
|
|
-tunable_policy(`httpd_enable_homedirs',`
|
|
- userdom_search_user_home_dirs(httpd_user_script_t)
|
|
-')
|
|
+auth_use_nsswitch(httpd_user_script_t)
|
|
|
|
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
|
- fs_list_auto_mountpoints(httpd_user_script_t)
|
|
- fs_read_cifs_files(httpd_user_script_t)
|
|
- fs_read_cifs_symlinks(httpd_user_script_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
|
|
- fs_exec_cifs_files(httpd_user_script_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
|
- fs_list_auto_mountpoints(httpd_user_script_t)
|
|
- fs_read_nfs_files(httpd_user_script_t)
|
|
- fs_read_nfs_symlinks(httpd_user_script_t)
|
|
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
|
+ allow httpd_user_script_t httpdcontent:file entrypoint;
|
|
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
|
|
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t, httpd_user_content_t)
|
|
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
|
+ manage_files_pattern(httpd_user_script_t, httpd_user_ra_content_t, httpd_user_ra_content_t)
|
|
')
|
|
|
|
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
|
|
- fs_exec_nfs_files(httpd_user_script_t)
|
|
+# allow accessing files/dirs below the users home dir
|
|
+tunable_policy(`httpd_enable_homedirs',`
|
|
+ userdom_search_user_home_content(httpd_t)
|
|
+ userdom_search_user_home_content(httpd_suexec_t)
|
|
+ userdom_search_user_home_content(httpd_user_script_t)
|
|
')
|
|
|
|
tunable_policy(`httpd_read_user_content',`
|
|
+ userdom_read_user_home_content_files(httpd_t)
|
|
+ userdom_read_user_home_content_files(httpd_suexec_t)
|
|
userdom_read_user_home_content_files(httpd_user_script_t)
|
|
')
|
|
|
|
-optional_policy(`
|
|
- postgresql_unpriv_client(httpd_user_script_t)
|
|
-')
|
|
-
|
|
########################################
|
|
#
|
|
-# Passwd local policy
|
|
+# httpd_passwd local policy
|
|
#
|
|
|
|
allow httpd_passwd_t self:fifo_file manage_fifo_file_perms;
|
|
allow httpd_passwd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow httpd_passwd_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
-dontaudit httpd_passwd_t httpd_config_t:file read_file_perms;
|
|
-
|
|
kernel_read_system_state(httpd_passwd_t)
|
|
|
|
corecmd_exec_bin(httpd_passwd_t)
|
|
@@ -1382,38 +1566,99 @@ dev_read_urand(httpd_passwd_t)
|
|
|
|
domain_use_interactive_fds(httpd_passwd_t)
|
|
|
|
+
|
|
auth_use_nsswitch(httpd_passwd_t)
|
|
|
|
-miscfiles_read_generic_certs(httpd_passwd_t)
|
|
-miscfiles_read_localization(httpd_passwd_t)
|
|
+miscfiles_read_certs(httpd_passwd_t)
|
|
|
|
-########################################
|
|
-#
|
|
-# GPG local policy
|
|
-#
|
|
+systemd_manage_passwd_run(httpd_passwd_t)
|
|
+systemd_manage_passwd_run(httpd_t)
|
|
+#systemd_passwd_agent_dev_template(httpd)
|
|
|
|
-allow httpd_gpg_t self:process setrlimit;
|
|
+domtrans_pattern(httpd_t, httpd_passwd_exec_t, httpd_passwd_t)
|
|
+dontaudit httpd_passwd_t httpd_config_t:file read;
|
|
+
|
|
+search_dirs_pattern(httpd_script_type, httpd_sys_content_t, httpd_script_exec_type)
|
|
+corecmd_shell_entry_type(httpd_script_type)
|
|
+
|
|
+allow httpd_script_type self:fifo_file rw_file_perms;
|
|
+allow httpd_script_type self:unix_stream_socket connectto;
|
|
+
|
|
+allow httpd_script_type httpd_t:fifo_file write;
|
|
+# apache should set close-on-exec
|
|
+apache_dontaudit_leaks(httpd_script_type)
|
|
+
|
|
+append_files_pattern(httpd_script_type, httpd_log_t, httpd_log_t)
|
|
+logging_search_logs(httpd_script_type)
|
|
+
|
|
+kernel_dontaudit_search_sysctl(httpd_script_type)
|
|
+kernel_dontaudit_search_kernel_sysctl(httpd_script_type)
|
|
+
|
|
+dev_read_rand(httpd_script_type)
|
|
+dev_read_urand(httpd_script_type)
|
|
+
|
|
+corecmd_exec_all_executables(httpd_script_type)
|
|
+application_exec_all(httpd_script_type)
|
|
+
|
|
+files_exec_etc_files(httpd_script_type)
|
|
+files_search_home(httpd_script_type)
|
|
+
|
|
+libs_exec_ld_so(httpd_script_type)
|
|
+libs_exec_lib_files(httpd_script_type)
|
|
+
|
|
+miscfiles_read_fonts(httpd_script_type)
|
|
+miscfiles_read_public_files(httpd_script_type)
|
|
+
|
|
+allow httpd_t httpd_script_type:unix_stream_socket connectto;
|
|
|
|
-allow httpd_gpg_t httpd_t:fd use;
|
|
-allow httpd_gpg_t httpd_t:fifo_file rw_fifo_file_perms;
|
|
-allow httpd_gpg_t httpd_t:process sigchld;
|
|
+allow httpd_t httpd_script_exec_type:file read_file_perms;
|
|
+allow httpd_t httpd_script_exec_type:lnk_file read_lnk_file_perms;
|
|
+allow httpd_t httpd_script_type:process { signal sigkill sigstop };
|
|
+allow httpd_t httpd_script_exec_type:dir list_dir_perms;
|
|
|
|
-dev_read_rand(httpd_gpg_t)
|
|
-dev_read_urand(httpd_gpg_t)
|
|
+allow httpd_script_type self:process { setsched signal_perms };
|
|
+allow httpd_script_type self:unix_stream_socket create_stream_socket_perms;
|
|
+allow httpd_script_type self:unix_dgram_socket create_socket_perms;
|
|
|
|
-files_read_usr_files(httpd_gpg_t)
|
|
+allow httpd_script_type httpd_t:fd use;
|
|
+allow httpd_script_type httpd_t:process sigchld;
|
|
|
|
-miscfiles_read_localization(httpd_gpg_t)
|
|
+dontaudit httpd_script_type httpd_t:tcp_socket { read write };
|
|
|
|
-tunable_policy(`httpd_gpg_anon_write',`
|
|
- miscfiles_manage_public_files(httpd_gpg_t)
|
|
+fs_getattr_xattr_fs(httpd_script_type)
|
|
+
|
|
+files_read_etc_runtime_files(httpd_script_type)
|
|
+
|
|
+libs_read_lib_files(httpd_script_type)
|
|
+
|
|
+allow httpd_script_type httpd_sys_content_t:dir search_dir_perms;
|
|
+
|
|
+tunable_policy(`httpd_enable_cgi && nis_enabled',`
|
|
+ nis_use_ypbind_uncond(httpd_script_type)
|
|
')
|
|
|
|
optional_policy(`
|
|
- apache_manage_sys_rw_content(httpd_gpg_t)
|
|
+ nscd_socket_use(httpd_script_type)
|
|
')
|
|
|
|
-optional_policy(`
|
|
- gpg_entry_type(httpd_gpg_t)
|
|
- gpg_exec(httpd_gpg_t)
|
|
+read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
|
|
+
|
|
+tunable_policy(`httpd_builtin_scripting',`
|
|
+ allow httpd_t httpd_content_type:dir search_dir_perms;
|
|
+ allow httpd_suexec_t httpd_content_type:dir search_dir_perms;
|
|
+
|
|
+ allow httpd_t httpd_content_type:dir list_dir_perms;
|
|
+ read_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
|
|
+ read_lnk_files_pattern(httpd_t, httpd_content_type, httpd_content_type)
|
|
+')
|
|
+
|
|
+tunable_policy(`httpd_use_openstack',`
|
|
+ corenet_tcp_connect_keystone_port(httpd_sys_script_t)
|
|
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
|
|
+ corenet_tcp_connect_glance_port(httpd_sys_script_t)
|
|
+ corenet_tcp_connect_osapi_compute_port(httpd_sys_script_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`httpd_use_openstack',`
|
|
+ corenet_tcp_connect_osapi_compute_port(httpd_t)
|
|
')
|
|
diff --git a/apcupsd.fc b/apcupsd.fc
|
|
index 5ec0e13..1c37fe1 100644
|
|
--- a/apcupsd.fc
|
|
+++ b/apcupsd.fc
|
|
@@ -1,10 +1,13 @@
|
|
/etc/rc\.d/init\.d/apcupsd -- gen_context(system_u:object_r:apcupsd_initrc_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/apcupsd.* -- gen_context(system_u:object_r:apcupsd_unit_file_t,s0)
|
|
+
|
|
/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
|
|
|
|
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
|
|
|
|
/var/lock/subsys/apcupsd -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
|
|
+/var/lock/LCK.. -- gen_context(system_u:object_r:apcupsd_lock_t,s0)
|
|
|
|
/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
|
|
/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
|
|
diff --git a/apcupsd.if b/apcupsd.if
|
|
index f3c0aba..b6afc90 100644
|
|
--- a/apcupsd.if
|
|
+++ b/apcupsd.if
|
|
@@ -125,6 +125,49 @@ interface(`apcupsd_cgi_script_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Execute apcupsd server in the apcupsd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`apcupsd_systemctl',`
|
|
+ gen_require(`
|
|
+ type apcupsd_t;
|
|
+ type apcupsd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 apcupsd_unit_file_t:file read_file_perms;
|
|
+ allow $1 apcupsd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, apcupsd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create configuration files in /var/lock
|
|
+## with a named file type transition.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`apcupsd_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type apcupsd_lock_t;
|
|
+ ')
|
|
+
|
|
+ files_lock_filetrans($1, apcupsd_lock_t, file, "apcupsd")
|
|
+ files_lock_filetrans($1, apcupsd_lock_t, file, "LCK..")
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## All of the rules required to
|
|
## administrate an apcupsd environment.
|
|
## </summary>
|
|
@@ -144,11 +187,16 @@ interface(`apcupsd_admin',`
|
|
gen_require(`
|
|
type apcupsd_t, apcupsd_tmp_t, apcupsd_log_t;
|
|
type apcupsd_var_run_t, apcupsd_initrc_exec_t, apcupsd_lock_t;
|
|
+ type apcupsd_unit_file_t;
|
|
')
|
|
|
|
- allow $1 apcupsd_t:process { ptrace signal_perms };
|
|
+ allow $1 apcupsd_t:process signal_perms;
|
|
ps_process_pattern($1, apcupsd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 apcupsd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
apcupsd_initrc_domtrans($1, apcupsd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 apcupsd_initrc_exec_t system_r;
|
|
@@ -165,4 +213,8 @@ interface(`apcupsd_admin',`
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, apcupsd_var_run_t)
|
|
+
|
|
+ apcupsd_systemctl($1)
|
|
+ admin_pattern($1, apcupsd_unit_file_t)
|
|
+ allow $1 apcupsd_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/apcupsd.te b/apcupsd.te
|
|
index 080bc4d..b4c43c7 100644
|
|
--- a/apcupsd.te
|
|
+++ b/apcupsd.te
|
|
@@ -24,6 +24,9 @@ files_tmp_file(apcupsd_tmp_t)
|
|
type apcupsd_var_run_t;
|
|
files_pid_file(apcupsd_var_run_t)
|
|
|
|
+type apcupsd_unit_file_t;
|
|
+systemd_unit_file(apcupsd_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -38,9 +41,7 @@ allow apcupsd_t self:tcp_socket create_stream_socket_perms;
|
|
allow apcupsd_t apcupsd_lock_t:file manage_file_perms;
|
|
files_lock_filetrans(apcupsd_t, apcupsd_lock_t, file)
|
|
|
|
-append_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
|
|
-create_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
|
|
-setattr_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
|
|
+manage_files_pattern(apcupsd_t, apcupsd_log_t, apcupsd_log_t)
|
|
logging_log_filetrans(apcupsd_t, apcupsd_log_t, file)
|
|
|
|
manage_files_pattern(apcupsd_t, apcupsd_tmp_t, apcupsd_tmp_t)
|
|
@@ -54,7 +55,6 @@ kernel_read_system_state(apcupsd_t)
|
|
corecmd_exec_bin(apcupsd_t)
|
|
corecmd_exec_shell(apcupsd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(apcupsd_t)
|
|
corenet_all_recvfrom_netlabel(apcupsd_t)
|
|
corenet_tcp_sendrecv_generic_if(apcupsd_t)
|
|
corenet_tcp_sendrecv_generic_node(apcupsd_t)
|
|
@@ -67,6 +67,8 @@ corenet_tcp_bind_apcupsd_port(apcupsd_t)
|
|
corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
|
|
corenet_tcp_sendrecv_apcupsd_port(apcupsd_t)
|
|
corenet_tcp_connect_apcupsd_port(apcupsd_t)
|
|
+corenet_udp_bind_apc_port(apcupsd_t)
|
|
+corenet_udp_bind_snmp_port(apcupsd_t)
|
|
|
|
corenet_udp_bind_snmp_port(apcupsd_t)
|
|
corenet_sendrecv_snmp_server_packets(apcupsd_t)
|
|
@@ -74,19 +76,25 @@ corenet_udp_sendrecv_snmp_port(apcupsd_t)
|
|
|
|
dev_rw_generic_usb_dev(apcupsd_t)
|
|
|
|
-files_read_etc_files(apcupsd_t)
|
|
files_manage_etc_runtime_files(apcupsd_t)
|
|
files_etc_filetrans_etc_runtime(apcupsd_t, file, "nologin")
|
|
|
|
term_use_unallocated_ttys(apcupsd_t)
|
|
+term_use_usb_ttys(apcupsd_t)
|
|
|
|
-logging_send_syslog_msg(apcupsd_t)
|
|
+#apcupsd runs shutdown, probably need a shutdown domain
|
|
+init_rw_utmp(apcupsd_t)
|
|
+init_telinit(apcupsd_t)
|
|
|
|
-miscfiles_read_localization(apcupsd_t)
|
|
+auth_use_nsswitch(apcupsd_t)
|
|
+
|
|
+logging_send_syslog_msg(apcupsd_t)
|
|
|
|
sysnet_dns_name_resolve(apcupsd_t)
|
|
|
|
-userdom_use_user_ttys(apcupsd_t)
|
|
+systemd_start_power_services(apcupsd_t)
|
|
+
|
|
+userdom_use_inherited_user_ttys(apcupsd_t)
|
|
|
|
optional_policy(`
|
|
hostname_exec(apcupsd_t)
|
|
@@ -112,7 +120,6 @@ optional_policy(`
|
|
allow httpd_apcupsd_cgi_script_t self:tcp_socket create_stream_socket_perms;
|
|
allow httpd_apcupsd_cgi_script_t self:udp_socket create_socket_perms;
|
|
|
|
- corenet_all_recvfrom_unlabeled(httpd_apcupsd_cgi_script_t)
|
|
corenet_all_recvfrom_netlabel(httpd_apcupsd_cgi_script_t)
|
|
corenet_tcp_sendrecv_generic_if(httpd_apcupsd_cgi_script_t)
|
|
corenet_tcp_sendrecv_generic_node(httpd_apcupsd_cgi_script_t)
|
|
diff --git a/apm.fc b/apm.fc
|
|
index ce27d2f..d20377e 100644
|
|
--- a/apm.fc
|
|
+++ b/apm.fc
|
|
@@ -1,3 +1,4 @@
|
|
+/usr/lib/systemd/system/apmd.* -- gen_context(system_u:object_r:apmd_unit_file_t,s0)
|
|
/etc/rc\.d/init\.d/acpid -- gen_context(system_u:object_r:apmd_initrc_exec_t,s0)
|
|
|
|
/usr/bin/apm -- gen_context(system_u:object_r:apm_exec_t,s0)
|
|
diff --git a/apm.if b/apm.if
|
|
index 1a7a97e..1d29dce 100644
|
|
--- a/apm.if
|
|
+++ b/apm.if
|
|
@@ -141,6 +141,29 @@ interface(`apm_stream_connect',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Execute apmd server in the apmd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`apmd_systemctl',`
|
|
+ gen_require(`
|
|
+ type apmd_t;
|
|
+ type apmd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 apmd_unit_file_t:file read_file_perms;
|
|
+ allow $1 apmd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, apmd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## All of the rules required to
|
|
## administrate an apm environment.
|
|
## </summary>
|
|
@@ -163,9 +186,13 @@ interface(`apm_admin',`
|
|
type apmd_tmp_t;
|
|
')
|
|
|
|
- allow $1 apmd_t:process { ptrace signal_perms };
|
|
+ allow $1 apmd_t:process { signal_perms };
|
|
ps_process_pattern($1, apmd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 apmd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, apmd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 apmd_initrc_exec_t system_r;
|
|
diff --git a/apm.te b/apm.te
|
|
index 7fd431b..7ac00c5 100644
|
|
--- a/apm.te
|
|
+++ b/apm.te
|
|
@@ -35,6 +35,9 @@ files_type(apmd_var_lib_t)
|
|
type apmd_var_run_t;
|
|
files_pid_file(apmd_var_run_t)
|
|
|
|
+type apmd_unit_file_t;
|
|
+systemd_unit_file(apmd_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Client local policy
|
|
@@ -48,7 +51,7 @@ dev_rw_apm_bios(apm_t)
|
|
|
|
fs_getattr_xattr_fs(apm_t)
|
|
|
|
-term_use_all_terms(apm_t)
|
|
+term_use_all_inherited_terms(apm_t)
|
|
|
|
domain_use_interactive_fds(apm_t)
|
|
|
|
@@ -60,7 +63,7 @@ logging_send_syslog_msg(apm_t)
|
|
#
|
|
|
|
allow apmd_t self:capability { sys_admin sys_nice sys_time kill mknod };
|
|
-dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config };
|
|
+dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_tty_config };
|
|
allow apmd_t self:process { signal_perms getsession };
|
|
allow apmd_t self:fifo_file rw_fifo_file_perms;
|
|
allow apmd_t self:netlink_socket create_socket_perms;
|
|
@@ -114,8 +117,7 @@ fs_dontaudit_getattr_all_files(apmd_t)
|
|
fs_dontaudit_getattr_all_symlinks(apmd_t)
|
|
fs_dontaudit_getattr_all_pipes(apmd_t)
|
|
fs_dontaudit_getattr_all_sockets(apmd_t)
|
|
-
|
|
-selinux_search_fs(apmd_t)
|
|
+fs_read_cgroup_files(apmd_t)
|
|
|
|
corecmd_exec_all_executables(apmd_t)
|
|
|
|
@@ -129,6 +131,8 @@ domain_dontaudit_list_all_domains_state(apmd_t)
|
|
auth_use_nsswitch(apmd_t)
|
|
|
|
init_domtrans_script(apmd_t)
|
|
+init_read_utmp(apmd_t)
|
|
+init_telinit(apmd_t)
|
|
|
|
libs_exec_ld_so(apmd_t)
|
|
libs_exec_lib_files(apmd_t)
|
|
@@ -136,17 +140,16 @@ libs_exec_lib_files(apmd_t)
|
|
logging_send_audit_msgs(apmd_t)
|
|
logging_send_syslog_msg(apmd_t)
|
|
|
|
-miscfiles_read_localization(apmd_t)
|
|
miscfiles_read_hwdata(apmd_t)
|
|
|
|
modutils_domtrans_insmod(apmd_t)
|
|
modutils_read_module_config(apmd_t)
|
|
|
|
-seutil_dontaudit_read_config(apmd_t)
|
|
+seutil_sigchld_newrole(apmd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(apmd_t)
|
|
userdom_dontaudit_search_user_home_dirs(apmd_t)
|
|
-userdom_dontaudit_search_user_home_content(apmd_t)
|
|
+userdom_dontaudit_search_user_home_content(apmd_t) # Excessive?
|
|
|
|
optional_policy(`
|
|
automount_domtrans(apmd_t)
|
|
@@ -206,11 +209,15 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- seutil_sigchld_newrole(apmd_t)
|
|
+ shutdown_domtrans(apmd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- shutdown_domtrans(apmd_t)
|
|
+ sssd_search_lib(apmd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ systemd_dbus_chat_logind(apmd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
diff --git a/apt.if b/apt.if
|
|
index cde81d2..2fe0201 100644
|
|
--- a/apt.if
|
|
+++ b/apt.if
|
|
@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
|
|
|
|
files_search_var($1)
|
|
allow $1 apt_var_cache_t:dir list_dir_perms;
|
|
- dontaudit $1 apt_var_cache_t:dir write_dir_perms;
|
|
+ dontaudit $1 apt_var_cache_t:dir rw_dir_perms;
|
|
allow $1 apt_var_cache_t:file read_file_perms;
|
|
')
|
|
|
|
diff --git a/apt.te b/apt.te
|
|
index efa8530..f928b63 100644
|
|
--- a/apt.te
|
|
+++ b/apt.te
|
|
@@ -85,7 +85,6 @@ kernel_read_kernel_sysctls(apt_t)
|
|
corecmd_exec_bin(apt_t)
|
|
corecmd_exec_shell(apt_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(apt_t)
|
|
corenet_all_recvfrom_netlabel(apt_t)
|
|
corenet_tcp_sendrecv_generic_if(apt_t)
|
|
corenet_tcp_sendrecv_generic_node(apt_t)
|
|
@@ -101,27 +100,24 @@ domain_getattr_all_domains(apt_t)
|
|
domain_use_interactive_fds(apt_t)
|
|
|
|
files_exec_usr_files(apt_t)
|
|
-files_read_etc_files(apt_t)
|
|
files_read_etc_runtime_files(apt_t)
|
|
|
|
fs_getattr_all_fs(apt_t)
|
|
|
|
term_create_pty(apt_t, apt_devpts_t)
|
|
term_list_ptys(apt_t)
|
|
-term_use_all_terms(apt_t)
|
|
+term_use_all_inherited_terms(apt_t)
|
|
|
|
libs_exec_ld_so(apt_t)
|
|
libs_exec_lib_files(apt_t)
|
|
|
|
logging_send_syslog_msg(apt_t)
|
|
|
|
-miscfiles_read_localization(apt_t)
|
|
-
|
|
seutil_use_newrole_fds(apt_t)
|
|
|
|
sysnet_read_config(apt_t)
|
|
|
|
-userdom_use_user_terminals(apt_t)
|
|
+userdom_use_inherited_user_terminals(apt_t)
|
|
|
|
optional_policy(`
|
|
backup_manage_store_files(apt_t)
|
|
diff --git a/arpwatch.fc b/arpwatch.fc
|
|
index 9ca0d0f..9a1a61f 100644
|
|
--- a/arpwatch.fc
|
|
+++ b/arpwatch.fc
|
|
@@ -1,5 +1,7 @@
|
|
/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/arpwatch.* -- gen_context(system_u:object_r:arpwatch_unit_file_t,s0)
|
|
+
|
|
/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
|
|
|
|
/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
|
|
diff --git a/arpwatch.if b/arpwatch.if
|
|
index 50c9b9c..51c8cc0 100644
|
|
--- a/arpwatch.if
|
|
+++ b/arpwatch.if
|
|
@@ -119,6 +119,29 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Execute arpwatch server in the arpwatch domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`arpwatch_systemctl',`
|
|
+ gen_require(`
|
|
+ type arpwatch_t;
|
|
+ type arpwatch_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 arpwatch_unit_file_t:file read_file_perms;
|
|
+ allow $1 arpwatch_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, arpwatch_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## All of the rules required to
|
|
## administrate an arpwatch environment.
|
|
## </summary>
|
|
@@ -138,11 +161,16 @@ interface(`arpwatch_admin',`
|
|
gen_require(`
|
|
type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
|
|
type arpwatch_data_t, arpwatch_var_run_t;
|
|
+ type arpwatch_unit_file_t;
|
|
')
|
|
|
|
- allow $1 arpwatch_t:process { ptrace signal_perms };
|
|
+ allow $1 arpwatch_t:process signal_perms;
|
|
ps_process_pattern($1, arpwatch_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 arpwatch_t:process ptrace;
|
|
+ ')
|
|
+
|
|
arpwatch_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 arpwatch_initrc_exec_t system_r;
|
|
@@ -156,4 +184,8 @@ interface(`arpwatch_admin',`
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, arpwatch_var_run_t)
|
|
+
|
|
+ arpwatch_systemctl($1)
|
|
+ admin_pattern($1, arpwatch_unit_file_t)
|
|
+ allow $1 arpwatch_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/arpwatch.te b/arpwatch.te
|
|
index 2d7bf34..2927585 100644
|
|
--- a/arpwatch.te
|
|
+++ b/arpwatch.te
|
|
@@ -21,6 +21,9 @@ files_tmp_file(arpwatch_tmp_t)
|
|
type arpwatch_var_run_t;
|
|
files_pid_file(arpwatch_var_run_t)
|
|
|
|
+type arpwatch_unit_file_t;
|
|
+systemd_unit_file(arpwatch_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -33,6 +36,7 @@ allow arpwatch_t self:unix_stream_socket { accept listen };
|
|
allow arpwatch_t self:tcp_socket { accept listen };
|
|
allow arpwatch_t self:packet_socket create_socket_perms;
|
|
allow arpwatch_t self:socket create_socket_perms;
|
|
+allow arpwatch_t self:netlink_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
|
|
manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
|
|
@@ -45,11 +49,23 @@ files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
|
|
manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
|
|
files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
|
|
|
|
-kernel_read_kernel_sysctls(arpwatch_t)
|
|
kernel_read_network_state(arpwatch_t)
|
|
+# meminfo
|
|
kernel_read_system_state(arpwatch_t)
|
|
+kernel_read_kernel_sysctls(arpwatch_t)
|
|
+kernel_read_proc_symlinks(arpwatch_t)
|
|
kernel_request_load_module(arpwatch_t)
|
|
|
|
+corenet_all_recvfrom_netlabel(arpwatch_t)
|
|
+corenet_tcp_sendrecv_generic_if(arpwatch_t)
|
|
+corenet_udp_sendrecv_generic_if(arpwatch_t)
|
|
+corenet_raw_sendrecv_generic_if(arpwatch_t)
|
|
+corenet_tcp_sendrecv_generic_node(arpwatch_t)
|
|
+corenet_udp_sendrecv_generic_node(arpwatch_t)
|
|
+corenet_raw_sendrecv_generic_node(arpwatch_t)
|
|
+corenet_tcp_sendrecv_all_ports(arpwatch_t)
|
|
+corenet_udp_sendrecv_all_ports(arpwatch_t)
|
|
+
|
|
dev_read_sysfs(arpwatch_t)
|
|
dev_read_usbmon_dev(arpwatch_t)
|
|
dev_rw_generic_usb_dev(arpwatch_t)
|
|
@@ -59,15 +75,12 @@ fs_search_auto_mountpoints(arpwatch_t)
|
|
|
|
domain_use_interactive_fds(arpwatch_t)
|
|
|
|
-files_read_usr_files(arpwatch_t)
|
|
files_search_var_lib(arpwatch_t)
|
|
|
|
auth_use_nsswitch(arpwatch_t)
|
|
|
|
logging_send_syslog_msg(arpwatch_t)
|
|
|
|
-miscfiles_read_localization(arpwatch_t)
|
|
-
|
|
userdom_dontaudit_search_user_home_dirs(arpwatch_t)
|
|
userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
|
|
|
|
diff --git a/asterisk.if b/asterisk.if
|
|
index 2077053..198a02a 100644
|
|
--- a/asterisk.if
|
|
+++ b/asterisk.if
|
|
@@ -124,9 +124,13 @@ interface(`asterisk_admin',`
|
|
type asterisk_var_lib_t, asterisk_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 asterisk_t:process { ptrace signal_perms };
|
|
+ allow $1 asterisk_t:process signal_perms;
|
|
ps_process_pattern($1, asterisk_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 asterisk_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, asterisk_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 asterisk_initrc_exec_t system_r;
|
|
diff --git a/asterisk.te b/asterisk.te
|
|
index 7e41350..1076937 100644
|
|
--- a/asterisk.te
|
|
+++ b/asterisk.te
|
|
@@ -19,7 +19,7 @@ type asterisk_log_t;
|
|
logging_log_file(asterisk_log_t)
|
|
|
|
type asterisk_spool_t;
|
|
-files_type(asterisk_spool_t)
|
|
+files_spool_file(asterisk_spool_t)
|
|
|
|
type asterisk_tmp_t;
|
|
files_tmp_file(asterisk_tmp_t)
|
|
@@ -73,11 +73,11 @@ fs_tmpfs_filetrans(asterisk_t, asterisk_tmpfs_t, { dir file lnk_file sock_file f
|
|
|
|
manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t)
|
|
|
|
+manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
|
|
manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
|
|
manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
|
|
manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t)
|
|
-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file)
|
|
-
|
|
+files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file sock_file fifo_file })
|
|
can_exec(asterisk_t, asterisk_exec_t)
|
|
|
|
kernel_read_kernel_sysctls(asterisk_t)
|
|
@@ -88,7 +88,6 @@ kernel_request_load_module(asterisk_t)
|
|
corecmd_exec_bin(asterisk_t)
|
|
corecmd_exec_shell(asterisk_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(asterisk_t)
|
|
corenet_all_recvfrom_netlabel(asterisk_t)
|
|
corenet_tcp_sendrecv_generic_if(asterisk_t)
|
|
corenet_udp_sendrecv_generic_if(asterisk_t)
|
|
@@ -136,7 +135,6 @@ dev_read_urand(asterisk_t)
|
|
|
|
domain_use_interactive_fds(asterisk_t)
|
|
|
|
-files_read_usr_files(asterisk_t)
|
|
files_search_spool(asterisk_t)
|
|
files_dontaudit_search_home(asterisk_t)
|
|
|
|
@@ -150,8 +148,6 @@ auth_use_nsswitch(asterisk_t)
|
|
logging_search_logs(asterisk_t)
|
|
logging_send_syslog_msg(asterisk_t)
|
|
|
|
-miscfiles_read_localization(asterisk_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
|
|
userdom_dontaudit_search_user_home_dirs(asterisk_t)
|
|
|
|
diff --git a/authconfig.fc b/authconfig.fc
|
|
new file mode 100644
|
|
index 0000000..4579cfe
|
|
--- /dev/null
|
|
+++ b/authconfig.fc
|
|
@@ -0,0 +1,3 @@
|
|
+/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:authconfig_exec_t,s0)
|
|
+
|
|
+/var/lib/authconfig(/.*)? gen_context(system_u:object_r:authconfig_var_lib_t,s0)
|
|
diff --git a/authconfig.if b/authconfig.if
|
|
new file mode 100644
|
|
index 0000000..316c324
|
|
--- /dev/null
|
|
+++ b/authconfig.if
|
|
@@ -0,0 +1,127 @@
|
|
+
|
|
+## <summary>policy for authconfig</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute TEMPLATE in the authconfig domin.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`authconfig_domtrans',`
|
|
+ gen_require(`
|
|
+ type authconfig_t, authconfig_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, authconfig_exec_t, authconfig_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search authconfig lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`authconfig_search_lib',`
|
|
+ gen_require(`
|
|
+ type authconfig_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 authconfig_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read authconfig lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`authconfig_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type authconfig_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage authconfig lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`authconfig_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type authconfig_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage authconfig lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`authconfig_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type authconfig_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, authconfig_var_lib_t, authconfig_var_lib_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an authconfig environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`authconfig_admin',`
|
|
+ gen_require(`
|
|
+ type authconfig_t;
|
|
+ type authconfig_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 authconfig_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, authconfig_t)
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ admin_pattern($1, authconfig_var_lib_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+')
|
|
diff --git a/authconfig.te b/authconfig.te
|
|
new file mode 100644
|
|
index 0000000..f2aa4e6
|
|
--- /dev/null
|
|
+++ b/authconfig.te
|
|
@@ -0,0 +1,32 @@
|
|
+policy_module(authconfig, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type authconfig_t;
|
|
+type authconfig_exec_t;
|
|
+application_domain(authconfig_t, authconfig_exec_t)
|
|
+role system_r types authconfig_t;
|
|
+
|
|
+type authconfig_var_lib_t;
|
|
+files_type(authconfig_var_lib_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# authconfig local policy
|
|
+#
|
|
+allow authconfig_t self:fifo_file rw_fifo_file_perms;
|
|
+allow authconfig_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
|
|
+manage_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
|
|
+manage_lnk_files_pattern(authconfig_t, authconfig_var_lib_t, authconfig_var_lib_t)
|
|
+files_var_lib_filetrans(authconfig_t, authconfig_var_lib_t, { dir file lnk_file })
|
|
+
|
|
+domain_use_interactive_fds(authconfig_t)
|
|
+
|
|
+init_domtrans_script(authconfig_t)
|
|
+
|
|
+unconfined_domain_noaudit(authconfig_t)
|
|
diff --git a/automount.fc b/automount.fc
|
|
index 92adb37..0a2ffc6 100644
|
|
--- a/automount.fc
|
|
+++ b/automount.fc
|
|
@@ -1,6 +1,8 @@
|
|
/etc/apm/event\.d/autofs -- gen_context(system_u:object_r:automount_exec_t,s0)
|
|
/etc/rc\.d/init\.d/autofs -- gen_context(system_u:object_r:automount_initrc_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/autofs.* -- gen_context(system_u:object_r:automount_unit_file_t,s0)
|
|
+
|
|
/usr/sbin/automount -- gen_context(system_u:object_r:automount_exec_t,s0)
|
|
|
|
/var/lock/subsys/autofs -- gen_context(system_u:object_r:automount_lock_t,s0)
|
|
diff --git a/automount.if b/automount.if
|
|
index f24e369..9bce868 100644
|
|
--- a/automount.if
|
|
+++ b/automount.if
|
|
@@ -29,7 +29,6 @@ interface(`automount_domtrans',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-#
|
|
interface(`automount_signal',`
|
|
gen_require(`
|
|
type automount_t;
|
|
@@ -114,6 +113,25 @@ interface(`automount_dontaudit_write_pipes',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Allow domain to search of automount temporary
|
|
+## directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`automount_search_tmp_dirs',`
|
|
+ gen_require(`
|
|
+ type automount_tmp_t;
|
|
+ ')
|
|
+
|
|
+ search_dirs_pattern($1, automount_tmp_t, automount_tmp_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Do not audit attempts to get
|
|
## attributes of automount temporary
|
|
## directories.
|
|
@@ -134,6 +152,29 @@ interface(`automount_dontaudit_getattr_tmp_dirs',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Execute automount server in the automount domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`automount_systemctl',`
|
|
+ gen_require(`
|
|
+ type automount_t;
|
|
+ type automount_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 automount_unit_file_t:file read_file_perms;
|
|
+ allow $1 automount_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, automount_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## All of the rules required to
|
|
## administrate an automount environment.
|
|
## </summary>
|
|
@@ -153,12 +194,16 @@ interface(`automount_admin',`
|
|
gen_require(`
|
|
type automount_t, automount_lock_t, automount_tmp_t;
|
|
type automount_var_run_t, automount_initrc_exec_t;
|
|
- type automount_keytab_t;
|
|
+ type automount_unit_file_t, automount_keytab_t;
|
|
')
|
|
|
|
- allow $1 automount_t:process { ptrace signal_perms };
|
|
+ allow $1 automount_t:process signal_perms;
|
|
ps_process_pattern($1, automount_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 automount_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, automount_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 automount_initrc_exec_t system_r;
|
|
@@ -175,4 +220,8 @@ interface(`automount_admin',`
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, automount_var_run_t)
|
|
+
|
|
+ automount_systemctl($1)
|
|
+ admin_pattern($1, automount_unit_file_t)
|
|
+ allow $1 automount_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/automount.te b/automount.te
|
|
index 27d2f40..1268d7d 100644
|
|
--- a/automount.te
|
|
+++ b/automount.te
|
|
@@ -22,6 +22,9 @@ type automount_tmp_t;
|
|
files_tmp_file(automount_tmp_t)
|
|
files_mountpoint(automount_tmp_t)
|
|
|
|
+type automount_unit_file_t;
|
|
+systemd_unit_file(automount_unit_file_t)
|
|
+
|
|
type automount_var_run_t;
|
|
files_pid_file(automount_var_run_t)
|
|
|
|
@@ -30,7 +33,8 @@ files_pid_file(automount_var_run_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
|
|
+allow automount_t self:capability { setgid setuid sys_nice sys_resource dac_override sys_admin };
|
|
+allow automount_t self:capability2 block_suspend;
|
|
dontaudit automount_t self:capability sys_tty_config;
|
|
allow automount_t self:process { signal_perms getpgid setpgid setsched setrlimit };
|
|
allow automount_t self:fifo_file rw_fifo_file_perms;
|
|
@@ -67,7 +71,6 @@ kernel_dontaudit_search_xen_state(automount_t)
|
|
corecmd_exec_bin(automount_t)
|
|
corecmd_exec_shell(automount_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(automount_t)
|
|
corenet_all_recvfrom_netlabel(automount_t)
|
|
corenet_tcp_sendrecv_generic_if(automount_t)
|
|
corenet_udp_sendrecv_generic_if(automount_t)
|
|
@@ -101,7 +104,6 @@ files_mount_all_file_type_fs(automount_t)
|
|
files_mounton_all_mountpoints(automount_t)
|
|
files_mounton_mnt(automount_t)
|
|
files_read_etc_runtime_files(automount_t)
|
|
-files_read_usr_files(automount_t)
|
|
files_search_boot(automount_t)
|
|
files_search_all(automount_t)
|
|
files_unmount_all_file_type_fs(automount_t)
|
|
@@ -135,15 +137,18 @@ auth_use_nsswitch(automount_t)
|
|
logging_send_syslog_msg(automount_t)
|
|
logging_search_logs(automount_t)
|
|
|
|
-miscfiles_read_localization(automount_t)
|
|
miscfiles_read_generic_certs(automount_t)
|
|
|
|
-mount_domtrans(automount_t)
|
|
-mount_signal(automount_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(automount_t)
|
|
|
|
optional_policy(`
|
|
+ # Run mount in the mount_t domain.
|
|
+ mount_domtrans(automount_t)
|
|
+ mount_domtrans_showmount(automount_t)
|
|
+ mount_signal(automount_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
fstools_domtrans(automount_t)
|
|
')
|
|
|
|
@@ -166,3 +171,8 @@ optional_policy(`
|
|
optional_policy(`
|
|
udev_read_db(automount_t)
|
|
')
|
|
+
|
|
+tunable_policy(`mount_anyfile',`
|
|
+ files_mounton_non_security(automount_t)
|
|
+')
|
|
+
|
|
diff --git a/avahi.fc b/avahi.fc
|
|
index e9fe2ca..4c2d076 100644
|
|
--- a/avahi.fc
|
|
+++ b/avahi.fc
|
|
@@ -1,5 +1,7 @@
|
|
/etc/rc\.d/init\.d/avahi.* -- gen_context(system_u:object_r:avahi_initrc_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/avahi.* -- gen_context(system_u:object_r:avahi_unit_file_t,s0)
|
|
+
|
|
/usr/sbin/avahi-daemon -- gen_context(system_u:object_r:avahi_exec_t,s0)
|
|
/usr/sbin/avahi-dnsconfd -- gen_context(system_u:object_r:avahi_exec_t,s0)
|
|
/usr/sbin/avahi-autoipd -- gen_context(system_u:object_r:avahi_exec_t,s0)
|
|
diff --git a/avahi.if b/avahi.if
|
|
index 9078c3d..bca0ac9 100644
|
|
--- a/avahi.if
|
|
+++ b/avahi.if
|
|
@@ -211,6 +211,29 @@ interface(`avahi_dontaudit_search_pid',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Execute avahi server in the avahi domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`avahi_systemctl',`
|
|
+ gen_require(`
|
|
+ type avahi_t;
|
|
+ type avahi_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 avahi_unit_file_t:file read_file_perms;
|
|
+ allow $1 avahi_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, avahi_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Create specified objects in generic
|
|
## pid directories with the avahi pid file type.
|
|
## </summary>
|
|
@@ -258,12 +281,17 @@ interface(`avahi_filetrans_pid',`
|
|
interface(`avahi_admin',`
|
|
gen_require(`
|
|
type avahi_t, avahi_var_run_t, avahi_initrc_exec_t;
|
|
+ type avahi_unit_file_t;
|
|
type avahi_var_lib_t;
|
|
')
|
|
|
|
- allow $1 avahi_t:process { ptrace signal_perms };
|
|
+ allow $1 avahi_t:process signal_perms;
|
|
ps_process_pattern($1, avahi_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 avahi_t:process ptrace;
|
|
+ ')
|
|
+
|
|
avahi_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 avahi_initrc_exec_t system_r;
|
|
@@ -274,4 +302,8 @@ interface(`avahi_admin',`
|
|
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, avahi_var_lib_t)
|
|
+
|
|
+ avahi_systemctl($1)
|
|
+ admin_pattern($1, avahi_unit_file_t)
|
|
+ allow $1 avahi_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/avahi.te b/avahi.te
|
|
index b8355b3..844e45b 100644
|
|
--- a/avahi.te
|
|
+++ b/avahi.te
|
|
@@ -17,6 +17,10 @@ files_pid_file(avahi_var_lib_t)
|
|
|
|
type avahi_var_run_t;
|
|
files_pid_file(avahi_var_run_t)
|
|
+init_sock_file(avahi_var_run_t)
|
|
+
|
|
+type avahi_unit_file_t;
|
|
+systemd_unit_file(avahi_unit_file_t)
|
|
|
|
########################################
|
|
#
|
|
@@ -49,7 +53,6 @@ kernel_request_load_module(avahi_t)
|
|
corecmd_exec_bin(avahi_t)
|
|
corecmd_exec_shell(avahi_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(avahi_t)
|
|
corenet_all_recvfrom_netlabel(avahi_t)
|
|
corenet_tcp_sendrecv_generic_if(avahi_t)
|
|
corenet_udp_sendrecv_generic_if(avahi_t)
|
|
@@ -72,9 +75,9 @@ fs_search_auto_mountpoints(avahi_t)
|
|
fs_list_inotifyfs(avahi_t)
|
|
|
|
domain_use_interactive_fds(avahi_t)
|
|
+domain_dontaudit_signull_all_domains(avahi_t)
|
|
|
|
files_read_etc_runtime_files(avahi_t)
|
|
-files_read_usr_files(avahi_t)
|
|
|
|
auth_use_nsswitch(avahi_t)
|
|
|
|
@@ -83,13 +86,14 @@ init_signull_script(avahi_t)
|
|
|
|
logging_send_syslog_msg(avahi_t)
|
|
|
|
-miscfiles_read_localization(avahi_t)
|
|
miscfiles_read_generic_certs(avahi_t)
|
|
|
|
sysnet_domtrans_ifconfig(avahi_t)
|
|
sysnet_manage_config(avahi_t)
|
|
sysnet_etc_filetrans_config(avahi_t)
|
|
|
|
+systemd_login_signull(avahi_t)
|
|
+
|
|
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
|
|
userdom_dontaudit_search_user_home_dirs(avahi_t)
|
|
|
|
diff --git a/awstats.te b/awstats.te
|
|
index c1b16c3..c222135 100644
|
|
--- a/awstats.te
|
|
+++ b/awstats.te
|
|
@@ -52,8 +52,6 @@ corecmd_exec_shell(awstats_t)
|
|
dev_read_urand(awstats_t)
|
|
|
|
files_dontaudit_search_all_mountpoints(awstats_t)
|
|
-files_read_etc_files(awstats_t)
|
|
-files_read_usr_files(awstats_t)
|
|
|
|
fs_list_inotifyfs(awstats_t)
|
|
|
|
@@ -61,8 +59,6 @@ libs_read_lib_files(awstats_t)
|
|
|
|
logging_read_generic_logs(awstats_t)
|
|
|
|
-miscfiles_read_localization(awstats_t)
|
|
-
|
|
sysnet_dns_name_resolve(awstats_t)
|
|
|
|
tunable_policy(`awstats_purge_apache_log_files',`
|
|
@@ -90,9 +86,13 @@ optional_policy(`
|
|
# CGI local policy
|
|
#
|
|
|
|
+apache_read_log(httpd_awstats_script_t)
|
|
+
|
|
+manage_dirs_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
|
|
+manage_files_pattern(httpd_awstats_script_t, awstats_tmp_t, awstats_tmp_t)
|
|
+files_tmp_filetrans(httpd_awstats_script_t, awstats_tmp_t, { dir file })
|
|
+
|
|
allow httpd_awstats_script_t awstats_var_lib_t:dir list_dir_perms;
|
|
|
|
read_files_pattern(httpd_awstats_script_t, awstats_var_lib_t, awstats_var_lib_t)
|
|
files_search_var_lib(httpd_awstats_script_t)
|
|
-
|
|
-apache_read_log(httpd_awstats_script_t)
|
|
diff --git a/backup.te b/backup.te
|
|
index 7811450..d8a8bd6 100644
|
|
--- a/backup.te
|
|
+++ b/backup.te
|
|
@@ -38,7 +38,6 @@ kernel_read_kernel_sysctls(backup_t)
|
|
corecmd_exec_bin(backup_t)
|
|
corecmd_exec_shell(backup_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(backup_t)
|
|
corenet_all_recvfrom_netlabel(backup_t)
|
|
corenet_tcp_sendrecv_generic_if(backup_t)
|
|
corenet_tcp_sendrecv_generic_node(backup_t)
|
|
@@ -67,7 +66,7 @@ logging_send_syslog_msg(backup_t)
|
|
|
|
sysnet_read_config(backup_t)
|
|
|
|
-userdom_use_user_terminals(backup_t)
|
|
+userdom_use_inherited_user_terminals(backup_t)
|
|
|
|
optional_policy(`
|
|
cron_system_entry(backup_t, backup_exec_t)
|
|
diff --git a/bacula.te b/bacula.te
|
|
index f16b000..ed47057 100644
|
|
--- a/bacula.te
|
|
+++ b/bacula.te
|
|
@@ -148,9 +148,7 @@ corenet_tcp_connect_hplip_port(bacula_admin_t)
|
|
|
|
domain_use_interactive_fds(bacula_admin_t)
|
|
|
|
-files_read_etc_files(bacula_admin_t)
|
|
|
|
-miscfiles_read_localization(bacula_admin_t)
|
|
|
|
sysnet_dns_name_resolve(bacula_admin_t)
|
|
|
|
diff --git a/bcfg2.fc b/bcfg2.fc
|
|
index fb42e35..8af0e14 100644
|
|
--- a/bcfg2.fc
|
|
+++ b/bcfg2.fc
|
|
@@ -1,5 +1,7 @@
|
|
/etc/rc\.d/init\.d/bcfg2-server -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/bcfg2-server.* -- gen_context(system_u:object_r:bcfg2_unit_file_t,s0)
|
|
+
|
|
/usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
|
|
|
|
/var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
|
|
diff --git a/bcfg2.if b/bcfg2.if
|
|
index ec95d36..7132e1e 100644
|
|
--- a/bcfg2.if
|
|
+++ b/bcfg2.if
|
|
@@ -117,6 +117,31 @@ interface(`bcfg2_manage_lib_dirs',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Execute bcfg2 server in the bcfg2 domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`bcfg2_systemctl',`
|
|
+ gen_require(`
|
|
+ type bcfg2_t;
|
|
+ type bcfg2_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ allow $1 bcfg2_unit_file_t:file read_file_perms;
|
|
+ allow $1 bcfg2_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, bcfg2_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## All of the rules required to
|
|
## administrate an bcfg2 environment.
|
|
## </summary>
|
|
@@ -136,11 +161,16 @@ interface(`bcfg2_admin',`
|
|
gen_require(`
|
|
type bcfg2_t, bcfg2_initrc_exec_t, bcfg2_var_lib_t;
|
|
type bcfg2_var_run_t;
|
|
+ type bcfg2_unit_file_t;
|
|
')
|
|
|
|
- allow $1 bcfg2_t:process { ptrace signal_perms };
|
|
+ allow $1 bcfg2_t:process { signal_perms };
|
|
ps_process_pattern($1, bcfg2_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 bcfg2_t:process ptrace;
|
|
+ ')
|
|
+
|
|
bcfg2_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 bcfg2_initrc_exec_t system_r;
|
|
@@ -151,4 +181,13 @@ interface(`bcfg2_admin',`
|
|
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, bcfg2_var_lib_t)
|
|
+
|
|
+ bcfg2_systemctl($1)
|
|
+ admin_pattern($1, bcfg2_unit_file_t)
|
|
+ allow $1 bcfg2_unit_file_t:service all_service_perms;
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
')
|
|
diff --git a/bcfg2.te b/bcfg2.te
|
|
index c3fd7b1..e189593 100644
|
|
--- a/bcfg2.te
|
|
+++ b/bcfg2.te
|
|
@@ -15,6 +15,9 @@ init_script_file(bcfg2_initrc_exec_t)
|
|
type bcfg2_var_lib_t;
|
|
files_type(bcfg2_var_lib_t)
|
|
|
|
+type bcfg2_unit_file_t;
|
|
+systemd_unit_file(bcfg2_unit_file_t)
|
|
+
|
|
type bcfg2_var_run_t;
|
|
files_pid_file(bcfg2_var_run_t)
|
|
|
|
@@ -52,10 +55,7 @@ dev_read_urand(bcfg2_t)
|
|
|
|
domain_use_interactive_fds(bcfg2_t)
|
|
|
|
-files_read_usr_files(bcfg2_t)
|
|
|
|
auth_use_nsswitch(bcfg2_t)
|
|
|
|
logging_send_syslog_msg(bcfg2_t)
|
|
-
|
|
-miscfiles_read_localization(bcfg2_t)
|
|
diff --git a/bind.fc b/bind.fc
|
|
index 2b9a3a1..1742ebf 100644
|
|
--- a/bind.fc
|
|
+++ b/bind.fc
|
|
@@ -1,54 +1,71 @@
|
|
-/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
|
-/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
|
|
|
|
-/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
|
|
-/etc/bind/named\.conf.* -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
-/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
|
-/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
|
-/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
-/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
-/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
-/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
-/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
-/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
|
-/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
|
|
-/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
|
+/etc/rndc.* -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
+/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
|
+/etc/unbound(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
|
|
+/etc/unbound/.*\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
|
+/etc/dnssec-trigger/dnssec_trigger_server\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/unbound.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/named.* -- gen_context(system_u:object_r:named_unit_file_t,s0)
|
|
|
|
/usr/sbin/lwresd -- gen_context(system_u:object_r:named_exec_t,s0)
|
|
-/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
|
|
-/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
|
|
-/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
|
|
+/usr/sbin/named -- gen_context(system_u:object_r:named_exec_t,s0)
|
|
+/usr/sbin/named-checkconf -- gen_context(system_u:object_r:named_checkconf_exec_t,s0)
|
|
+/usr/sbin/r?ndc -- gen_context(system_u:object_r:ndc_exec_t,s0)
|
|
/usr/sbin/unbound -- gen_context(system_u:object_r:named_exec_t,s0)
|
|
+/usr/sbin/unbound-anchor -- gen_context(system_u:object_r:named_exec_t,s0)
|
|
+/usr/sbin/unbound-checkconf -- gen_context(system_u:object_r:named_exec_t,s0)
|
|
|
|
-/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
|
-/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
|
|
+/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
|
|
|
|
-/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
|
+/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
|
|
+/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
|
|
+/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
|
|
+/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
|
|
|
|
-/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
|
|
+ifdef(`distro_debian',`
|
|
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
|
|
+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
+/etc/bind/named\.conf\.local -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
+/etc/bind/named\.conf\.options -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
|
+/var/cache/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
|
+')
|
|
+
|
|
+ifdef(`distro_gentoo',`
|
|
+/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
|
|
+/etc/bind/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
+/etc/bind/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
|
+/var/bind(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
|
+/var/bind/pri(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
|
|
+')
|
|
|
|
-/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
|
|
-/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
|
-/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
|
+ifdef(`distro_redhat',`
|
|
+/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
+/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
+/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
+/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
+/var/lib/unbound(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
|
+/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
|
|
+/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
|
+/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
|
/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
-/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
|
|
-/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
|
-/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
-/var/named/chroot/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
-/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
-/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
+/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
|
|
+/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
|
|
+/var/named/chroot/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
+/var/named/chroot/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
+/var/named/chroot/etc/named\.root\.hints -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
+/var/named/chroot/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
/var/named/chroot/proc(/.*)? <<none>>
|
|
-/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
|
|
-/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
|
-/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
|
|
-/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
|
-/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
|
+/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
|
|
+/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
|
+/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
|
|
+/var/named/chroot/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
|
+/var/named/chroot/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
|
/var/named/chroot/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
|
-/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
+/var/named/chroot/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
|
|
/var/named/chroot/var/log/named.* -- gen_context(system_u:object_r:named_log_t,s0)
|
|
-/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
|
-
|
|
-/var/run/ndc -s gen_context(system_u:object_r:named_var_run_t,s0)
|
|
-/var/run/bind(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
|
|
-/var/run/named(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
|
|
-/var/run/unbound(/.*)? gen_context(system_u:object_r:named_var_run_t,s0)
|
|
+/var/named/dynamic(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
|
|
+')
|
|
diff --git a/bind.if b/bind.if
|
|
index 531a8f2..0df9341 100644
|
|
--- a/bind.if
|
|
+++ b/bind.if
|
|
@@ -20,6 +20,29 @@ interface(`bind_initrc_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Execute bind server in the bind domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`bind_systemctl',`
|
|
+ gen_require(`
|
|
+ type named_unit_file_t;
|
|
+ type named_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 named_unit_file_t:file read_file_perms;
|
|
+ allow $1 named_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, named_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Execute ndc in the ndc domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -169,6 +192,7 @@ interface(`bind_read_config',`
|
|
type named_conf_t;
|
|
')
|
|
|
|
+ allow $1 named_conf_t:dir list_dir_perms;
|
|
read_files_pattern($1, named_conf_t, named_conf_t)
|
|
')
|
|
|
|
@@ -212,6 +236,25 @@ interface(`bind_manage_config_dirs',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Create, read, write, and delete
|
|
+## BIND configuration files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`bind_manage_config',`
|
|
+ gen_require(`
|
|
+ type named_conf_t;
|
|
+ ')
|
|
+
|
|
+ manage_files_pattern($1, named_conf_t, named_conf_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Search bind cache directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -310,6 +353,27 @@ interface(`bind_read_zone',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Read BIND zone files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`bind_read_log',`
|
|
+ gen_require(`
|
|
+ type named_zone_t;
|
|
+ type named_log_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ allow $1 named_zone_t:dir search_dir_perms;
|
|
+ read_files_pattern($1, named_log_t, named_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Create, read, write, and delete
|
|
## bind zone files.
|
|
## </summary>
|
|
@@ -364,11 +428,17 @@ interface(`bind_admin',`
|
|
type named_t, named_tmp_t, named_log_t;
|
|
type named_cache_t, named_zone_t, named_initrc_exec_t;
|
|
type dnssec_t, ndc_t, named_conf_t, named_var_run_t;
|
|
- type named_keytab_t;
|
|
+ type named_keytab_t, named_unit_file_t;
|
|
')
|
|
|
|
- allow $1 { named_t ndc_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { named_t ndc_t })
|
|
+ allow $1 named_t:process signal_perms;
|
|
+ ps_process_pattern($1, named_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 named_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ bind_run_ndc($1, $2)
|
|
|
|
init_labeled_script_domtrans($1, named_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
@@ -384,11 +454,15 @@ interface(`bind_admin',`
|
|
files_list_etc($1)
|
|
admin_pattern($1, { named_keytab_t named_conf_t })
|
|
|
|
+ admin_pattern($1, named_keytab_t)
|
|
+
|
|
files_list_var($1)
|
|
admin_pattern($1, { dnssec_t named_cache_t named_zone_t })
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, named_var_run_t)
|
|
|
|
- bind_run_ndc($1, $2)
|
|
+ admin_pattern($1, named_unit_file_t)
|
|
+ bind_systemctl($1)
|
|
+ allow $1 named_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/bind.te b/bind.te
|
|
index 1241123..ad2dccc 100644
|
|
--- a/bind.te
|
|
+++ b/bind.te
|
|
@@ -34,7 +34,7 @@ type named_checkconf_exec_t;
|
|
init_system_domain(named_t, named_checkconf_exec_t)
|
|
|
|
type named_conf_t;
|
|
-files_type(named_conf_t)
|
|
+files_config_file(named_conf_t)
|
|
files_mountpoint(named_conf_t)
|
|
|
|
# for secondary zone files
|
|
@@ -44,6 +44,9 @@ files_type(named_cache_t)
|
|
type named_initrc_exec_t;
|
|
init_script_file(named_initrc_exec_t)
|
|
|
|
+type named_unit_file_t;
|
|
+systemd_unit_file(named_unit_file_t)
|
|
+
|
|
type named_keytab_t;
|
|
files_type(named_keytab_t)
|
|
|
|
@@ -71,8 +74,9 @@ role ndc_roles types ndc_t;
|
|
# Local policy
|
|
#
|
|
|
|
-allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
|
|
+allow named_t self:capability { chown dac_override fowner net_admin setgid setuid sys_chroot sys_nice sys_resource };
|
|
dontaudit named_t self:capability sys_tty_config;
|
|
+allow named_t self:capability2 block_suspend;
|
|
allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
|
|
allow named_t self:fifo_file rw_fifo_file_perms;
|
|
allow named_t self:unix_stream_socket { accept listen };
|
|
@@ -89,9 +93,7 @@ manage_lnk_files_pattern(named_t, named_cache_t, named_cache_t)
|
|
|
|
allow named_t named_keytab_t:file read_file_perms;
|
|
|
|
-append_files_pattern(named_t, named_log_t, named_log_t)
|
|
-create_files_pattern(named_t, named_log_t, named_log_t)
|
|
-setattr_files_pattern(named_t, named_log_t, named_log_t)
|
|
+manage_files_pattern(named_t, named_log_t, named_log_t)
|
|
logging_log_filetrans(named_t, named_log_t, file)
|
|
|
|
manage_dirs_pattern(named_t, named_tmp_t, named_tmp_t)
|
|
@@ -115,7 +117,6 @@ kernel_read_network_state(named_t)
|
|
|
|
corecmd_search_bin(named_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(named_t)
|
|
corenet_all_recvfrom_netlabel(named_t)
|
|
corenet_tcp_sendrecv_generic_if(named_t)
|
|
corenet_udp_sendrecv_generic_if(named_t)
|
|
@@ -144,6 +145,7 @@ corenet_tcp_sendrecv_all_ports(named_t)
|
|
dev_read_sysfs(named_t)
|
|
dev_read_rand(named_t)
|
|
dev_read_urand(named_t)
|
|
+dev_dontaudit_write_urand(named_t)
|
|
|
|
domain_use_interactive_fds(named_t)
|
|
|
|
@@ -175,6 +177,15 @@ tunable_policy(`named_write_master_zones',`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ # needed by FreeIPA with DNS support
|
|
+ dirsrv_stream_connect(named_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ cron_system_entry(named_t, named_exec_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
dbus_system_domain(named_t, named_exec_t)
|
|
|
|
init_dbus_chat_script(named_t)
|
|
@@ -215,7 +226,8 @@ optional_policy(`
|
|
#
|
|
|
|
allow ndc_t self:capability { dac_override net_admin };
|
|
-allow ndc_t self:process signal_perms;
|
|
+allow ndc_t self:capability2 block_suspend;
|
|
+allow ndc_t self:process { fork signal_perms };
|
|
allow ndc_t self:fifo_file rw_fifo_file_perms;
|
|
allow ndc_t self:unix_stream_socket { accept listen };
|
|
|
|
@@ -229,10 +241,9 @@ allow ndc_t named_conf_t:lnk_file read_lnk_file_perms;
|
|
|
|
allow ndc_t named_zone_t:dir search_dir_perms;
|
|
|
|
-kernel_read_kernel_sysctls(ndc_t)
|
|
kernel_read_system_state(ndc_t)
|
|
+kernel_read_kernel_sysctls(ndc_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(ndc_t)
|
|
corenet_all_recvfrom_netlabel(ndc_t)
|
|
corenet_tcp_sendrecv_generic_if(ndc_t)
|
|
corenet_tcp_sendrecv_generic_node(ndc_t)
|
|
@@ -257,7 +268,7 @@ init_use_script_ptys(ndc_t)
|
|
|
|
logging_send_syslog_msg(ndc_t)
|
|
|
|
-miscfiles_read_localization(ndc_t)
|
|
+userdom_use_inherited_user_terminals(ndc_t)
|
|
|
|
userdom_use_user_terminals(ndc_t)
|
|
|
|
diff --git a/bird.te b/bird.te
|
|
index 1d60c27..f8bb700 100644
|
|
--- a/bird.te
|
|
+++ b/bird.te
|
|
@@ -51,7 +51,6 @@ corenet_tcp_connect_bgp_port(bird_t)
|
|
corenet_tcp_sendrecv_bgp_port(bird_t)
|
|
|
|
# /etc/iproute2/rt_realms
|
|
-files_read_etc_files(bird_t)
|
|
|
|
logging_send_syslog_msg(bird_t)
|
|
|
|
diff --git a/bitlbee.if b/bitlbee.if
|
|
index e73fb79..2badfc0 100644
|
|
--- a/bitlbee.if
|
|
+++ b/bitlbee.if
|
|
@@ -44,9 +44,13 @@ interface(`bitlbee_admin',`
|
|
type bitlbee_log_t, bitlbee_tmp_t;
|
|
')
|
|
|
|
- allow $1 bitlbee_t:process { ptrace signal_perms };
|
|
+ allow $1 bitlbee_t:process signal_perms;
|
|
ps_process_pattern($1, bitlbee_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 bitlbee_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, bitlbee_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 bitlbee_initrc_exec_t system_r;
|
|
diff --git a/bitlbee.te b/bitlbee.te
|
|
index f5c1a48..49eff68 100644
|
|
--- a/bitlbee.te
|
|
+++ b/bitlbee.te
|
|
@@ -35,9 +35,12 @@ files_pid_file(bitlbee_var_run_t)
|
|
|
|
allow bitlbee_t self:capability { dac_override kill setgid setuid sys_nice };
|
|
allow bitlbee_t self:process { setsched signal };
|
|
+
|
|
allow bitlbee_t self:fifo_file rw_fifo_file_perms;
|
|
-allow bitlbee_t self:tcp_socket { accept listen };
|
|
-allow bitlbee_t self:unix_stream_socket { accept listen };
|
|
+allow bitlbee_t self:udp_socket create_socket_perms;
|
|
+allow bitlbee_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
|
|
+allow bitlbee_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow bitlbee_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
allow bitlbee_t bitlbee_conf_t:dir list_dir_perms;
|
|
allow bitlbee_t bitlbee_conf_t:file read_file_perms;
|
|
@@ -45,6 +48,7 @@ allow bitlbee_t bitlbee_conf_t:file read_file_perms;
|
|
manage_dirs_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
|
|
append_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
|
|
create_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
|
|
+read_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
|
|
setattr_files_pattern(bitlbee_t, bitlbee_log_t, bitlbee_log_t)
|
|
|
|
manage_files_pattern(bitlbee_t, bitlbee_tmp_t, bitlbee_tmp_t)
|
|
@@ -59,8 +63,8 @@ manage_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
|
|
manage_sock_files_pattern(bitlbee_t, bitlbee_var_run_t, bitlbee_var_run_t)
|
|
files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file })
|
|
|
|
-kernel_read_kernel_sysctls(bitlbee_t)
|
|
kernel_read_system_state(bitlbee_t)
|
|
+kernel_read_kernel_sysctls(bitlbee_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(bitlbee_t)
|
|
corenet_all_recvfrom_netlabel(bitlbee_t)
|
|
@@ -109,16 +113,12 @@ corenet_tcp_sendrecv_interwise_port(bitlbee_t)
|
|
dev_read_rand(bitlbee_t)
|
|
dev_read_urand(bitlbee_t)
|
|
|
|
-files_read_usr_files(bitlbee_t)
|
|
-
|
|
libs_legacy_use_shared_libs(bitlbee_t)
|
|
|
|
auth_use_nsswitch(bitlbee_t)
|
|
|
|
logging_send_syslog_msg(bitlbee_t)
|
|
|
|
-miscfiles_read_localization(bitlbee_t)
|
|
-
|
|
optional_policy(`
|
|
tcpd_wrapped_domain(bitlbee_t, bitlbee_exec_t)
|
|
')
|
|
diff --git a/blueman.fc b/blueman.fc
|
|
index c295d2e..4f84e9c 100644
|
|
--- a/blueman.fc
|
|
+++ b/blueman.fc
|
|
@@ -1,3 +1,4 @@
|
|
+
|
|
/usr/libexec/blueman-mechanism -- gen_context(system_u:object_r:blueman_exec_t,s0)
|
|
|
|
/var/lib/blueman(/.*)? gen_context(system_u:object_r:blueman_var_lib_t,s0)
|
|
diff --git a/blueman.if b/blueman.if
|
|
index 16ec525..1dd4059 100644
|
|
--- a/blueman.if
|
|
+++ b/blueman.if
|
|
@@ -38,6 +38,7 @@ interface(`blueman_dbus_chat',`
|
|
|
|
allow $1 blueman_t:dbus send_msg;
|
|
allow blueman_t $1:dbus send_msg;
|
|
+ ps_process_pattern(blueman_t, $1)
|
|
')
|
|
|
|
########################################
|
|
diff --git a/blueman.te b/blueman.te
|
|
index 3a5032e..2097425 100644
|
|
--- a/blueman.te
|
|
+++ b/blueman.te
|
|
@@ -7,7 +7,7 @@ policy_module(blueman, 1.1.0)
|
|
|
|
type blueman_t;
|
|
type blueman_exec_t;
|
|
-dbus_system_domain(blueman_t, blueman_exec_t)
|
|
+init_daemon_domain(blueman_t, blueman_exec_t)
|
|
|
|
type blueman_var_lib_t;
|
|
files_type(blueman_var_lib_t)
|
|
@@ -21,7 +21,8 @@ files_pid_file(blueman_var_run_t)
|
|
#
|
|
|
|
allow blueman_t self:capability { net_admin sys_nice };
|
|
-allow blueman_t self:process { signal_perms setsched };
|
|
+allow blueman_t self:process { execmem signal_perms setsched };
|
|
+
|
|
allow blueman_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
manage_dirs_pattern(blueman_t, blueman_var_lib_t, blueman_var_lib_t)
|
|
@@ -32,7 +33,7 @@ manage_dirs_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
|
|
manage_files_pattern(blueman_t, blueman_var_run_t, blueman_var_run_t)
|
|
files_pid_filetrans(blueman_t, blueman_var_run_t, { dir file })
|
|
|
|
-kernel_read_net_sysctls(blueman_t)
|
|
+kernel_rw_net_sysctls(blueman_t)
|
|
kernel_read_system_state(blueman_t)
|
|
kernel_request_load_module(blueman_t)
|
|
|
|
@@ -41,29 +42,44 @@ corecmd_exec_bin(blueman_t)
|
|
dev_read_rand(blueman_t)
|
|
dev_read_urand(blueman_t)
|
|
dev_rw_wireless(blueman_t)
|
|
+dev_rwx_zero(blueman_t)
|
|
|
|
domain_use_interactive_fds(blueman_t)
|
|
|
|
files_list_tmp(blueman_t)
|
|
-files_read_usr_files(blueman_t)
|
|
|
|
auth_use_nsswitch(blueman_t)
|
|
|
|
logging_send_syslog_msg(blueman_t)
|
|
|
|
-miscfiles_read_localization(blueman_t)
|
|
-
|
|
sysnet_domtrans_ifconfig(blueman_t)
|
|
+sysnet_dns_name_resolve(blueman_t)
|
|
|
|
optional_policy(`
|
|
avahi_domtrans(blueman_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ bluetooth_read_config(blueman_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dbus_system_domain(blueman_t, blueman_exec_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
dnsmasq_domtrans(blueman_t)
|
|
dnsmasq_read_pid_files(blueman_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ gnome_search_gconf(blueman_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
iptables_domtrans(blueman_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ xserver_read_state_xdm(blueman_t)
|
|
+')
|
|
diff --git a/bluetooth.fc b/bluetooth.fc
|
|
index 2b9c7f3..0086b95 100644
|
|
--- a/bluetooth.fc
|
|
+++ b/bluetooth.fc
|
|
@@ -5,10 +5,14 @@
|
|
/etc/rc\.d/init\.d/dund -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
|
|
/etc/rc\.d/init\.d/pand -- gen_context(system_u:object_r:bluetooth_initrc_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/bluetooth.* -- gen_context(system_u:object_r:bluetooth_unit_file_t,s0)
|
|
+
|
|
/usr/bin/blue.*pin -- gen_context(system_u:object_r:bluetooth_helper_exec_t,s0)
|
|
/usr/bin/dund -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
|
/usr/bin/hidd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
|
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
|
+/usr/bin/pand -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
|
+/usr/libexec/bluetooth/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
|
|
|
/usr/sbin/bluetoothd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
|
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
|
diff --git a/bluetooth.if b/bluetooth.if
|
|
index c723a0a..3e8a553 100644
|
|
--- a/bluetooth.if
|
|
+++ b/bluetooth.if
|
|
@@ -37,7 +37,12 @@ interface(`bluetooth_role',`
|
|
domtrans_pattern($2, bluetooth_helper_exec_t, bluetooth_helper_t)
|
|
|
|
ps_process_pattern($2, bluetooth_helper_t)
|
|
- allow $2 bluetooth_helper_t:process { ptrace signal_perms };
|
|
+
|
|
+ allow $2 bluetooth_helper_t:process signal_perms;
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 bluetooth_helper_t:process ptrace;
|
|
+ ')
|
|
|
|
allow $2 bluetooth_t:socket rw_socket_perms;
|
|
|
|
@@ -45,8 +50,10 @@ interface(`bluetooth_role',`
|
|
allow $2 { bluetooth_helper_tmp_t bluetooth_helper_tmpfs_t }:file { manage_file_perms relabel_file_perms };
|
|
allow $2 bluetooth_helper_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
|
|
|
+ manage_dirs_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
|
|
+ manage_files_pattern($2, bluetooth_helper_tmpfs_t, bluetooth_helper_tmpfs_t)
|
|
+ bluetooth_stream_connect($2)
|
|
stream_connect_pattern($2, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
|
|
- files_search_pids($2)
|
|
')
|
|
|
|
#####################################
|
|
@@ -130,6 +137,27 @@ interface(`bluetooth_dbus_chat',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## dontaudit Send and receive messages from
|
|
+## bluetooth over dbus.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`bluetooth_dontaudit_dbus_chat',`
|
|
+ gen_require(`
|
|
+ type bluetooth_t;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 bluetooth_t:dbus send_msg;
|
|
+ dontaudit bluetooth_t $1:dbus send_msg;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Execute bluetooth_helper in the bluetooth_helper domain. (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -190,6 +218,29 @@ interface(`bluetooth_dontaudit_read_helper_state',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Execute bluetooth server in the bluetooth domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`bluetooth_systemctl',`
|
|
+ gen_require(`
|
|
+ type bluetooth_t;
|
|
+ type bluetooth_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 bluetooth_unit_file_t:file read_file_perms;
|
|
+ allow $1 bluetooth_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, bluetooth_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## All of the rules required to
|
|
## administrate an bluetooth environment.
|
|
## </summary>
|
|
@@ -210,12 +261,16 @@ interface(`bluetooth_admin',`
|
|
type bluetooth_t, bluetooth_tmp_t, bluetooth_lock_t;
|
|
type bluetooth_var_lib_t, bluetooth_var_run_t;
|
|
type bluetooth_conf_t, bluetooth_conf_rw_t, bluetooth_var_lib_t;
|
|
- type bluetooth_initrc_exec_t;
|
|
+ type bluetooth_unit_file_t, bluetooth_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 bluetooth_t:process { ptrace signal_perms };
|
|
+ allow $1 bluetooth_t:process signal_perms;
|
|
ps_process_pattern($1, bluetooth_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 bluetooth_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, bluetooth_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 bluetooth_initrc_exec_t system_r;
|
|
@@ -235,4 +290,8 @@ interface(`bluetooth_admin',`
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, bluetooth_var_run_t)
|
|
+
|
|
+ bluetooth_systemctl($1)
|
|
+ admin_pattern($1, bluetooth_unit_file_t)
|
|
+ allow $1 bluetooth_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/bluetooth.te b/bluetooth.te
|
|
index 851769e..055c97c 100644
|
|
--- a/bluetooth.te
|
|
+++ b/bluetooth.te
|
|
@@ -49,6 +49,9 @@ files_type(bluetooth_var_lib_t)
|
|
type bluetooth_var_run_t;
|
|
files_pid_file(bluetooth_var_run_t)
|
|
|
|
+type bluetooth_unit_file_t;
|
|
+systemd_unit_file(bluetooth_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -78,7 +81,8 @@ files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
|
|
|
|
manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
|
|
manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
|
|
-files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file })
|
|
+manage_fifo_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
|
|
+files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file fifo_file })
|
|
|
|
manage_dirs_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
|
|
manage_files_pattern(bluetooth_t, bluetooth_var_lib_t, bluetooth_var_lib_t)
|
|
@@ -90,14 +94,24 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
|
|
|
|
can_exec(bluetooth_t, bluetooth_helper_exec_t)
|
|
|
|
+corecmd_exec_bin(bluetooth_t)
|
|
+corecmd_exec_shell(bluetooth_t)
|
|
+
|
|
kernel_read_kernel_sysctls(bluetooth_t)
|
|
kernel_read_system_state(bluetooth_t)
|
|
kernel_read_network_state(bluetooth_t)
|
|
kernel_request_load_module(bluetooth_t)
|
|
kernel_search_debugfs(bluetooth_t)
|
|
|
|
-corecmd_exec_bin(bluetooth_t)
|
|
-corecmd_exec_shell(bluetooth_t)
|
|
+corenet_all_recvfrom_netlabel(bluetooth_t)
|
|
+corenet_tcp_sendrecv_generic_if(bluetooth_t)
|
|
+corenet_udp_sendrecv_generic_if(bluetooth_t)
|
|
+corenet_raw_sendrecv_generic_if(bluetooth_t)
|
|
+corenet_tcp_sendrecv_generic_node(bluetooth_t)
|
|
+corenet_udp_sendrecv_generic_node(bluetooth_t)
|
|
+corenet_raw_sendrecv_generic_node(bluetooth_t)
|
|
+corenet_tcp_sendrecv_all_ports(bluetooth_t)
|
|
+corenet_udp_sendrecv_all_ports(bluetooth_t)
|
|
|
|
dev_read_sysfs(bluetooth_t)
|
|
dev_rw_usbfs(bluetooth_t)
|
|
@@ -110,7 +124,6 @@ domain_use_interactive_fds(bluetooth_t)
|
|
domain_dontaudit_search_all_domains_state(bluetooth_t)
|
|
|
|
files_read_etc_runtime_files(bluetooth_t)
|
|
-files_read_usr_files(bluetooth_t)
|
|
|
|
fs_getattr_all_fs(bluetooth_t)
|
|
fs_search_auto_mountpoints(bluetooth_t)
|
|
@@ -122,7 +135,6 @@ auth_use_nsswitch(bluetooth_t)
|
|
|
|
logging_send_syslog_msg(bluetooth_t)
|
|
|
|
-miscfiles_read_localization(bluetooth_t)
|
|
miscfiles_read_fonts(bluetooth_t)
|
|
miscfiles_read_hwdata(bluetooth_t)
|
|
|
|
@@ -130,6 +142,10 @@ userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
|
|
userdom_dontaudit_use_user_terminals(bluetooth_t)
|
|
userdom_dontaudit_search_user_home_dirs(bluetooth_t)
|
|
|
|
+# machine-info
|
|
+systemd_hostnamed_read_config(bluetooth_t)
|
|
+systemd_dbus_chat_hostnamed(bluetooth_t)
|
|
+
|
|
optional_policy(`
|
|
dbus_system_bus_client(bluetooth_t)
|
|
dbus_connect_system_bus(bluetooth_t)
|
|
@@ -200,7 +216,6 @@ dev_read_urand(bluetooth_helper_t)
|
|
domain_read_all_domains_state(bluetooth_helper_t)
|
|
|
|
files_read_etc_runtime_files(bluetooth_helper_t)
|
|
-files_read_usr_files(bluetooth_helper_t)
|
|
files_dontaudit_list_default(bluetooth_helper_t)
|
|
|
|
term_dontaudit_use_all_ttys(bluetooth_helper_t)
|
|
diff --git a/boinc.fc b/boinc.fc
|
|
index 6d3ccad..bda740a 100644
|
|
--- a/boinc.fc
|
|
+++ b/boinc.fc
|
|
@@ -1,9 +1,12 @@
|
|
-/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
|
|
|
|
-/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/boinc-client -- gen_context(system_u:object_r:boinc_initrc_exec_t,s0)
|
|
|
|
-/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
|
|
-/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
|
|
-/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
|
|
+/usr/bin/boinc_client -- gen_context(system_u:object_r:boinc_exec_t,s0)
|
|
|
|
-/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
|
|
+/usr/lib/systemd/system/boinc-client\.service -- gen_context(system_u:object_r:boinc_unit_file_t,s0)
|
|
+
|
|
+/var/lib/boinc(/.*)? gen_context(system_u:object_r:boinc_var_lib_t,s0)
|
|
+/var/lib/boinc/projects(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
|
|
+/var/lib/boinc/slots(/.*)? gen_context(system_u:object_r:boinc_project_var_lib_t,s0)
|
|
+
|
|
+/var/log/boinc\.log.* -- gen_context(system_u:object_r:boinc_log_t,s0)
|
|
diff --git a/boinc.if b/boinc.if
|
|
index 02fefaa..fbcef10 100644
|
|
--- a/boinc.if
|
|
+++ b/boinc.if
|
|
@@ -1,9 +1,165 @@
|
|
-## <summary>Platform for computing using volunteered resources.</summary>
|
|
+## <summary>policy for boinc</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an boinc environment.
|
|
+## Execute a domain transition to run boinc.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`boinc_domtrans',`
|
|
+ gen_require(`
|
|
+ type boinc_t, boinc_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, boinc_exec_t, boinc_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute boinc server in the boinc domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`boinc_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type boinc_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, boinc_initrc_exec_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Dontaudit getattr on boinc lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`boinc_dontaudit_getattr_lib',`
|
|
+ gen_require(`
|
|
+ type boinc_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 boinc_var_lib_t:file getattr;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search boinc lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`boinc_search_lib',`
|
|
+ gen_require(`
|
|
+ type boinc_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 boinc_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read boinc lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`boinc_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type boinc_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## boinc lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`boinc_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type boinc_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage boinc var_lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`boinc_manage_var_lib',`
|
|
+ gen_require(`
|
|
+ type boinc_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
|
|
+ manage_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
|
|
+ manage_lnk_files_pattern($1, boinc_var_lib_t, boinc_var_lib_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute boinc server in the boinc domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`boinc_systemctl',`
|
|
+ gen_require(`
|
|
+ type boinc_t;
|
|
+ type boinc_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 boinc_unit_file_t:file read_file_perms;
|
|
+ allow $1 boinc_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, boinc_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an boinc environment.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -19,26 +175,32 @@
|
|
#
|
|
interface(`boinc_admin',`
|
|
gen_require(`
|
|
-
|
|
- type boinc_t, boinc_project_t, boinc_log_t;
|
|
- type boinc_var_lib_t, boinc_tmp_t, boinc_initrc_exec_t;
|
|
- type boinc_project_var_lib_t, boinc_project_tmp_t;
|
|
+ type boinc_t, boinc_initrc_exec_t, boinc_var_lib_t;
|
|
+ type boinc_unit_file_t;
|
|
')
|
|
|
|
- allow $1 { boinc_t boinc_project_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { boinc_t boinc_project_t })
|
|
+ allow $1 boinc_t:process signal_perms;
|
|
+ ps_process_pattern($1, boinc_t)
|
|
|
|
- init_labeled_script_domtrans($1, boinc_initrc_exec_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 boinc_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ boinc_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 boinc_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- logging_search_logs($1)
|
|
- admin_pattern($1, boinc_log_t)
|
|
+ files_list_var_lib($1)
|
|
+ admin_pattern($1, boinc_var_lib_t)
|
|
|
|
- files_search_tmp($1)
|
|
- admin_pattern($1, { boinc_project_tmp_t boinc_tmp_t })
|
|
+ boinc_systemctl($1)
|
|
+ admin_pattern($1, boinc_unit_file_t)
|
|
|
|
- files_search_var_lib($1)
|
|
- admin_pattern($1, { boinc_project_var_lib_t boinc_var_lib_t })
|
|
+ allow $1 boinc_unit_file_t:service all_service_perms;
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
')
|
|
diff --git a/boinc.te b/boinc.te
|
|
index 687d4c4..28c35c1 100644
|
|
--- a/boinc.te
|
|
+++ b/boinc.te
|
|
@@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1)
|
|
## </desc>
|
|
gen_tunable(boinc_execmem, true)
|
|
|
|
-type boinc_t;
|
|
+attribute boinc_domain;
|
|
+
|
|
+type boinc_t, boinc_domain;
|
|
type boinc_exec_t;
|
|
init_daemon_domain(boinc_t, boinc_exec_t)
|
|
|
|
@@ -28,31 +30,69 @@ files_tmpfs_file(boinc_tmpfs_t)
|
|
type boinc_var_lib_t;
|
|
files_type(boinc_var_lib_t)
|
|
|
|
-type boinc_project_var_lib_t;
|
|
-files_type(boinc_project_var_lib_t)
|
|
-
|
|
type boinc_log_t;
|
|
logging_log_file(boinc_log_t)
|
|
|
|
+type boinc_unit_file_t;
|
|
+systemd_unit_file(boinc_unit_file_t)
|
|
+
|
|
type boinc_project_t;
|
|
domain_type(boinc_project_t)
|
|
-domain_entry_file(boinc_project_t, boinc_project_var_lib_t)
|
|
role system_r types boinc_project_t;
|
|
|
|
type boinc_project_tmp_t;
|
|
files_tmp_file(boinc_project_tmp_t)
|
|
|
|
+type boinc_project_var_lib_t;
|
|
+files_type(boinc_project_var_lib_t)
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# boinc domain local policy
|
|
+#
|
|
+
|
|
+allow boinc_domain self:fifo_file rw_fifo_file_perms;
|
|
+allow boinc_domain self:process signal;
|
|
+allow boinc_domain self:sem create_sem_perms;
|
|
+
|
|
+manage_dirs_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
|
|
+manage_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
|
|
+manage_lnk_files_pattern(boinc_domain, boinc_var_lib_t, boinc_var_lib_t)
|
|
+
|
|
+corecmd_exec_bin(boinc_domain)
|
|
+corecmd_exec_shell(boinc_domain)
|
|
+
|
|
+dev_read_rand(boinc_domain)
|
|
+dev_read_urand(boinc_domain)
|
|
+dev_read_sysfs(boinc_domain)
|
|
+dev_rw_xserver_misc(boinc_domain)
|
|
+
|
|
+domain_read_all_domains_state(boinc_domain)
|
|
+
|
|
+files_read_etc_runtime_files(boinc_domain)
|
|
+
|
|
+fs_getattr_all_fs(boinc_domain)
|
|
+
|
|
+miscfiles_read_fonts(boinc_domain)
|
|
+
|
|
+tunable_policy(`boinc_execmem',`
|
|
+ allow boinc_domain self:process { execstack execmem };
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ sysnet_dns_name_resolve(boinc_domain)
|
|
+')
|
|
+
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# boinc local policy
|
|
#
|
|
|
|
allow boinc_t self:process { setsched setpgid signull sigkill };
|
|
-allow boinc_t self:unix_stream_socket { accept listen };
|
|
-allow boinc_t self:tcp_socket { accept listen };
|
|
+
|
|
+allow boinc_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow boinc_t self:tcp_socket create_stream_socket_perms;
|
|
allow boinc_t self:shm create_shm_perms;
|
|
-allow boinc_t self:fifo_file rw_fifo_file_perms;
|
|
-allow boinc_t self:sem create_sem_perms;
|
|
|
|
manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
|
|
manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t)
|
|
@@ -61,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file })
|
|
manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t)
|
|
fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file)
|
|
|
|
-manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
|
|
-manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
|
|
-manage_lnk_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
|
|
-
|
|
-# entry files to the boinc_project_t domain
|
|
-manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
|
-manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
|
+exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t)
|
|
+# this should be created by default by boinc
|
|
+# we need this label for transition to boinc_project_t
|
|
+# other boinc lib files will end up with boinc_var_lib_t
|
|
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "slots")
|
|
filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, dir, "projects")
|
|
|
|
-append_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
|
|
-create_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
|
|
-setattr_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
|
|
-logging_log_filetrans(boinc_t, boinc_log_t, file)
|
|
-
|
|
-can_exec(boinc_t, boinc_var_lib_t)
|
|
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
|
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
|
|
|
-domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
|
|
+manage_files_pattern(boinc_t, boinc_log_t, boinc_log_t)
|
|
+logging_log_filetrans(boinc_t, boinc_log_t, { file })
|
|
|
|
+# needs read /proc/interrupts
|
|
kernel_read_system_state(boinc_t)
|
|
+kernel_read_network_state(boinc_t)
|
|
kernel_search_vm_sysctl(boinc_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(boinc_t)
|
|
+dev_getattr_mouse_dev(boinc_t)
|
|
+
|
|
+files_getattr_all_dirs(boinc_t)
|
|
+files_getattr_all_files(boinc_t)
|
|
+
|
|
corenet_all_recvfrom_netlabel(boinc_t)
|
|
corenet_tcp_sendrecv_generic_if(boinc_t)
|
|
+corenet_udp_sendrecv_generic_if(boinc_t)
|
|
corenet_tcp_sendrecv_generic_node(boinc_t)
|
|
+corenet_udp_sendrecv_generic_node(boinc_t)
|
|
+corenet_tcp_sendrecv_all_ports(boinc_t)
|
|
+corenet_udp_sendrecv_all_ports(boinc_t)
|
|
corenet_tcp_bind_generic_node(boinc_t)
|
|
-
|
|
-corenet_sendrecv_boinc_client_packets(boinc_t)
|
|
-corenet_sendrecv_boinc_server_packets(boinc_t)
|
|
+corenet_udp_bind_generic_node(boinc_t)
|
|
corenet_tcp_bind_boinc_port(boinc_t)
|
|
-corenet_tcp_connect_boinc_port(boinc_t)
|
|
-corenet_tcp_sendrecv_boinc_port(boinc_t)
|
|
-
|
|
-corenet_sendrecv_boinc_client_server_packets(boinc_t)
|
|
corenet_tcp_bind_boinc_client_port(boinc_t)
|
|
-corenet_tcp_sendrecv_boinc_client_port(boinc_t)
|
|
-
|
|
-corenet_sendrecv_http_client_packets(boinc_t)
|
|
+corenet_tcp_connect_boinc_port(boinc_t)
|
|
corenet_tcp_connect_http_port(boinc_t)
|
|
-corenet_tcp_sendrecv_http_port(boinc_t)
|
|
-
|
|
-corenet_sendrecv_http_cache_client_packets(boinc_t)
|
|
corenet_tcp_connect_http_cache_port(boinc_t)
|
|
-corenet_tcp_sendrecv_http_cache_port(boinc_t)
|
|
-
|
|
-corenet_sendrecv_squid_client_packets(boinc_t)
|
|
corenet_tcp_connect_squid_port(boinc_t)
|
|
-corenet_tcp_sendrecv_squid_port(boinc_t)
|
|
-
|
|
-corecmd_exec_bin(boinc_t)
|
|
-corecmd_exec_shell(boinc_t)
|
|
-
|
|
-dev_read_rand(boinc_t)
|
|
-dev_read_urand(boinc_t)
|
|
-dev_read_sysfs(boinc_t)
|
|
-dev_rw_xserver_misc(boinc_t)
|
|
-
|
|
-domain_read_all_domains_state(boinc_t)
|
|
|
|
files_dontaudit_getattr_boot_dirs(boinc_t)
|
|
-files_getattr_all_dirs(boinc_t)
|
|
-files_getattr_all_files(boinc_t)
|
|
-files_read_etc_files(boinc_t)
|
|
-files_read_etc_runtime_files(boinc_t)
|
|
-files_read_usr_files(boinc_t)
|
|
|
|
-fs_getattr_all_fs(boinc_t)
|
|
+auth_read_passwd(boinc_t)
|
|
|
|
term_getattr_all_ptys(boinc_t)
|
|
term_getattr_unallocated_ttys(boinc_t)
|
|
@@ -137,8 +151,7 @@ init_read_utmp(boinc_t)
|
|
|
|
logging_send_syslog_msg(boinc_t)
|
|
|
|
-miscfiles_read_fonts(boinc_t)
|
|
-miscfiles_read_localization(boinc_t)
|
|
+xserver_stream_connect(boinc_t)
|
|
|
|
tunable_policy(`boinc_execmem',`
|
|
allow boinc_t self:process { execstack execmem };
|
|
@@ -148,48 +161,61 @@ optional_policy(`
|
|
mta_send_mail(boinc_t)
|
|
')
|
|
|
|
-optional_policy(`
|
|
- sysnet_dns_name_resolve(boinc_t)
|
|
-')
|
|
-
|
|
########################################
|
|
#
|
|
-# Project local policy
|
|
+# boinc-projects local policy
|
|
#
|
|
|
|
allow boinc_project_t self:capability { setuid setgid };
|
|
-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
|
|
+
|
|
+domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
|
|
+allow boinc_t boinc_project_t:process sigkill;
|
|
+allow boinc_t boinc_project_t:process noatsecure;
|
|
+
|
|
+allow boinc_project_t self:process { setcap getcap setpgid setsched signal signull sigkill sigstop };
|
|
+tunable_policy(`deny_ptrace',`',`
|
|
+ allow boinc_project_t self:process ptrace;
|
|
+')
|
|
+
|
|
+allow boinc_project_t self:process { execstack };
|
|
|
|
manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
|
|
manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
|
|
manage_sock_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
|
|
files_tmp_filetrans(boinc_project_t, boinc_project_tmp_t, { dir file sock_file})
|
|
|
|
+allow boinc_project_t boinc_project_var_lib_t:file entrypoint;
|
|
+exec_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
|
manage_dirs_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
|
manage_files_pattern(boinc_project_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
|
|
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "projects")
|
|
+files_var_lib_filetrans(boinc_project_t, boinc_project_var_lib_t, dir, "slots" )
|
|
|
|
allow boinc_project_t boinc_project_var_lib_t:file execmod;
|
|
-can_exec(boinc_project_t, boinc_project_var_lib_t)
|
|
|
|
allow boinc_project_t boinc_t:shm rw_shm_perms;
|
|
-allow boinc_project_t boinc_tmpfs_t:file { read write };
|
|
+allow boinc_project_t boinc_tmpfs_t:file rw_inherited_file_perms;
|
|
|
|
kernel_read_kernel_sysctls(boinc_project_t)
|
|
-kernel_read_network_state(boinc_project_t)
|
|
kernel_search_vm_sysctl(boinc_project_t)
|
|
+kernel_read_network_state(boinc_project_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(boinc_project_t)
|
|
-corenet_all_recvfrom_netlabel(boinc_project_t)
|
|
-corenet_tcp_sendrecv_generic_if(boinc_project_t)
|
|
-corenet_tcp_sendrecv_generic_node(boinc_project_t)
|
|
-corenet_tcp_bind_generic_node(boinc_project_t)
|
|
-
|
|
-corenet_sendrecv_boinc_client_packets(boinc_project_t)
|
|
corenet_tcp_connect_boinc_port(boinc_project_t)
|
|
-corenet_tcp_sendrecv_boinc_port(boinc_project_t)
|
|
|
|
files_dontaudit_search_home(boinc_project_t)
|
|
|
|
+# needed by java
|
|
+fs_read_hugetlbfs_files(boinc_project_t)
|
|
+
|
|
+optional_policy(`
|
|
+ gnome_read_gconf_config(boinc_project_t)
|
|
+')
|
|
+
|
|
optional_policy(`
|
|
java_exec(boinc_project_t)
|
|
')
|
|
+
|
|
+# until solution for VirtualBox, java ..
|
|
+optional_policy(`
|
|
+ unconfined_domain(boinc_project_t)
|
|
+')
|
|
diff --git a/brctl.te b/brctl.te
|
|
index c5a9113..6ad8ccb 100644
|
|
--- a/brctl.te
|
|
+++ b/brctl.te
|
|
@@ -34,12 +34,9 @@ dev_write_sysfs_dirs(brctl_t)
|
|
|
|
domain_use_interactive_fds(brctl_t)
|
|
|
|
-files_read_etc_files(brctl_t)
|
|
|
|
term_dontaudit_use_console(brctl_t)
|
|
|
|
-miscfiles_read_localization(brctl_t)
|
|
-
|
|
optional_policy(`
|
|
xen_append_log(brctl_t)
|
|
xen_dontaudit_rw_unix_stream_sockets(brctl_t)
|
|
diff --git a/bugzilla.fc b/bugzilla.fc
|
|
index fce0b6e..fb6e397 100644
|
|
--- a/bugzilla.fc
|
|
+++ b/bugzilla.fc
|
|
@@ -1,4 +1,4 @@
|
|
-/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
|
|
-/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
|
|
+/usr/share/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
|
|
+/usr/share/bugzilla/.*\.cgi -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
|
|
|
|
/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_rw_content_t,s0)
|
|
diff --git a/bugzilla.if b/bugzilla.if
|
|
index 1b22262..bf0cefa 100644
|
|
--- a/bugzilla.if
|
|
+++ b/bugzilla.if
|
|
@@ -48,24 +48,26 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <rolecap/>
|
|
#
|
|
interface(`bugzilla_admin',`
|
|
gen_require(`
|
|
type httpd_bugzilla_script_t, httpd_bugzilla_content_t, httpd_bugzilla_ra_content_t;
|
|
type httpd_bugzilla_rw_content_t, httpd_bugzilla_script_exec_t;
|
|
- type httpd_bugzilla_htaccess_t;
|
|
+ type httpd_bugzilla_htaccess_t, httpd_bugzilla_tmp_t;
|
|
')
|
|
|
|
- allow $1 httpd_bugzilla_script_t:process { ptrace signal_perms };
|
|
+ allow $1 httpd_bugzilla_script_t:process signal_perms;
|
|
ps_process_pattern($1, httpd_bugzilla_script_t)
|
|
|
|
- files_search_usr($1)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 httpd_bugzilla_script_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ files_list_tmp($1)
|
|
+ admin_pattern($1, httpd_bugzilla_tmp_t)
|
|
+
|
|
+ files_list_var_lib(httpd_bugzilla_script_t)
|
|
+
|
|
admin_pattern($1, httpd_bugzilla_script_exec_t)
|
|
admin_pattern($1, httpd_bugzilla_script_t)
|
|
admin_pattern($1, httpd_bugzilla_content_t)
|
|
@@ -76,5 +78,7 @@ interface(`bugzilla_admin',`
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, httpd_bugzilla_rw_content_t)
|
|
|
|
- apache_list_sys_content($1)
|
|
+ optional_policy(`
|
|
+ apache_list_sys_content($1)
|
|
+ ')
|
|
')
|
|
diff --git a/bugzilla.te b/bugzilla.te
|
|
index 18623e3..d9f3061 100644
|
|
--- a/bugzilla.te
|
|
+++ b/bugzilla.te
|
|
@@ -7,6 +7,9 @@ policy_module(bugzilla, 1.1.0)
|
|
|
|
apache_content_template(bugzilla)
|
|
|
|
+type httpd_bugzilla_tmp_t;
|
|
+files_tmp_file(httpd_bugzilla_tmp_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -14,7 +17,6 @@ apache_content_template(bugzilla)
|
|
|
|
allow httpd_bugzilla_script_t self:tcp_socket { accept listen };
|
|
|
|
-corenet_all_recvfrom_unlabeled(httpd_bugzilla_script_t)
|
|
corenet_all_recvfrom_netlabel(httpd_bugzilla_script_t)
|
|
corenet_tcp_sendrecv_generic_if(httpd_bugzilla_script_t)
|
|
corenet_tcp_sendrecv_generic_node(httpd_bugzilla_script_t)
|
|
@@ -27,11 +29,21 @@ corenet_sendrecv_smtp_client_packets(httpd_bugzilla_script_t)
|
|
corenet_tcp_connect_smtp_port(httpd_bugzilla_script_t)
|
|
corenet_tcp_sendrecv_smtp_port(httpd_bugzilla_script_t)
|
|
|
|
+manage_dirs_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
|
|
+manage_files_pattern(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, httpd_bugzilla_tmp_t)
|
|
+files_tmp_filetrans(httpd_bugzilla_script_t, httpd_bugzilla_tmp_t, { file dir })
|
|
+
|
|
files_search_var_lib(httpd_bugzilla_script_t)
|
|
|
|
-sysnet_dns_name_resolve(httpd_bugzilla_script_t)
|
|
+auth_read_passwd(httpd_bugzilla_script_t)
|
|
+
|
|
+dev_read_sysfs(httpd_bugzilla_script_t)
|
|
+
|
|
+sysnet_read_config(httpd_bugzilla_script_t)
|
|
sysnet_use_ldap(httpd_bugzilla_script_t)
|
|
|
|
+miscfiles_read_certs(httpd_bugzilla_script_t)
|
|
+
|
|
optional_policy(`
|
|
mta_send_mail(httpd_bugzilla_script_t)
|
|
')
|
|
diff --git a/cachefilesd.fc b/cachefilesd.fc
|
|
index 648c790..aa03fc8 100644
|
|
--- a/cachefilesd.fc
|
|
+++ b/cachefilesd.fc
|
|
@@ -1,9 +1,34 @@
|
|
-/etc/rc\.d/init\.d/cachefilesd -- gen_context(system_u:object_r:cachefilesd_initrc_exec_t,s0)
|
|
+###############################################################################
|
|
+#
|
|
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
|
|
+# Written by David Howells (dhowells@redhat.com)
|
|
+# Karl MacMillan (kmacmill@redhat.com)
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or
|
|
+# modify it under the terms of the GNU General Public License
|
|
+# as published by the Free Software Foundation; either version
|
|
+# 2 of the License, or (at your option) any later version.
|
|
+#
|
|
+###############################################################################
|
|
+
|
|
+#
|
|
+# Define the contexts to be assigned to various files and directories of
|
|
+# importance to the CacheFiles kernel module and userspace management daemon.
|
|
+#
|
|
+
|
|
+# cachefilesd executable will have:
|
|
+# label: system_u:object_r:cachefilesd_exec_t
|
|
+# MLS sensitivity: s0
|
|
+# MCS categories: <none>
|
|
+
|
|
+/dev/cachefiles -c gen_context(system_u:object_r:cachefiles_dev_t,s0)
|
|
|
|
/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
|
|
|
|
/usr/sbin/cachefilesd -- gen_context(system_u:object_r:cachefilesd_exec_t,s0)
|
|
|
|
-/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefilesd_cache_t,s0)
|
|
+/var/cache/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
|
|
+
|
|
+/var/fscache(/.*)? gen_context(system_u:object_r:cachefiles_var_t,s0)
|
|
|
|
-/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
|
|
+/var/run/cachefilesd\.pid -- gen_context(system_u:object_r:cachefilesd_var_run_t,s0)
|
|
diff --git a/cachefilesd.if b/cachefilesd.if
|
|
index 8de2ab9..3b41945 100644
|
|
--- a/cachefilesd.if
|
|
+++ b/cachefilesd.if
|
|
@@ -1,39 +1,35 @@
|
|
-## <summary>CacheFiles user-space management daemon.</summary>
|
|
+###############################################################################
|
|
+#
|
|
+# Copyright (C) 2006 Red Hat, Inc. All Rights Reserved.
|
|
+# Written by David Howells (dhowells@redhat.com)
|
|
+# Karl MacMillan (kmacmill@redhat.com)
|
|
+#
|
|
+# This program is free software; you can redistribute it and/or
|
|
+# modify it under the terms of the GNU General Public License
|
|
+# as published by the Free Software Foundation; either version
|
|
+# 2 of the License, or (at your option) any later version.
|
|
+#
|
|
+###############################################################################
|
|
+
|
|
+#
|
|
+# Define the policy interface for the CacheFiles userspace management daemon.
|
|
+#
|
|
+## <summary>policy for cachefilesd</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an cachefilesd environment.
|
|
+## Execute a domain transition to run cachefilesd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`cachefilesd_admin',`
|
|
+interface(`cachefilesd_domtrans',`
|
|
gen_require(`
|
|
- type cachefilesd_t, cachefilesd_initrc_exec_t, cachefilesd_cache_t;
|
|
- type cachefilesd_var_run_t;
|
|
+ type cachefilesd_t, cachefilesd_exec_t;
|
|
')
|
|
|
|
- allow $1 cachefilesd_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, cachefilesd_t)
|
|
-
|
|
- init_labeled_script_domtrans($1, cachefilesd_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 cachefilesd_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
-
|
|
- files_search_var($1)
|
|
- admin_pattern($1, cachefilesd_cache_t)
|
|
-
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, cachefilesd_var_run_t)
|
|
+ domtrans_pattern($1, cachefilesd_exec_t, cachefilesd_t)
|
|
')
|
|
diff --git a/cachefilesd.te b/cachefilesd.te
|
|
index a3760bc..a570048 100644
|
|
--- a/cachefilesd.te
|
|
+++ b/cachefilesd.te
|
|
@@ -1,52 +1,124 @@
|
|
policy_module(cachefilesd, 1.1.0)
|
|
|
|
-########################################
|
|
+###############################################################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
+#
|
|
+# Files in the cache are created by the cachefiles module with security ID
|
|
+# cachefiles_var_t
|
|
+#
|
|
+type cachefiles_var_t;
|
|
+files_type(cachefiles_var_t)
|
|
+
|
|
+#
|
|
+# The /dev/cachefiles character device has security ID cachefiles_dev_t
|
|
+#
|
|
+type cachefiles_dev_t;
|
|
+dev_node(cachefiles_dev_t)
|
|
+
|
|
+#
|
|
+# The cachefilesd daemon normally runs with security ID cachefilesd_t
|
|
+#
|
|
type cachefilesd_t;
|
|
type cachefilesd_exec_t;
|
|
init_daemon_domain(cachefilesd_t, cachefilesd_exec_t)
|
|
|
|
-type cachefilesd_initrc_exec_t;
|
|
-init_script_file(cachefilesd_initrc_exec_t)
|
|
-
|
|
-type cachefilesd_cache_t;
|
|
-files_type(cachefilesd_cache_t)
|
|
-
|
|
+#
|
|
+# The cachefilesd daemon pid file context
|
|
+#
|
|
type cachefilesd_var_run_t;
|
|
files_pid_file(cachefilesd_var_run_t)
|
|
|
|
-########################################
|
|
#
|
|
-# Local policy
|
|
+# The CacheFiles kernel module causes processes accessing the cache files to do
|
|
+# so acting as security ID cachefiles_kernel_t
|
|
+#
|
|
+type cachefiles_kernel_t;
|
|
+domain_type(cachefiles_kernel_t)
|
|
+domain_obj_id_change_exemption(cachefiles_kernel_t)
|
|
+role system_r types cachefiles_kernel_t;
|
|
+
|
|
+###############################################################################
|
|
#
|
|
+# Permit RPM to deal with files in the cache
|
|
+#
|
|
+optional_policy(`
|
|
+ rpm_use_script_fds(cachefilesd_t)
|
|
+')
|
|
|
|
+###############################################################################
|
|
+#
|
|
+# cachefilesd local policy
|
|
+#
|
|
+# These define what cachefilesd is permitted to do. This doesn't include very
|
|
+# much: startup stuff, logging, pid file, scanning the cache superstructure and
|
|
+# deleting files from the cache. It is not permitted to read/write files in
|
|
+# the cache.
|
|
+#
|
|
+# Check in /usr/share/selinux/devel/include/ for macros to use instead of allow
|
|
+# rules.
|
|
+#
|
|
allow cachefilesd_t self:capability { setuid setgid sys_admin dac_override };
|
|
|
|
+# Allow manipulation of pid file
|
|
+allow cachefilesd_t cachefilesd_var_run_t:file create_file_perms;
|
|
manage_files_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
|
|
+manage_dirs_pattern(cachefilesd_t, cachefilesd_var_run_t, cachefilesd_var_run_t)
|
|
files_pid_filetrans(cachefilesd_t, cachefilesd_var_run_t, file)
|
|
+files_create_as_is_all_files(cachefilesd_t)
|
|
|
|
-manage_dirs_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
|
|
-manage_files_pattern(cachefilesd_t, cachefilesd_cache_t, cachefilesd_cache_t)
|
|
-
|
|
-dev_rw_cachefiles(cachefilesd_t)
|
|
+# Allow access to cachefiles device file
|
|
+allow cachefilesd_t cachefiles_dev_t:chr_file rw_file_perms;
|
|
|
|
-files_create_all_files_as(cachefilesd_t)
|
|
-files_read_etc_files(cachefilesd_t)
|
|
+# Allow access to cache superstructure
|
|
+manage_dirs_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
|
|
+manage_files_pattern(cachefilesd_t, cachefiles_var_t, cachefiles_var_t)
|
|
|
|
+# Permit statfs on the backing filesystem
|
|
fs_getattr_xattr_fs(cachefilesd_t)
|
|
|
|
+# Basic access
|
|
+logging_send_syslog_msg(cachefilesd_t)
|
|
+init_dontaudit_use_script_ptys(cachefilesd_t)
|
|
term_dontaudit_use_generic_ptys(cachefilesd_t)
|
|
term_dontaudit_getattr_unallocated_ttys(cachefilesd_t)
|
|
|
|
-logging_send_syslog_msg(cachefilesd_t)
|
|
+###############################################################################
|
|
+#
|
|
+# When cachefilesd invokes the kernel module to begin caching, it has to tell
|
|
+# the kernel module the security context in which it should act, and this
|
|
+# policy has to approve that.
|
|
+#
|
|
+# There are two parts to this:
|
|
+#
|
|
+# (1) the security context used by the module to access files in the cache,
|
|
+# as set by the 'secctx' command in /etc/cachefilesd.conf, and
|
|
+#
|
|
+allow cachefilesd_t cachefiles_kernel_t:kernel_service { use_as_override };
|
|
|
|
-miscfiles_read_localization(cachefilesd_t)
|
|
+#
|
|
+# (2) the label that will be assigned to new files and directories created in
|
|
+# the cache by the module, which will be the same as the label on the
|
|
+# directory pointed to by the 'dir' command.
|
|
+#
|
|
+allow cachefilesd_t cachefiles_var_t:kernel_service { create_files_as };
|
|
|
|
-init_dontaudit_use_script_ptys(cachefilesd_t)
|
|
+###############################################################################
|
|
+#
|
|
+# cachefiles kernel module local policy
|
|
+#
|
|
+# This governs what the kernel module is allowed to do the contents of the
|
|
+# cache.
|
|
+#
|
|
+allow cachefiles_kernel_t self:capability { dac_override dac_read_search };
|
|
|
|
-optional_policy(`
|
|
- rpm_use_script_fds(cachefilesd_t)
|
|
-')
|
|
+manage_dirs_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
|
|
+manage_files_pattern(cachefiles_kernel_t, cachefiles_var_t, cachefiles_var_t)
|
|
+
|
|
+fs_getattr_xattr_fs(cachefiles_kernel_t)
|
|
+
|
|
+dev_search_sysfs(cachefiles_kernel_t)
|
|
+
|
|
+init_sigchld_script(cachefiles_kernel_t)
|
|
diff --git a/calamaris.te b/calamaris.te
|
|
index 7e57460..b0cf254 100644
|
|
--- a/calamaris.te
|
|
+++ b/calamaris.te
|
|
@@ -41,19 +41,23 @@ kernel_read_system_state(calamaris_t)
|
|
|
|
corecmd_exec_bin(calamaris_t)
|
|
|
|
+corenet_all_recvfrom_netlabel(calamaris_t)
|
|
+corenet_tcp_sendrecv_generic_if(calamaris_t)
|
|
+corenet_udp_sendrecv_generic_if(calamaris_t)
|
|
+corenet_tcp_sendrecv_generic_node(calamaris_t)
|
|
+corenet_udp_sendrecv_generic_node(calamaris_t)
|
|
+corenet_tcp_sendrecv_all_ports(calamaris_t)
|
|
+corenet_udp_sendrecv_all_ports(calamaris_t)
|
|
+
|
|
dev_read_urand(calamaris_t)
|
|
|
|
-files_read_usr_files(calamaris_t)
|
|
+files_search_pids(calamaris_t)
|
|
files_read_etc_runtime_files(calamaris_t)
|
|
|
|
-libs_read_lib_files(calamaris_t)
|
|
-
|
|
auth_use_nsswitch(calamaris_t)
|
|
|
|
logging_send_syslog_msg(calamaris_t)
|
|
|
|
-miscfiles_read_localization(calamaris_t)
|
|
-
|
|
userdom_dontaudit_list_user_home_dirs(calamaris_t)
|
|
|
|
optional_policy(`
|
|
diff --git a/callweaver.te b/callweaver.te
|
|
index 0e5be4c..b9a407f 100644
|
|
--- a/callweaver.te
|
|
+++ b/callweaver.te
|
|
@@ -84,4 +84,3 @@ term_use_ptmx(callweaver_t)
|
|
|
|
auth_use_nsswitch(callweaver_t)
|
|
|
|
-miscfiles_read_localization(callweaver_t)
|
|
diff --git a/canna.if b/canna.if
|
|
index 400db07..f416e22 100644
|
|
--- a/canna.if
|
|
+++ b/canna.if
|
|
@@ -43,9 +43,13 @@ interface(`canna_admin',`
|
|
type canna_var_run_t, canna_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 canna_t:process { ptrace signal_perms };
|
|
+ allow $1 canna_t:process signal_perms;
|
|
ps_process_pattern($1, canna_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 canna_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, canna_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 canna_initrc_exec_t system_r;
|
|
diff --git a/canna.te b/canna.te
|
|
index 9fe6162..2245f3b 100644
|
|
--- a/canna.te
|
|
+++ b/canna.te
|
|
@@ -52,7 +52,6 @@ files_pid_filetrans(canna_t, canna_var_run_t, { dir sock_file })
|
|
kernel_read_kernel_sysctls(canna_t)
|
|
kernel_read_system_state(canna_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(canna_t)
|
|
corenet_all_recvfrom_netlabel(canna_t)
|
|
corenet_tcp_sendrecv_generic_if(canna_t)
|
|
corenet_tcp_sendrecv_generic_node(canna_t)
|
|
@@ -68,16 +67,12 @@ fs_search_auto_mountpoints(canna_t)
|
|
|
|
domain_use_interactive_fds(canna_t)
|
|
|
|
-files_read_etc_files(canna_t)
|
|
files_read_etc_runtime_files(canna_t)
|
|
-files_read_usr_files(canna_t)
|
|
files_search_tmp(canna_t)
|
|
files_dontaudit_read_root_files(canna_t)
|
|
|
|
logging_send_syslog_msg(canna_t)
|
|
|
|
-miscfiles_read_localization(canna_t)
|
|
-
|
|
sysnet_read_config(canna_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(canna_t)
|
|
diff --git a/ccs.if b/ccs.if
|
|
index 5ded72d..cb94e5e 100644
|
|
--- a/ccs.if
|
|
+++ b/ccs.if
|
|
@@ -98,20 +98,24 @@ interface(`ccs_manage_config',`
|
|
interface(`ccs_admin',`
|
|
gen_require(`
|
|
type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
|
|
- type ccs_var_lib_t_t, ccs_var_log_t;
|
|
+ type ccs_var_lib_t, ccs_var_log_t;
|
|
type ccs_var_run_t, ccs_tmp_t;
|
|
')
|
|
|
|
- allow $1 ccs_t:process { ptrace signal_perms };
|
|
+ allow $1 ccs_t:process { signal_perms };
|
|
ps_process_pattern($1, ccs_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ccs_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, ccs_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 ccs_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
files_search_etc($1)
|
|
- admin_pattern($1, ccs_conf_t)
|
|
+ admin_pattern($1, cluster_conf_t)
|
|
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, ccs_var_lib_t)
|
|
diff --git a/ccs.te b/ccs.te
|
|
index 658134d..58deece 100644
|
|
--- a/ccs.te
|
|
+++ b/ccs.te
|
|
@@ -37,7 +37,7 @@ files_pid_file(ccs_var_run_t)
|
|
|
|
allow ccs_t self:capability { ipc_owner ipc_lock sys_nice sys_resource sys_admin };
|
|
allow ccs_t self:process { signal setrlimit setsched };
|
|
-dontaudit ccs_t self:process ptrace;
|
|
+
|
|
allow ccs_t self:fifo_file rw_fifo_file_perms;
|
|
allow ccs_t self:unix_stream_socket { accept connectto listen };
|
|
allow ccs_t self:tcp_socket { accept listen };
|
|
@@ -75,7 +75,6 @@ kernel_read_kernel_sysctls(ccs_t)
|
|
corecmd_list_bin(ccs_t)
|
|
corecmd_exec_bin(ccs_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(ccs_t)
|
|
corenet_all_recvfrom_netlabel(ccs_t)
|
|
corenet_tcp_sendrecv_generic_if(ccs_t)
|
|
corenet_udp_sendrecv_generic_if(ccs_t)
|
|
@@ -95,15 +94,13 @@ corenet_udp_bind_netsupport_port(ccs_t)
|
|
|
|
dev_read_urand(ccs_t)
|
|
|
|
-files_read_etc_files(ccs_t)
|
|
files_read_etc_runtime_files(ccs_t)
|
|
|
|
init_rw_script_tmp_files(ccs_t)
|
|
+init_signal(ccs_t)
|
|
|
|
logging_send_syslog_msg(ccs_t)
|
|
|
|
-miscfiles_read_localization(ccs_t)
|
|
-
|
|
sysnet_dns_name_resolve(ccs_t)
|
|
|
|
userdom_manage_unpriv_user_shared_mem(ccs_t)
|
|
@@ -115,8 +112,7 @@ ifdef(`hide_broken_symptoms',`
|
|
')
|
|
|
|
optional_policy(`
|
|
- aisexec_stream_connect(ccs_t)
|
|
- corosync_stream_connect(ccs_t)
|
|
+ rhcs_stream_connect_cluster(ccs_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
diff --git a/cdrecord.if b/cdrecord.if
|
|
index fbc20f6..4de4a00 100644
|
|
--- a/cdrecord.if
|
|
+++ b/cdrecord.if
|
|
@@ -27,6 +27,9 @@ interface(`cdrecord_role',`
|
|
|
|
allow cdrecord_t $2:unix_stream_socket rw_socket_perms;
|
|
|
|
- allow $2 cdrecord_t:process { ptrace signal_perms };
|
|
+ allow $2 cdrecord_t:process signal_perms;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 cdrecord_t:process ptrace;
|
|
+ ')
|
|
ps_process_pattern($2, cdrecord_t)
|
|
')
|
|
diff --git a/cdrecord.te b/cdrecord.te
|
|
index 16883c9..0f4ccb0 100644
|
|
--- a/cdrecord.te
|
|
+++ b/cdrecord.te
|
|
@@ -41,8 +41,6 @@ dev_read_sysfs(cdrecord_t)
|
|
domain_interactive_fd(cdrecord_t)
|
|
domain_use_interactive_fds(cdrecord_t)
|
|
|
|
-files_read_etc_files(cdrecord_t)
|
|
-
|
|
term_use_controlling_term(cdrecord_t)
|
|
term_list_ptys(cdrecord_t)
|
|
|
|
@@ -52,10 +50,7 @@ storage_write_scsi_generic(cdrecord_t)
|
|
|
|
logging_send_syslog_msg(cdrecord_t)
|
|
|
|
-miscfiles_read_localization(cdrecord_t)
|
|
-
|
|
-userdom_use_user_terminals(cdrecord_t)
|
|
-userdom_read_user_home_content_files(cdrecord_t)
|
|
+userdom_use_inherited_user_terminals(cdrecord_t)
|
|
|
|
tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
|
|
fs_list_auto_mountpoints(cdrecord_t)
|
|
@@ -104,11 +99,7 @@ tunable_policy(`cdrecord_read_content',`
|
|
userdom_dontaudit_read_user_home_content_files(cdrecord_t)
|
|
')
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- files_search_mnt(cdrecord_t)
|
|
- fs_read_nfs_files(cdrecord_t)
|
|
- fs_read_nfs_symlinks(cdrecord_t)
|
|
-')
|
|
+userdom_home_manager(cdrecord_t)
|
|
|
|
optional_policy(`
|
|
resmgr_stream_connect(cdrecord_t)
|
|
diff --git a/certmaster.if b/certmaster.if
|
|
index 0c53b18..ef29f6e 100644
|
|
--- a/certmaster.if
|
|
+++ b/certmaster.if
|
|
@@ -117,13 +117,16 @@ interface(`certmaster_manage_log',`
|
|
interface(`certmaster_admin',`
|
|
gen_require(`
|
|
type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
|
|
- type certmaster_etc_rw_t, certmaster_var_log_t;
|
|
- type certmaster_initrc_exec_t;
|
|
+ type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 certmaster_t:process { ptrace signal_perms };
|
|
+ allow $1 certmaster_t:process signal_perms;
|
|
ps_process_pattern($1, certmaster_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 certmaster_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 certmaster_initrc_exec_t system_r;
|
|
diff --git a/certmaster.te b/certmaster.te
|
|
index 4a87873..113f3b3 100644
|
|
--- a/certmaster.te
|
|
+++ b/certmaster.te
|
|
@@ -65,11 +65,10 @@ corenet_tcp_sendrecv_certmaster_port(certmaster_t)
|
|
dev_read_urand(certmaster_t)
|
|
|
|
files_list_var(certmaster_t)
|
|
-files_search_etc(certmaster_t)
|
|
-files_read_usr_files(certmaster_t)
|
|
|
|
auth_use_nsswitch(certmaster_t)
|
|
|
|
-miscfiles_read_localization(certmaster_t)
|
|
miscfiles_manage_generic_cert_dirs(certmaster_t)
|
|
miscfiles_manage_generic_cert_files(certmaster_t)
|
|
+
|
|
+mta_send_mail(certmaster_t)
|
|
diff --git a/certmonger.fc b/certmonger.fc
|
|
index ed298d8..cd8eb4d 100644
|
|
--- a/certmonger.fc
|
|
+++ b/certmonger.fc
|
|
@@ -2,6 +2,8 @@
|
|
|
|
/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
|
|
|
|
+/usr/lib/ipa/certmonger(/.*)? gen_context(system_u:object_r:certmonger_unconfined_exec_t,s0)
|
|
+
|
|
/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
|
|
|
|
/var/run/certmonger.* gen_context(system_u:object_r:certmonger_var_run_t,s0)
|
|
diff --git a/certmonger.if b/certmonger.if
|
|
index 008f8ef..144c074 100644
|
|
--- a/certmonger.if
|
|
+++ b/certmonger.if
|
|
@@ -160,16 +160,20 @@ interface(`certmonger_admin',`
|
|
')
|
|
|
|
ps_process_pattern($1, certmonger_t)
|
|
- allow $1 certmonger_t:process { ptrace signal_perms };
|
|
+ allow $1 certmonger_t:process signal_perms;
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 certmonger_t:process ptrace;
|
|
+ ')
|
|
|
|
certmonger_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 certmonger_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_search_var_lib($1)
|
|
+ files_list_var_lib($1)
|
|
admin_pattern($1, certmonger_var_lib_t)
|
|
|
|
- files_search_pids($1)
|
|
+ files_list_pids($1)
|
|
admin_pattern($1, certmonger_var_run_t)
|
|
')
|
|
diff --git a/certmonger.te b/certmonger.te
|
|
index 550b287..6e8a513 100644
|
|
--- a/certmonger.te
|
|
+++ b/certmonger.te
|
|
@@ -18,6 +18,9 @@ files_type(certmonger_var_lib_t)
|
|
type certmonger_var_run_t;
|
|
files_pid_file(certmonger_var_run_t)
|
|
|
|
+type certmonger_unconfined_exec_t;
|
|
+application_executable_file(certmonger_unconfined_exec_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -26,10 +29,12 @@ files_pid_file(certmonger_var_run_t)
|
|
allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
|
|
dontaudit certmonger_t self:capability sys_tty_config;
|
|
allow certmonger_t self:capability2 block_suspend;
|
|
+
|
|
allow certmonger_t self:process { getsched setsched sigkill signal };
|
|
-allow certmonger_t self:fifo_file rw_fifo_file_perms;
|
|
-allow certmonger_t self:unix_stream_socket { accept listen };
|
|
-allow certmonger_t self:tcp_socket { accept listen };
|
|
+allow certmonger_t self:fifo_file rw_file_perms;
|
|
+allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow certmonger_t self:tcp_socket create_stream_socket_perms;
|
|
+allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
|
|
manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
|
|
@@ -41,6 +46,7 @@ files_pid_filetrans(certmonger_t, certmonger_var_run_t, { dir file })
|
|
|
|
kernel_read_kernel_sysctls(certmonger_t)
|
|
kernel_read_system_state(certmonger_t)
|
|
+kernel_read_network_state(certmonger_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(certmonger_t)
|
|
corenet_all_recvfrom_netlabel(certmonger_t)
|
|
@@ -49,16 +55,21 @@ corenet_tcp_sendrecv_generic_node(certmonger_t)
|
|
|
|
corenet_sendrecv_certmaster_client_packets(certmonger_t)
|
|
corenet_tcp_connect_certmaster_port(certmonger_t)
|
|
+
|
|
+corenet_tcp_connect_http_port(certmonger_t)
|
|
+corenet_tcp_connect_http_cache_port(certmonger_t)
|
|
+
|
|
+corenet_tcp_connect_pki_ca_port(certmonger_t)
|
|
corenet_tcp_sendrecv_certmaster_port(certmonger_t)
|
|
|
|
corecmd_exec_bin(certmonger_t)
|
|
corecmd_exec_shell(certmonger_t)
|
|
|
|
+dev_read_rand(certmonger_t)
|
|
dev_read_urand(certmonger_t)
|
|
|
|
domain_use_interactive_fds(certmonger_t)
|
|
|
|
-files_read_usr_files(certmonger_t)
|
|
files_list_tmp(certmonger_t)
|
|
|
|
fs_search_cgroup_dirs(certmonger_t)
|
|
@@ -70,16 +81,17 @@ init_getattr_all_script_files(certmonger_t)
|
|
|
|
logging_send_syslog_msg(certmonger_t)
|
|
|
|
-miscfiles_read_localization(certmonger_t)
|
|
miscfiles_manage_generic_cert_files(certmonger_t)
|
|
|
|
+systemd_exec_systemctl(certmonger_t)
|
|
+
|
|
userdom_search_user_home_content(certmonger_t)
|
|
|
|
optional_policy(`
|
|
- apache_initrc_domtrans(certmonger_t)
|
|
apache_search_config(certmonger_t)
|
|
apache_signal(certmonger_t)
|
|
apache_signull(certmonger_t)
|
|
+ apache_systemctl(certmonger_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -92,11 +104,47 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- kerberos_read_keytab(certmonger_t)
|
|
+ dirsrv_manage_config(certmonger_t)
|
|
+ dirsrv_signal(certmonger_t)
|
|
+ dirsrv_signull(certmonger_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
kerberos_use(certmonger_t)
|
|
+ kerberos_read_keytab(certmonger_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
pcscd_read_pid_files(certmonger_t)
|
|
pcscd_stream_connect(certmonger_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ pki_rw_tomcat_cert(certmonger_t)
|
|
+ pki_read_tomcat_lib_files(certmonger_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# certmonger_unconfined_script_t local policy
|
|
+#
|
|
+
|
|
+optional_policy(`
|
|
+ type certmonger_unconfined_t;
|
|
+ domain_type(certmonger_unconfined_t)
|
|
+
|
|
+ domain_entry_file(certmonger_unconfined_t, certmonger_unconfined_exec_t)
|
|
+ role system_r types certmonger_unconfined_t;
|
|
+
|
|
+ domtrans_pattern(certmonger_t, certmonger_unconfined_exec_t, certmonger_unconfined_t)
|
|
+
|
|
+ allow certmonger_t certmonger_unconfined_exec_t:dir search_dir_perms;
|
|
+ allow certmonger_t certmonger_unconfined_exec_t:dir read_file_perms;
|
|
+ allow certmonger_t certmonger_unconfined_exec_t:file ioctl;
|
|
+
|
|
+ init_domtrans_script(certmonger_unconfined_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ unconfined_domain(certmonger_unconfined_t)
|
|
+ ')
|
|
+')
|
|
diff --git a/certwatch.te b/certwatch.te
|
|
index 171fafb..e88a026 100644
|
|
--- a/certwatch.te
|
|
+++ b/certwatch.te
|
|
@@ -20,33 +20,45 @@ role certwatch_roles types certwatch_t;
|
|
|
|
allow certwatch_t self:capability sys_nice;
|
|
allow certwatch_t self:process { setsched getsched };
|
|
+allow certwatch_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
+kernel_read_system_state(certwatch_t)
|
|
+
|
|
+corecmd_exec_bin(certwatch_t)
|
|
+
|
|
+dev_read_rand(certwatch_t)
|
|
dev_read_urand(certwatch_t)
|
|
|
|
-files_read_etc_files(certwatch_t)
|
|
-files_read_usr_files(certwatch_t)
|
|
files_read_usr_symlinks(certwatch_t)
|
|
files_list_tmp(certwatch_t)
|
|
|
|
fs_list_inotifyfs(certwatch_t)
|
|
|
|
auth_manage_cache(certwatch_t)
|
|
+auth_read_passwd(certwatch_t)
|
|
auth_var_filetrans_cache(certwatch_t)
|
|
|
|
logging_send_syslog_msg(certwatch_t)
|
|
|
|
miscfiles_read_all_certs(certwatch_t)
|
|
-miscfiles_read_localization(certwatch_t)
|
|
+miscfiles_manage_generic_cert_dirs(certwatch_t)
|
|
+
|
|
+sysnet_read_config(certwatch_t)
|
|
|
|
-userdom_use_user_terminals(certwatch_t)
|
|
-userdom_dontaudit_list_user_home_dirs(certwatch_t)
|
|
+userdom_use_inherited_user_terminals(certwatch_t)
|
|
+userdom_dontaudit_list_admin_dir(certwatch_t)
|
|
|
|
optional_policy(`
|
|
+ apache_domtrans(certwatch_t)
|
|
apache_exec_modules(certwatch_t)
|
|
apache_read_config(certwatch_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ mta_send_mail(certwatch_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
cron_system_entry(certwatch_t, certwatch_exec_t)
|
|
')
|
|
|
|
diff --git a/cfengine.if b/cfengine.if
|
|
index a731122..5279d4e 100644
|
|
--- a/cfengine.if
|
|
+++ b/cfengine.if
|
|
@@ -13,7 +13,6 @@
|
|
template(`cfengine_domain_template',`
|
|
gen_require(`
|
|
attribute cfengine_domain;
|
|
- type cfengine_log_t, cfengine_var_lib_t;
|
|
')
|
|
|
|
########################################
|
|
@@ -30,7 +29,29 @@ template(`cfengine_domain_template',`
|
|
# Policy
|
|
#
|
|
|
|
+ kernel_read_system_state(cfengine_$1_t)
|
|
+
|
|
auth_use_nsswitch(cfengine_$1_t)
|
|
+
|
|
+ logging_send_syslog_msg(cfengine_$1_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Search cfengine lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`cfengine_search_lib_files',`
|
|
+ gen_require(`
|
|
+ type cfengine_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 cfengine_var_lib_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
@@ -71,6 +92,43 @@ interface(`cfengine_dontaudit_write_log_files',`
|
|
dontaudit $1 cfengine_var_log_t:file write_file_perms;
|
|
')
|
|
|
|
+#####################################
|
|
+## <summary>
|
|
+## Allow the specified domain to append cfengine's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`cfengine_append_inherited_log',`
|
|
+ gen_require(`
|
|
+ type cfengine_var_log_t;
|
|
+ ')
|
|
+
|
|
+ cfengine_search_lib_files($1)
|
|
+ allow $1 cfengine_var_log_t:file { getattr append ioctl lock };
|
|
+')
|
|
+
|
|
+####################################
|
|
+## <summary>
|
|
+## Dontaudit the specified domain to write cfengine's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`cfengine_dontaudit_write_log',`
|
|
+ gen_require(`
|
|
+ type cfengine_var_log_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 cfengine_var_log_t:file write;
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to
|
|
@@ -94,7 +152,7 @@ interface(`cfengine_admin',`
|
|
type cfengine_initrc_exec_t, cfengine_log_t, cfengine_var_lib_t;
|
|
')
|
|
|
|
- allow $1 cfengine_domain:process { ptrace signal_perms };
|
|
+ allow $1 cfengine_domain:process { signal_perms };
|
|
ps_process_pattern($1, cfengine_domain)
|
|
|
|
init_labeled_script_domtrans($1, cfengine_initrc_exec_t)
|
|
@@ -105,3 +163,4 @@ interface(`cfengine_admin',`
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, { cfengine_log_t cfengine_var_lib_t })
|
|
')
|
|
+
|
|
diff --git a/cfengine.te b/cfengine.te
|
|
index fbe3ad9..ffde263 100644
|
|
--- a/cfengine.te
|
|
+++ b/cfengine.te
|
|
@@ -41,18 +41,13 @@ create_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
|
|
setattr_files_pattern(cfengine_domain, cfengine_log_t, cfengine_log_t)
|
|
logging_log_filetrans(cfengine_domain, cfengine_log_t, dir)
|
|
|
|
-kernel_read_system_state(cfengine_domain)
|
|
-
|
|
corecmd_exec_bin(cfengine_domain)
|
|
corecmd_exec_shell(cfengine_domain)
|
|
|
|
dev_read_urand(cfengine_domain)
|
|
dev_read_sysfs(cfengine_domain)
|
|
|
|
-logging_send_syslog_msg(cfengine_domain)
|
|
-
|
|
-miscfiles_read_localization(cfengine_domain)
|
|
-
|
|
+sysnet_dns_name_resolve(cfengine_domain)
|
|
sysnet_domtrans_ifconfig(cfengine_domain)
|
|
|
|
########################################
|
|
diff --git a/cgroup.if b/cgroup.if
|
|
index 85ca63f..1d1c99c 100644
|
|
--- a/cgroup.if
|
|
+++ b/cgroup.if
|
|
@@ -171,8 +171,26 @@ interface(`cgroup_admin',`
|
|
type cgrules_etc_t, cgclear_t;
|
|
')
|
|
|
|
- allow $1 { cgclear_t cgconfig_t cgred_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { cgclear_t cgconfig_t cgred_t })
|
|
+ allow $1 cgclear_t:process signal_perms;
|
|
+ ps_process_pattern($1, cgclear_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 cgclear_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ allow $1 cgconfig_t:process signal_perms;
|
|
+ ps_process_pattern($1, cgconfig_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 cgconfig_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ allow $1 cgred_t:process signal_perms;
|
|
+ ps_process_pattern($1, cgred_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 cgred_t:process ptrace;
|
|
+ ')
|
|
|
|
admin_pattern($1, { cgconfig_etc_t cgrules_etc_t })
|
|
files_list_etc($1)
|
|
diff --git a/cgroup.te b/cgroup.te
|
|
index 80a88a2..1a33de9 100644
|
|
--- a/cgroup.te
|
|
+++ b/cgroup.te
|
|
@@ -25,8 +25,8 @@ files_pid_file(cgred_var_run_t)
|
|
type cgrules_etc_t;
|
|
files_config_file(cgrules_etc_t)
|
|
|
|
-type cgconfig_t;
|
|
-type cgconfig_exec_t;
|
|
+type cgconfig_t alias cgconfigparser_t;
|
|
+type cgconfig_exec_t alias cgconfigparser_exec_t;
|
|
init_daemon_domain(cgconfig_t, cgconfig_exec_t)
|
|
|
|
type cgconfig_initrc_exec_t;
|
|
@@ -42,10 +42,12 @@ files_config_file(cgconfig_etc_t)
|
|
|
|
allow cgclear_t self:capability { dac_read_search dac_override sys_admin };
|
|
|
|
-allow cgclear_t cgconfig_etc_t:file read_file_perms;
|
|
+read_files_pattern(cgclear_t, cgconfig_etc_t, cgconfig_etc_t)
|
|
|
|
kernel_read_system_state(cgclear_t)
|
|
|
|
+auth_use_nsswitch(cgclear_t)
|
|
+
|
|
domain_setpriority_all_domains(cgclear_t)
|
|
|
|
fs_manage_cgroup_dirs(cgclear_t)
|
|
@@ -64,20 +66,21 @@ allow cgconfig_t cgconfig_etc_t:file read_file_perms;
|
|
kernel_list_unlabeled(cgconfig_t)
|
|
kernel_read_system_state(cgconfig_t)
|
|
|
|
-files_read_etc_files(cgconfig_t)
|
|
-
|
|
fs_manage_cgroup_dirs(cgconfig_t)
|
|
fs_manage_cgroup_files(cgconfig_t)
|
|
fs_mount_cgroup(cgconfig_t)
|
|
fs_mounton_cgroup(cgconfig_t)
|
|
fs_unmount_cgroup(cgconfig_t)
|
|
|
|
+auth_use_nsswitch(cgconfig_t)
|
|
+
|
|
########################################
|
|
#
|
|
# cgred local policy
|
|
#
|
|
+allow cgred_t self:capability { chown fsetid net_admin sys_admin dac_override sys_ptrace };
|
|
+allow cgred_t self:process signal_perms;
|
|
|
|
-allow cgred_t self:capability { chown fsetid net_admin sys_admin sys_ptrace dac_override };
|
|
allow cgred_t self:netlink_socket { write bind create read };
|
|
allow cgred_t self:unix_dgram_socket { write create connect };
|
|
|
|
@@ -99,10 +102,10 @@ domain_setpriority_all_domains(cgred_t)
|
|
files_getattr_all_files(cgred_t)
|
|
files_getattr_all_sockets(cgred_t)
|
|
files_read_all_symlinks(cgred_t)
|
|
-files_read_etc_files(cgred_t)
|
|
|
|
fs_write_cgroup_files(cgred_t)
|
|
+fs_list_inotifyfs(cgred_t)
|
|
|
|
-logging_send_syslog_msg(cgred_t)
|
|
+auth_use_nsswitch(cgred_t)
|
|
|
|
-miscfiles_read_localization(cgred_t)
|
|
+logging_send_syslog_msg(cgred_t)
|
|
diff --git a/chrome.fc b/chrome.fc
|
|
new file mode 100644
|
|
index 0000000..57866f6
|
|
--- /dev/null
|
|
+++ b/chrome.fc
|
|
@@ -0,0 +1,9 @@
|
|
+/opt/google/chrome/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
|
|
+
|
|
+/usr/lib/chromium-browser/chrome-sandbox -- gen_context(system_u:object_r:chrome_sandbox_exec_t,s0)
|
|
+
|
|
+/opt/google/chrome/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
|
|
+/usr/lib/chromium-browser/nacl_helper_bootstrap -- gen_context(system_u:object_r:chrome_sandbox_nacl_exec_t,s0)
|
|
+
|
|
+HOME_DIR/\.cache/google-chrome(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
|
|
+HOME_DIR/\.cache/chromium(/.*)? gen_context(system_u:object_r:chrome_sandbox_home_t,s0)
|
|
diff --git a/chrome.if b/chrome.if
|
|
new file mode 100644
|
|
index 0000000..5977d96
|
|
--- /dev/null
|
|
+++ b/chrome.if
|
|
@@ -0,0 +1,134 @@
|
|
+
|
|
+## <summary>policy for chrome</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute a domain transition to run chrome_sandbox.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`chrome_domtrans_sandbox',`
|
|
+ gen_require(`
|
|
+ type chrome_sandbox_t, chrome_sandbox_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, chrome_sandbox_exec_t, chrome_sandbox_t)
|
|
+ ps_process_pattern(chrome_sandbox_t, $1)
|
|
+
|
|
+ allow $1 chrome_sandbox_t:fd use;
|
|
+
|
|
+ ifdef(`hide_broken_symptoms',`
|
|
+ fs_dontaudit_rw_anon_inodefs_files(chrome_sandbox_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute chrome_sandbox in the chrome_sandbox domain, and
|
|
+## allow the specified role the chrome_sandbox domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed the chrome_sandbox domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`chrome_run_sandbox',`
|
|
+ gen_require(`
|
|
+ type chrome_sandbox_t;
|
|
+ type chrome_sandbox_nacl_t;
|
|
+ ')
|
|
+
|
|
+ chrome_domtrans_sandbox($1)
|
|
+ role $2 types chrome_sandbox_t;
|
|
+ role $2 types chrome_sandbox_nacl_t;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Role access for chrome sandbox
|
|
+## </summary>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## User domain for the role
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`chrome_role_notrans',`
|
|
+ gen_require(`
|
|
+ type chrome_sandbox_t;
|
|
+ type chrome_sandbox_tmpfs_t;
|
|
+ type chrome_sandbox_nacl_t;
|
|
+ ')
|
|
+
|
|
+ role $1 types chrome_sandbox_t;
|
|
+ role $1 types chrome_sandbox_nacl_t;
|
|
+
|
|
+ ps_process_pattern($2, chrome_sandbox_t)
|
|
+ allow $2 chrome_sandbox_t:process signal_perms;
|
|
+
|
|
+ allow chrome_sandbox_t $2:unix_dgram_socket { read write };
|
|
+ allow $2 chrome_sandbox_t:unix_dgram_socket { read write };
|
|
+ allow chrome_sandbox_t $2:unix_stream_socket rw_inherited_sock_file_perms;;
|
|
+ dontaudit chrome_sandbox_t $2:unix_stream_socket shutdown;
|
|
+ allow chrome_sandbox_nacl_t $2:unix_stream_socket rw_inherited_sock_file_perms;
|
|
+ allow $2 chrome_sandbox_nacl_t:unix_stream_socket { getattr read write };
|
|
+ allow $2 chrome_sandbox_t:unix_stream_socket { getattr read write };
|
|
+
|
|
+ allow $2 chrome_sandbox_t:shm rw_shm_perms;
|
|
+
|
|
+ allow $2 chrome_sandbox_tmpfs_t:file rw_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Role access for chrome sandbox
|
|
+## </summary>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## User domain for the role
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`chrome_role',`
|
|
+ chrome_role_notrans($1, $2)
|
|
+ chrome_domtrans_sandbox($2)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Dontaudit read/write to a chrome_sandbox leaks
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`chrome_dontaudit_sandbox_leaks',`
|
|
+ gen_require(`
|
|
+ type chrome_sandbox_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 chrome_sandbox_t:unix_stream_socket { read write };
|
|
+')
|
|
diff --git a/chrome.te b/chrome.te
|
|
new file mode 100644
|
|
index 0000000..406f3a0
|
|
--- /dev/null
|
|
+++ b/chrome.te
|
|
@@ -0,0 +1,242 @@
|
|
+policy_module(chrome,1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type chrome_sandbox_t;
|
|
+type chrome_sandbox_exec_t;
|
|
+application_domain(chrome_sandbox_t, chrome_sandbox_exec_t)
|
|
+role system_r types chrome_sandbox_t;
|
|
+ubac_constrained(chrome_sandbox_t)
|
|
+
|
|
+type chrome_sandbox_tmp_t;
|
|
+files_tmp_file(chrome_sandbox_tmp_t)
|
|
+
|
|
+type chrome_sandbox_tmpfs_t;
|
|
+files_tmpfs_file(chrome_sandbox_tmpfs_t)
|
|
+ubac_constrained(chrome_sandbox_tmpfs_t)
|
|
+
|
|
+type chrome_sandbox_nacl_t;
|
|
+type chrome_sandbox_nacl_exec_t;
|
|
+application_domain(chrome_sandbox_nacl_t, chrome_sandbox_nacl_exec_t)
|
|
+role system_r types chrome_sandbox_nacl_t;
|
|
+ubac_constrained(chrome_sandbox_nacl_t)
|
|
+
|
|
+type chrome_sandbox_home_t;
|
|
+userdom_user_home_content(chrome_sandbox_home_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# chrome_sandbox local policy
|
|
+#
|
|
+allow chrome_sandbox_t self:capability2 block_suspend;
|
|
+allow chrome_sandbox_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_chroot sys_ptrace };
|
|
+dontaudit chrome_sandbox_t self:capability sys_nice;
|
|
+allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack };
|
|
+allow chrome_sandbox_t self:process setsched;
|
|
+allow chrome_sandbox_t self:fifo_file manage_fifo_file_perms;
|
|
+allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
+allow chrome_sandbox_t self:shm create_shm_perms;
|
|
+allow chrome_sandbox_t self:sem create_sem_perms;
|
|
+allow chrome_sandbox_t self:msgq create_msgq_perms;
|
|
+allow chrome_sandbox_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+dontaudit chrome_sandbox_t self:memprotect mmap_zero;
|
|
+
|
|
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
|
|
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
|
|
+manage_lnk_files_pattern(chrome_sandbox_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
|
|
+
|
|
+manage_dirs_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
|
|
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmp_t, chrome_sandbox_tmp_t)
|
|
+files_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
|
|
+userdom_user_tmp_filetrans(chrome_sandbox_t, chrome_sandbox_tmp_t, { dir file })
|
|
+
|
|
+manage_files_pattern(chrome_sandbox_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
|
|
+fs_tmpfs_filetrans(chrome_sandbox_t, chrome_sandbox_tmpfs_t, { file dir })
|
|
+
|
|
+kernel_read_system_state(chrome_sandbox_t)
|
|
+kernel_read_kernel_sysctls(chrome_sandbox_t)
|
|
+
|
|
+fs_manage_cgroup_dirs(chrome_sandbox_t)
|
|
+fs_manage_cgroup_files(chrome_sandbox_t)
|
|
+fs_read_dos_files(chrome_sandbox_t)
|
|
+fs_read_hugetlbfs_files(chrome_sandbox_t)
|
|
+
|
|
+corecmd_exec_bin(chrome_sandbox_t)
|
|
+
|
|
+corenet_all_recvfrom_netlabel(chrome_sandbox_t)
|
|
+corenet_tcp_connect_all_ephemeral_ports(chrome_sandbox_t)
|
|
+corenet_tcp_connect_aol_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_asterisk_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_commplex_link_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_couchdb_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_flash_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_ftp_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_gatekeeper_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_generic_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_http_cache_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_http_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_ipp_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_ipsecnat_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_jabber_client_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_jboss_management_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_mmcc_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_monopd_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_msnp_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_ms_streaming_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_pulseaudio_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_rtsp_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_soundd_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_speech_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_squid_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_tor_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_transproxy_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_vnc_port(chrome_sandbox_t)
|
|
+corenet_tcp_connect_whois_port(chrome_sandbox_t)
|
|
+corenet_tcp_sendrecv_generic_if(chrome_sandbox_t)
|
|
+corenet_tcp_sendrecv_generic_node(chrome_sandbox_t)
|
|
+
|
|
+domain_dontaudit_read_all_domains_state(chrome_sandbox_t)
|
|
+
|
|
+dev_read_urand(chrome_sandbox_t)
|
|
+dev_read_sysfs(chrome_sandbox_t)
|
|
+dev_rwx_zero(chrome_sandbox_t)
|
|
+dev_dontaudit_getattr_all_chr_files(chrome_sandbox_t)
|
|
+
|
|
+fs_dontaudit_getattr_all_fs(chrome_sandbox_t)
|
|
+
|
|
+libs_legacy_use_shared_libs(chrome_sandbox_t)
|
|
+
|
|
+miscfiles_read_fonts(chrome_sandbox_t)
|
|
+
|
|
+sysnet_dns_name_resolve(chrome_sandbox_t)
|
|
+
|
|
+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_t)
|
|
+userdom_execute_user_tmpfs_files(chrome_sandbox_t)
|
|
+
|
|
+userdom_use_user_ptys(chrome_sandbox_t)
|
|
+userdom_write_inherited_user_tmp_files(chrome_sandbox_t)
|
|
+userdom_read_inherited_user_home_content_files(chrome_sandbox_t)
|
|
+userdom_dontaudit_use_user_terminals(chrome_sandbox_t)
|
|
+userdom_search_user_home_content(chrome_sandbox_t)
|
|
+# This one we should figure a way to make it more secure
|
|
+userdom_manage_home_certs(chrome_sandbox_t)
|
|
+
|
|
+optional_policy(`
|
|
+ gnome_rw_inherited_config(chrome_sandbox_t)
|
|
+ gnome_read_home_config(chrome_sandbox_t)
|
|
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chromium")
|
|
+ gnome_cache_filetrans(chrome_sandbox_t, chrome_sandbox_home_t, dir, "chrome")
|
|
+
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mozilla_write_user_home_files(chrome_sandbox_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ xserver_use_user_fonts(chrome_sandbox_t)
|
|
+ xserver_user_x_domain_template(chrome_sandbox, chrome_sandbox_t, chrome_sandbox_tmpfs_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`use_nfs_home_dirs',`
|
|
+ fs_search_nfs(chrome_sandbox_t)
|
|
+ fs_exec_nfs_files(chrome_sandbox_t)
|
|
+ fs_read_nfs_files(chrome_sandbox_t)
|
|
+ fs_rw_inherited_nfs_files(chrome_sandbox_t)
|
|
+ fs_read_nfs_symlinks(chrome_sandbox_t)
|
|
+ fs_dontaudit_append_nfs_files(chrome_sandbox_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`use_samba_home_dirs',`
|
|
+ fs_search_cifs(chrome_sandbox_t)
|
|
+ fs_exec_cifs_files(chrome_sandbox_t)
|
|
+ fs_rw_inherited_cifs_files(chrome_sandbox_t)
|
|
+ fs_read_cifs_files(chrome_sandbox_t)
|
|
+ fs_read_cifs_symlinks(chrome_sandbox_t)
|
|
+ fs_dontaudit_append_cifs_files(chrome_sandbox_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`use_fusefs_home_dirs',`
|
|
+ fs_search_fusefs(chrome_sandbox_t)
|
|
+ fs_read_fusefs_files(chrome_sandbox_t)
|
|
+ fs_exec_fusefs_files(chrome_sandbox_t)
|
|
+ fs_read_fusefs_symlinks(chrome_sandbox_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`use_ecryptfs_home_dirs',`
|
|
+ fs_read_ecryptfs_files(chrome_sandbox_t)
|
|
+ fs_dontaudit_append_ecryptfs_files(chrome_sandbox_t)
|
|
+ fs_read_ecryptfs_symlinks(chrome_sandbox_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ cups_stream_connect(chrome_sandbox_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ sandbox_use_ptys(chrome_sandbox_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+#
|
|
+# chrome_sandbox_nacl local policy
|
|
+#
|
|
+
|
|
+allow chrome_sandbox_nacl_t self:process { execmem setsched sigkill sigstop signull signal };
|
|
+
|
|
+allow chrome_sandbox_nacl_t self:fifo_file manage_fifo_file_perms;
|
|
+allow chrome_sandbox_nacl_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow chrome_sandbox_nacl_t self:shm create_shm_perms;
|
|
+allow chrome_sandbox_nacl_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_stream_socket { getattr write read };
|
|
+allow chrome_sandbox_t chrome_sandbox_nacl_t:unix_stream_socket { getattr write read };
|
|
+allow chrome_sandbox_nacl_t chrome_sandbox_t:unix_dgram_socket { read write };
|
|
+
|
|
+allow chrome_sandbox_nacl_t chrome_sandbox_t:shm rw_shm_perms;
|
|
+allow chrome_sandbox_nacl_t chrome_sandbox_tmpfs_t:file rw_inherited_file_perms;
|
|
+allow chrome_sandbox_t chrome_sandbox_nacl_t:process { sigkill sigstop signull signal share };
|
|
+
|
|
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, chrome_sandbox_tmpfs_t)
|
|
+fs_tmpfs_filetrans(chrome_sandbox_nacl_t, chrome_sandbox_tmpfs_t, file)
|
|
+
|
|
+domain_use_interactive_fds(chrome_sandbox_nacl_t)
|
|
+
|
|
+dontaudit chrome_sandbox_nacl_t self:memprotect mmap_zero;
|
|
+
|
|
+domtrans_pattern(chrome_sandbox_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_nacl_t)
|
|
+ps_process_pattern(chrome_sandbox_t, chrome_sandbox_nacl_t)
|
|
+ps_process_pattern(chrome_sandbox_nacl_t, chrome_sandbox_t)
|
|
+
|
|
+manage_dirs_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
|
|
+manage_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
|
|
+manage_lnk_files_pattern(chrome_sandbox_nacl_t, chrome_sandbox_home_t, chrome_sandbox_home_t)
|
|
+
|
|
+kernel_read_state(chrome_sandbox_nacl_t)
|
|
+kernel_read_system_state(chrome_sandbox_nacl_t)
|
|
+
|
|
+corecmd_bin_entry_type(chrome_sandbox_nacl_t)
|
|
+
|
|
+dev_read_urand(chrome_sandbox_nacl_t)
|
|
+dev_read_sysfs(chrome_sandbox_nacl_t)
|
|
+dev_rwx_zero(chrome_sandbox_nacl_t)
|
|
+
|
|
+init_read_state(chrome_sandbox_nacl_t)
|
|
+
|
|
+libs_legacy_use_shared_libs(chrome_sandbox_nacl_t)
|
|
+
|
|
+userdom_use_inherited_user_ptys(chrome_sandbox_nacl_t)
|
|
+userdom_rw_inherited_user_tmpfs_files(chrome_sandbox_nacl_t)
|
|
+userdom_execute_user_tmpfs_files(chrome_sandbox_nacl_t)
|
|
+userdom_rw_inherited_user_tmp_files(chrome_sandbox_nacl_t)
|
|
+userdom_dontaudit_read_user_home_content_files(chrome_sandbox_nacl_t)
|
|
+userdom_dontaudit_use_user_terminals(chrome_sandbox_nacl_t)
|
|
+
|
|
+optional_policy(`
|
|
+ gnome_dontaudit_append_config_files(chrome_sandbox_nacl_t)
|
|
+ gnome_dontaudit_write_config_files(chrome_sandbox_nacl_t)
|
|
+')
|
|
diff --git a/chronyd.fc b/chronyd.fc
|
|
index 4e4143e..a665b32 100644
|
|
--- a/chronyd.fc
|
|
+++ b/chronyd.fc
|
|
@@ -2,6 +2,8 @@
|
|
|
|
/etc/rc\.d/init\.d/chronyd -- gen_context(system_u:object_r:chronyd_initrc_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/chrony.* -- gen_context(system_u:object_r:chronyd_unit_file_t,s0)
|
|
+
|
|
/usr/sbin/chronyd -- gen_context(system_u:object_r:chronyd_exec_t,s0)
|
|
|
|
/var/lib/chrony(/.*)? gen_context(system_u:object_r:chronyd_var_lib_t,s0)
|
|
diff --git a/chronyd.if b/chronyd.if
|
|
index 32e8265..0de4af3 100644
|
|
--- a/chronyd.if
|
|
+++ b/chronyd.if
|
|
@@ -100,8 +100,7 @@ interface(`chronyd_rw_shm',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to chronyd using a unix
|
|
-## domain stream socket.
|
|
+## Read chronyd keys files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -109,19 +108,17 @@ interface(`chronyd_rw_shm',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`chronyd_stream_connect',`
|
|
+interface(`chronyd_read_keys',`
|
|
gen_require(`
|
|
- type chronyd_t, chronyd_var_run_t;
|
|
+ type chronyd_keys_t;
|
|
')
|
|
|
|
- files_search_pids($1)
|
|
- stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
|
|
+ read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send to chronyd using a unix domain
|
|
-## datagram socket.
|
|
+## Append chronyd keys files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -129,18 +126,61 @@ interface(`chronyd_stream_connect',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`chronyd_dgram_send',`
|
|
+interface(`chronyd_append_keys',`
|
|
+ gen_require(`
|
|
+ type chronyd_keys_t;
|
|
+ ')
|
|
+
|
|
+ append_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute chronyd server in the chronyd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`chronyd_systemctl',`
|
|
+ gen_require(`
|
|
+ type chronyd_t;
|
|
+ type chronyd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 chronyd_unit_file_t:file read_file_perms;
|
|
+ allow $1 chronyd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, chronyd_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Connect to chronyd using a unix
|
|
+## domain stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`chronyd_stream_connect',`
|
|
gen_require(`
|
|
type chronyd_t, chronyd_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
- dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
|
|
+ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read chronyd key files.
|
|
+## Send to chronyd using a unix domain
|
|
+## datagram socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -148,13 +188,13 @@ interface(`chronyd_dgram_send',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`chronyd_read_key_files',`
|
|
+interface(`chronyd_dgram_send',`
|
|
gen_require(`
|
|
- type chronyd_keys_t;
|
|
+ type chronyd_t, chronyd_var_run_t;
|
|
')
|
|
|
|
- files_search_etc($1)
|
|
- read_files_pattern($1, chronyd_keys_t, chronyd_keys_t)
|
|
+ files_search_pids($1)
|
|
+ dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
|
|
')
|
|
|
|
####################################
|
|
@@ -176,28 +216,38 @@ interface(`chronyd_read_key_files',`
|
|
#
|
|
interface(`chronyd_admin',`
|
|
gen_require(`
|
|
- type chronyd_t, chronyd_var_log_t;
|
|
- type chronyd_var_run_t, chronyd_var_lib_t;
|
|
- type chronyd_initrc_exec_t, chronyd_keys_t;
|
|
+ type chronyd_t, chronyd_var_log_t, chronyd_var_run_t;
|
|
+ type chronyd_var_lib_t, chronyd_tmpfs_t, chronyd_initrc_exec_t;
|
|
+ type chronyd_keys_t, chronyd_unit_file_t;
|
|
')
|
|
|
|
- allow $1 chronyd_t:process { ptrace signal_perms };
|
|
+ allow $1 chronyd_t:process signal_perms;
|
|
ps_process_pattern($1, chronyd_t)
|
|
|
|
- chronyd_initrc_domtrans($1)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 chronyd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, chronyd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 chronyd_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_search_etc($1)
|
|
+ files_list_etc($1)
|
|
admin_pattern($1, chronyd_keys_t)
|
|
|
|
- logging_search_logs($1)
|
|
+ logging_list_logs($1)
|
|
admin_pattern($1, chronyd_var_log_t)
|
|
|
|
- files_search_var_lib($1)
|
|
+ files_list_var_lib($1)
|
|
admin_pattern($1, chronyd_var_lib_t)
|
|
|
|
- files_search_pids($1)
|
|
+ files_list_pids($1)
|
|
admin_pattern($1, chronyd_var_run_t)
|
|
+
|
|
+ admin_pattern($1, chronyd_tmpfs_t)
|
|
+
|
|
+ admin_pattern($1, chronyd_unit_file_t)
|
|
+ chronyd_systemctl($1)
|
|
+ allow $1 chronyd_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/chronyd.te b/chronyd.te
|
|
index e5b621c..2ec82ae 100644
|
|
--- a/chronyd.te
|
|
+++ b/chronyd.te
|
|
@@ -18,6 +18,9 @@ files_type(chronyd_keys_t)
|
|
type chronyd_tmpfs_t;
|
|
files_tmpfs_file(chronyd_tmpfs_t)
|
|
|
|
+type chronyd_unit_file_t;
|
|
+systemd_unit_file(chronyd_unit_file_t)
|
|
+
|
|
type chronyd_var_lib_t;
|
|
files_type(chronyd_var_lib_t)
|
|
|
|
@@ -32,11 +35,15 @@ files_pid_file(chronyd_var_run_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow chronyd_t self:capability { dac_override ipc_lock setuid setgid sys_resource sys_time };
|
|
-allow chronyd_t self:process { getcap setcap setrlimit signal };
|
|
+allow chronyd_t self:capability { dac_override ipc_lock fsetid setuid setgid sys_nice sys_resource sys_time };
|
|
+allow chronyd_t self:process { getsched setsched getcap setcap setrlimit signal };
|
|
allow chronyd_t self:shm create_shm_perms;
|
|
+allow chronyd_t self:udp_socket create_socket_perms;
|
|
+allow chronyd_t self:unix_dgram_socket create_socket_perms;
|
|
allow chronyd_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
+allow chronyd_t chronyd_keys_t:file append_file_perms;
|
|
+allow chronyd_t chronyd_keys_t:file setattr_file_perms;
|
|
allow chronyd_t chronyd_keys_t:file read_file_perms;
|
|
|
|
manage_dirs_pattern(chronyd_t, chronyd_tmpfs_t, chronyd_tmpfs_t)
|
|
@@ -76,18 +83,19 @@ corenet_sendrecv_chronyd_server_packets(chronyd_t)
|
|
corenet_udp_bind_chronyd_port(chronyd_t)
|
|
corenet_udp_sendrecv_chronyd_port(chronyd_t)
|
|
|
|
+domain_dontaudit_getsession_all_domains(chronyd_t)
|
|
+
|
|
+dev_read_rand(chronyd_t)
|
|
+dev_read_urand(chronyd_t)
|
|
+
|
|
dev_rw_realtime_clock(chronyd_t)
|
|
|
|
auth_use_nsswitch(chronyd_t)
|
|
|
|
logging_send_syslog_msg(chronyd_t)
|
|
|
|
-miscfiles_read_localization(chronyd_t)
|
|
+mta_send_mail(chronyd_t)
|
|
|
|
optional_policy(`
|
|
gpsd_rw_shm(chronyd_t)
|
|
')
|
|
-
|
|
-optional_policy(`
|
|
- mta_send_mail(chronyd_t)
|
|
-')
|
|
diff --git a/cipe.te b/cipe.te
|
|
index a0aa693..af571ed 100644
|
|
--- a/cipe.te
|
|
+++ b/cipe.te
|
|
@@ -29,7 +29,6 @@ kernel_read_system_state(ciped_t)
|
|
corecmd_exec_shell(ciped_t)
|
|
corecmd_exec_bin(ciped_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(ciped_t)
|
|
corenet_all_recvfrom_netlabel(ciped_t)
|
|
corenet_udp_sendrecv_generic_if(ciped_t)
|
|
corenet_udp_sendrecv_generic_node(ciped_t)
|
|
@@ -45,7 +44,6 @@ dev_read_urand(ciped_t)
|
|
|
|
domain_use_interactive_fds(ciped_t)
|
|
|
|
-files_read_etc_files(ciped_t)
|
|
files_read_etc_runtime_files(ciped_t)
|
|
files_dontaudit_search_var(ciped_t)
|
|
|
|
@@ -53,8 +51,6 @@ fs_search_auto_mountpoints(ciped_t)
|
|
|
|
logging_send_syslog_msg(ciped_t)
|
|
|
|
-miscfiles_read_localization(ciped_t)
|
|
-
|
|
sysnet_read_config(ciped_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(ciped_t)
|
|
diff --git a/clamav.fc b/clamav.fc
|
|
index d72afcc..c53b80d 100644
|
|
--- a/clamav.fc
|
|
+++ b/clamav.fc
|
|
@@ -6,6 +6,8 @@
|
|
/usr/bin/clamdscan -- gen_context(system_u:object_r:clamscan_exec_t,s0)
|
|
/usr/bin/freshclam -- gen_context(system_u:object_r:freshclam_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/clamd.* -- gen_context(system_u:object_r:clamd_unit_file_t,s0)
|
|
+
|
|
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
|
|
/usr/sbin/clamav-milter -- gen_context(system_u:object_r:clamd_exec_t,s0)
|
|
|
|
diff --git a/clamav.if b/clamav.if
|
|
index 4cc4a5c..99c5cca 100644
|
|
--- a/clamav.if
|
|
+++ b/clamav.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>ClamAV Virus Scanner.</summary>
|
|
+## <summary>ClamAV Virus Scanner</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -15,14 +15,12 @@ interface(`clamav_domtrans',`
|
|
type clamd_t, clamd_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, clamd_exec_t, clamd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to clamd using a unix
|
|
-## domain stream socket.
|
|
+## Connect to run clamd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -41,7 +39,8 @@ interface(`clamav_stream_connect',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Append clamav log files.
|
|
+## Allow the specified domain to append
|
|
+## to clamav log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -61,27 +60,6 @@ interface(`clamav_append_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## clamav pid content.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`clamav_manage_pid_content',`
|
|
- gen_require(`
|
|
- type clamd_var_run_t;
|
|
- ')
|
|
-
|
|
- files_search_pids($1)
|
|
- manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
|
|
- manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
## Read clamav configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -101,7 +79,7 @@ interface(`clamav_read_config',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Search clamav library directories.
|
|
+## Search clamav libraries directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -133,13 +111,12 @@ interface(`clamav_domtrans_clamscan',`
|
|
type clamscan_t, clamscan_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, clamscan_exec_t, clamscan_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute clamscan in the caller domain.
|
|
+## Execute clamscan without a transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -152,13 +129,12 @@ interface(`clamav_exec_clamscan',`
|
|
type clamscan_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, clamscan_exec_t)
|
|
')
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## Read clamd process state files.
|
|
+## Manage clamd pid content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -166,21 +142,62 @@ interface(`clamav_exec_clamscan',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`clamav_read_state_clamd',`
|
|
+interface(`clamav_manage_clamd_pid',`
|
|
gen_require(`
|
|
- type clamd_t;
|
|
+ type clamd_var_run_t;
|
|
')
|
|
|
|
- kernel_search_proc($1)
|
|
- allow $1 clamd_t:dir list_dir_perms;
|
|
- read_files_pattern($1, clamd_t, clamd_t)
|
|
- read_lnk_files_pattern($1, clamd_t, clamd_t)
|
|
+ manage_dirs_pattern($1, clamd_var_run_t, clamd_var_run_t)
|
|
+ manage_files_pattern($1, clamd_var_run_t, clamd_var_run_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Read clamd state files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`clamav_read_state_clamd',`
|
|
+ gen_require(`
|
|
+ type clamd_t;
|
|
+ ')
|
|
+
|
|
+ kernel_search_proc($1)
|
|
+ ps_process_pattern($1, clamd_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute clamd server in the clamd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`clamd_systemctl',`
|
|
+ gen_require(`
|
|
+ type clamd_t;
|
|
+ type clamd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ allow $1 clamd_unit_file_t:file read_file_perms;
|
|
+ allow $1 clamd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, clamd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an clamav environment.
|
|
+## All of the rules required to administrate
|
|
+## an clamav environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -189,7 +206,7 @@ interface(`clamav_read_state_clamd',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the clamav domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
@@ -197,19 +214,36 @@ interface(`clamav_read_state_clamd',`
|
|
interface(`clamav_admin',`
|
|
gen_require(`
|
|
type clamd_t, clamd_etc_t, clamd_tmp_t;
|
|
- type clamd_var_log_t, clamd_var_lib_t, clamd_initrc_exec_t;
|
|
- type clamd_var_run_t, clamscan_t, clamscan_tmp_t;
|
|
+ type clamd_var_log_t, clamd_var_lib_t, clamd_var_run_t;
|
|
+ type clamscan_t, clamscan_tmp_t, clamd_initrc_exec_t;
|
|
type freshclam_t, freshclam_var_log_t;
|
|
+ type clamd_unit_file_t;
|
|
')
|
|
|
|
- allow $1 { clamd_t clamscan_t freshclam_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { clamd_t clamscan_t freshclam_t })
|
|
+ allow $1 clamd_t:process signal_perms;
|
|
+ ps_process_pattern($1, clamd_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 clamd_t:process ptrace;
|
|
+ allow $1 clamscan_t:process ptrace;
|
|
+ allow $1 freshclam_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ allow $1 clamscan_t:process signal_perms;
|
|
+ ps_process_pattern($1, clamscan_t)
|
|
+
|
|
+ allow $1 freshclam_t:process signal_perms;
|
|
+ ps_process_pattern($1, freshclam_t)
|
|
|
|
init_labeled_script_domtrans($1, clamd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 clamd_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
+ clamd_systemctl($1)
|
|
+ admin_pattern($1, clamd_unit_file_t)
|
|
+ allow $1 clamd_unit_file_t:service all_service_perms;
|
|
+
|
|
files_list_etc($1)
|
|
admin_pattern($1, clamd_etc_t)
|
|
|
|
@@ -217,11 +251,21 @@ interface(`clamav_admin',`
|
|
admin_pattern($1, clamd_var_lib_t)
|
|
|
|
logging_list_logs($1)
|
|
- admin_pattern($1, { clamd_var_log_t freshclam_var_log_t })
|
|
+ admin_pattern($1, clamd_var_log_t)
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, clamd_var_run_t)
|
|
|
|
files_list_tmp($1)
|
|
- admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
|
|
+ admin_pattern($1, clamd_tmp_t)
|
|
+
|
|
+ admin_pattern($1, clamscan_tmp_t)
|
|
+
|
|
+ admin_pattern($1, freshclam_var_log_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+
|
|
')
|
|
diff --git a/clamav.te b/clamav.te
|
|
index ce3836a..94aa8a6 100644
|
|
--- a/clamav.te
|
|
+++ b/clamav.te
|
|
@@ -38,6 +38,9 @@ files_config_file(clamd_etc_t)
|
|
type clamd_initrc_exec_t;
|
|
init_script_file(clamd_initrc_exec_t)
|
|
|
|
+type clamd_unit_file_t;
|
|
+systemd_unit_file(clamd_unit_file_t)
|
|
+
|
|
type clamd_tmp_t;
|
|
files_tmp_file(clamd_tmp_t)
|
|
|
|
@@ -73,6 +76,7 @@ logging_log_file(freshclam_var_log_t)
|
|
allow clamd_t self:capability { kill setgid setuid dac_override };
|
|
dontaudit clamd_t self:capability sys_tty_config;
|
|
allow clamd_t self:process signal;
|
|
+
|
|
allow clamd_t self:fifo_file rw_fifo_file_perms;
|
|
allow clamd_t self:unix_stream_socket { accept connectto listen };
|
|
allow clamd_t self:tcp_socket { listen accept };
|
|
@@ -107,7 +111,6 @@ kernel_read_system_state(clamd_t)
|
|
|
|
corecmd_exec_shell(clamd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(clamd_t)
|
|
corenet_all_recvfrom_netlabel(clamd_t)
|
|
corenet_tcp_sendrecv_generic_if(clamd_t)
|
|
corenet_tcp_sendrecv_generic_node(clamd_t)
|
|
@@ -119,6 +122,7 @@ corenet_tcp_bind_generic_port(clamd_t)
|
|
|
|
corenet_sendrecv_generic_client_packets(clamd_t)
|
|
corenet_tcp_connect_generic_port(clamd_t)
|
|
+corenet_tcp_connect_clamd_port(clamd_t)
|
|
|
|
corenet_sendrecv_clamd_server_packets(clamd_t)
|
|
corenet_tcp_bind_clamd_port(clamd_t)
|
|
@@ -135,18 +139,10 @@ auth_use_nsswitch(clamd_t)
|
|
|
|
logging_send_syslog_msg(clamd_t)
|
|
|
|
-miscfiles_read_localization(clamd_t)
|
|
-
|
|
-tunable_policy(`clamd_use_jit',`
|
|
- allow clamd_t self:process execmem;
|
|
-',`
|
|
- dontaudit clamd_t self:process execmem;
|
|
-')
|
|
-
|
|
optional_policy(`
|
|
amavis_read_lib_files(clamd_t)
|
|
amavis_read_spool_files(clamd_t)
|
|
- amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
|
|
+ amavis_spool_filetrans(clamd_t, clamd_var_run_t, { file dir sock_file })
|
|
amavis_create_pid_files(clamd_t)
|
|
')
|
|
|
|
@@ -165,6 +161,31 @@ optional_policy(`
|
|
mta_send_mail(clamd_t)
|
|
')
|
|
|
|
+optional_policy(`
|
|
+ spamd_stream_connect(clamd_t)
|
|
+ spamassassin_read_pid_files(clamd_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`clamd_use_jit',`
|
|
+ allow clamd_t self:process execmem;
|
|
+ allow clamscan_t self:process execmem;
|
|
+',`
|
|
+ dontaudit clamd_t self:process execmem;
|
|
+ dontaudit clamscan_t self:process execmem;
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ antivirus_domain_template(clamd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ antivirus_domain_template(clamscan_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ antivirus_domain_template(freshclam_t)
|
|
+')
|
|
+
|
|
########################################
|
|
#
|
|
# Freshclam local policy
|
|
@@ -228,7 +249,6 @@ auth_use_nsswitch(freshclam_t)
|
|
|
|
logging_send_syslog_msg(freshclam_t)
|
|
|
|
-miscfiles_read_localization(freshclam_t)
|
|
|
|
tunable_policy(`clamd_use_jit',`
|
|
allow freshclam_t self:process execmem;
|
|
@@ -241,6 +261,10 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ clamd_systemctl(freshclam_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
cron_system_entry(freshclam_t, freshclam_exec_t)
|
|
')
|
|
|
|
@@ -275,7 +299,6 @@ kernel_dontaudit_list_proc(clamscan_t)
|
|
kernel_read_kernel_sysctls(clamscan_t)
|
|
kernel_read_system_state(clamscan_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(clamscan_t)
|
|
corenet_all_recvfrom_netlabel(clamscan_t)
|
|
corenet_tcp_sendrecv_generic_if(clamscan_t)
|
|
corenet_tcp_sendrecv_generic_node(clamscan_t)
|
|
@@ -286,14 +309,12 @@ corenet_tcp_sendrecv_clamd_port(clamscan_t)
|
|
|
|
corecmd_read_all_executables(clamscan_t)
|
|
|
|
-files_read_etc_files(clamscan_t)
|
|
files_read_etc_runtime_files(clamscan_t)
|
|
files_search_var_lib(clamscan_t)
|
|
|
|
init_read_utmp(clamscan_t)
|
|
init_dontaudit_write_utmp(clamscan_t)
|
|
|
|
-miscfiles_read_localization(clamscan_t)
|
|
miscfiles_read_public_files(clamscan_t)
|
|
|
|
sysnet_dns_name_resolve(clamscan_t)
|
|
@@ -310,10 +331,6 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
|
|
')
|
|
|
|
optional_policy(`
|
|
- amavis_read_spool_files(clamscan_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
apache_read_sys_content(clamscan_t)
|
|
')
|
|
|
|
diff --git a/clockspeed.te b/clockspeed.te
|
|
index d3e2a67..f5b330c 100644
|
|
--- a/clockspeed.te
|
|
+++ b/clockspeed.te
|
|
@@ -29,7 +29,6 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
|
|
|
|
read_files_pattern(clockspeed_cli_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
|
|
corenet_all_recvfrom_netlabel(clockspeed_cli_t)
|
|
corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
|
|
corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
|
|
@@ -38,11 +37,9 @@ corenet_sendrecv_ntp_client_packets(clockspeed_cli_t)
|
|
corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
|
|
|
|
files_list_var_lib(clockspeed_cli_t)
|
|
-files_read_etc_files(clockspeed_cli_t)
|
|
|
|
-miscfiles_read_localization(clockspeed_cli_t)
|
|
|
|
-userdom_use_user_terminals(clockspeed_cli_t)
|
|
+userdom_use_inherited_user_terminals(clockspeed_cli_t)
|
|
|
|
########################################
|
|
#
|
|
@@ -57,7 +54,6 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
|
|
manage_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
|
|
manage_fifo_files_pattern(clockspeed_srv_t, clockspeed_var_lib_t, clockspeed_var_lib_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
|
|
corenet_all_recvfrom_netlabel(clockspeed_srv_t)
|
|
corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
|
|
corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
|
|
@@ -68,9 +64,7 @@ corenet_udp_bind_clockspeed_port(clockspeed_srv_t)
|
|
corenet_udp_sendrecv_clockspeed_port(clockspeed_srv_t)
|
|
|
|
files_list_var_lib(clockspeed_srv_t)
|
|
-files_read_etc_files(clockspeed_srv_t)
|
|
|
|
-miscfiles_read_localization(clockspeed_srv_t)
|
|
|
|
optional_policy(`
|
|
daemontools_service_domain(clockspeed_srv_t, clockspeed_srv_exec_t)
|
|
diff --git a/clogd.te b/clogd.te
|
|
index 4a5b3d1..cd146bd 100644
|
|
--- a/clogd.te
|
|
+++ b/clogd.te
|
|
@@ -41,9 +41,6 @@ storage_raw_write_fixed_disk(clogd_t)
|
|
|
|
logging_send_syslog_msg(clogd_t)
|
|
|
|
-miscfiles_read_localization(clogd_t)
|
|
-
|
|
optional_policy(`
|
|
- aisexec_stream_connect(clogd_t)
|
|
- corosync_stream_connect(clogd_t)
|
|
+ rhcs_stream_connect_cluster(clogd_t)
|
|
')
|
|
diff --git a/cloudform.fc b/cloudform.fc
|
|
new file mode 100644
|
|
index 0000000..3a0de96
|
|
--- /dev/null
|
|
+++ b/cloudform.fc
|
|
@@ -0,0 +1,27 @@
|
|
+/etc/rc\.d/init\.d/iwhd -- gen_context(system_u:object_r:iwhd_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/mongod -- gen_context(system_u:object_r:mongod_initrc_exec_t,s0)
|
|
+
|
|
+/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0)
|
|
+/usr/bin/deltacloudd -- gen_context(system_u:object_r:deltacloudd_exec_t,s0)
|
|
+/usr/bin/iwhd -- gen_context(system_u:object_r:iwhd_exec_t,s0)
|
|
+/usr/bin/mongod -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
|
+
|
|
+/usr/share/aeolus-conductor/dbomatic/dbomatic -- gen_context(system_u:object_r:mongod_exec_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/cloud-config.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/cloud-init.* -- gen_context(system_u:object_r:cloud_init_unit_file_t,s0)
|
|
+
|
|
+/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_var_lib_t,s0)
|
|
+/var/log/cloud-init\.log -- gen_context(system_u:object_r:cloud_log_t,s0)
|
|
+/var/lib/iwhd(/.*)? gen_context(system_u:object_r:iwhd_var_lib_t,s0)
|
|
+/var/lib/mongo.* gen_context(system_u:object_r:mongod_var_lib_t,s0)
|
|
+
|
|
+/var/log/deltacloud-core(/.*)? gen_context(system_u:object_r:deltacloudd_log_t,s0)
|
|
+/var/log/iwhd\.log.* -- gen_context(system_u:object_r:iwhd_log_t,s0)
|
|
+/var/log/mongo.* gen_context(system_u:object_r:mongod_log_t,s0)
|
|
+/var/log/aeolus-conductor/dbomatic\.log.* -- gen_context(system_u:object_r:mongod_log_t,s0)
|
|
+
|
|
+/var/run/mongo.* gen_context(system_u:object_r:mongod_var_run_t,s0)
|
|
+/var/run/aeolus/dbomatic\.pid -- gen_context(system_u:object_r:mongod_var_run_t,s0)
|
|
+/var/run/iwhd\.pid -- gen_context(system_u:object_r:iwhd_var_run_t,s0)
|
|
diff --git a/cloudform.if b/cloudform.if
|
|
new file mode 100644
|
|
index 0000000..8ac848b
|
|
--- /dev/null
|
|
+++ b/cloudform.if
|
|
@@ -0,0 +1,42 @@
|
|
+## <summary>cloudform policy</summary>
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Creates types and rules for a basic
|
|
+## cloudform daemon domain.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## Prefix for the domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`cloudform_domain_template',`
|
|
+ gen_require(`
|
|
+ attribute cloudform_domain;
|
|
+ ')
|
|
+
|
|
+ type $1_t, cloudform_domain;
|
|
+ type $1_exec_t;
|
|
+ init_daemon_domain($1_t, $1_exec_t)
|
|
+
|
|
+ kernel_read_system_state($1_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Execute mongod in the caller domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`cloudform_exec_mongod',`
|
|
+ gen_require(`
|
|
+ type mongod_exec_t;
|
|
+ ')
|
|
+
|
|
+ can_exec($1, mongod_exec_t)
|
|
+')
|
|
diff --git a/cloudform.te b/cloudform.te
|
|
new file mode 100644
|
|
index 0000000..4e41e84
|
|
--- /dev/null
|
|
+++ b/cloudform.te
|
|
@@ -0,0 +1,298 @@
|
|
+policy_module(cloudform, 1.0)
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+attribute cloudform_domain;
|
|
+
|
|
+cloudform_domain_template(deltacloudd)
|
|
+cloudform_domain_template(iwhd)
|
|
+cloudform_domain_template(mongod)
|
|
+cloudform_domain_template(cloud_init)
|
|
+
|
|
+type cloud_init_tmp_t;
|
|
+files_tmp_file(cloud_init_tmp_t)
|
|
+
|
|
+type cloud_init_unit_file_t;
|
|
+systemd_unit_file(cloud_init_unit_file_t)
|
|
+
|
|
+type cloud_var_lib_t;
|
|
+files_type(cloud_var_lib_t)
|
|
+
|
|
+type cloud_log_t;
|
|
+logging_log_file(cloud_log_t)
|
|
+
|
|
+type deltacloudd_log_t;
|
|
+logging_log_file(deltacloudd_log_t)
|
|
+
|
|
+type deltacloudd_var_run_t;
|
|
+files_pid_file(deltacloudd_var_run_t)
|
|
+
|
|
+type deltacloudd_tmp_t;
|
|
+files_tmp_file(deltacloudd_tmp_t)
|
|
+
|
|
+type iwhd_initrc_exec_t;
|
|
+init_script_file(iwhd_initrc_exec_t)
|
|
+
|
|
+type iwhd_var_lib_t;
|
|
+files_type(iwhd_var_lib_t)
|
|
+
|
|
+type iwhd_var_run_t;
|
|
+files_pid_file(iwhd_var_run_t)
|
|
+
|
|
+type mongod_initrc_exec_t;
|
|
+init_script_file(mongod_initrc_exec_t)
|
|
+
|
|
+type mongod_log_t;
|
|
+logging_log_file(mongod_log_t)
|
|
+
|
|
+type mongod_var_lib_t;
|
|
+files_type(mongod_var_lib_t)
|
|
+
|
|
+type mongod_tmp_t;
|
|
+files_tmp_file(mongod_tmp_t)
|
|
+
|
|
+type mongod_var_run_t;
|
|
+files_pid_file(mongod_var_run_t)
|
|
+
|
|
+type iwhd_log_t;
|
|
+logging_log_file(iwhd_log_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# cloudform_domain local policy
|
|
+#
|
|
+
|
|
+allow cloudform_domain self:fifo_file rw_fifo_file_perms;
|
|
+allow cloudform_domain self:tcp_socket create_stream_socket_perms;
|
|
+
|
|
+dev_read_rand(cloudform_domain)
|
|
+dev_read_urand(cloudform_domain)
|
|
+dev_read_sysfs(cloudform_domain)
|
|
+
|
|
+auth_read_passwd(cloudform_domain)
|
|
+
|
|
+miscfiles_read_certs(cloudform_domain)
|
|
+
|
|
+#################################
|
|
+#
|
|
+# cloud-init local policy
|
|
+#
|
|
+
|
|
+allow cloud_init_t self:capability { fowner chown fsetid dac_override };
|
|
+
|
|
+allow cloud_init_t self:udp_socket create_socket_perms;
|
|
+
|
|
+manage_files_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
|
|
+manage_dirs_pattern(cloud_init_t, cloud_init_tmp_t, cloud_init_tmp_t)
|
|
+files_tmp_filetrans(cloud_init_t, cloud_init_tmp_t, { file dir })
|
|
+
|
|
+manage_dirs_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
|
|
+manage_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
|
|
+manage_lnk_files_pattern(cloud_init_t, cloud_var_lib_t, cloud_var_lib_t)
|
|
+
|
|
+manage_files_pattern(cloud_init_t, cloud_log_t, cloud_log_t)
|
|
+logging_log_filetrans(cloud_init_t, cloud_log_t, { file })
|
|
+
|
|
+kernel_read_network_state(cloud_init_t)
|
|
+
|
|
+corenet_tcp_connect_http_port(cloud_init_t)
|
|
+
|
|
+corecmd_exec_bin(cloud_init_t)
|
|
+corecmd_exec_shell(cloud_init_t)
|
|
+
|
|
+domain_read_all_domains_state(cloud_init_t)
|
|
+
|
|
+fs_getattr_all_fs(cloud_init_t)
|
|
+
|
|
+storage_raw_read_fixed_disk(cloud_init_t)
|
|
+
|
|
+libs_exec_ldconfig(cloud_init_t)
|
|
+
|
|
+logging_send_syslog_msg(cloud_init_t)
|
|
+
|
|
+miscfiles_read_localization(cloud_init_t)
|
|
+
|
|
+selinux_validate_context(cloud_init_t)
|
|
+
|
|
+systemd_dbus_chat_hostnamed(cloud_init_t)
|
|
+systemd_exec_systemctl(cloud_init_t)
|
|
+systemd_start_all_services(cloud_init_t)
|
|
+
|
|
+usermanage_domtrans_passwd(cloud_init_t)
|
|
+
|
|
+optional_policy(`
|
|
+ dbus_system_bus_client(cloud_init_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dmidecode_domtrans(cloud_init_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ fstools_domtrans(cloud_init_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ hostname_exec(cloud_init_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mount_domtrans(cloud_init_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ # it check file context and run restorecon
|
|
+ seutil_read_file_contexts(cloud_init_t)
|
|
+ seutil_domtrans_setfiles(cloud_init_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ssh_exec_keygen(cloud_init_t)
|
|
+ ssh_read_user_home_files(cloud_init_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ sysnet_domtrans_ifconfig(cloud_init_t)
|
|
+ sysnet_read_dhcpc_state(cloud_init_t)
|
|
+ sysnet_dns_name_resolve(cloud_init_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rpm_domtrans(cloud_init_t)
|
|
+ unconfined_domain(cloud_init_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# deltacloudd local policy
|
|
+#
|
|
+
|
|
+allow deltacloudd_t self:capability { dac_override setuid setgid };
|
|
+
|
|
+allow deltacloudd_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+allow deltacloudd_t self:udp_socket create_socket_perms;
|
|
+
|
|
+allow deltacloudd_t self:process signal;
|
|
+
|
|
+allow deltacloudd_t self:fifo_file rw_fifo_file_perms;
|
|
+allow deltacloudd_t self:tcp_socket create_stream_socket_perms;
|
|
+allow deltacloudd_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
|
|
+manage_files_pattern(deltacloudd_t, deltacloudd_tmp_t, deltacloudd_tmp_t)
|
|
+files_tmp_filetrans(deltacloudd_t, deltacloudd_tmp_t, { file dir })
|
|
+
|
|
+manage_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
|
|
+manage_dirs_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
|
|
+manage_lnk_files_pattern(deltacloudd_t, deltacloudd_var_run_t, deltacloudd_var_run_t)
|
|
+files_pid_filetrans(deltacloudd_t, deltacloudd_var_run_t, { file dir })
|
|
+
|
|
+manage_files_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
|
|
+manage_dirs_pattern(deltacloudd_t, deltacloudd_log_t, deltacloudd_log_t)
|
|
+logging_log_filetrans(deltacloudd_t, deltacloudd_log_t, { file dir })
|
|
+
|
|
+kernel_read_kernel_sysctls(deltacloudd_t)
|
|
+kernel_read_system_state(deltacloudd_t)
|
|
+
|
|
+corecmd_exec_bin(deltacloudd_t)
|
|
+
|
|
+corenet_tcp_bind_generic_node(deltacloudd_t)
|
|
+corenet_tcp_bind_generic_port(deltacloudd_t)
|
|
+corenet_tcp_connect_http_port(deltacloudd_t)
|
|
+corenet_tcp_connect_keystone_port(deltacloudd_t)
|
|
+
|
|
+auth_use_nsswitch(deltacloudd_t)
|
|
+
|
|
+logging_send_syslog_msg(deltacloudd_t)
|
|
+
|
|
+optional_policy(`
|
|
+ sysnet_read_config(deltacloudd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# iwhd local policy
|
|
+#
|
|
+
|
|
+allow iwhd_t self:capability { chown kill };
|
|
+allow iwhd_t self:process { fork };
|
|
+
|
|
+allow iwhd_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+allow iwhd_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
|
|
+manage_files_pattern(iwhd_t, iwhd_var_lib_t, iwhd_var_lib_t)
|
|
+
|
|
+manage_files_pattern(iwhd_t, iwhd_log_t, iwhd_log_t)
|
|
+logging_log_filetrans(iwhd_t, iwhd_log_t, { file })
|
|
+
|
|
+manage_dirs_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
|
|
+manage_files_pattern(iwhd_t, iwhd_var_run_t, iwhd_var_run_t)
|
|
+files_pid_filetrans(iwhd_t, iwhd_var_run_t, { dir file })
|
|
+
|
|
+kernel_read_system_state(iwhd_t)
|
|
+
|
|
+corenet_tcp_bind_generic_node(iwhd_t)
|
|
+corenet_tcp_bind_websm_port(iwhd_t)
|
|
+corenet_tcp_connect_all_ports(iwhd_t)
|
|
+
|
|
+dev_read_rand(iwhd_t)
|
|
+dev_read_urand(iwhd_t)
|
|
+
|
|
+userdom_home_manager(iwhd_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# mongod local policy
|
|
+#
|
|
+
|
|
+allow mongod_t self:process { execmem setsched signal };
|
|
+
|
|
+allow mongod_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+allow mongod_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow mongod_t self:udp_socket create_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(mongod_t, mongod_log_t, mongod_log_t)
|
|
+manage_files_pattern(mongod_t, mongod_log_t, mongod_log_t)
|
|
+logging_log_filetrans(mongod_t, mongod_log_t, file, "dbomatic.log")
|
|
+logging_log_filetrans(mongod_t, mongod_log_t, file, "mongod.log")
|
|
+
|
|
+manage_dirs_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
|
|
+manage_files_pattern(mongod_t, mongod_var_lib_t, mongod_var_lib_t)
|
|
+
|
|
+manage_dirs_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
|
|
+manage_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
|
|
+manage_sock_files_pattern(mongod_t, mongod_tmp_t, mongod_tmp_t)
|
|
+files_tmp_filetrans(mongod_t, mongod_tmp_t, { file dir sock_file })
|
|
+
|
|
+manage_dirs_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
|
|
+manage_files_pattern(mongod_t, mongod_var_run_t, mongod_var_run_t)
|
|
+#needed by dbomatic
|
|
+files_pid_filetrans(mongod_t, mongod_var_run_t, { file })
|
|
+
|
|
+corecmd_exec_bin(mongod_t)
|
|
+corecmd_exec_shell(mongod_t)
|
|
+
|
|
+corenet_tcp_bind_generic_node(mongod_t)
|
|
+corenet_tcp_bind_mongod_port(mongod_t)
|
|
+corenet_tcp_connect_mongod_port(mongod_t)
|
|
+corenet_tcp_connect_postgresql_port(mongod_t)
|
|
+
|
|
+kernel_read_vm_sysctls(mongod_t)
|
|
+kernel_read_system_state(mongod_t)
|
|
+
|
|
+fs_getattr_all_fs(mongod_t)
|
|
+
|
|
+optional_policy(`
|
|
+ mysql_stream_connect(mongod_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ postgresql_stream_connect(mongod_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ sysnet_dns_name_resolve(mongod_t)
|
|
+')
|
|
diff --git a/cmirrord.if b/cmirrord.if
|
|
index cc4e7cb..f348d27 100644
|
|
--- a/cmirrord.if
|
|
+++ b/cmirrord.if
|
|
@@ -73,10 +73,11 @@ interface(`cmirrord_rw_shm',`
|
|
type cmirrord_t, cmirrord_tmpfs_t;
|
|
')
|
|
|
|
- allow $1 cmirrord_t:shm rw_shm_perms;
|
|
+ allow $1 cmirrord_t:shm { rw_shm_perms destroy };
|
|
|
|
allow $1 cmirrord_tmpfs_t:dir list_dir_perms;
|
|
rw_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
|
|
+ delete_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
|
|
read_lnk_files_pattern($1, cmirrord_tmpfs_t, cmirrord_tmpfs_t)
|
|
fs_search_tmpfs($1)
|
|
')
|
|
@@ -103,9 +104,13 @@ interface(`cmirrord_admin',`
|
|
type cmirrord_t, cmirrord_initrc_exec_t, cmirrord_var_run_t;
|
|
')
|
|
|
|
- allow $1 cmirrord_t:process { ptrace signal_perms };
|
|
+ allow $1 cmirrord_t:process signal_perms;
|
|
ps_process_pattern($1, cmirrord_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 cmirrord_t:process ptrace;
|
|
+ ')
|
|
+
|
|
cmirrord_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 cmirrord_initrc_exec_t system_r;
|
|
diff --git a/cmirrord.te b/cmirrord.te
|
|
index bbdd396..fddf8f4 100644
|
|
--- a/cmirrord.te
|
|
+++ b/cmirrord.te
|
|
@@ -23,7 +23,7 @@ files_pid_file(cmirrord_var_run_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow cmirrord_t self:capability { net_admin kill };
|
|
+allow cmirrord_t self:capability { sys_admin net_admin kill };
|
|
dontaudit cmirrord_t self:capability sys_tty_config;
|
|
allow cmirrord_t self:process { setfscreate signal };
|
|
allow cmirrord_t self:fifo_file rw_fifo_file_perms;
|
|
@@ -42,16 +42,17 @@ files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file)
|
|
domain_use_interactive_fds(cmirrord_t)
|
|
domain_obj_id_change_exemption(cmirrord_t)
|
|
|
|
-files_read_etc_files(cmirrord_t)
|
|
-
|
|
storage_create_fixed_disk_dev(cmirrord_t)
|
|
+storage_rw_inherited_fixed_disk_dev(cmirrord_t)
|
|
|
|
seutil_read_file_contexts(cmirrord_t)
|
|
|
|
logging_send_syslog_msg(cmirrord_t)
|
|
|
|
-miscfiles_read_localization(cmirrord_t)
|
|
-
|
|
optional_policy(`
|
|
corosync_stream_connect(cmirrord_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ rhcs_rw_cluster_tmpfs(cmirrord_t)
|
|
+')
|
|
diff --git a/cobbler.fc b/cobbler.fc
|
|
index 973d208..2b650a7 100644
|
|
--- a/cobbler.fc
|
|
+++ b/cobbler.fc
|
|
@@ -4,6 +4,7 @@
|
|
|
|
/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
|
|
|
|
+/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
|
/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
|
|
|
/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
|
|
diff --git a/cobbler.if b/cobbler.if
|
|
index c223f81..8b567c1 100644
|
|
--- a/cobbler.if
|
|
+++ b/cobbler.if
|
|
@@ -38,6 +38,28 @@ interface(`cobblerd_initrc_domtrans',`
|
|
init_labeled_script_domtrans($1, cobblerd_initrc_exec_t)
|
|
')
|
|
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read cobbler configuration dirs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`cobbler_list_config',`
|
|
+ gen_require(`
|
|
+ type cobbler_etc_t;
|
|
+ ')
|
|
+
|
|
+ list_dirs_pattern($1, cobbler_etc_t, cobbler_etc_t)
|
|
+ files_search_etc($1)
|
|
+')
|
|
+
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## Read cobbler configuration files.
|
|
@@ -112,6 +134,7 @@ interface(`cobbler_read_lib_files',`
|
|
|
|
files_search_var_lib($1)
|
|
read_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
|
+ read_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -132,6 +155,8 @@ interface(`cobbler_manage_lib_files',`
|
|
|
|
files_search_var_lib($1)
|
|
manage_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
|
+ manage_lnk_files_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
|
+ manage_dirs_pattern($1, cobbler_var_lib_t, cobbler_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -176,8 +201,8 @@ interface(`cobblerd_admin',`
|
|
interface(`cobbler_admin',`
|
|
gen_require(`
|
|
type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
|
|
- type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
|
|
- type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t;
|
|
+ type cobbler_etc_t, cobblerd_initrc_exec_t;
|
|
+ type cobbler_tmp_t;
|
|
')
|
|
|
|
allow $1 cobblerd_t:process { ptrace signal_perms };
|
|
@@ -199,7 +224,4 @@ interface(`cobbler_admin',`
|
|
|
|
logging_search_logs($1)
|
|
admin_pattern($1, cobbler_var_log_t)
|
|
-
|
|
- apache_search_sys_content($1)
|
|
- admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
|
|
')
|
|
diff --git a/cobbler.te b/cobbler.te
|
|
index 5f306dd..9a5087b 100644
|
|
--- a/cobbler.te
|
|
+++ b/cobbler.te
|
|
@@ -81,6 +81,7 @@ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
|
|
manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
|
|
manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
|
|
files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir)
|
|
+files_var_filetrans(cobblerd_t, cobbler_var_lib_t, dir, "cobbler")
|
|
|
|
append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
|
|
create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
|
|
@@ -89,7 +90,7 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
|
|
logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
|
|
|
|
kernel_read_system_state(cobblerd_t)
|
|
-kernel_dontaudit_search_network_state(cobblerd_t)
|
|
+kernel_read_network_state(cobblerd_t)
|
|
|
|
corecmd_exec_bin(cobblerd_t)
|
|
corecmd_exec_shell(cobblerd_t)
|
|
@@ -112,14 +113,13 @@ corenet_tcp_sendrecv_http_port(cobblerd_t)
|
|
corenet_tcp_connect_http_port(cobblerd_t)
|
|
corenet_sendrecv_http_client_packets(cobblerd_t)
|
|
|
|
+dev_read_sysfs(cobblerd_t)
|
|
dev_read_urand(cobblerd_t)
|
|
|
|
files_list_boot(cobblerd_t)
|
|
files_list_tmp(cobblerd_t)
|
|
files_read_boot_files(cobblerd_t)
|
|
-files_read_etc_files(cobblerd_t)
|
|
files_read_etc_runtime_files(cobblerd_t)
|
|
-files_read_usr_files(cobblerd_t)
|
|
|
|
fs_getattr_all_fs(cobblerd_t)
|
|
fs_read_iso9660_files(cobblerd_t)
|
|
@@ -128,6 +128,8 @@ selinux_get_enforce_mode(cobblerd_t)
|
|
|
|
term_use_console(cobblerd_t)
|
|
|
|
+auth_use_nsswitch(cobblerd_t)
|
|
+
|
|
logging_send_syslog_msg(cobblerd_t)
|
|
|
|
miscfiles_read_localization(cobblerd_t)
|
|
@@ -160,6 +162,7 @@ tunable_policy(`cobbler_use_nfs',`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ apache_domtrans(cobblerd_t)
|
|
apache_search_sys_content(cobblerd_t)
|
|
')
|
|
|
|
@@ -188,17 +191,25 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ libs_exec_ldconfig(cobblerd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mysql_stream_connect(cobblerd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
rpm_exec(cobblerd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ rsync_exec(cobblerd_t)
|
|
rsync_read_config(cobblerd_t)
|
|
- rsync_manage_config_files(cobblerd_t)
|
|
+ rsync_manage_config(cobblerd_t)
|
|
rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf")
|
|
')
|
|
|
|
optional_policy(`
|
|
- tftp_manage_config_files(cobblerd_t)
|
|
- tftp_etc_filetrans_config(cobblerd_t, file, "tftp")
|
|
+ tftp_manage_config(cobblerd_t)
|
|
tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
|
|
')
|
|
diff --git a/collectd.fc b/collectd.fc
|
|
index 79a3abe..2e7d7ed 100644
|
|
--- a/collectd.fc
|
|
+++ b/collectd.fc
|
|
@@ -1,5 +1,7 @@
|
|
/etc/rc\.d/init\.d/collectd -- gen_context(system_u:object_r:collectd_initrc_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/collectd.* -- gen_context(system_u:object_r:collectd_unit_file_t,s0)
|
|
+
|
|
/usr/sbin/collectd -- gen_context(system_u:object_r:collectd_exec_t,s0)
|
|
|
|
/var/lib/collectd(/.*)? gen_context(system_u:object_r:collectd_var_lib_t,s0)
|
|
diff --git a/collectd.if b/collectd.if
|
|
index 954309e..f4db2ca 100644
|
|
--- a/collectd.if
|
|
+++ b/collectd.if
|
|
@@ -2,8 +2,144 @@
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an collectd environment.
|
|
+## Transition to collectd.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`collectd_domtrans',`
|
|
+ gen_require(`
|
|
+ type collectd_t, collectd_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, collectd_exec_t, collectd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute collectd server in the collectd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`collectd_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type collectd_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, collectd_initrc_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search collectd lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`collectd_search_lib',`
|
|
+ gen_require(`
|
|
+ type collectd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 collectd_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read collectd lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`collectd_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type collectd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage collectd lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`collectd_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type collectd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage collectd lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`collectd_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type collectd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, collectd_var_lib_t, collectd_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute collectd server in the collectd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`collectd_systemctl',`
|
|
+ gen_require(`
|
|
+ type collectd_t;
|
|
+ type collectd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 collectd_unit_file_t:file read_file_perms;
|
|
+ allow $1 collectd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, collectd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an collectd environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -20,13 +156,17 @@
|
|
interface(`collectd_admin',`
|
|
gen_require(`
|
|
type collectd_t, collectd_initrc_exec_t, collectd_var_run_t;
|
|
- type collectd_var_lib_t;
|
|
+ type collectd_var_lib_t, collectd_unit_file_t;
|
|
')
|
|
|
|
- allow $1 collectd_t:process { ptrace signal_perms };
|
|
+ allow $1 collectd_t:process signal_perms;
|
|
ps_process_pattern($1, collectd_t)
|
|
|
|
- init_labeled_script_domtrans($1, collectd_initrc_exec_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 collectd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ collectd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 collectd_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
@@ -36,4 +176,9 @@ interface(`collectd_admin',`
|
|
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, collectd_var_lib_t)
|
|
+
|
|
+ collectd_systemctl($1)
|
|
+ admin_pattern($1, collectd_unit_file_t)
|
|
+ allow $1 collectd_unit_file_t:service all_service_perms;
|
|
')
|
|
+
|
|
diff --git a/collectd.te b/collectd.te
|
|
index 6471fa8..dc0423c 100644
|
|
--- a/collectd.te
|
|
+++ b/collectd.te
|
|
@@ -26,8 +26,14 @@ files_type(collectd_var_lib_t)
|
|
type collectd_var_run_t;
|
|
files_pid_file(collectd_var_run_t)
|
|
|
|
+type collectd_unit_file_t;
|
|
+systemd_unit_file(collectd_unit_file_t)
|
|
+
|
|
apache_content_template(collectd)
|
|
|
|
+type httpd_collectd_script_tmp_t;
|
|
+files_tmp_file(httpd_collectd_script_tmp_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -38,6 +44,9 @@ allow collectd_t self:process { getsched setsched signal };
|
|
allow collectd_t self:fifo_file rw_fifo_file_perms;
|
|
allow collectd_t self:packet_socket create_socket_perms;
|
|
allow collectd_t self:unix_stream_socket { accept listen };
|
|
+allow collectd_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
|
+allow collectd_t self:udp_socket create_socket_perms;
|
|
+allow collectd_t self:rawip_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
|
|
manage_files_pattern(collectd_t, collectd_var_lib_t, collectd_var_lib_t)
|
|
@@ -46,23 +55,28 @@ files_var_lib_filetrans(collectd_t, collectd_var_lib_t, dir)
|
|
manage_files_pattern(collectd_t, collectd_var_run_t, collectd_var_run_t)
|
|
files_pid_filetrans(collectd_t, collectd_var_run_t, file)
|
|
|
|
-domain_use_interactive_fds(collectd_t)
|
|
+kernel_read_all_sysctls(collectd_t)
|
|
+kernel_read_all_proc(collectd_t)
|
|
+kernel_list_all_proc(collectd_t)
|
|
+
|
|
+auth_getattr_passwd(collectd_t)
|
|
+auth_read_passwd(collectd_t)
|
|
|
|
-kernel_read_network_state(collectd_t)
|
|
-kernel_read_net_sysctls(collectd_t)
|
|
-kernel_read_system_state(collectd_t)
|
|
+corenet_udp_bind_generic_node(collectd_t)
|
|
+corenet_udp_bind_collectd_port(collectd_t)
|
|
|
|
dev_read_rand(collectd_t)
|
|
dev_read_sysfs(collectd_t)
|
|
dev_read_urand(collectd_t)
|
|
|
|
+domain_use_interactive_fds(collectd_t)
|
|
+domain_read_all_domains_state(collectd_t)
|
|
+
|
|
files_getattr_all_dirs(collectd_t)
|
|
-files_read_etc_files(collectd_t)
|
|
-files_read_usr_files(collectd_t)
|
|
|
|
fs_getattr_all_fs(collectd_t)
|
|
|
|
-miscfiles_read_localization(collectd_t)
|
|
+init_read_utmp(collectd_t)
|
|
|
|
logging_send_syslog_msg(collectd_t)
|
|
|
|
@@ -75,16 +89,26 @@ tunable_policy(`collectd_tcp_network_connect',`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ netutils_domtrans_ping(collectd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
virt_read_config(collectd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Web local policy
|
|
+# Web collectd local policy
|
|
#
|
|
|
|
-optional_policy(`
|
|
- read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
|
- list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
|
- miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
|
|
-')
|
|
+
|
|
+files_search_var_lib(httpd_collectd_script_t)
|
|
+read_files_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
|
+list_dirs_pattern(httpd_collectd_script_t, collectd_var_lib_t, collectd_var_lib_t)
|
|
+miscfiles_setattr_fonts_cache_dirs(httpd_collectd_script_t)
|
|
+
|
|
+manage_dirs_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
|
|
+manage_files_pattern(httpd_collectd_script_t, httpd_collectd_script_tmp_t, httpd_collectd_script_tmp_t)
|
|
+files_tmp_filetrans(httpd_collectd_script_t, httpd_collectd_script_tmp_t, { file dir })
|
|
+
|
|
+auth_read_passwd(httpd_collectd_script_t)
|
|
diff --git a/colord.fc b/colord.fc
|
|
index 71639eb..08ab891 100644
|
|
--- a/colord.fc
|
|
+++ b/colord.fc
|
|
@@ -7,5 +7,7 @@
|
|
/usr/libexec/colord -- gen_context(system_u:object_r:colord_exec_t,s0)
|
|
/usr/libexec/colord-sane -- gen_context(system_u:object_r:colord_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/colord.* -- gen_context(system_u:object_r:colord_unit_file_t,s0)
|
|
+
|
|
/var/lib/color(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
|
|
/var/lib/colord(/.*)? gen_context(system_u:object_r:colord_var_lib_t,s0)
|
|
diff --git a/colord.if b/colord.if
|
|
index 8e27a37..825f537 100644
|
|
--- a/colord.if
|
|
+++ b/colord.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>GNOME color manager.</summary>
|
|
+## <summary>GNOME color manager</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -15,7 +15,6 @@ interface(`colord_domtrans',`
|
|
type colord_t, colord_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, colord_exec_t, colord_t)
|
|
')
|
|
|
|
@@ -38,6 +37,7 @@ interface(`colord_dbus_chat',`
|
|
|
|
allow $1 colord_t:dbus send_msg;
|
|
allow colord_t $1:dbus send_msg;
|
|
+ ps_process_pattern(colord_t, $1)
|
|
')
|
|
|
|
######################################
|
|
@@ -58,3 +58,26 @@ interface(`colord_read_lib_files',`
|
|
files_search_var_lib($1)
|
|
read_files_pattern($1, colord_var_lib_t, colord_var_lib_t)
|
|
')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute colord server in the colord domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`colord_systemctl',`
|
|
+ gen_require(`
|
|
+ type colord_t;
|
|
+ type colord_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 colord_unit_file_t:file read_file_perms;
|
|
+ allow $1 colord_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, colord_t)
|
|
+')
|
|
diff --git a/colord.te b/colord.te
|
|
index 9f2dfb2..5425ddf 100644
|
|
--- a/colord.te
|
|
+++ b/colord.te
|
|
@@ -8,6 +8,7 @@ policy_module(colord, 1.1.0)
|
|
type colord_t;
|
|
type colord_exec_t;
|
|
dbus_system_domain(colord_t, colord_exec_t)
|
|
+init_daemon_domain(colord_t, colord_exec_t)
|
|
|
|
type colord_tmp_t;
|
|
files_tmp_file(colord_tmp_t)
|
|
@@ -18,6 +19,9 @@ files_tmpfs_file(colord_tmpfs_t)
|
|
type colord_var_lib_t;
|
|
files_type(colord_var_lib_t)
|
|
|
|
+type colord_unit_file_t;
|
|
+systemd_unit_file(colord_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -26,10 +30,13 @@ files_type(colord_var_lib_t)
|
|
allow colord_t self:capability { dac_read_search dac_override };
|
|
dontaudit colord_t self:capability sys_admin;
|
|
allow colord_t self:process signal;
|
|
+
|
|
allow colord_t self:fifo_file rw_fifo_file_perms;
|
|
allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
-allow colord_t self:tcp_socket { accept listen };
|
|
+allow colord_t self:tcp_socket create_stream_socket_perms;
|
|
allow colord_t self:shm create_shm_perms;
|
|
+allow colord_t self:udp_socket create_socket_perms;
|
|
+allow colord_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
|
|
manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
|
|
@@ -74,22 +81,21 @@ dev_read_video_dev(colord_t)
|
|
dev_write_video_dev(colord_t)
|
|
dev_rw_printer(colord_t)
|
|
dev_read_rand(colord_t)
|
|
-dev_read_sysfs(colord_t)
|
|
dev_read_urand(colord_t)
|
|
-dev_list_sysfs(colord_t)
|
|
+dev_read_sysfs(colord_t)
|
|
dev_rw_generic_usb_dev(colord_t)
|
|
|
|
domain_use_interactive_fds(colord_t)
|
|
|
|
files_list_mnt(colord_t)
|
|
-files_read_usr_files(colord_t)
|
|
|
|
-fs_getattr_noxattr_fs(colord_t)
|
|
-fs_getattr_tmpfs(colord_t)
|
|
+fs_getattr_all_fs(colord_t)
|
|
fs_list_noxattr_fs(colord_t)
|
|
fs_read_noxattr_fs_files(colord_t)
|
|
fs_search_all(colord_t)
|
|
fs_dontaudit_getattr_all_fs(colord_t)
|
|
+fs_getattr_tmpfs(colord_t)
|
|
+fs_read_cgroup_files(colord_t)
|
|
|
|
storage_getattr_fixed_disk_dev(colord_t)
|
|
storage_getattr_removable_dev(colord_t)
|
|
@@ -100,19 +106,16 @@ init_read_state(colord_t)
|
|
|
|
auth_use_nsswitch(colord_t)
|
|
|
|
+init_read_state(colord_t)
|
|
+
|
|
logging_send_syslog_msg(colord_t)
|
|
|
|
-miscfiles_read_localization(colord_t)
|
|
+systemd_read_logind_sessions_files(colord_t)
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_getattr_nfs(colord_t)
|
|
- fs_read_nfs_files(colord_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_getattr_cifs(colord_t)
|
|
- fs_read_cifs_files(colord_t)
|
|
-')
|
|
+userdom_rw_user_tmpfs_files(colord_t)
|
|
+userdom_home_reader(colord_t)
|
|
+userdom_list_user_home_content(colord_t)
|
|
+userdom_read_inherited_user_home_content_files(colord_t)
|
|
|
|
optional_policy(`
|
|
cups_read_config(colord_t)
|
|
@@ -120,6 +123,13 @@ optional_policy(`
|
|
cups_read_state(colord_t)
|
|
cups_stream_connect(colord_t)
|
|
cups_dbus_chat(colord_t)
|
|
+ cups_read_state(colord_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ gnome_read_home_icc_data_content(colord_t)
|
|
+ # Fixes lots of breakage in F16 on upgrade
|
|
+ gnome_read_generic_data_home_files(colord_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -137,3 +147,16 @@ optional_policy(`
|
|
udev_read_db(colord_t)
|
|
udev_read_pid_files(colord_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ xserver_dbus_chat_xdm(colord_t)
|
|
+ xserver_read_xdm_state(colord_t)
|
|
+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
|
|
+ xserver_read_inherited_xdm_lib_files(colord_t)
|
|
+ # allow to read /run/initial-setup-$username
|
|
+ xserver_read_xdm_pid(colord_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ zoneminder_rw_tmpfs_files(colord_t)
|
|
+')
|
|
diff --git a/comsat.te b/comsat.te
|
|
index c63cf85..dc6998b 100644
|
|
--- a/comsat.te
|
|
+++ b/comsat.te
|
|
@@ -37,6 +37,13 @@ kernel_read_kernel_sysctls(comsat_t)
|
|
kernel_read_network_state(comsat_t)
|
|
kernel_read_system_state(comsat_t)
|
|
|
|
+corenet_all_recvfrom_netlabel(comsat_t)
|
|
+corenet_tcp_sendrecv_generic_if(comsat_t)
|
|
+corenet_udp_sendrecv_generic_if(comsat_t)
|
|
+corenet_tcp_sendrecv_generic_node(comsat_t)
|
|
+corenet_udp_sendrecv_generic_node(comsat_t)
|
|
+corenet_udp_sendrecv_all_ports(comsat_t)
|
|
+
|
|
dev_read_urand(comsat_t)
|
|
|
|
fs_getattr_xattr_fs(comsat_t)
|
|
@@ -52,8 +59,6 @@ init_dontaudit_write_utmp(comsat_t)
|
|
|
|
logging_send_syslog_msg(comsat_t)
|
|
|
|
-miscfiles_read_localization(comsat_t)
|
|
-
|
|
userdom_dontaudit_getattr_user_ttys(comsat_t)
|
|
|
|
mta_getattr_spool(comsat_t)
|
|
diff --git a/condor.fc b/condor.fc
|
|
index ad2b696..28d1af0 100644
|
|
--- a/condor.fc
|
|
+++ b/condor.fc
|
|
@@ -1,6 +1,7 @@
|
|
/etc/condor(/.*)? gen_context(system_u:object_r:condor_conf_t,s0)
|
|
|
|
/etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
|
|
+/usr/lib/systemd/system/condor.* -- gen_context(system_u:object_r:condor_unit_file_t,s0)
|
|
|
|
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
|
|
/usr/sbin/condor_master -- gen_context(system_u:object_r:condor_master_exec_t,s0)
|
|
diff --git a/condor.if b/condor.if
|
|
index 881d92f..eb35613 100644
|
|
--- a/condor.if
|
|
+++ b/condor.if
|
|
@@ -1,75 +1,390 @@
|
|
-## <summary>High-Throughput Computing System.</summary>
|
|
+
|
|
+## <summary>policy for condor</summary>
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Creates types and rules for a basic
|
|
+## condor init daemon domain.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## Prefix for the domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`condor_domain_template',`
|
|
+ gen_require(`
|
|
+ type condor_master_t;
|
|
+ attribute condor_domain;
|
|
+ ')
|
|
+
|
|
+ #############################
|
|
+ #
|
|
+ # Declarations
|
|
+ #
|
|
+
|
|
+ type condor_$1_t, condor_domain;
|
|
+ type condor_$1_exec_t;
|
|
+ init_daemon_domain(condor_$1_t, condor_$1_exec_t)
|
|
+ role system_r types condor_$1_t;
|
|
+
|
|
+ domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
|
|
+ allow condor_master_t condor_$1_exec_t:file ioctl;
|
|
+
|
|
+ kernel_read_system_state(condor_$1_t)
|
|
+
|
|
+ corenet_all_recvfrom_netlabel(condor_$1_t)
|
|
+ corenet_all_recvfrom_unlabeled(condor_$1_t)
|
|
+
|
|
+ auth_use_nsswitch(condor_$1_t)
|
|
+
|
|
+ logging_send_syslog_msg(condor_$1_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to condor.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`condor_domtrans',`
|
|
+ gen_require(`
|
|
+ type condor_t, condor_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, condor_exec_t, condor_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allows to start userland processes
|
|
+## by transitioning to the specified domain,
|
|
+## with a range transition.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## The process type entered by condor_startd.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="entrypoint">
|
|
+## <summary>
|
|
+## The executable type for the entrypoint.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="range">
|
|
+## <summary>
|
|
+## Range for the domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`condor_startd_ranged_domtrans_to',`
|
|
+ gen_require(`
|
|
+ type sshd_t;
|
|
+ ')
|
|
+ condor_startd_domtrans_to($1, $2)
|
|
+
|
|
+
|
|
+ ifdef(`enable_mcs',`
|
|
+ range_transition condor_startd_t $2:process $3;
|
|
+ ')
|
|
+
|
|
+')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## The template to define a condor domain.
|
|
+## Allows to start userlandprocesses
|
|
+## by transitioning to the specified domain.
|
|
## </summary>
|
|
-## <param name="domain_prefix">
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## The process type entered by condor_startd.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="entrypoint">
|
|
+## <summary>
|
|
+## The executable type for the entrypoint.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`condor_startd_domtrans_to',`
|
|
+ gen_require(`
|
|
+ type condor_startd_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern(condor_startd_t, $2, $1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read condor's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
-template(`condor_domain_template',`
|
|
+interface(`condor_read_log',`
|
|
gen_require(`
|
|
- attribute condor_domain;
|
|
- type condor_master_t;
|
|
+ type condor_log_t;
|
|
')
|
|
|
|
- #############################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, condor_log_t, condor_log_t)
|
|
+')
|
|
|
|
- type condor_$1_t, condor_domain;
|
|
- type condor_$1_exec_t;
|
|
- domain_type(condor_$1_t)
|
|
- domain_entry_file(condor_$1_t, condor_$1_exec_t)
|
|
- role system_r types condor_$1_t;
|
|
+########################################
|
|
+## <summary>
|
|
+## Append to condor log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`condor_append_log',`
|
|
+ gen_require(`
|
|
+ type condor_log_t;
|
|
+ ')
|
|
|
|
- #############################
|
|
- #
|
|
- # Policy
|
|
- #
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, condor_log_t, condor_log_t)
|
|
+')
|
|
|
|
- domtrans_pattern(condor_master_t, condor_$1_exec_t, condor_$1_t)
|
|
- allow condor_master_t condor_$1_exec_t:file ioctl;
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage condor log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`condor_manage_log',`
|
|
+ gen_require(`
|
|
+ type condor_log_t;
|
|
+ ')
|
|
|
|
- auth_use_nsswitch(condor_$1_t)
|
|
+ logging_search_logs($1)
|
|
+ manage_dirs_pattern($1, condor_log_t, condor_log_t)
|
|
+ manage_files_pattern($1, condor_log_t, condor_log_t)
|
|
+ manage_lnk_files_pattern($1, condor_log_t, condor_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an condor environment.
|
|
+## Search condor lib directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+#
|
|
+interface(`condor_search_lib',`
|
|
+ gen_require(`
|
|
+ type condor_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 condor_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read condor lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`condor_admin',`
|
|
+interface(`condor_read_lib_files',`
|
|
gen_require(`
|
|
- attribute condor_domain;
|
|
- type condor_initrc_exec_config_t, condor_log_t;
|
|
- type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
|
|
- type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
|
|
+ type condor_var_lib_t;
|
|
')
|
|
|
|
- allow $1 condor_domain:process { ptrace signal_perms };
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Read and write condor lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`condor_rw_lib_files',`
|
|
+ gen_require(`
|
|
+ type condor_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ rw_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage condor lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`condor_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type condor_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, condor_var_lib_t, condor_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage condor lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`condor_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type condor_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, condor_var_lib_t, condor_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read condor PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`condor_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type condor_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ allow $1 condor_var_run_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute condor server in the condor domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`condor_systemctl',`
|
|
+ gen_require(`
|
|
+ type condor_t;
|
|
+ type condor_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ allow $1 condor_unit_file_t:file read_file_perms;
|
|
+ allow $1 condor_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, condor_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Read and write condor_startd server TCP sockets.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`condor_rw_tcp_sockets_startd',`
|
|
+ gen_require(`
|
|
+ type condor_startd_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 condor_startd_t:tcp_socket rw_socket_perms;
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Read and write condor_schedd server TCP sockets.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`condor_rw_tcp_sockets_schedd',`
|
|
+ gen_require(`
|
|
+ type condor_schedd_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 condor_schedd_t:tcp_socket rw_socket_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an condor environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`condor_admin',`
|
|
+ gen_require(`
|
|
+ attribute condor_domain;
|
|
+ type condor_initrc_exec_t, condor_log_t, condor_conf_t;
|
|
+ type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
|
|
+ type condor_var_run_t, condor_startd_tmp_t;
|
|
+ type condor_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 condor_domain:process { signal_perms };
|
|
ps_process_pattern($1, condor_domain)
|
|
|
|
- init_labeled_script_domtrans($1, condor_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 condor_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
+ init_labeled_script_domtrans($1, condor_initrc_exec_t)
|
|
+ domain_system_change_exemption($1)
|
|
+ role_transition $2 condor_initrc_exec_t system_r;
|
|
+ allow $2 system_r;
|
|
|
|
files_search_etc($1)
|
|
admin_pattern($1, condor_conf_t)
|
|
@@ -77,8 +392,8 @@ interface(`condor_admin',`
|
|
logging_search_logs($1)
|
|
admin_pattern($1, condor_log_t)
|
|
|
|
- files_search_locks($1)
|
|
- admin_pattern($1, condor_var_lock_t)
|
|
+ files_search_locks($1)
|
|
+ admin_pattern($1, condor_var_lock_t)
|
|
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, condor_var_lib_t)
|
|
@@ -88,4 +403,13 @@ interface(`condor_admin',`
|
|
|
|
files_search_tmp($1)
|
|
admin_pattern($1, { condor_schedd_tmp_t condor_startd_tmp_t })
|
|
+
|
|
+ condor_systemctl($1)
|
|
+ admin_pattern($1, condor_unit_file_t)
|
|
+ allow $1 condor_unit_file_t:service all_service_perms;
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
')
|
|
diff --git a/condor.te b/condor.te
|
|
index ce9f040..ae5517a 100644
|
|
--- a/condor.te
|
|
+++ b/condor.te
|
|
@@ -34,7 +34,7 @@ files_tmp_file(condor_startd_tmp_t)
|
|
type condor_startd_tmpfs_t;
|
|
files_tmpfs_file(condor_startd_tmpfs_t)
|
|
|
|
-type condor_conf_t;
|
|
+type condor_conf_t alias condor_etc_rw_t;
|
|
files_config_file(condor_conf_t)
|
|
|
|
type condor_log_t;
|
|
@@ -49,6 +49,9 @@ files_lock_file(condor_var_lock_t)
|
|
type condor_var_run_t;
|
|
files_pid_file(condor_var_run_t)
|
|
|
|
+type condor_unit_file_t;
|
|
+systemd_unit_file(condor_unit_file_t)
|
|
+
|
|
condor_domain_template(collector)
|
|
condor_domain_template(negotiator)
|
|
condor_domain_template(procd)
|
|
@@ -60,10 +63,18 @@ condor_domain_template(startd)
|
|
# Global local policy
|
|
#
|
|
|
|
+allow condor_domain self:capability dac_override;
|
|
+allow condor_domain self:capability2 block_suspend;
|
|
+
|
|
allow condor_domain self:process signal_perms;
|
|
allow condor_domain self:fifo_file rw_fifo_file_perms;
|
|
-allow condor_domain self:tcp_socket { accept listen };
|
|
-allow condor_domain self:unix_stream_socket { accept listen };
|
|
+allow condor_domain self:tcp_socket create_stream_socket_perms;
|
|
+allow condor_domain self:udp_socket create_socket_perms;
|
|
+allow condor_domain self:unix_stream_socket create_stream_socket_perms;
|
|
+allow condor_domain self:netlink_route_socket r_netlink_socket_perms;
|
|
+
|
|
+allow condor_domain condor_etc_rw_t:dir list_dir_perms;
|
|
+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
|
|
|
|
rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
|
|
|
|
@@ -89,13 +100,10 @@ allow condor_domain condor_master_t:tcp_socket getattr;
|
|
|
|
kernel_read_kernel_sysctls(condor_domain)
|
|
kernel_read_network_state(condor_domain)
|
|
-kernel_read_system_state(condor_domain)
|
|
|
|
corecmd_exec_bin(condor_domain)
|
|
corecmd_exec_shell(condor_domain)
|
|
|
|
-corenet_all_recvfrom_netlabel(condor_domain)
|
|
-corenet_all_recvfrom_unlabeled(condor_domain)
|
|
corenet_tcp_sendrecv_generic_if(condor_domain)
|
|
corenet_tcp_sendrecv_generic_node(condor_domain)
|
|
|
|
@@ -109,9 +117,9 @@ dev_read_rand(condor_domain)
|
|
dev_read_sysfs(condor_domain)
|
|
dev_read_urand(condor_domain)
|
|
|
|
-logging_send_syslog_msg(condor_domain)
|
|
+auth_read_passwd(condor_domain)
|
|
|
|
-miscfiles_read_localization(condor_domain)
|
|
+sysnet_dns_name_resolve(condor_domain)
|
|
|
|
sysnet_dns_name_resolve(condor_domain)
|
|
|
|
@@ -130,7 +138,7 @@ optional_policy(`
|
|
# Master local policy
|
|
#
|
|
|
|
-allow condor_master_t self:capability { setuid setgid dac_override sys_ptrace };
|
|
+allow condor_master_t self:capability { setuid setgid sys_ptrace };
|
|
|
|
allow condor_master_t condor_domain:process { sigkill signal };
|
|
|
|
@@ -138,6 +146,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
|
|
manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t)
|
|
files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir })
|
|
|
|
+can_exec(condor_master_t, condor_master_exec_t)
|
|
+
|
|
+kernel_read_system_state(condor_master_t)
|
|
+
|
|
corenet_udp_sendrecv_generic_if(condor_master_t)
|
|
corenet_udp_sendrecv_generic_node(condor_master_t)
|
|
corenet_tcp_bind_generic_node(condor_master_t)
|
|
@@ -157,6 +169,8 @@ domain_read_all_domains_state(condor_master_t)
|
|
|
|
auth_use_nsswitch(condor_master_t)
|
|
|
|
+logging_send_syslog_msg(condor_master_t)
|
|
+
|
|
optional_policy(`
|
|
mta_send_mail(condor_master_t)
|
|
mta_read_config(condor_master_t)
|
|
@@ -174,6 +188,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;
|
|
|
|
kernel_read_network_state(condor_collector_t)
|
|
|
|
+corenet_tcp_bind_http_port(condor_collector_t)
|
|
+
|
|
#####################################
|
|
#
|
|
# Negotiator local policy
|
|
@@ -183,6 +199,8 @@ allow condor_negotiator_t self:capability { setuid setgid };
|
|
allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms;
|
|
allow condor_negotiator_t condor_master_t:udp_socket getattr;
|
|
|
|
+corenet_tcp_connect_all_ephemeral_ports(condor_negotiator_t)
|
|
+
|
|
######################################
|
|
#
|
|
# Procd local policy
|
|
@@ -206,6 +224,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr;
|
|
|
|
allow condor_schedd_t condor_var_lock_t:dir manage_file_perms;
|
|
|
|
+allow condor_schedd_t condor_master_tmp_t:dir getattr;
|
|
+
|
|
domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t)
|
|
domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t)
|
|
|
|
@@ -214,6 +234,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
|
|
relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t)
|
|
files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir })
|
|
|
|
+corenet_tcp_connect_all_ephemeral_ports(condor_schedd_t)
|
|
+
|
|
#####################################
|
|
#
|
|
# Startd local policy
|
|
@@ -238,11 +260,10 @@ domain_read_all_domains_state(condor_startd_t)
|
|
mcs_process_set_categories(condor_startd_t)
|
|
|
|
init_domtrans_script(condor_startd_t)
|
|
+init_initrc_domain(condor_startd_t)
|
|
|
|
libs_exec_lib_files(condor_startd_t)
|
|
|
|
-files_read_usr_files(condor_startd_t)
|
|
-
|
|
optional_policy(`
|
|
ssh_basic_client_template(condor_startd, condor_startd_t, system_r)
|
|
ssh_domtrans(condor_startd_t)
|
|
@@ -254,3 +275,7 @@ optional_policy(`
|
|
kerberos_use(condor_startd_ssh_t)
|
|
')
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_domain(condor_startd_t)
|
|
+')
|
|
diff --git a/consolekit.fc b/consolekit.fc
|
|
index 23c9558..29e5fd3 100644
|
|
--- a/consolekit.fc
|
|
+++ b/consolekit.fc
|
|
@@ -1,3 +1,5 @@
|
|
+/usr/lib/systemd/system/console-kit.* -- gen_context(system_u:object_r:consolekit_unit_file_t,s0)
|
|
+
|
|
/usr/sbin/console-kit-daemon -- gen_context(system_u:object_r:consolekit_exec_t,s0)
|
|
|
|
/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
|
|
diff --git a/consolekit.if b/consolekit.if
|
|
index 5b830ec..0647a3b 100644
|
|
--- a/consolekit.if
|
|
+++ b/consolekit.if
|
|
@@ -21,6 +21,27 @@ interface(`consolekit_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## dontaudit Send and receive messages from
|
|
+## consolekit over dbus.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`consolekit_dontaudit_dbus_chat',`
|
|
+ gen_require(`
|
|
+ type consolekit_t;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 consolekit_t:dbus send_msg;
|
|
+ dontaudit consolekit_t $1:dbus send_msg;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Send and receive messages from
|
|
## consolekit over dbus.
|
|
## </summary>
|
|
@@ -42,6 +63,24 @@ interface(`consolekit_dbus_chat',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Dontaudit attempts to read consolekit log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`consolekit_dontaudit_read_log',`
|
|
+ gen_require(`
|
|
+ type consolekit_log_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 consolekit_log_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Read consolekit log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -98,3 +137,64 @@ interface(`consolekit_read_pid_files',`
|
|
allow $1 consolekit_var_run_t:dir list_dir_perms;
|
|
read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
|
|
')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## List consolekit PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`consolekit_list_pid_files',`
|
|
+ gen_require(`
|
|
+ type consolekit_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ list_dirs_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow the domain to read consolekit state files in /proc.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`consolekit_read_state',`
|
|
+ gen_require(`
|
|
+ type consolekit_t;
|
|
+ ')
|
|
+
|
|
+ kernel_search_proc($1)
|
|
+ ps_process_pattern($1, consolekit_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute consolekit server in the consolekit domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`consolekit_systemctl',`
|
|
+ gen_require(`
|
|
+ type consolekit_t;
|
|
+ type consolekit_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 consolekit_unit_file_t:file read_file_perms;
|
|
+ allow $1 consolekit_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, consolekit_t)
|
|
+')
|
|
diff --git a/consolekit.te b/consolekit.te
|
|
index bd18063..926e314 100644
|
|
--- a/consolekit.te
|
|
+++ b/consolekit.te
|
|
@@ -19,12 +19,16 @@ type consolekit_var_run_t;
|
|
files_pid_file(consolekit_var_run_t)
|
|
init_daemon_run_dir(consolekit_var_run_t, "ConsoleKit")
|
|
|
|
+type consolekit_unit_file_t;
|
|
+systemd_unit_file(consolekit_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace };
|
|
+
|
|
allow consolekit_t self:process { getsched signal };
|
|
allow consolekit_t self:fifo_file rw_fifo_file_perms;
|
|
allow consolekit_t self:unix_stream_socket { accept listen };
|
|
@@ -54,38 +58,37 @@ dev_read_sysfs(consolekit_t)
|
|
|
|
domain_read_all_domains_state(consolekit_t)
|
|
domain_use_interactive_fds(consolekit_t)
|
|
-domain_dontaudit_ptrace_all_domains(consolekit_t)
|
|
|
|
-files_read_usr_files(consolekit_t)
|
|
+# needs to read /var/lib/dbus/machine-id
|
|
files_read_var_lib_files(consolekit_t)
|
|
files_search_all_mountpoints(consolekit_t)
|
|
|
|
fs_list_inotifyfs(consolekit_t)
|
|
|
|
-mcs_ptrace_all(consolekit_t)
|
|
-
|
|
term_use_all_terms(consolekit_t)
|
|
|
|
auth_use_nsswitch(consolekit_t)
|
|
auth_manage_pam_console_data(consolekit_t)
|
|
auth_write_login_records(consolekit_t)
|
|
auth_create_pam_console_data_dirs(consolekit_t)
|
|
-auth_pid_filetrans_pam_var_console(consolekit_t, dir, "console")
|
|
+
|
|
+init_read_utmp(consolekit_t)
|
|
|
|
logging_send_syslog_msg(consolekit_t)
|
|
logging_send_audit_msgs(consolekit_t)
|
|
|
|
-miscfiles_read_localization(consolekit_t)
|
|
+systemd_exec_systemctl(consolekit_t)
|
|
+systemd_start_power_services(consolekit_t)
|
|
|
|
+userdom_read_all_users_state(consolekit_t)
|
|
userdom_dontaudit_read_user_home_content_files(consolekit_t)
|
|
+userdom_dontaudit_getattr_admin_home_files(consolekit_t)
|
|
userdom_read_user_tmp_files(consolekit_t)
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_read_nfs_files(consolekit_t)
|
|
-')
|
|
+userdom_home_reader(consolekit_t)
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_read_cifs_files(consolekit_t)
|
|
+optional_policy(`
|
|
+ cron_read_system_job_lib_files(consolekit_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -109,13 +112,6 @@ optional_policy(`
|
|
')
|
|
')
|
|
|
|
-optional_policy(`
|
|
- hal_ptrace(consolekit_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- networkmanager_append_log_files(consolekit_t)
|
|
-')
|
|
|
|
optional_policy(`
|
|
policykit_domtrans_auth(consolekit_t)
|
|
diff --git a/corosync.fc b/corosync.fc
|
|
index da39f0f..6a96733 100644
|
|
--- a/corosync.fc
|
|
+++ b/corosync.fc
|
|
@@ -1,5 +1,7 @@
|
|
/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:corosync_unit_file_t,s0)
|
|
+
|
|
/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0)
|
|
/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0)
|
|
|
|
diff --git a/corosync.if b/corosync.if
|
|
index 694a037..b836c07 100644
|
|
--- a/corosync.if
|
|
+++ b/corosync.if
|
|
@@ -77,6 +77,25 @@ interface(`corosync_read_log',`
|
|
read_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
|
|
')
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Setattr corosync log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`corosync_setattr_log',`
|
|
+ gen_require(`
|
|
+ type corosync_var_log_t;
|
|
+ ')
|
|
+
|
|
+ setattr_files_pattern($1, corosync_var_log_t, corosync_var_log_t)
|
|
+')
|
|
+
|
|
+
|
|
#####################################
|
|
## <summary>
|
|
## Connect to corosync over a unix
|
|
@@ -91,29 +110,54 @@ interface(`corosync_read_log',`
|
|
interface(`corosync_stream_connect',`
|
|
gen_require(`
|
|
type corosync_t, corosync_var_run_t;
|
|
+ type corosync_var_lib_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
+ stream_connect_pattern($1, corosync_var_lib_t, corosync_var_lib_t, corosync_t)
|
|
stream_connect_pattern($1, corosync_var_run_t, corosync_var_run_t, corosync_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
-## Read and write corosync tmpfs files.
|
|
+## Allow the specified domain to read/write corosync's tmpfs files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`corosync_rw_tmpfs',`
|
|
+ gen_require(`
|
|
+ type corosync_tmpfs_t;
|
|
+ ')
|
|
+
|
|
+ rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
|
|
+
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute corosync server in the corosync domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`corosync_rw_tmpfs',`
|
|
+interface(`corosync_systemctl',`
|
|
gen_require(`
|
|
- type corosync_tmpfs_t;
|
|
+ type corosync_t;
|
|
+ type corosync_unit_file_t;
|
|
')
|
|
|
|
- fs_search_tmpfs($1)
|
|
- rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 corosync_unit_file_t:file read_file_perms;
|
|
+ allow $1 corosync_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, corosync_t)
|
|
')
|
|
|
|
######################################
|
|
@@ -160,12 +204,17 @@ interface(`corosync_admin',`
|
|
type corosync_t, corosync_var_lib_t, corosync_var_log_t;
|
|
type corosync_var_run_t, corosync_tmp_t, corosync_tmpfs_t;
|
|
type corosync_initrc_exec_t;
|
|
+ type corosync_unit_file_t;
|
|
')
|
|
|
|
- allow $1 corosync_t:process { ptrace signal_perms };
|
|
+ allow $1 corosync_t:process signal_perms;
|
|
ps_process_pattern($1, corosync_t)
|
|
|
|
- corosync_initrc_domtrans($1)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 corosync_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, corosync_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 corosync_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
@@ -183,4 +232,8 @@ interface(`corosync_admin',`
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, corosync_var_run_t)
|
|
+
|
|
+ corosync_systemctl($1)
|
|
+ admin_pattern($1, corosync_unit_file_t)
|
|
+ allow $1 corosync_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/corosync.te b/corosync.te
|
|
index d5aa1e4..e827567 100644
|
|
--- a/corosync.te
|
|
+++ b/corosync.te
|
|
@@ -28,6 +28,9 @@ logging_log_file(corosync_var_log_t)
|
|
type corosync_var_run_t;
|
|
files_pid_file(corosync_var_run_t)
|
|
|
|
+type corosync_unit_file_t;
|
|
+systemd_unit_file(corosync_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -93,7 +96,6 @@ dev_read_urand(corosync_t)
|
|
domain_read_all_domains_state(corosync_t)
|
|
|
|
files_manage_mounttab(corosync_t)
|
|
-files_read_usr_files(corosync_t)
|
|
|
|
auth_use_nsswitch(corosync_t)
|
|
|
|
@@ -106,7 +108,13 @@ logging_send_syslog_msg(corosync_t)
|
|
miscfiles_read_localization(corosync_t)
|
|
|
|
userdom_read_user_tmp_files(corosync_t)
|
|
-userdom_manage_user_tmpfs_files(corosync_t)
|
|
+userdom_delete_user_tmpfs_files(corosync_t)
|
|
+userdom_rw_user_tmpfs_files(corosync_t)
|
|
+
|
|
+optional_policy(`
|
|
+ fs_manage_tmpfs_files(corosync_t)
|
|
+ init_manage_script_status_files(corosync_t)
|
|
+')
|
|
|
|
optional_policy(`
|
|
ccs_read_config(corosync_t)
|
|
@@ -129,20 +137,29 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ lvm_rw_clvmd_tmpfs_files(corosync_t)
|
|
+ lvm_delete_clvmd_tmpfs_files(corosync_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
qpidd_rw_shm(corosync_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- rhcs_getattr_fenced_exec_files(corosync_t)
|
|
+ rhcs_getattr_fenced(corosync_t)
|
|
+ # to communication with RHCS
|
|
rhcs_rw_cluster_shm(corosync_t)
|
|
rhcs_rw_cluster_semaphores(corosync_t)
|
|
rhcs_stream_connect_cluster(corosync_t)
|
|
+ rhcs_read_cluster_lib_files(corosync_t)
|
|
+ rhcs_manage_cluster_lib_files(corosync_t)
|
|
+ rhcs_relabel_cluster_lib_files(corosync_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- rgmanager_manage_tmpfs_files(corosync_t)
|
|
+ rpc_search_nfs_state_data(corosync_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- rpc_search_nfs_state_data(corosync_t)
|
|
-')
|
|
\ No newline at end of file
|
|
+ wdmd_rw_tmpfs(corosync_t)
|
|
+')
|
|
diff --git a/couchdb.fc b/couchdb.fc
|
|
index c086302..4f33119 100644
|
|
--- a/couchdb.fc
|
|
+++ b/couchdb.fc
|
|
@@ -1,3 +1,6 @@
|
|
+
|
|
+/usr/lib/systemd/system/couchdb.* -- gen_context(system_u:object_r:couchdb_unit_file_t,s0)
|
|
+
|
|
/etc/couchdb(/.*)? gen_context(system_u:object_r:couchdb_conf_t,s0)
|
|
|
|
/etc/rc\.d/init\.d/couchdb -- gen_context(system_u:object_r:couchdb_initrc_exec_t,s0)
|
|
diff --git a/couchdb.if b/couchdb.if
|
|
index 715a826..afa2f78 100644
|
|
--- a/couchdb.if
|
|
+++ b/couchdb.if
|
|
@@ -2,7 +2,7 @@
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read couchdb log files.
|
|
+## Allow to read couchdb log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -15,13 +15,13 @@ interface(`couchdb_read_log_files',`
|
|
type couchdb_log_t;
|
|
')
|
|
|
|
- logging_search_logs($1)
|
|
+ files_search_var_lib($1)
|
|
read_files_pattern($1, couchdb_log_t, couchdb_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read, write, and create couchdb lib files.
|
|
+## Allow to read couchdb lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -29,7 +29,7 @@ interface(`couchdb_read_log_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`couchdb_manage_lib_files',`
|
|
+interface(`couchdb_read_lib_files',`
|
|
gen_require(`
|
|
type couchdb_var_lib_t;
|
|
')
|
|
@@ -40,7 +40,46 @@ interface(`couchdb_manage_lib_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read couchdb config files.
|
|
+## All of the rules required to
|
|
+## administrate an couchdb environment.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`couchdb_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type couchdb_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage couchdb lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`couchdb_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type couchdb_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, couchdb_var_lib_t, couchdb_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow to read couchdb conf files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -53,13 +92,13 @@ interface(`couchdb_read_conf_files',`
|
|
type couchdb_conf_t;
|
|
')
|
|
|
|
- files_search_etc($1)
|
|
+ files_search_var_lib($1)
|
|
read_files_pattern($1, couchdb_conf_t, couchdb_conf_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read couchdb pid files.
|
|
+## Read couchdb PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -73,19 +112,63 @@ interface(`couchdb_read_pid_files',`
|
|
')
|
|
|
|
files_search_pids($1)
|
|
- read_files_pattern($1, couchdb_var_run_t, couchdb_var_run_t)
|
|
+ allow $1 couchdb_var_run_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Search couchdb PID dirs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`couchdb_search_pid_dirs',`
|
|
+ gen_require(`
|
|
+ type couchdb_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ allow $1 couchdb_var_run_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an couchdb environment.
|
|
+## Execute couchdb server in the couchdb domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
+#
|
|
+interface(`couchdb_systemctl',`
|
|
+ gen_require(`
|
|
+ type couchdb_t;
|
|
+ type couchdb_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ allow $1 couchdb_unit_file_t:file read_file_perms;
|
|
+ allow $1 couchdb_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, couchdb_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an couchdb environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
@@ -95,14 +178,19 @@ interface(`couchdb_read_pid_files',`
|
|
#
|
|
interface(`couchdb_admin',`
|
|
gen_require(`
|
|
+ type couchdb_unit_file_t;
|
|
type couchdb_t, couchdb_conf_t, couchdb_initrc_exec_t;
|
|
type couchdb_log_t, couchdb_var_lib_t, couchdb_var_run_t;
|
|
type couchdb_tmp_t;
|
|
')
|
|
|
|
- allow $1 couchdb_t:process { ptrace signal_perms };
|
|
+ allow $1 couchdb_t:process { signal_perms };
|
|
ps_process_pattern($1, couchdb_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 couchdb_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, couchdb_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 couchdb_initrc_exec_t system_r;
|
|
@@ -122,4 +210,13 @@ interface(`couchdb_admin',`
|
|
|
|
files_search_pids($1)
|
|
admin_pattern($1, couchdb_var_run_t)
|
|
+
|
|
+ admin_pattern($1, couchdb_unit_file_t)
|
|
+ couchdb_systemctl($1)
|
|
+ allow $1 couchdb_unit_file_t:service all_service_perms;
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
')
|
|
diff --git a/couchdb.te b/couchdb.te
|
|
index ae1c1b1..89e5702 100644
|
|
--- a/couchdb.te
|
|
+++ b/couchdb.te
|
|
@@ -27,6 +27,9 @@ files_type(couchdb_var_lib_t)
|
|
type couchdb_var_run_t;
|
|
files_pid_file(couchdb_var_run_t)
|
|
|
|
+type couchdb_unit_file_t;
|
|
+systemd_unit_file(couchdb_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -79,10 +82,7 @@ dev_list_sysfs(couchdb_t)
|
|
dev_read_sysfs(couchdb_t)
|
|
dev_read_urand(couchdb_t)
|
|
|
|
-files_read_usr_files(couchdb_t)
|
|
-
|
|
fs_getattr_xattr_fs(couchdb_t)
|
|
|
|
auth_use_nsswitch(couchdb_t)
|
|
|
|
-miscfiles_read_localization(couchdb_t)
|
|
diff --git a/courier.fc b/courier.fc
|
|
index 2f017a0..defdc87 100644
|
|
--- a/courier.fc
|
|
+++ b/courier.fc
|
|
@@ -11,17 +11,18 @@
|
|
/usr/sbin/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
|
|
|
|
/usr/lib/courier/authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
|
|
-/usr/lib/courier/courier-authlib/.* -- gen_context(system_u:object_r:courier_authdaemon_exec_t,s0)
|
|
/usr/lib/courier/courier/.* -- gen_context(system_u:object_r:courier_exec_t,s0)
|
|
-/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
|
|
-/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
|
|
+/usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
|
|
+/usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
|
|
/usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
|
|
-/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
|
|
-/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
|
|
-/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
|
|
-/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
|
|
-/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
|
|
+/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
|
|
+/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
|
|
+/usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
|
|
+/usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:sqwebmail_cron_exec_t,s0)
|
|
|
|
+ifdef(`distro_gentoo',`
|
|
+/usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
|
|
+')
|
|
|
|
/var/lib/courier(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
|
|
/var/lib/courier-imap(/.*)? gen_context(system_u:object_r:courier_var_lib_t,s0)
|
|
diff --git a/courier.if b/courier.if
|
|
index 10f820f..acdb179 100644
|
|
--- a/courier.if
|
|
+++ b/courier.if
|
|
@@ -1,12 +1,12 @@
|
|
-## <summary>Courier IMAP and POP3 email servers.</summary>
|
|
+## <summary>Courier IMAP and POP3 email servers</summary>
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## The template to define a courier domain.
|
|
+## Template for creating courier server processes.
|
|
## </summary>
|
|
-## <param name="domain_prefix">
|
|
+## <param name="prefix">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## Prefix name of the server process.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
@@ -15,7 +15,7 @@ template(`courier_domain_template',`
|
|
attribute courier_domain;
|
|
')
|
|
|
|
- ########################################
|
|
+ ##############################
|
|
#
|
|
# Declarations
|
|
#
|
|
@@ -24,18 +24,30 @@ template(`courier_domain_template',`
|
|
type courier_$1_exec_t;
|
|
init_daemon_domain(courier_$1_t, courier_$1_exec_t)
|
|
|
|
- ########################################
|
|
+ ##############################
|
|
#
|
|
- # Policy
|
|
+ # Declarations
|
|
#
|
|
|
|
can_exec(courier_$1_t, courier_$1_exec_t)
|
|
+
|
|
+ kernel_read_system_state(courier_$1_t)
|
|
+
|
|
+ corenet_all_recvfrom_netlabel(courier_$1_t)
|
|
+ corenet_tcp_sendrecv_generic_if(courier_$1_t)
|
|
+ corenet_udp_sendrecv_generic_if(courier_$1_t)
|
|
+ corenet_tcp_sendrecv_generic_node(courier_$1_t)
|
|
+ corenet_udp_sendrecv_generic_node(courier_$1_t)
|
|
+ corenet_tcp_sendrecv_all_ports(courier_$1_t)
|
|
+ corenet_udp_sendrecv_all_ports(courier_$1_t)
|
|
+
|
|
+ logging_send_syslog_msg(courier_$1_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute the courier authentication
|
|
-## daemon with a domain transition.
|
|
+## Execute the courier authentication daemon with
|
|
+## a domain transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -48,34 +60,32 @@ interface(`courier_domtrans_authdaemon',`
|
|
type courier_authdaemon_t, courier_authdaemon_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, courier_authdaemon_exec_t, courier_authdaemon_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Connect to courier-authdaemon over
|
|
-## a unix stream socket.
|
|
+## Connect to courier-authdaemon over a unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`courier_stream_connect_authdaemon',`
|
|
- gen_require(`
|
|
- type courier_authdaemon_t, courier_spool_t;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type courier_authdaemon_t, courier_spool_t;
|
|
+ ')
|
|
|
|
files_search_spool($1)
|
|
- stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
|
|
+ stream_connect_pattern($1, courier_spool_t, courier_spool_t, courier_authdaemon_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute the courier POP3 and IMAP
|
|
-## server with a domain transition.
|
|
+## Execute the courier POP3 and IMAP server with
|
|
+## a domain transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -88,13 +98,12 @@ interface(`courier_domtrans_pop',`
|
|
type courier_pop_t, courier_pop_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, courier_pop_exec_t, courier_pop_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read courier config files.
|
|
+## Read courier config files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -127,7 +136,7 @@ interface(`courier_manage_spool_dirs',`
|
|
type courier_spool_t;
|
|
')
|
|
|
|
- files_search_var($1)
|
|
+ files_search_spool($1)
|
|
manage_dirs_pattern($1, courier_spool_t, courier_spool_t)
|
|
')
|
|
|
|
@@ -136,7 +145,7 @@ interface(`courier_manage_spool_dirs',`
|
|
## Create, read, write, and delete courier
|
|
## spool files.
|
|
## </summary>
|
|
-## <param name="domain">
|
|
+## <param name="domains">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
@@ -147,7 +156,7 @@ interface(`courier_manage_spool_files',`
|
|
type courier_spool_t;
|
|
')
|
|
|
|
- files_search_var($1)
|
|
+ files_search_spool($1)
|
|
manage_files_pattern($1, courier_spool_t, courier_spool_t)
|
|
')
|
|
|
|
@@ -166,13 +175,13 @@ interface(`courier_read_spool',`
|
|
type courier_spool_t;
|
|
')
|
|
|
|
- files_search_var($1)
|
|
+ files_search_spool($1)
|
|
read_files_pattern($1, courier_spool_t, courier_spool_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write courier spool pipes.
|
|
+## Read and write to courier spool pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -185,6 +194,5 @@ interface(`courier_rw_spool_pipes',`
|
|
type courier_spool_t;
|
|
')
|
|
|
|
- files_search_var($1)
|
|
allow $1 courier_spool_t:fifo_file rw_fifo_file_perms;
|
|
')
|
|
diff --git a/courier.te b/courier.te
|
|
index ae3bc70..9090d75 100644
|
|
--- a/courier.te
|
|
+++ b/courier.te
|
|
@@ -18,7 +18,7 @@ type courier_etc_t;
|
|
files_config_file(courier_etc_t)
|
|
|
|
type courier_spool_t;
|
|
-files_type(courier_spool_t)
|
|
+files_spool_file(courier_spool_t)
|
|
|
|
type courier_var_lib_t;
|
|
files_type(courier_var_lib_t)
|
|
@@ -51,7 +51,6 @@ manage_sock_files_pattern(courier_domain, courier_var_run_t, courier_var_run_t)
|
|
files_pid_filetrans(courier_domain, courier_var_run_t, dir)
|
|
|
|
kernel_read_kernel_sysctls(courier_domain)
|
|
-kernel_read_system_state(courier_domain)
|
|
|
|
corecmd_exec_bin(courier_domain)
|
|
|
|
@@ -59,15 +58,11 @@ dev_read_sysfs(courier_domain)
|
|
|
|
domain_use_interactive_fds(courier_domain)
|
|
|
|
-files_read_etc_files(courier_domain)
|
|
files_read_etc_runtime_files(courier_domain)
|
|
-files_read_usr_files(courier_domain)
|
|
|
|
fs_getattr_xattr_fs(courier_domain)
|
|
fs_search_auto_mountpoints(courier_domain)
|
|
|
|
-logging_send_syslog_msg(courier_domain)
|
|
-
|
|
sysnet_read_config(courier_domain)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(courier_domain)
|
|
@@ -77,6 +72,10 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ mysql_stream_connect(courier_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
udev_read_db(courier_domain)
|
|
')
|
|
|
|
@@ -91,6 +90,7 @@ allow courier_authdaemon_t self:unix_stream_socket { accept connectto listen };
|
|
create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
|
|
manage_sock_files_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
|
|
|
|
+manage_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
|
|
manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
|
|
|
|
allow courier_authdaemon_t courier_tcpd_t:process sigchld;
|
|
@@ -112,7 +112,6 @@ auth_domtrans_chk_passwd(courier_authdaemon_t)
|
|
|
|
libs_read_lib_files(courier_authdaemon_t)
|
|
|
|
-miscfiles_read_localization(courier_authdaemon_t)
|
|
|
|
userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
|
|
|
|
@@ -135,7 +134,7 @@ allow courier_pop_t courier_authdaemon_t:process sigchld;
|
|
|
|
allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
|
|
|
|
-allow courier_pop_t courier_var_lib_t:file { read write };
|
|
+allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
|
|
|
|
domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
|
|
|
|
@@ -172,7 +171,6 @@ corenet_tcp_sendrecv_pop_port(courier_tcpd_t)
|
|
dev_read_rand(courier_tcpd_t)
|
|
dev_read_urand(courier_tcpd_t)
|
|
|
|
-miscfiles_read_localization(courier_tcpd_t)
|
|
|
|
########################################
|
|
#
|
|
diff --git a/cpucontrol.te b/cpucontrol.te
|
|
index af72c4e..afab036 100644
|
|
--- a/cpucontrol.te
|
|
+++ b/cpucontrol.te
|
|
@@ -42,8 +42,6 @@ term_dontaudit_use_console(cpucontrol_domain)
|
|
init_use_fds(cpucontrol_domain)
|
|
init_use_script_ptys(cpucontrol_domain)
|
|
|
|
-logging_send_syslog_msg(cpucontrol_domain)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(cpucontrol_domain)
|
|
|
|
optional_policy(`
|
|
@@ -69,12 +67,13 @@ allow cpucontrol_t cpucontrol_conf_t:dir list_dir_perms;
|
|
read_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
|
|
read_lnk_files_pattern(cpucontrol_t, cpucontrol_conf_t, cpucontrol_conf_t)
|
|
|
|
-kernel_list_proc(cpucontrol_t)
|
|
kernel_read_proc_symlinks(cpucontrol_t)
|
|
|
|
dev_read_sysfs(cpucontrol_t)
|
|
dev_rw_cpu_microcode(cpucontrol_t)
|
|
|
|
+logging_send_syslog_msg(cpucontrol_t)
|
|
+
|
|
optional_policy(`
|
|
rhgb_use_ptys(cpucontrol_t)
|
|
')
|
|
@@ -98,7 +97,6 @@ dev_rw_sysfs(cpuspeed_t)
|
|
|
|
domain_read_all_domains_state(cpuspeed_t)
|
|
|
|
-files_read_etc_files(cpuspeed_t)
|
|
files_read_etc_runtime_files(cpuspeed_t)
|
|
|
|
-miscfiles_read_localization(cpuspeed_t)
|
|
+logging_send_syslog_msg(cpuspeed_t)
|
|
diff --git a/cpufreqselector.te b/cpufreqselector.te
|
|
index 6cedb87..530e250 100644
|
|
--- a/cpufreqselector.te
|
|
+++ b/cpufreqselector.te
|
|
@@ -14,21 +14,17 @@ init_daemon_domain(cpufreqselector_t, cpufreqselector_exec_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow cpufreqselector_t self:capability { sys_nice sys_ptrace };
|
|
+allow cpufreqselector_t self:capability sys_nice;
|
|
allow cpufreqselector_t self:process getsched;
|
|
allow cpufreqselector_t self:fifo_file rw_fifo_file_perms;
|
|
+allow cpufreqselector_t self:process getsched;
|
|
|
|
kernel_read_system_state(cpufreqselector_t)
|
|
|
|
-files_read_etc_files(cpufreqselector_t)
|
|
-files_read_usr_files(cpufreqselector_t)
|
|
-
|
|
dev_rw_sysfs(cpufreqselector_t)
|
|
|
|
-miscfiles_read_localization(cpufreqselector_t)
|
|
-
|
|
userdom_read_all_users_state(cpufreqselector_t)
|
|
-userdom_dontaudit_search_user_home_dirs(cpufreqselector_t)
|
|
+userdom_dontaudit_search_admin_dir(cpufreqselector_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
|
|
@@ -51,3 +47,7 @@ optional_policy(`
|
|
policykit_read_lib(cpufreqselector_t)
|
|
policykit_read_reload(cpufreqselector_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ xserver_dbus_chat_xdm(cpufreqselector_t)
|
|
+')
|
|
diff --git a/cron.fc b/cron.fc
|
|
index ad0bae9..72c2cda 100644
|
|
--- a/cron.fc
|
|
+++ b/cron.fc
|
|
@@ -1,66 +1,79 @@
|
|
-/etc/rc\.d/init\.d/(anacron|atd) -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/atd -- gen_context(system_u:object_r:crond_initrc_exec_t,s0)
|
|
|
|
-/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
|
|
-/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
|
|
+/etc/cron\.d(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
|
|
+/etc/crontab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
|
|
|
|
-/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
|
|
-/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
|
|
+/usr/lib/systemd/system/atd.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/crond.* -- gen_context(system_u:object_r:crond_unit_file_t,s0)
|
|
|
|
-/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
|
|
-/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
|
|
+/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
|
|
+/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
|
|
|
|
-/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
|
|
-/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
|
|
-/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
|
|
-/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
|
|
-/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
|
|
+/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
|
|
+/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
|
|
|
|
-/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
|
|
+/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
|
|
+/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
|
|
+/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
|
|
+/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
|
|
+/usr/sbin/fcronsighup -- gen_context(system_u:object_r:crontab_exec_t,s0)
|
|
|
|
-/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
|
|
-/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
|
|
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
|
|
|
|
-/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
|
-/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
|
-/var/run/cron(d)?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
|
-/var/run/cron(d)?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
|
-/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
|
|
-/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
|
-/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
|
+/var/log/cron.* gen_context(system_u:object_r:cron_log_t,s0)
|
|
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
|
|
|
|
-/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
|
|
-/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
|
|
-/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0)
|
|
+/var/run/anacron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
|
+/var/run/atd\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
|
+/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
|
+/var/run/crond?\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
|
+/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
|
|
+/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
|
+/var/run/.*cron.* -- gen_context(system_u:object_r:crond_var_run_t,s0)
|
|
|
|
-/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
|
|
-#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
|
|
-/var/spool/cron/[^/]* -- <<none>>
|
|
+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
|
|
+/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
|
|
|
|
-/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
|
|
+/var/spool/cron -d gen_context(system_u:object_r:user_cron_spool_t,s0)
|
|
+#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
|
|
+/var/spool/cron/[^/]* -- <<none>>
|
|
+
|
|
+/var/spool/cron/crontabs -d gen_context(system_u:object_r:cron_spool_t,s0)
|
|
/var/spool/cron/crontabs/.* -- <<none>>
|
|
#/var/spool/cron/crontabs/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
|
|
|
|
-/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
|
|
-/var/spool/fcron/.* <<none>>
|
|
+/var/spool/fcron -d gen_context(system_u:object_r:cron_spool_t,s0)
|
|
+/var/spool/fcron/.* <<none>>
|
|
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
|
|
-/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
|
|
-/var/spool/fcron/systab\.tmp -- gen_context(system_u:object_r:system_cron_spool_t,s0)
|
|
+/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
|
|
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
|
|
-/var/spool/fcron/rm\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
|
|
+
|
|
+ifdef(`distro_gentoo',`
|
|
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
|
|
+/var/spool/cron/lastrun/[^/]* -- <<none>>
|
|
+')
|
|
+
|
|
+ifdef(`distro_suse', `
|
|
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
|
|
+/var/spool/cron/lastrun/[^/]* -- <<none>>
|
|
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
|
|
+')
|
|
|
|
ifdef(`distro_debian',`
|
|
-/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
|
|
+/var/log/prelink.log.* -- gen_context(system_u:object_r:cron_log_t,s0)
|
|
+
|
|
+/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
|
|
/var/spool/cron/atjobs/[^/]* -- <<none>>
|
|
-/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
|
|
+/var/spool/cron/atspool -d gen_context(system_u:object_r:cron_spool_t,s0)
|
|
')
|
|
|
|
ifdef(`distro_gentoo',`
|
|
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
|
|
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
|
|
/var/spool/cron/lastrun/[^/]* -- <<none>>
|
|
')
|
|
|
|
-ifdef(`distro_suse',`
|
|
-/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
|
|
+ifdef(`distro_suse', `
|
|
+/var/spool/cron/lastrun -d gen_context(system_u:object_r:crond_tmp_t,s0)
|
|
/var/spool/cron/lastrun/[^/]* -- <<none>>
|
|
-/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
|
|
+/var/spool/cron/tabs -d gen_context(system_u:object_r:cron_spool_t,s0)
|
|
')
|
|
diff --git a/cron.if b/cron.if
|
|
index 1303b30..72481a7 100644
|
|
--- a/cron.if
|
|
+++ b/cron.if
|
|
@@ -2,11 +2,12 @@
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## The template to define a crontab domain.
|
|
+## The common rules for a crontab domain.
|
|
## </summary>
|
|
-## <param name="domain_prefix">
|
|
+## <param name="userdomain_prefix">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## The prefix of the user domain (e.g., user
|
|
+## is the prefix for user_t).
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
@@ -36,22 +37,29 @@ template(`cron_common_crontab_template',`
|
|
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
|
|
files_tmp_filetrans($1_t, $1_tmp_t, { dir file })
|
|
|
|
+ kernel_read_system_state($1_t)
|
|
+
|
|
auth_domtrans_chk_passwd($1_t)
|
|
auth_use_nsswitch($1_t)
|
|
+
|
|
+ logging_send_syslog_msg($1_t)
|
|
+
|
|
+ userdom_home_reader($1_t)
|
|
+
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Role access for cron.
|
|
+## Role access for cron
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## User domain for the role.
|
|
+## User domain for the role
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
@@ -60,56 +68,66 @@ interface(`cron_role',`
|
|
gen_require(`
|
|
type cronjob_t, crontab_t, crontab_exec_t;
|
|
type user_cron_spool_t, crond_t;
|
|
- bool cron_userdomain_transition;
|
|
+ bool cron_userdomain_transition;
|
|
')
|
|
|
|
- ##############################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
+ ##############################
|
|
+ #
|
|
+ # Declarations
|
|
+ #
|
|
|
|
role $1 types { cronjob_t crontab_t };
|
|
|
|
- ##############################
|
|
- #
|
|
- # Local policy
|
|
- #
|
|
+ ##############################
|
|
+ #
|
|
+ # Local policy
|
|
+ #
|
|
|
|
+ # Transition from the user domain to the derived domain.
|
|
domtrans_pattern($2, crontab_exec_t, crontab_t)
|
|
|
|
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
|
|
allow $2 crond_t:process sigchld;
|
|
|
|
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
|
|
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
|
|
|
|
- allow $2 crontab_t:process { ptrace signal_perms };
|
|
+ # crontab shows up in user ps
|
|
+ allow $2 crontab_t:process signal_perms;
|
|
ps_process_pattern($2, crontab_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 crontab_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ # Run helper programs as the user domain
|
|
+ #corecmd_bin_domtrans(crontab_t, $2)
|
|
+ #corecmd_shell_domtrans(crontab_t, $2)
|
|
corecmd_exec_bin(crontab_t)
|
|
corecmd_exec_shell(crontab_t)
|
|
|
|
- tunable_policy(`cron_userdomain_transition',`
|
|
- allow crond_t $2:process transition;
|
|
- allow crond_t $2:fd use;
|
|
- allow crond_t $2:key manage_key_perms;
|
|
+ tunable_policy(`cron_userdomain_transition',`
|
|
+ allow crond_t $2:process transition;
|
|
+ allow crond_t $2:fd use;
|
|
+ allow crond_t $2:key manage_key_perms;
|
|
|
|
- allow $2 user_cron_spool_t:file entrypoint;
|
|
+ # needs to be authorized SELinux context for cron
|
|
+ allow $2 user_cron_spool_t:file entrypoint;
|
|
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
|
|
|
|
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
|
|
+ allow $2 cronjob_t:process { signal_perms };
|
|
|
|
- allow $2 cronjob_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($2, cronjob_t)
|
|
- ',`
|
|
- dontaudit crond_t $2:process transition;
|
|
- dontaudit crond_t $2:fd use;
|
|
- dontaudit crond_t $2:key manage_key_perms;
|
|
+ ps_process_pattern($2, cronjob_t)
|
|
+ ',`
|
|
+ dontaudit crond_t $2:process transition;
|
|
+ dontaudit crond_t $2:fd use;
|
|
+ dontaudit crond_t $2:key manage_key_perms;
|
|
|
|
- dontaudit $2 user_cron_spool_t:file entrypoint;
|
|
+ dontaudit $2 user_cron_spool_t:file entrypoint;
|
|
|
|
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
|
|
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
|
|
|
|
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
|
|
- ')
|
|
+ dontaudit $2 cronjob_t:process { signal_perms };
|
|
+ ')
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
@@ -119,78 +137,87 @@ interface(`cron_role',`
|
|
dbus_stub(cronjob_t)
|
|
|
|
allow cronjob_t $2:dbus send_msg;
|
|
- ')
|
|
+ ')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Role access for unconfined cron.
|
|
+## Role access for unconfined cronjobs
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## User domain for the role.
|
|
+## User domain for the role
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
interface(`cron_unconfined_role',`
|
|
gen_require(`
|
|
type unconfined_cronjob_t, crontab_t, crontab_exec_t;
|
|
- type crond_t, user_cron_spool_t;
|
|
- bool cron_userdomain_transition;
|
|
+ type crond_t, user_cron_spool_t;
|
|
+ bool cron_userdomain_transition;
|
|
')
|
|
|
|
- ##############################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
+ ##############################
|
|
+ #
|
|
+ # Declarations
|
|
+ #
|
|
+
|
|
+ role $1 types { unconfined_cronjob_t crontab_t };
|
|
|
|
- role $1 types { unconfined_cronjob_t crontab_t };
|
|
+ ##############################
|
|
+ #
|
|
+ # Local policy
|
|
+ #
|
|
|
|
- ##############################
|
|
- #
|
|
- # Local policy
|
|
- #
|
|
+ domtrans_pattern($2, crontab_exec_t, crontab_t)
|
|
|
|
- domtrans_pattern($2, crontab_exec_t, crontab_t)
|
|
+ dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
|
|
|
|
- dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
|
|
- allow $2 crond_t:process sigchld;
|
|
+ allow $2 crond_t:process sigchld;
|
|
|
|
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
|
|
+ allow $2 user_cron_spool_t:file { getattr read write ioctl };
|
|
|
|
- allow $2 crontab_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($2, crontab_t)
|
|
+ allow $2 crontab_t:process { signal_perms };
|
|
+ ps_process_pattern($2, crontab_t)
|
|
|
|
- corecmd_exec_bin(crontab_t)
|
|
- corecmd_exec_shell(crontab_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 crontab_t:process ptrace;
|
|
+ ')
|
|
|
|
- tunable_policy(`cron_userdomain_transition',`
|
|
- allow crond_t $2:process transition;
|
|
- allow crond_t $2:fd use;
|
|
- allow crond_t $2:key manage_key_perms;
|
|
+ # cronjob shows up in user ps
|
|
+ ps_process_pattern($2, unconfined_cronjob_t)
|
|
+ allow $2 unconfined_cronjob_t:process signal_perms;
|
|
|
|
- allow $2 user_cron_spool_t:file entrypoint;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 unconfined_cronjob_t:process ptrace;
|
|
+ ')
|
|
|
|
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
|
|
+ corecmd_exec_bin(crontab_t)
|
|
+ corecmd_exec_shell(crontab_t)
|
|
|
|
- allow $2 unconfined_cronjob_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($2, unconfined_cronjob_t)
|
|
- ',`
|
|
- dontaudit crond_t $2:process transition;
|
|
- dontaudit crond_t $2:fd use;
|
|
- dontaudit crond_t $2:key manage_key_perms;
|
|
+ tunable_policy(`cron_userdomain_transition',`
|
|
+ allow crond_t $2:process transition;
|
|
+ allow crond_t $2:fd use;
|
|
+ allow crond_t $2:key manage_key_perms;
|
|
|
|
- dontaudit $2 user_cron_spool_t:file entrypoint;
|
|
+ allow $2 user_cron_spool_t:file entrypoint;
|
|
|
|
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
|
|
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
|
|
+ ',`
|
|
+ dontaudit crond_t $2:process transition;
|
|
+ dontaudit crond_t $2:fd use;
|
|
+ dontaudit crond_t $2:key manage_key_perms;
|
|
|
|
- dontaudit $2 unconfined_cronjob_t:process { ptrace signal_perms };
|
|
-')
|
|
+ dontaudit $2 user_cron_spool_t:file entrypoint;
|
|
+
|
|
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
|
|
+ ')
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
@@ -198,55 +225,60 @@ interface(`cron_unconfined_role',`
|
|
')
|
|
|
|
dbus_stub(unconfined_cronjob_t)
|
|
-
|
|
allow unconfined_cronjob_t $2:dbus send_msg;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Role access for admin cron.
|
|
+## Role access for cron
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## User domain for the role.
|
|
+## User domain for the role
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
interface(`cron_admin_role',`
|
|
gen_require(`
|
|
- type cronjob_t, crontab_exec_t, admin_crontab_t;
|
|
+ type cronjob_t, crontab_exec_t, admin_crontab_t, admin_crontab_tmp_t;
|
|
+ type user_cron_spool_t, crond_t;
|
|
class passwd crontab;
|
|
- type crond_t, user_cron_spool_t;
|
|
- bool cron_userdomain_transition;
|
|
+ bool cron_userdomain_transition;
|
|
')
|
|
|
|
- ##############################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
+ ##############################
|
|
+ #
|
|
+ # Declarations
|
|
+ #
|
|
|
|
- role $1 types { cronjob_t admin_crontab_t };
|
|
+ role $1 types { cronjob_t admin_crontab_t admin_crontab_tmp_t };
|
|
|
|
- ##############################
|
|
- #
|
|
- # Local policy
|
|
- #
|
|
+ ##############################
|
|
+ #
|
|
+ # Local policy
|
|
+ #
|
|
|
|
+ # Transition from the user domain to the derived domain.
|
|
domtrans_pattern($2, crontab_exec_t, admin_crontab_t)
|
|
|
|
dontaudit crond_t $2:process { noatsecure siginh rlimitinh };
|
|
- allow $2 crond_t:process sigchld;
|
|
|
|
- allow $2 user_cron_spool_t:file { getattr read write ioctl };
|
|
+ allow $2 crond_t:process sigchld;
|
|
|
|
- allow $2 admin_crontab_t:process { ptrace signal_perms };
|
|
+ # crontab shows up in user ps
|
|
ps_process_pattern($2, admin_crontab_t)
|
|
+ allow $2 admin_crontab_t:process signal_perms;
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 admin_crontab_t:process ptrace;
|
|
+ ')
|
|
|
|
# Manipulate other users crontab.
|
|
allow $2 self:passwd crontab;
|
|
@@ -254,28 +286,26 @@ interface(`cron_admin_role',`
|
|
corecmd_exec_bin(admin_crontab_t)
|
|
corecmd_exec_shell(admin_crontab_t)
|
|
|
|
- tunable_policy(`cron_userdomain_transition',`
|
|
- allow crond_t $2:process transition;
|
|
- allow crond_t $2:fd use;
|
|
- allow crond_t $2:key manage_key_perms;
|
|
+ tunable_policy(`cron_userdomain_transition',`
|
|
+ allow crond_t $2:process transition;
|
|
+ allow crond_t $2:fd use;
|
|
+ allow crond_t $2:key manage_key_perms;
|
|
|
|
- allow $2 user_cron_spool_t:file entrypoint;
|
|
+ allow $2 user_cron_spool_t:file entrypoint;
|
|
|
|
- allow $2 crond_t:fifo_file rw_fifo_file_perms;
|
|
+ allow $2 crond_t:fifo_file rw_fifo_file_perms;
|
|
|
|
- allow $2 cronjob_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($2, cronjob_t)
|
|
- ',`
|
|
- dontaudit crond_t $2:process transition;
|
|
- dontaudit crond_t $2:fd use;
|
|
- dontaudit crond_t $2:key manage_key_perms;
|
|
+ allow $2 cronjob_t:process { signal_perms };
|
|
+ ps_process_pattern($2, cronjob_t)
|
|
+ ',`
|
|
+ dontaudit crond_t $2:process transition;
|
|
+ dontaudit crond_t $2:fd use;
|
|
+ dontaudit crond_t $2:key manage_key_perms;
|
|
|
|
- dontaudit $2 user_cron_spool_t:file entrypoint;
|
|
-
|
|
- dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
|
|
-
|
|
- dontaudit $2 cronjob_t:process { ptrace signal_perms };
|
|
- ')
|
|
+ dontaudit $2 user_cron_spool_t:file entrypoint;
|
|
+ dontaudit $2 crond_t:fifo_file rw_fifo_file_perms;
|
|
+ dontaudit $2 cronjob_t:process { signal_perms };
|
|
+ ')
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
@@ -285,13 +315,13 @@ interface(`cron_admin_role',`
|
|
dbus_stub(admin_cronjob_t)
|
|
|
|
allow cronjob_t $2:dbus send_msg;
|
|
- ')
|
|
+ ')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Make the specified program domain
|
|
-## accessable from the system cron jobs.
|
|
+## Make the specified program domain accessable
|
|
+## from the system cron jobs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -307,15 +337,15 @@ interface(`cron_admin_role',`
|
|
interface(`cron_system_entry',`
|
|
gen_require(`
|
|
type crond_t, system_cronjob_t;
|
|
- type user_cron_spool_log_t;
|
|
')
|
|
|
|
- rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)
|
|
-
|
|
domtrans_pattern(system_cronjob_t, $2, $1)
|
|
domtrans_pattern(crond_t, $2, $1)
|
|
|
|
role system_r types $1;
|
|
+
|
|
+ allow $1 crond_t:fifo_file rw_fifo_file_perms;
|
|
+ allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
|
|
')
|
|
|
|
########################################
|
|
@@ -333,13 +363,12 @@ interface(`cron_domtrans',`
|
|
type system_cronjob_t, crond_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, crond_exec_t, system_cronjob_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute crond in the caller domain.
|
|
+## Execute crond_exec_t
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -352,7 +381,6 @@ interface(`cron_exec',`
|
|
type crond_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, crond_exec_t)
|
|
')
|
|
|
|
@@ -376,7 +404,31 @@ interface(`cron_initrc_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Use crond file descriptors.
|
|
+## Execute crond server in the crond domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`cron_systemctl',`
|
|
+ gen_require(`
|
|
+ type crond_unit_file_t;
|
|
+ type crond_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 crond_unit_file_t:file read_file_perms;
|
|
+ allow $1 crond_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, crond_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Inherit and use a file descriptor
|
|
+## from the cron daemon.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -394,7 +446,7 @@ interface(`cron_use_fds',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send child terminated signals to crond.
|
|
+## Send a SIGCHLD signal to the cron daemon.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -412,7 +464,7 @@ interface(`cron_sigchld',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Set the attributes of cron log files.
|
|
+## Send a generic signal to cron daemon.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -420,17 +472,17 @@ interface(`cron_sigchld',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`cron_setattr_log_files',`
|
|
+interface(`cron_signal',`
|
|
gen_require(`
|
|
- type cron_log_t;
|
|
+ type crond_t;
|
|
')
|
|
|
|
- allow $1 cron_log_t:file setattr_file_perms;
|
|
+ allow $1 crond_t:process signal;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create cron log files.
|
|
+## Read a cron daemon unnamed pipe.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -438,17 +490,17 @@ interface(`cron_setattr_log_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`cron_create_log_files',`
|
|
+interface(`cron_read_pipes',`
|
|
gen_require(`
|
|
- type cron_log_t;
|
|
+ type crond_t;
|
|
')
|
|
|
|
- create_files_pattern($1, cron_log_t, cron_log_t)
|
|
+ allow $1 crond_t:fifo_file read_fifo_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Write to cron log files.
|
|
+## Read crond state files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -456,18 +508,20 @@ interface(`cron_create_log_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`cron_write_log_files',`
|
|
+interface(`cron_read_state_crond',`
|
|
gen_require(`
|
|
- type cron_log_t;
|
|
+ type crond_t;
|
|
')
|
|
|
|
- allow $1 cron_log_t:file write_file_perms;
|
|
+ kernel_search_proc($1)
|
|
+ ps_process_pattern($1, crond_t)
|
|
')
|
|
|
|
+
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write and delete
|
|
-## cron log files.
|
|
+## Send and receive messages from
|
|
+## crond over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -475,48 +529,37 @@ interface(`cron_write_log_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`cron_manage_log_files',`
|
|
+interface(`cron_dbus_chat_crond',`
|
|
gen_require(`
|
|
- type cron_log_t;
|
|
+ type crond_t;
|
|
+ class dbus send_msg;
|
|
')
|
|
|
|
- manage_files_pattern($1, cron_log_t, cron_log_t)
|
|
-
|
|
- logging_search_logs($1)
|
|
+ allow $1 crond_t:dbus send_msg;
|
|
+ allow crond_t $1:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create specified objects in generic
|
|
-## log directories with the cron log file type.
|
|
+## Do not audit attempts to write cron daemon unnamed pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`cron_generic_log_filetrans_log',`
|
|
+interface(`cron_dontaudit_write_pipes',`
|
|
gen_require(`
|
|
- type cron_log_t;
|
|
+ type crond_t;
|
|
')
|
|
|
|
- logging_log_filetrans($1, cron_log_t, $2, $3)
|
|
+ dontaudit $1 crond_t:fifo_file write;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read cron daemon unnamed pipes.
|
|
+## Read and write a cron daemon unnamed pipe.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -524,36 +567,35 @@ interface(`cron_generic_log_filetrans_log',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`cron_read_pipes',`
|
|
+interface(`cron_rw_pipes',`
|
|
gen_require(`
|
|
type crond_t;
|
|
')
|
|
|
|
- allow $1 crond_t:fifo_file read_fifo_file_perms;
|
|
+ allow $1 crond_t:fifo_file rw_inherited_fifo_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to write
|
|
-## cron daemon unnamed pipes.
|
|
+## Read and write inherited user spool files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain to not audit.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`cron_dontaudit_write_pipes',`
|
|
+interface(`cron_rw_inherited_user_spool_files',`
|
|
gen_require(`
|
|
- type crond_t;
|
|
+ type user_cron_spool_t;
|
|
')
|
|
|
|
- dontaudit $1 crond_t:fifo_file write;
|
|
+ allow $1 user_cron_spool_t:file rw_inherited_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write crond unnamed pipes.
|
|
+## Read and write inherited spool files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -561,17 +603,17 @@ interface(`cron_dontaudit_write_pipes',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`cron_rw_pipes',`
|
|
+interface(`cron_rw_inherited_spool_files',`
|
|
gen_require(`
|
|
- type crond_t;
|
|
+ type cron_spool_t;
|
|
')
|
|
|
|
- allow $1 crond_t:fifo_file rw_fifo_file_perms;
|
|
+ allow $1 cron_spool_t:file rw_inherited_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write crond TCP sockets.
|
|
+## Read, and write cron daemon TCP sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -589,8 +631,7 @@ interface(`cron_rw_tcp_sockets',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to read and
|
|
-## write cron daemon TCP sockets.
|
|
+## Dontaudit Read, and write cron daemon TCP sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -608,7 +649,7 @@ interface(`cron_dontaudit_rw_tcp_sockets',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Search cron spool directories.
|
|
+## Search the directory containing user cron tables.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -627,8 +668,26 @@ interface(`cron_search_spool',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## crond pid files.
|
|
+## Search the directory containing user cron tables.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`cron_manage_system_spool',`
|
|
+ gen_require(`
|
|
+ type cron_system_spool_t;
|
|
+ ')
|
|
+
|
|
+ files_search_spool($1)
|
|
+ manage_files_pattern($1, cron_system_spool_t, cron_system_spool_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage pid files used by cron
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -641,13 +700,13 @@ interface(`cron_manage_pid_files',`
|
|
type crond_var_run_t;
|
|
')
|
|
|
|
+ files_search_pids($1)
|
|
manage_files_pattern($1, crond_var_run_t, crond_var_run_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute anacron in the cron
|
|
-## system domain.
|
|
+## Execute anacron in the cron system domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -660,13 +719,13 @@ interface(`cron_anacron_domtrans_system_job',`
|
|
type system_cronjob_t, anacron_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, anacron_exec_t, system_cronjob_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Use system cron job file descriptors.
|
|
+## Inherit and use a file descriptor
|
|
+## from system cron jobs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -684,7 +743,7 @@ interface(`cron_use_system_job_fds',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read system cron job lib files.
|
|
+## Write a system cron job unnamed pipe.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -692,19 +751,17 @@ interface(`cron_use_system_job_fds',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`cron_read_system_job_lib_files',`
|
|
+interface(`cron_write_system_job_pipes',`
|
|
gen_require(`
|
|
- type system_cronjob_var_lib_t;
|
|
+ type system_cronjob_t;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
- read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
|
|
+ allow $1 system_cronjob_t:fifo_file write;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## system cron job lib files.
|
|
+## Read and write a system cron job unnamed pipe.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -712,18 +769,17 @@ interface(`cron_read_system_job_lib_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`cron_manage_system_job_lib_files',`
|
|
+interface(`cron_rw_system_job_pipes',`
|
|
gen_require(`
|
|
- type system_cronjob_var_lib_t;
|
|
+ type system_cronjob_t;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
- manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
|
|
+ allow $1 system_cronjob_t:fifo_file rw_inherited_fifo_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Write system cron job unnamed pipes.
|
|
+## Allow read/write unix stream sockets from the system cron jobs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -731,18 +787,17 @@ interface(`cron_manage_system_job_lib_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`cron_write_system_job_pipes',`
|
|
+interface(`cron_rw_system_job_stream_sockets',`
|
|
gen_require(`
|
|
type system_cronjob_t;
|
|
')
|
|
|
|
- allow $1 system_cronjob_t:file write;
|
|
+ allow $1 system_cronjob_t:unix_stream_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write system cron job
|
|
-## unnamed pipes.
|
|
+## Read temporary files from the system cron jobs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -750,86 +805,142 @@ interface(`cron_write_system_job_pipes',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`cron_rw_system_job_pipes',`
|
|
+interface(`cron_read_system_job_tmp_files',`
|
|
gen_require(`
|
|
- type system_cronjob_t;
|
|
+ type system_cronjob_tmp_t, cron_var_run_t;
|
|
')
|
|
|
|
- allow $1 system_cronjob_t:fifo_file rw_fifo_file_perms;
|
|
+ files_search_tmp($1)
|
|
+ allow $1 system_cronjob_tmp_t:file read_file_perms;
|
|
+
|
|
+ files_search_pids($1)
|
|
+ allow $1 cron_var_run_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write inherited system cron
|
|
-## job unix domain stream sockets.
|
|
+## Do not audit attempts to append temporary
|
|
+## files from the system cron jobs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`cron_rw_system_job_stream_sockets',`
|
|
+interface(`cron_dontaudit_append_system_job_tmp_files',`
|
|
gen_require(`
|
|
- type system_cronjob_t;
|
|
+ type system_cronjob_tmp_t;
|
|
')
|
|
|
|
- allow $1 system_cronjob_t:unix_stream_socket { read write };
|
|
+ dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read system cron job temporary files.
|
|
+## Do not audit attempts to write temporary
|
|
+## files from the system cron jobs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`cron_read_system_job_tmp_files',`
|
|
+interface(`cron_dontaudit_write_system_job_tmp_files',`
|
|
gen_require(`
|
|
type system_cronjob_tmp_t;
|
|
+ type cron_var_run_t;
|
|
')
|
|
|
|
- files_search_tmp($1)
|
|
- allow $1 system_cronjob_tmp_t:file read_file_perms;
|
|
+ dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
|
|
+ dontaudit $1 cron_var_run_t:file write_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to append temporary
|
|
-## system cron job files.
|
|
+## Read temporary files from the system cron jobs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain to not audit.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`cron_dontaudit_append_system_job_tmp_files',`
|
|
+interface(`cron_read_system_job_lib_files',`
|
|
gen_require(`
|
|
- type system_cronjob_tmp_t;
|
|
+ type system_cronjob_var_lib_t;
|
|
')
|
|
|
|
- dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to write temporary
|
|
-## system cron job files.
|
|
+## Manage files from the system cron jobs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain to not audit.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`cron_dontaudit_write_system_job_tmp_files',`
|
|
+interface(`cron_manage_system_job_lib_files',`
|
|
gen_require(`
|
|
- type system_cronjob_tmp_t;
|
|
+ type system_cronjob_var_lib_t;
|
|
')
|
|
|
|
- dontaudit $1 system_cronjob_tmp_t:file write_file_perms;
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Create, read, write and delete
|
|
+## cron log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`cron_manage_log_files',`
|
|
+ gen_require(`
|
|
+ type cron_log_t;
|
|
+ ')
|
|
+
|
|
+ manage_files_pattern($1, cron_log_t, cron_log_t)
|
|
+
|
|
+ logging_search_logs($1)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Create specified objects in generic
|
|
+## log directories with the cron log file type.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="object_class">
|
|
+## <summary>
|
|
+## Class of the object being created.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="name" optional="true">
|
|
+## <summary>
|
|
+## The name of the object being created.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`cron_generic_log_filetrans_log',`
|
|
+ gen_require(`
|
|
+ type cron_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_log_filetrans($1, cron_log_t, $2, $3)
|
|
')
|
|
diff --git a/cron.te b/cron.te
|
|
index 7de3859..c4abac0 100644
|
|
--- a/cron.te
|
|
+++ b/cron.te
|
|
@@ -11,46 +11,46 @@ gen_require(`
|
|
|
|
## <desc>
|
|
## <p>
|
|
-## Determine whether system cron jobs
|
|
-## can relabel filesystem for
|
|
-## restoring file contexts.
|
|
+## Allow system cron jobs to relabel filesystem
|
|
+## for restoring file contexts.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(cron_can_relabel, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether crond can execute jobs
|
|
-## in the user domain as opposed to the
|
|
-## the generic cronjob domain.
|
|
-## </p>
|
|
+## <p>
|
|
+## Determine whether crond can execute jobs
|
|
+## in the user domain as opposed to the
|
|
+## the generic cronjob domain.
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(cron_userdomain_transition, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
-## Determine whether extra rules
|
|
-## should be enabled to support fcron.
|
|
+## Enable extra rules in the cron domain
|
|
+## to support fcron.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(fcron_crond, false)
|
|
|
|
-attribute cron_spool_type;
|
|
attribute crontab_domain;
|
|
+attribute cron_spool_type;
|
|
|
|
type anacron_exec_t;
|
|
application_executable_file(anacron_exec_t)
|
|
|
|
type cron_spool_t;
|
|
-files_type(cron_spool_t)
|
|
-mta_system_content(cron_spool_t)
|
|
+files_spool_file(cron_spool_t)
|
|
|
|
+# var/lib files
|
|
type cron_var_lib_t;
|
|
files_type(cron_var_lib_t)
|
|
|
|
type cron_var_run_t;
|
|
files_pid_file(cron_var_run_t)
|
|
|
|
+# var/log files
|
|
type cron_log_t;
|
|
logging_log_file(cron_log_t)
|
|
|
|
@@ -71,6 +71,9 @@ domain_cron_exemption_source(crond_t)
|
|
type crond_initrc_exec_t;
|
|
init_script_file(crond_initrc_exec_t)
|
|
|
|
+type crond_unit_file_t;
|
|
+systemd_unit_file(crond_unit_file_t)
|
|
+
|
|
type crond_tmp_t;
|
|
files_tmp_file(crond_tmp_t)
|
|
files_poly_parent(crond_tmp_t)
|
|
@@ -92,15 +95,16 @@ typealias crontab_t alias { user_crontab_t staff_crontab_t };
|
|
typealias crontab_t alias { auditadm_crontab_t secadm_crontab_t };
|
|
typealias crontab_tmp_t alias { user_crontab_tmp_t staff_crontab_tmp_t };
|
|
typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
|
|
+allow admin_crontab_t crond_t:process signal;
|
|
|
|
type system_cron_spool_t, cron_spool_type;
|
|
-files_type(system_cron_spool_t)
|
|
-mta_system_content(system_cron_spool_t)
|
|
+files_spool_file(system_cron_spool_t)
|
|
|
|
type system_cronjob_t alias system_crond_t;
|
|
init_daemon_domain(system_cronjob_t, anacron_exec_t)
|
|
corecmd_shell_entry_type(system_cronjob_t)
|
|
-domain_entry_file(system_cronjob_t, system_cron_spool_t)
|
|
+role system_r types system_cronjob_t;
|
|
+domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
|
|
|
|
type system_cronjob_lock_t alias system_crond_lock_t;
|
|
files_lock_file(system_cronjob_lock_t)
|
|
@@ -108,94 +112,34 @@ files_lock_file(system_cronjob_lock_t)
|
|
type system_cronjob_tmp_t alias system_crond_tmp_t;
|
|
files_tmp_file(system_cronjob_tmp_t)
|
|
|
|
-type system_cronjob_var_lib_t;
|
|
-files_type(system_cronjob_var_lib_t)
|
|
-
|
|
-type system_cronjob_var_run_t;
|
|
-files_pid_file(system_cronjob_var_run_t)
|
|
-
|
|
+# Type of user crontabs once moved to cron spool.
|
|
type user_cron_spool_t, cron_spool_type;
|
|
typealias user_cron_spool_t alias { staff_cron_spool_t sysadm_cron_spool_t unconfined_cron_spool_t };
|
|
typealias user_cron_spool_t alias { auditadm_cron_spool_t secadm_cron_spool_t };
|
|
-files_type(user_cron_spool_t)
|
|
+files_spool_file(user_cron_spool_t)
|
|
ubac_constrained(user_cron_spool_t)
|
|
mta_system_content(user_cron_spool_t)
|
|
|
|
-type user_cron_spool_log_t;
|
|
-logging_log_file(user_cron_spool_log_t)
|
|
-ubac_constrained(user_cron_spool_log_t)
|
|
-mta_system_content(user_cron_spool_log_t)
|
|
+type system_cronjob_var_lib_t;
|
|
+files_type(system_cronjob_var_lib_t)
|
|
+typealias system_cronjob_var_lib_t alias system_crond_var_lib_t;
|
|
+
|
|
+type system_cronjob_var_run_t;
|
|
+files_pid_file(system_cronjob_var_run_t)
|
|
|
|
ifdef(`enable_mcs',`
|
|
init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
|
|
')
|
|
|
|
-##############################
|
|
-#
|
|
-# Common crontab local policy
|
|
-#
|
|
-
|
|
-allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
|
|
-allow crontab_domain self:process { getcap setsched signal_perms };
|
|
-allow crontab_domain self:fifo_file rw_fifo_file_perms;
|
|
-
|
|
-manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
|
|
-filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
|
|
-
|
|
-allow crontab_domain cron_spool_t:dir setattr_dir_perms;
|
|
-
|
|
-allow crontab_domain crond_t:process signal;
|
|
-allow crontab_domain crond_var_run_t:file read_file_perms;
|
|
-
|
|
-kernel_read_system_state(crontab_domain)
|
|
-
|
|
-selinux_dontaudit_search_fs(crontab_domain)
|
|
-
|
|
-files_list_spool(crontab_domain)
|
|
-files_read_etc_files(crontab_domain)
|
|
-files_read_usr_files(crontab_domain)
|
|
-files_search_pids(crontab_domain)
|
|
-
|
|
-fs_getattr_xattr_fs(crontab_domain)
|
|
-fs_manage_cgroup_dirs(crontab_domain)
|
|
-fs_rw_cgroup_files(crontab_domain)
|
|
-
|
|
-domain_use_interactive_fds(crontab_domain)
|
|
-
|
|
-fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
|
|
-
|
|
-auth_rw_var_auth(crontab_domain)
|
|
-
|
|
-logging_send_syslog_msg(crontab_domain)
|
|
-logging_send_audit_msgs(crontab_domain)
|
|
-logging_set_loginuid(crontab_domain)
|
|
-
|
|
-init_dontaudit_write_utmp(crontab_domain)
|
|
-init_read_utmp(crontab_domain)
|
|
-init_read_state(crontab_domain)
|
|
-
|
|
-miscfiles_read_localization(crontab_domain)
|
|
-
|
|
-seutil_read_config(crontab_domain)
|
|
-
|
|
-userdom_manage_user_tmp_dirs(crontab_domain)
|
|
-userdom_manage_user_tmp_files(crontab_domain)
|
|
-userdom_use_user_terminals(crontab_domain)
|
|
-userdom_read_user_home_content_files(crontab_domain)
|
|
-userdom_read_user_home_content_symlinks(crontab_domain)
|
|
-
|
|
-tunable_policy(`fcron_crond',`
|
|
- dontaudit crontab_domain crond_t:process signal;
|
|
-')
|
|
-
|
|
########################################
|
|
#
|
|
-# Admin local policy
|
|
+# Admin crontab local policy
|
|
#
|
|
|
|
-allow admin_crontab_t self:capability fsetid;
|
|
-allow admin_crontab_t crond_t:process signal;
|
|
+# Allow our crontab domain to unlink a user cron spool file.
|
|
+allow admin_crontab_t user_cron_spool_t:file { read_file_perms delete_file_perms };
|
|
|
|
+# Manipulate other users crontab.
|
|
selinux_get_fs_mount(admin_crontab_t)
|
|
selinux_validate_context(admin_crontab_t)
|
|
selinux_compute_access_vector(admin_crontab_t)
|
|
@@ -204,12 +148,14 @@ selinux_compute_relabel_context(admin_crontab_t)
|
|
selinux_compute_user_contexts(admin_crontab_t)
|
|
|
|
tunable_policy(`fcron_crond',`
|
|
+ # fcron wants an instant update of a crontab change for the administrator
|
|
+ # also crontab does a security check for crontab -u
|
|
allow admin_crontab_t self:process setfscreate;
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Daemon local policy
|
|
+# Cron daemon local policy
|
|
#
|
|
|
|
allow crond_t self:capability { dac_override chown fowner setgid setuid sys_nice dac_read_search };
|
|
@@ -218,8 +164,10 @@ allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate execmem exec
|
|
allow crond_t self:process { setexec setfscreate };
|
|
allow crond_t self:fd use;
|
|
allow crond_t self:fifo_file rw_fifo_file_perms;
|
|
+allow crond_t self:unix_dgram_socket create_socket_perms;
|
|
+allow crond_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow crond_t self:unix_dgram_socket sendto;
|
|
-allow crond_t self:unix_stream_socket { accept connectto listen };
|
|
+allow crond_t self:unix_stream_socket connectto;
|
|
allow crond_t self:shm create_shm_perms;
|
|
allow crond_t self:sem create_sem_perms;
|
|
allow crond_t self:msgq create_msgq_perms;
|
|
@@ -227,7 +175,7 @@ allow crond_t self:msg { send receive };
|
|
allow crond_t self:key { search write link };
|
|
dontaudit crond_t self:netlink_audit_socket nlmsg_tty_audit;
|
|
|
|
-allow crond_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
|
+manage_files_pattern(crond_t, cron_log_t, cron_log_t)
|
|
logging_log_filetrans(crond_t, cron_log_t, file)
|
|
|
|
manage_files_pattern(crond_t, crond_var_run_t, crond_var_run_t)
|
|
@@ -237,73 +185,68 @@ manage_files_pattern(crond_t, cron_spool_t, cron_spool_t)
|
|
|
|
manage_dirs_pattern(crond_t, crond_tmp_t, crond_tmp_t)
|
|
manage_files_pattern(crond_t, crond_tmp_t, crond_tmp_t)
|
|
-files_tmp_filetrans(crond_t, crond_tmp_t, { dir file })
|
|
+files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
|
|
|
|
list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
|
|
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
|
|
|
|
-rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
|
-manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
|
-manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
|
-
|
|
-manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
|
|
+kernel_read_kernel_sysctls(crond_t)
|
|
+kernel_read_fs_sysctls(crond_t)
|
|
+kernel_search_key(crond_t)
|
|
|
|
-allow crond_t system_cronjob_t:process transition;
|
|
-allow crond_t system_cronjob_t:fd use;
|
|
-allow crond_t system_cronjob_t:key manage_key_perms;
|
|
+dev_read_sysfs(crond_t)
|
|
+selinux_get_fs_mount(crond_t)
|
|
+selinux_validate_context(crond_t)
|
|
+selinux_compute_access_vector(crond_t)
|
|
+selinux_compute_create_context(crond_t)
|
|
+selinux_compute_relabel_context(crond_t)
|
|
+selinux_compute_user_contexts(crond_t)
|
|
|
|
-dontaudit crond_t { cronjob_t system_cronjob_t }:process { noatsecure siginh rlimitinh };
|
|
+dev_read_urand(crond_t)
|
|
|
|
-domtrans_pattern(crond_t, anacron_exec_t, system_cronjob_t)
|
|
+fs_getattr_all_fs(crond_t)
|
|
+fs_search_auto_mountpoints(crond_t)
|
|
+fs_list_inotifyfs(crond_t)
|
|
|
|
-kernel_read_kernel_sysctls(crond_t)
|
|
-kernel_read_fs_sysctls(crond_t)
|
|
-kernel_search_key(crond_t)
|
|
+# need auth_chkpwd to check for locked accounts.
|
|
+auth_domtrans_chk_passwd(crond_t)
|
|
+auth_manage_var_auth(crond_t)
|
|
|
|
corecmd_exec_shell(crond_t)
|
|
-corecmd_exec_bin(crond_t)
|
|
corecmd_list_bin(crond_t)
|
|
-
|
|
-dev_read_sysfs(crond_t)
|
|
-dev_read_urand(crond_t)
|
|
+corecmd_exec_bin(crond_t)
|
|
+corecmd_read_bin_symlinks(crond_t)
|
|
|
|
domain_use_interactive_fds(crond_t)
|
|
domain_subj_id_change_exemption(crond_t)
|
|
domain_role_change_exemption(crond_t)
|
|
|
|
-fs_getattr_all_fs(crond_t)
|
|
-fs_list_inotifyfs(crond_t)
|
|
-fs_manage_cgroup_dirs(crond_t)
|
|
-fs_rw_cgroup_files(crond_t)
|
|
-fs_search_auto_mountpoints(crond_t)
|
|
-
|
|
-files_read_usr_files(crond_t)
|
|
files_read_etc_runtime_files(crond_t)
|
|
files_read_generic_spool(crond_t)
|
|
files_list_usr(crond_t)
|
|
+# Read from /var/spool/cron.
|
|
files_search_var_lib(crond_t)
|
|
files_search_default(crond_t)
|
|
files_read_all_locks(crond_t)
|
|
|
|
-mls_fd_share_all_levels(crond_t)
|
|
+fs_manage_cgroup_dirs(crond_t)
|
|
+fs_manage_cgroup_files(crond_t)
|
|
+
|
|
+# needed by "crontab -e"
|
|
mls_file_read_all_levels(crond_t)
|
|
mls_file_write_all_levels(crond_t)
|
|
+
|
|
+# needed because of kernel check of transition
|
|
mls_process_set_level(crond_t)
|
|
-mls_trusted_object(crond_t)
|
|
|
|
-selinux_get_fs_mount(crond_t)
|
|
-selinux_validate_context(crond_t)
|
|
-selinux_compute_access_vector(crond_t)
|
|
-selinux_compute_create_context(crond_t)
|
|
-selinux_compute_relabel_context(crond_t)
|
|
-selinux_compute_user_contexts(crond_t)
|
|
+# to make cronjob working
|
|
+mls_fd_share_all_levels(crond_t)
|
|
+mls_trusted_object(crond_t)
|
|
|
|
init_read_state(crond_t)
|
|
init_rw_utmp(crond_t)
|
|
init_spec_domtrans_script(crond_t)
|
|
|
|
-auth_domtrans_chk_passwd(crond_t)
|
|
-auth_manage_var_auth(crond_t)
|
|
auth_use_nsswitch(crond_t)
|
|
|
|
logging_send_audit_msgs(crond_t)
|
|
@@ -312,41 +255,46 @@ logging_set_loginuid(crond_t)
|
|
|
|
seutil_read_config(crond_t)
|
|
seutil_read_default_contexts(crond_t)
|
|
+seutil_sigchld_newrole(crond_t)
|
|
|
|
-miscfiles_read_localization(crond_t)
|
|
|
|
+userdom_use_unpriv_users_fds(crond_t)
|
|
+# Not sure why this is needed
|
|
userdom_list_user_home_dirs(crond_t)
|
|
+userdom_list_admin_dir(crond_t)
|
|
+userdom_manage_all_users_keys(crond_t)
|
|
|
|
-tunable_policy(`cron_userdomain_transition',`
|
|
- dontaudit crond_t cronjob_t:process transition;
|
|
- dontaudit crond_t cronjob_t:fd use;
|
|
- dontaudit crond_t cronjob_t:key manage_key_perms;
|
|
-',`
|
|
- allow crond_t cronjob_t:process transition;
|
|
- allow crond_t cronjob_t:fd use;
|
|
- allow crond_t cronjob_t:key manage_key_perms;
|
|
-')
|
|
+mta_send_mail(crond_t)
|
|
+mta_system_content(cron_spool_t)
|
|
|
|
ifdef(`distro_debian',`
|
|
+ # pam_limits is used
|
|
allow crond_t self:process setrlimit;
|
|
|
|
- optional_policy(`
|
|
- logwatch_search_cache_dir(crond_t)
|
|
- ')
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ logwatch_search_cache_dir(crond_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ bind_read_config(crond_t)
|
|
')
|
|
|
|
ifdef(`distro_redhat',`
|
|
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
|
+ # via redirection of standard out.
|
|
optional_policy(`
|
|
rpm_manage_log(crond_t)
|
|
')
|
|
')
|
|
|
|
-tunable_policy(`allow_polyinstantiation',`
|
|
+tunable_policy(`polyinstantiation_enabled',`
|
|
files_polyinstantiate_all(crond_t)
|
|
')
|
|
|
|
-tunable_policy(`fcron_crond',`
|
|
- allow crond_t { system_cron_spool_t user_cron_spool_t }:file manage_file_perms;
|
|
+tunable_policy(`fcron_crond', `
|
|
+ allow crond_t system_cron_spool_t:file manage_file_perms;
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -354,103 +302,135 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- dbus_system_bus_client(crond_t)
|
|
-
|
|
- optional_policy(`
|
|
- hal_dbus_chat(crond_t)
|
|
- ')
|
|
-
|
|
- optional_policy(`
|
|
- unconfined_dbus_send(crond_t)
|
|
- ')
|
|
+ djbdns_search_tinydns_keys(crond_t)
|
|
+ djbdns_link_tinydns_keys(crond_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- amanda_search_var_lib(crond_t)
|
|
+ locallogin_search_keys(crond_t)
|
|
+ locallogin_link_keys(crond_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- amavis_search_lib(crond_t)
|
|
+ # these should probably be unconfined_crond_t
|
|
+ dbus_system_bus_client(crond_t)
|
|
+ init_dbus_send_script(crond_t)
|
|
+ init_dbus_chat(crond_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- djbdns_search_tinydns_keys(crond_t)
|
|
- djbdns_link_tinydns_keys(crond_t)
|
|
+ amanda_search_var_lib(crond_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- hal_write_log(crond_t)
|
|
+ antivirus_search_db(crond_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- locallogin_search_keys(crond_t)
|
|
- locallogin_link_keys(crond_t)
|
|
+ hal_dbus_chat(crond_t)
|
|
+ hal_write_log(crond_t)
|
|
+ hal_dbus_chat(system_cronjob_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- mta_send_mail(crond_t)
|
|
+ # cjp: why?
|
|
+ munin_search_lib(crond_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- munin_search_lib(crond_t)
|
|
+ rpc_search_nfs_state_data(crond_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- postgresql_search_db(crond_t)
|
|
+ # Commonly used from postinst scripts
|
|
+ rpm_read_pipes(crond_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- rpc_search_nfs_state_data(crond_t)
|
|
+ # allow crond to find /usr/lib/postgresql/bin/do.maintenance
|
|
+ postgresql_search_db(crond_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- rpm_read_pipes(crond_t)
|
|
+ systemd_use_fds_logind(crond_t)
|
|
+ systemd_write_inherited_logind_sessions_pipes(crond_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- seutil_sigchld_newrole(crond_t)
|
|
+ udev_read_db(crond_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- udev_read_db(crond_t)
|
|
+ vnstatd_search_lib(crond_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# System local policy
|
|
+# System cron process domain
|
|
#
|
|
|
|
allow system_cronjob_t self:capability { dac_override dac_read_search chown setgid setuid fowner net_bind_service fsetid sys_nice };
|
|
+
|
|
allow system_cronjob_t self:process { signal_perms getsched setsched };
|
|
allow system_cronjob_t self:fd use;
|
|
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
|
|
allow system_cronjob_t self:passwd rootok;
|
|
|
|
-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
|
+# This is to handle creation of files in /var/log directory.
|
|
+# Used currently by rpm script log files
|
|
+allow system_cronjob_t cron_log_t:file manage_file_perms;
|
|
logging_log_filetrans(system_cronjob_t, cron_log_t, file)
|
|
|
|
+# This is to handle /var/lib/misc directory. Used currently
|
|
+# by prelink var/lib files for cron
|
|
allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
|
|
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
|
|
|
|
allow system_cronjob_t cron_var_run_t:file manage_file_perms;
|
|
files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
|
|
|
|
+allow system_cronjob_t system_cron_spool_t:file read_file_perms;
|
|
+
|
|
+# anacron forces the following
|
|
manage_files_pattern(system_cronjob_t, system_cron_spool_t, system_cron_spool_t)
|
|
|
|
+# The entrypoint interface is not used as this is not
|
|
+# a regular entrypoint. Since crontab files are
|
|
+# not directly executed, crond must ensure that
|
|
+# the crontab file has a type that is appropriate
|
|
+# for the domain of the user cron job. It
|
|
+# performs an entrypoint permission check
|
|
+# for this purpose.
|
|
+allow system_cronjob_t system_cron_spool_t:file entrypoint;
|
|
+
|
|
+# Permit a transition from the crond_t domain to this domain.
|
|
+# The transition is requested explicitly by the modified crond
|
|
+# via setexeccon. There is no way to set up an automatic
|
|
+# transition, since crontabs are configuration files, not executables.
|
|
+allow crond_t system_cronjob_t:process transition;
|
|
+dontaudit crond_t system_cronjob_t:process { noatsecure siginh rlimitinh };
|
|
+allow crond_t system_cronjob_t:fd use;
|
|
+allow system_cronjob_t crond_t:fd use;
|
|
+allow system_cronjob_t crond_t:fifo_file rw_file_perms;
|
|
+allow system_cronjob_t crond_t:process sigchld;
|
|
+allow crond_t system_cronjob_t:key manage_key_perms;
|
|
+
|
|
+# Write /var/lock/makewhatis.lock.
|
|
allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
|
|
files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, file)
|
|
|
|
+# write temporary files
|
|
+manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
|
|
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
|
|
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
|
|
-filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
|
|
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
|
|
+filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file })
|
|
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { dir file })
|
|
|
|
+# var/lib files for system_crond
|
|
+files_search_var_lib(system_cronjob_t)
|
|
manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
|
|
|
|
-allow system_cronjob_t crond_t:fd use;
|
|
-allow system_cronjob_t crond_t:fifo_file rw_fifo_file_perms;
|
|
-allow system_cronjob_t crond_t:process sigchld;
|
|
-
|
|
+# Read from /var/spool/cron.
|
|
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
|
|
allow system_cronjob_t cron_spool_t:file rw_file_perms;
|
|
|
|
@@ -461,11 +441,11 @@ kernel_read_network_state(system_cronjob_t)
|
|
kernel_read_system_state(system_cronjob_t)
|
|
kernel_read_software_raid_state(system_cronjob_t)
|
|
|
|
+# ps does not need to access /boot when run from cron
|
|
files_dontaudit_search_boot(system_cronjob_t)
|
|
|
|
corecmd_exec_all_executables(system_cronjob_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(system_cronjob_t)
|
|
corenet_all_recvfrom_netlabel(system_cronjob_t)
|
|
corenet_tcp_sendrecv_generic_if(system_cronjob_t)
|
|
corenet_udp_sendrecv_generic_if(system_cronjob_t)
|
|
@@ -485,6 +465,7 @@ fs_getattr_all_symlinks(system_cronjob_t)
|
|
fs_getattr_all_pipes(system_cronjob_t)
|
|
fs_getattr_all_sockets(system_cronjob_t)
|
|
|
|
+# quiet other ps operations
|
|
domain_dontaudit_read_all_domains_state(system_cronjob_t)
|
|
|
|
files_exec_etc_files(system_cronjob_t)
|
|
@@ -495,17 +476,22 @@ files_getattr_all_files(system_cronjob_t)
|
|
files_getattr_all_symlinks(system_cronjob_t)
|
|
files_getattr_all_pipes(system_cronjob_t)
|
|
files_getattr_all_sockets(system_cronjob_t)
|
|
-files_read_usr_files(system_cronjob_t)
|
|
files_read_var_files(system_cronjob_t)
|
|
+# for nscd:
|
|
files_dontaudit_search_pids(system_cronjob_t)
|
|
+# Access other spool directories like
|
|
+# /var/spool/anacron and /var/spool/slrnpull.
|
|
files_manage_generic_spool(system_cronjob_t)
|
|
files_create_boot_flag(system_cronjob_t)
|
|
|
|
mls_file_read_to_clearance(system_cronjob_t)
|
|
|
|
init_domtrans_script(system_cronjob_t)
|
|
-init_read_utmp(system_cronjob_t)
|
|
init_use_script_fds(system_cronjob_t)
|
|
+init_read_utmp(system_cronjob_t)
|
|
+init_dontaudit_rw_utmp(system_cronjob_t)
|
|
+# prelink tells init to restart it self, we either need to allow or dontaudit
|
|
+init_telinit(system_cronjob_t)
|
|
|
|
auth_use_nsswitch(system_cronjob_t)
|
|
|
|
@@ -516,20 +502,26 @@ logging_read_generic_logs(system_cronjob_t)
|
|
logging_send_audit_msgs(system_cronjob_t)
|
|
logging_send_syslog_msg(system_cronjob_t)
|
|
|
|
-miscfiles_read_localization(system_cronjob_t)
|
|
-
|
|
seutil_read_config(system_cronjob_t)
|
|
|
|
+userdom_manage_tmpfs_files(system_cronjob_t, file)
|
|
+userdom_tmpfs_filetrans(system_cronjob_t, file)
|
|
+
|
|
ifdef(`distro_redhat',`
|
|
+ # Run the rpm program in the rpm_t domain. Allow creation of RPM log files
|
|
+ allow crond_t system_cron_spool_t:file manage_file_perms;
|
|
+
|
|
+ # via redirection of standard out.
|
|
optional_policy(`
|
|
rpm_manage_log(system_cronjob_t)
|
|
')
|
|
')
|
|
|
|
+selinux_get_fs_mount(system_cronjob_t)
|
|
+
|
|
tunable_policy(`cron_can_relabel',`
|
|
seutil_domtrans_setfiles(system_cronjob_t)
|
|
',`
|
|
- selinux_get_fs_mount(system_cronjob_t)
|
|
selinux_validate_context(system_cronjob_t)
|
|
selinux_compute_access_vector(system_cronjob_t)
|
|
selinux_compute_create_context(system_cronjob_t)
|
|
@@ -539,10 +531,17 @@ tunable_policy(`cron_can_relabel',`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ # Needed for certwatch
|
|
apache_exec_modules(system_cronjob_t)
|
|
apache_read_config(system_cronjob_t)
|
|
apache_read_log(system_cronjob_t)
|
|
apache_read_sys_content(system_cronjob_t)
|
|
+ apache_delete_cache_dirs(system_cronjob_t)
|
|
+ apache_delete_cache_files(system_cronjob_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ bind_read_config(system_cronjob_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -551,10 +550,6 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(system_cronjob_t)
|
|
-
|
|
- optional_policy(`
|
|
- networkmanager_dbus_chat(system_cronjob_t)
|
|
- ')
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -591,6 +586,7 @@ optional_policy(`
|
|
optional_policy(`
|
|
mta_read_config(system_cronjob_t)
|
|
mta_send_mail(system_cronjob_t)
|
|
+ mta_system_content(system_cron_spool_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -598,7 +594,19 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ networkmanager_dbus_chat(system_cronjob_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
postfix_read_config(system_cronjob_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ prelink_delete_cache(system_cronjob_t)
|
|
+ prelink_manage_lib(system_cronjob_t)
|
|
+ prelink_manage_log(system_cronjob_t)
|
|
+ prelink_read_cache(system_cronjob_t)
|
|
+ prelink_relabel_lib(system_cronjob_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -608,6 +616,7 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
spamassassin_manage_lib_files(system_cronjob_t)
|
|
+ spamassassin_manage_home_client(system_cronjob_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -615,12 +624,24 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
|
|
+ systemd_dbus_chat_logind(system_cronjob_t)
|
|
+ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_domain(crond_t)
|
|
+ unconfined_domain(system_cronjob_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_shell_domtrans(crond_t)
|
|
+ unconfined_dbus_send(crond_t)
|
|
+ userdom_filetrans_home_content(crond_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Cronjob local policy
|
|
+# User cronjobs local policy
|
|
#
|
|
|
|
allow cronjob_t self:process { signal_perms setsched };
|
|
@@ -628,12 +649,32 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
|
|
allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow cronjob_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
+# The entrypoint interface is not used as this is not
|
|
+# a regular entrypoint. Since crontab files are
|
|
+# not directly executed, crond must ensure that
|
|
+# the crontab file has a type that is appropriate
|
|
+# for the domain of the user cron job. It
|
|
+# performs an entrypoint permission check
|
|
+# for this purpose.
|
|
+allow cronjob_t user_cron_spool_t:file entrypoint;
|
|
+
|
|
+# Permit a transition from the crond_t domain to this domain.
|
|
+# The transition is requested explicitly by the modified crond
|
|
+# via setexeccon. There is no way to set up an automatic
|
|
+# transition, since crontabs are configuration files, not executables.
|
|
+allow crond_t cronjob_t:process transition;
|
|
+dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
|
|
+allow crond_t cronjob_t:fd use;
|
|
+allow cronjob_t crond_t:fd use;
|
|
+allow cronjob_t crond_t:fifo_file rw_file_perms;
|
|
+allow cronjob_t crond_t:process sigchld;
|
|
+
|
|
kernel_read_system_state(cronjob_t)
|
|
kernel_read_kernel_sysctls(cronjob_t)
|
|
|
|
+# ps does not need to access /boot when run from cron
|
|
files_dontaudit_search_boot(cronjob_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(cronjob_t)
|
|
corenet_all_recvfrom_netlabel(cronjob_t)
|
|
corenet_tcp_sendrecv_generic_if(cronjob_t)
|
|
corenet_udp_sendrecv_generic_if(cronjob_t)
|
|
@@ -641,66 +682,138 @@ corenet_tcp_sendrecv_generic_node(cronjob_t)
|
|
corenet_udp_sendrecv_generic_node(cronjob_t)
|
|
corenet_tcp_sendrecv_all_ports(cronjob_t)
|
|
corenet_udp_sendrecv_all_ports(cronjob_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(cronjob_t)
|
|
corenet_tcp_connect_all_ports(cronjob_t)
|
|
-
|
|
-corecmd_exec_all_executables(cronjob_t)
|
|
+corenet_sendrecv_all_client_packets(cronjob_t)
|
|
|
|
dev_read_urand(cronjob_t)
|
|
|
|
fs_getattr_all_fs(cronjob_t)
|
|
|
|
+corecmd_exec_all_executables(cronjob_t)
|
|
+
|
|
+# quiet other ps operations
|
|
domain_dontaudit_read_all_domains_state(cronjob_t)
|
|
domain_dontaudit_getattr_all_domains(cronjob_t)
|
|
|
|
files_exec_etc_files(cronjob_t)
|
|
-files_read_etc_runtime_files(cronjob_t)
|
|
-files_read_var_files(cronjob_t)
|
|
-files_read_usr_files(cronjob_t)
|
|
-files_search_spool(cronjob_t)
|
|
+# for nscd:
|
|
files_dontaudit_search_pids(cronjob_t)
|
|
|
|
libs_exec_lib_files(cronjob_t)
|
|
libs_exec_ld_so(cronjob_t)
|
|
|
|
+files_read_etc_runtime_files(cronjob_t)
|
|
+files_read_var_files(cronjob_t)
|
|
+files_search_spool(cronjob_t)
|
|
+
|
|
logging_search_logs(cronjob_t)
|
|
|
|
seutil_read_config(cronjob_t)
|
|
|
|
-miscfiles_read_localization(cronjob_t)
|
|
|
|
userdom_manage_user_tmp_files(cronjob_t)
|
|
userdom_manage_user_tmp_symlinks(cronjob_t)
|
|
userdom_manage_user_tmp_pipes(cronjob_t)
|
|
userdom_manage_user_tmp_sockets(cronjob_t)
|
|
+# Run scripts in user home directory and access shared libs.
|
|
userdom_exec_user_home_content_files(cronjob_t)
|
|
+# Access user files and dirs.
|
|
userdom_manage_user_home_content_files(cronjob_t)
|
|
userdom_manage_user_home_content_symlinks(cronjob_t)
|
|
userdom_manage_user_home_content_pipes(cronjob_t)
|
|
userdom_manage_user_home_content_sockets(cronjob_t)
|
|
|
|
-tunable_policy(`cron_userdomain_transition',`
|
|
- dontaudit cronjob_t crond_t:fd use;
|
|
- dontaudit cronjob_t crond_t:fifo_file rw_fifo_file_perms;
|
|
- dontaudit cronjob_t crond_t:process sigchld;
|
|
-
|
|
- dontaudit cronjob_t user_cron_spool_t:file entrypoint;
|
|
-',`
|
|
- allow cronjob_t crond_t:fd use;
|
|
- allow cronjob_t crond_t:fifo_file rw_fifo_file_perms;
|
|
- allow cronjob_t crond_t:process sigchld;
|
|
+list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
|
+rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
|
+read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
|
+read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
|
|
+allow crond_t user_cron_spool_t:file manage_lnk_file_perms;
|
|
|
|
- allow cronjob_t user_cron_spool_t:file entrypoint;
|
|
+tunable_policy(`fcron_crond',`
|
|
+ allow crond_t user_cron_spool_t:file manage_file_perms;
|
|
')
|
|
|
|
+# need a per-role version of this:
|
|
+#optional_policy(`
|
|
+# mono_domtrans(cronjob_t)
|
|
+#')
|
|
+
|
|
optional_policy(`
|
|
nis_use_ypbind(cronjob_t)
|
|
')
|
|
|
|
+##############################
|
|
+#
|
|
+# crontab common policy
|
|
+#
|
|
+
|
|
+# dac_override is to create the file in the directory under /tmp
|
|
+allow crontab_domain self:capability { fowner setuid setgid chown dac_override };
|
|
+allow crontab_domain self:process { getcap setsched signal_perms };
|
|
+allow crontab_domain self:fifo_file rw_fifo_file_perms;
|
|
+
|
|
+allow crontab_domain crond_t:process signal;
|
|
+allow crontab_domain crond_var_run_t:file read_file_perms;
|
|
+
|
|
+# create files in /var/spool/cron
|
|
+manage_files_pattern(crontab_domain, { cron_spool_t user_cron_spool_t }, user_cron_spool_t)
|
|
+filetrans_pattern(crontab_domain, cron_spool_t, user_cron_spool_t, file)
|
|
+files_list_spool(crontab_domain)
|
|
+
|
|
+# crontab signals crond by updating the mtime on the spooldir
|
|
+allow crontab_domain cron_spool_t:dir setattr_dir_perms;
|
|
+
|
|
+# for the checks used by crontab -u
|
|
+selinux_dontaudit_search_fs(crontab_domain)
|
|
+
|
|
+fs_getattr_xattr_fs(crontab_domain)
|
|
+fs_manage_cgroup_dirs(crontab_domain)
|
|
+fs_manage_cgroup_files(crontab_domain)
|
|
+
|
|
+domain_use_interactive_fds(crontab_domain)
|
|
+
|
|
+files_dontaudit_search_pids(crontab_domain)
|
|
+
|
|
+fs_dontaudit_rw_anon_inodefs_files(crontab_domain)
|
|
+
|
|
+auth_rw_var_auth(crontab_domain)
|
|
+
|
|
+logging_send_audit_msgs(crontab_domain)
|
|
+logging_set_loginuid(crontab_domain)
|
|
+
|
|
+init_dontaudit_write_utmp(crontab_domain)
|
|
+init_read_utmp(crontab_domain)
|
|
+init_read_state(crontab_domain)
|
|
+
|
|
+
|
|
+seutil_read_config(crontab_domain)
|
|
+
|
|
+userdom_manage_user_tmp_dirs(crontab_domain)
|
|
+userdom_manage_user_tmp_files(crontab_domain)
|
|
+# Access terminals.
|
|
+userdom_use_inherited_user_terminals(crontab_domain)
|
|
+# Read user crontabs
|
|
+userdom_read_user_home_content_files(crontab_domain)
|
|
+userdom_read_user_home_content_symlinks(crontab_domain)
|
|
+
|
|
+tunable_policy(`fcron_crond',`
|
|
+ # fcron wants an instant update of a crontab change for the administrator
|
|
+ # also crontab does a security check for crontab -u
|
|
+ dontaudit crontab_domain crond_t:process signal;
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ssh_dontaudit_use_ptys(crontab_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ openshift_dontaudit_rw_inherited_fifo_files(crontab_domain)
|
|
+ openshift_transition(system_cronjob_t)
|
|
+')
|
|
+
|
|
########################################
|
|
#
|
|
-# Unconfined local policy
|
|
+# Unconfined cronjobs local policy
|
|
#
|
|
|
|
type unconfined_cronjob_t;
|
|
diff --git a/ctdb.fc b/ctdb.fc
|
|
index 8401fe6..507804b 100644
|
|
--- a/ctdb.fc
|
|
+++ b/ctdb.fc
|
|
@@ -2,6 +2,8 @@
|
|
|
|
/usr/sbin/ctdbd -- gen_context(system_u:object_r:ctdbd_exec_t,s0)
|
|
|
|
+/var/ctdb(/.*)? gen_context(system_u:object_r:ctdbd_var_t,s0)
|
|
+
|
|
/var/lib/ctdbd(/.*)? gen_context(system_u:object_r:ctdbd_var_lib_t,s0)
|
|
|
|
/var/log/ctdb\.log.* -- gen_context(system_u:object_r:ctdbd_log_t,s0)
|
|
diff --git a/ctdb.if b/ctdb.if
|
|
index b25b01d..e99c5c6 100644
|
|
--- a/ctdb.if
|
|
+++ b/ctdb.if
|
|
@@ -1,9 +1,144 @@
|
|
-## <summary>Clustered Database based on Samba Trivial Database.</summary>
|
|
+
|
|
+## <summary>policy for ctdbd</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to ctdbd.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ctdbd_domtrans',`
|
|
+ gen_require(`
|
|
+ type ctdbd_t, ctdbd_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, ctdbd_exec_t, ctdbd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute ctdbd server in the ctdbd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ctdbd_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type ctdbd_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read ctdbd's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`ctdbd_read_log',`
|
|
+ gen_require(`
|
|
+ type ctdbd_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Append to ctdbd log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ctdbd_append_log',`
|
|
+ gen_require(`
|
|
+ type ctdbd_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
|
|
+')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## ctdbd lib files.
|
|
+## Manage ctdbd log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ctdbd_manage_log',`
|
|
+ gen_require(`
|
|
+ type ctdbd_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ manage_dirs_pattern($1, ctdbd_log_t, ctdbd_log_t)
|
|
+ manage_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
|
|
+ manage_lnk_files_pattern($1, ctdbd_log_t, ctdbd_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search ctdbd lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ctdbd_search_lib',`
|
|
+ gen_require(`
|
|
+ type ctdbd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 ctdbd_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read ctdbd lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ctdbd_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type ctdbd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage ctdbd lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -17,13 +152,12 @@ interface(`ctdbd_manage_lib_files',`
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
- manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
|
|
+ manage_files_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
|
|
')
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## Connect to ctdbd with a unix
|
|
-## domain stream socket.
|
|
+## Manage ctdbd lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -31,19 +165,77 @@ interface(`ctdbd_manage_lib_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`ctdbd_stream_connect',`
|
|
+interface(`ctdbd_manage_var_files',`
|
|
gen_require(`
|
|
- type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
|
|
+ type ctdbd_var_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, ctdbd_var_t, ctdbd_var_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage ctdbd lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ctdbd_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type ctdbd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, ctdbd_var_lib_t, ctdbd_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read ctdbd PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ctdbd_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type ctdbd_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
- stream_connect_pattern($1, { ctdbd_tmp_t ctdbd_var_run_t }, { ctdbd_tmp_t ctdbd_var_run_t }, ctdbd_t)
|
|
+ allow $1 ctdbd_var_run_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Connect to ctdbd over a unix stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ctdbd_stream_connect',`
|
|
+ gen_require(`
|
|
+ type ctdbd_t, ctdbd_var_run_t, ctdbd_tmp_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, ctdbd_var_run_t, ctdbd_var_run_t, ctdbd_t)
|
|
+ stream_connect_pattern($1, ctdbd_tmp_t, ctdbd_tmp_t, ctdbd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an ctdb environment.
|
|
+## All of the rules required to administrate
|
|
+## an ctdbd environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -57,16 +249,19 @@ interface(`ctdbd_stream_connect',`
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
-interface(`ctdb_admin',`
|
|
+interface(`ctdbd_admin',`
|
|
gen_require(`
|
|
- type ctdbd_t, ctdbd_initrc_exec_t, ctdbd_tmp_t;
|
|
+ type ctdbd_t, ctdbd_initrc_exec_t;
|
|
type ctdbd_log_t, ctdbd_var_lib_t, ctdbd_var_run_t;
|
|
')
|
|
|
|
- allow $1 ctdbd_t:process { ptrace signal_perms };
|
|
+ allow $1 ctdbd_t:process signal_perms;
|
|
ps_process_pattern($1, ctdbd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ctdbd_t:process ptrace;
|
|
+ ')
|
|
|
|
- init_labeled_script_domtrans($1, ctdbd_initrc_exec_t)
|
|
+ ctdbd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 ctdbd_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
@@ -74,12 +269,10 @@ interface(`ctdb_admin',`
|
|
logging_search_logs($1)
|
|
admin_pattern($1, ctdbd_log_t)
|
|
|
|
- files_search_tmp($1)
|
|
- admin_pattern($1, ctdbd_tmp_t)
|
|
-
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, ctdbd_var_lib_t)
|
|
|
|
files_search_pids($1)
|
|
admin_pattern($1, ctdbd_var_run_t)
|
|
')
|
|
+
|
|
diff --git a/ctdb.te b/ctdb.te
|
|
index 001b502..fa6a022 100644
|
|
--- a/ctdb.te
|
|
+++ b/ctdb.te
|
|
@@ -24,6 +24,9 @@ files_tmp_file(ctdbd_tmp_t)
|
|
type ctdbd_var_lib_t;
|
|
files_type(ctdbd_var_lib_t)
|
|
|
|
+type ctdbd_var_t;
|
|
+files_type(ctdbd_var_t)
|
|
+
|
|
type ctdbd_var_run_t;
|
|
files_pid_file(ctdbd_var_run_t)
|
|
|
|
@@ -33,12 +36,14 @@ files_pid_file(ctdbd_var_run_t)
|
|
#
|
|
|
|
allow ctdbd_t self:capability { chown ipc_lock net_admin net_raw sys_nice };
|
|
+allow ctdbd_t self:capability2 block_suspend;
|
|
allow ctdbd_t self:process { setpgid signal_perms setsched };
|
|
allow ctdbd_t self:fifo_file rw_fifo_file_perms;
|
|
allow ctdbd_t self:unix_stream_socket { accept connectto listen };
|
|
allow ctdbd_t self:netlink_route_socket r_netlink_socket_perms;
|
|
allow ctdbd_t self:packet_socket create_socket_perms;
|
|
allow ctdbd_t self:tcp_socket create_stream_socket_perms;
|
|
+allow ctdbd_t self:udp_socket create_socket_perms;
|
|
|
|
append_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
|
|
create_files_pattern(ctdbd_t, ctdbd_log_t, ctdbd_log_t)
|
|
@@ -59,6 +64,11 @@ manage_dirs_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
|
|
manage_files_pattern(ctdbd_t, ctdbd_var_lib_t, ctdbd_var_lib_t)
|
|
files_var_lib_filetrans(ctdbd_t, ctdbd_var_lib_t, dir)
|
|
|
|
+manage_dirs_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
|
|
+manage_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
|
|
+manage_lnk_files_pattern(ctdbd_t, ctdbd_var_t, ctdbd_var_t)
|
|
+files_var_filetrans(ctdbd_t, ctdbd_var_t, dir, "ctdb")
|
|
+
|
|
manage_dirs_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
|
|
manage_files_pattern(ctdbd_t, ctdbd_var_run_t, ctdbd_var_run_t)
|
|
files_pid_filetrans(ctdbd_t, ctdbd_var_run_t, dir)
|
|
@@ -72,9 +82,11 @@ corenet_all_recvfrom_netlabel(ctdbd_t)
|
|
corenet_tcp_sendrecv_generic_if(ctdbd_t)
|
|
corenet_tcp_sendrecv_generic_node(ctdbd_t)
|
|
corenet_tcp_bind_generic_node(ctdbd_t)
|
|
+corenet_udp_bind_generic_node(ctdbd_t)
|
|
|
|
corenet_sendrecv_ctdb_server_packets(ctdbd_t)
|
|
corenet_tcp_bind_ctdb_port(ctdbd_t)
|
|
+corenet_udp_bind_ctdb_port(ctdbd_t)
|
|
corenet_tcp_sendrecv_ctdb_port(ctdbd_t)
|
|
|
|
corecmd_exec_bin(ctdbd_t)
|
|
@@ -85,12 +97,12 @@ dev_read_urand(ctdbd_t)
|
|
|
|
domain_dontaudit_read_all_domains_state(ctdbd_t)
|
|
|
|
-files_read_etc_files(ctdbd_t)
|
|
files_search_all_mountpoints(ctdbd_t)
|
|
|
|
+auth_read_passwd(ctdbd_t)
|
|
+
|
|
logging_send_syslog_msg(ctdbd_t)
|
|
|
|
-miscfiles_read_localization(ctdbd_t)
|
|
miscfiles_read_public_files(ctdbd_t)
|
|
|
|
optional_policy(`
|
|
@@ -109,6 +121,7 @@ optional_policy(`
|
|
samba_initrc_domtrans(ctdbd_t)
|
|
samba_domtrans_net(ctdbd_t)
|
|
samba_rw_var_files(ctdbd_t)
|
|
+ samba_systemctl(ctdbd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
diff --git a/cups.fc b/cups.fc
|
|
index 949011e..afe482b 100644
|
|
--- a/cups.fc
|
|
+++ b/cups.fc
|
|
@@ -1,77 +1,87 @@
|
|
-/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
|
|
-/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
|
|
-/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
-/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
-/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
-/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+/etc/alchemist/namespace/printconf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+
|
|
+/etc/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
|
|
+/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+/etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
-/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
-/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
-/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
/etc/rc\.d/init\.d/cups -- gen_context(system_u:object_r:cupsd_initrc_exec_t,s0)
|
|
|
|
/etc/cups/interfaces(/.*)? gen_context(system_u:object_r:cupsd_interface_t,s0)
|
|
|
|
-/etc/hp(/.*)? gen_context(system_u:object_r:hplip_etc_t,s0)
|
|
-
|
|
-/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+/etc/hp(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
|
|
|
|
-/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
|
+/etc/printcap.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
|
|
-/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
-/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+/usr/lib/systemd/system/cups.* -- gen_context(system_u:object_r:cupsd_unit_file_t,s0)
|
|
|
|
-/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
|
-/usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
|
|
+/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
|
|
|
-/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
|
|
-/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
-/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+/opt/gutenprint/ppds(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
|
|
-/usr/lib/cups-pk-helper/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
|
-/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
|
|
-/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
|
|
-/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:hplip_exec_t,s0)
|
|
-/usr/lib/udev/udev-configure-printer -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
|
+/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
|
+/usr/bin/hpijs -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
|
|
|
-/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
|
-/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
|
+/usr/lib/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
|
|
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
|
|
+/usr/lib/cups/backend/hp.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
|
|
|
-/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+/usr/libexec/cups-pk-helper-mechanism -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
|
+/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
|
|
|
-/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:hplip_exec_t,s0)
|
|
-/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
|
-/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
|
-/usr/sbin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
|
|
-/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
|
+/usr/sbin/hp-[^/]+ -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
|
+/usr/sbin/cupsd -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
|
+/usr/sbin/cups-browsed -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
|
+/usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
|
+/usr/sbin/hpiod -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
|
+/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
|
|
/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
|
|
/usr/sbin/ptal-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
|
|
/usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
|
|
|
|
-/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
|
|
-/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
-/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:hplip_exec_t,s0)
|
|
+/usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
|
|
+/usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+/usr/share/hplip/.*\.py -- gen_context(system_u:object_r:cupsd_exec_t,s0)
|
|
|
|
-/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
-/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
-/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
|
|
+/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+/var/cache/cups(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
|
|
|
|
/var/lib/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+/usr/lib/bjlib(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
|
|
+
|
|
+/var/lib/hp(/.*)? gen_context(system_u:object_r:cupsd_var_lib_t,s0)
|
|
+/var/lib/iscan(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
|
|
-/var/lib/hp(/.*)? gen_context(system_u:object_r:hplip_var_lib_t,s0)
|
|
+/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
|
|
+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
|
|
|
|
-/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
|
|
-/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
|
|
+/var/log/hp(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
|
|
|
|
-/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
|
-/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
|
-/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
|
-/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
|
|
-/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
|
|
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
|
+/var/ekpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
|
+/var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,mls_systemhigh)
|
|
+/var/run/hplip(/.*) gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
|
+/var/run/hp.*\.pid -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
|
+/var/run/hp.*\.port -- gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
|
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
|
|
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
|
|
-/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
|
|
-/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
|
+/var/run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_var_run_t,s0)
|
|
+/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
|
|
+
|
|
+/usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
|
|
+/usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+/etc/opt/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+/usr/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+
|
|
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+
|
|
+/etc/opt/brother/Printers/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
+/opt/brother/Printers(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
|
|
diff --git a/cups.if b/cups.if
|
|
index 3023be7..20e370b 100644
|
|
--- a/cups.if
|
|
+++ b/cups.if
|
|
@@ -200,10 +200,13 @@ interface(`cups_dbus_chat_config',`
|
|
interface(`cups_read_config',`
|
|
gen_require(`
|
|
type cupsd_etc_t, cupsd_rw_etc_t;
|
|
+ type hplip_etc_t;
|
|
')
|
|
|
|
files_search_etc($1)
|
|
- read_files_pattern($1, cupsd_etc_t, { cupsd_etc_t cupsd_rw_etc_t })
|
|
+ read_files_pattern($1, cupsd_etc_t, cupsd_etc_t)
|
|
+ read_files_pattern($1, hplip_etc_t, hplip_etc_t)
|
|
+ read_files_pattern($1, cupsd_etc_t, cupsd_rw_etc_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -306,6 +309,29 @@ interface(`cups_stream_connect_ptal',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Execute cupsd server in the cupsd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`cupsd_systemctl',`
|
|
+ gen_require(`
|
|
+ type cupsd_t;
|
|
+ type cupsd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 cupsd_unit_file_t:file read_file_perms;
|
|
+ allow $1 cupsd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, cupsd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Read the process state (/proc/pid) of cupsd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -344,18 +370,23 @@ interface(`cups_read_state',`
|
|
interface(`cups_admin',`
|
|
gen_require(`
|
|
type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
|
|
- type cupsd_etc_t, cupsd_log_t, cupsd_spool_t;
|
|
+ type cupsd_etc_t, cupsd_log_t;
|
|
type cupsd_config_var_run_t, cupsd_lpd_var_run_t;
|
|
type cupsd_var_run_t, ptal_etc_t, cupsd_rw_etc_t;
|
|
type ptal_var_run_t, hplip_var_run_t, cupsd_initrc_exec_t;
|
|
type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
|
|
- type hplip_t, ptal_t;
|
|
+ type ptal_t;
|
|
+ type cupsd_unit_file_t;
|
|
')
|
|
|
|
- allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms };
|
|
- allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
|
|
+ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { signal_perms };
|
|
+ allow $1 { cups_pdf_t ptal_t }:process { signal_perms };
|
|
ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
|
|
- ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
|
|
+ ps_process_pattern($1, { cups_pdf_t ptal_t })
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, cupsd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
@@ -368,13 +399,44 @@ interface(`cups_admin',`
|
|
logging_list_logs($1)
|
|
admin_pattern($1, cupsd_log_t)
|
|
|
|
- files_list_spool($1)
|
|
- admin_pattern($1, cupsd_spool_t)
|
|
-
|
|
files_list_tmp($1)
|
|
admin_pattern($1, { cupsd_tmp_t cupsd_lpd_tmp_t })
|
|
-
|
|
- files_list_pids($1)
|
|
admin_pattern($1, { cupsd_config_var_run_t cupsd_var_run_t hplip_var_run_t })
|
|
admin_pattern($1, { ptal_var_run_t cupsd_lpd_var_run_t })
|
|
+
|
|
+ cupsd_systemctl($1)
|
|
+ admin_pattern($1, cupsd_unit_file_t)
|
|
+ allow $1 cupsd_unit_file_t:service all_service_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to cups named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`cups_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type cupsd_rw_etc_t;
|
|
+ type cupsd_etc_t;
|
|
+ ')
|
|
+
|
|
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "classes.conf")
|
|
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf")
|
|
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "printers.conf.O")
|
|
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf")
|
|
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "cupsd.conf.default")
|
|
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "lpoptions")
|
|
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf")
|
|
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.O")
|
|
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "subscriptions.conf.N")
|
|
+ filetrans_pattern($1, cupsd_etc_t, cupsd_rw_etc_t, file, "ppds.dat")
|
|
+ files_etc_filetrans($1, cupsd_rw_etc_t, file, "ppds.dat")
|
|
+ files_etc_filetrans($1, cupsd_rw_etc_t, dir, "inf")
|
|
+ files_usr_filetrans($1, cupsd_rw_etc_t, dir, "inf")
|
|
+ corecmd_bin_filetrans($1, cupsd_rw_etc_t, dir, "inf")
|
|
')
|
|
diff --git a/cups.te b/cups.te
|
|
index c91813c..f31fa44 100644
|
|
--- a/cups.te
|
|
+++ b/cups.te
|
|
@@ -5,19 +5,24 @@ policy_module(cups, 1.16.2)
|
|
# Declarations
|
|
#
|
|
|
|
-type cupsd_config_t;
|
|
+attribute cups_domain;
|
|
+
|
|
+type cupsd_config_t, cups_domain;
|
|
type cupsd_config_exec_t;
|
|
init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
|
|
|
|
type cupsd_config_var_run_t;
|
|
files_pid_file(cupsd_config_var_run_t)
|
|
|
|
-type cupsd_t;
|
|
+type cupsd_t, cups_domain;
|
|
type cupsd_exec_t;
|
|
+typealias cupsd_t alias hplip_t;
|
|
+typealias cupsd_exec_t alias hplip_exec_t;
|
|
init_daemon_domain(cupsd_t, cupsd_exec_t)
|
|
mls_trusted_object(cupsd_t)
|
|
|
|
type cupsd_etc_t;
|
|
+typealias cupsd_etc_t alias hplip_etc_t;
|
|
files_config_file(cupsd_etc_t)
|
|
|
|
type cupsd_initrc_exec_t;
|
|
@@ -33,13 +38,15 @@ type cupsd_lock_t;
|
|
files_lock_file(cupsd_lock_t)
|
|
|
|
type cupsd_log_t;
|
|
+typealias cupsd_log_t alias hplip_var_log_t;
|
|
logging_log_file(cupsd_log_t)
|
|
|
|
-type cupsd_lpd_t;
|
|
+type cupsd_var_lib_t alias hplip_var_lib_t;
|
|
+files_type(cupsd_var_lib_t)
|
|
+
|
|
+type cupsd_lpd_t, cups_domain;
|
|
type cupsd_lpd_exec_t;
|
|
-domain_type(cupsd_lpd_t)
|
|
-domain_entry_file(cupsd_lpd_t, cupsd_lpd_exec_t)
|
|
-role system_r types cupsd_lpd_t;
|
|
+init_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
|
|
|
|
type cupsd_lpd_tmp_t;
|
|
files_tmp_file(cupsd_lpd_tmp_t)
|
|
@@ -47,7 +54,7 @@ files_tmp_file(cupsd_lpd_tmp_t)
|
|
type cupsd_lpd_var_run_t;
|
|
files_pid_file(cupsd_lpd_var_run_t)
|
|
|
|
-type cups_pdf_t;
|
|
+type cups_pdf_t, cups_domain;
|
|
type cups_pdf_exec_t;
|
|
cups_backend(cups_pdf_t, cups_pdf_exec_t)
|
|
|
|
@@ -55,29 +62,17 @@ type cups_pdf_tmp_t;
|
|
files_tmp_file(cups_pdf_tmp_t)
|
|
|
|
type cupsd_tmp_t;
|
|
+typealias cupsd_tmp_t alias hplip_tmp_t;
|
|
files_tmp_file(cupsd_tmp_t)
|
|
|
|
type cupsd_var_run_t;
|
|
+typealias cupsd_var_run_t alias hplip_var_run_t;
|
|
files_pid_file(cupsd_var_run_t)
|
|
init_daemon_run_dir(cupsd_var_run_t, "cups")
|
|
mls_trusted_object(cupsd_var_run_t)
|
|
|
|
-type hplip_t;
|
|
-type hplip_exec_t;
|
|
-init_daemon_domain(hplip_t, hplip_exec_t)
|
|
-cups_backend(hplip_t, hplip_exec_t)
|
|
-
|
|
-type hplip_etc_t;
|
|
-files_config_file(hplip_etc_t)
|
|
-
|
|
-type hplip_tmp_t;
|
|
-files_tmp_file(hplip_tmp_t)
|
|
-
|
|
-type hplip_var_lib_t;
|
|
-files_type(hplip_var_lib_t)
|
|
-
|
|
-type hplip_var_run_t;
|
|
-files_pid_file(hplip_var_run_t)
|
|
+type cupsd_unit_file_t;
|
|
+systemd_unit_file(cupsd_unit_file_t)
|
|
|
|
type ptal_t;
|
|
type ptal_exec_t;
|
|
@@ -97,21 +92,49 @@ ifdef(`enable_mls',`
|
|
init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
|
|
')
|
|
|
|
+#######################################
|
|
+#
|
|
+# Cups general local policy
|
|
+#
|
|
+
|
|
+allow cups_domain self:capability { setuid setgid sys_nice };
|
|
+allow cups_domain self:process { getsched setsched signal_perms };
|
|
+allow cups_domain self:fifo_file rw_fifo_file_perms;
|
|
+allow cups_domain self:tcp_socket { accept listen };
|
|
+allow cups_domain self:netlink_kobject_uevent_socket create_socket_perms;
|
|
+
|
|
+kernel_read_kernel_sysctls(cups_domain)
|
|
+kernel_read_network_state(cups_domain)
|
|
+
|
|
+corecmd_exec_bin(cups_domain)
|
|
+corecmd_exec_shell(cups_domain)
|
|
+
|
|
+dev_read_urand(cups_domain)
|
|
+dev_read_rand(cups_domain)
|
|
+dev_read_sysfs(cups_domain)
|
|
+
|
|
+fs_getattr_all_fs(cups_domain)
|
|
+
|
|
+miscfiles_read_fonts(cups_domain)
|
|
+miscfiles_setattr_fonts_cache_dirs(cups_domain)
|
|
+
|
|
+optional_policy(`
|
|
+ lpd_manage_spool(cups_domain)
|
|
+')
|
|
+
|
|
########################################
|
|
#
|
|
# Cups local policy
|
|
#
|
|
|
|
-allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill setgid setuid fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
|
|
+allow cupsd_t self:capability { ipc_lock sys_admin dac_override dac_read_search kill fsetid fowner chown dac_override sys_rawio sys_resource sys_tty_config };
|
|
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
|
|
allow cupsd_t self:capability2 block_suspend;
|
|
-allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
|
|
-allow cupsd_t self:fifo_file rw_fifo_file_perms;
|
|
+allow cupsd_t self:process { getpgid setpgid setsched };
|
|
allow cupsd_t self:unix_stream_socket { accept connectto listen };
|
|
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
|
|
allow cupsd_t self:shm create_shm_perms;
|
|
allow cupsd_t self:sem create_sem_perms;
|
|
-allow cupsd_t self:tcp_socket { accept listen };
|
|
allow cupsd_t self:appletalk_socket create_socket_perms;
|
|
|
|
allow cupsd_t cupsd_etc_t:dir setattr_dir_perms;
|
|
@@ -120,11 +143,13 @@ read_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
|
|
read_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_etc_t)
|
|
|
|
manage_files_pattern(cupsd_t, cupsd_interface_t, cupsd_interface_t)
|
|
+can_exec(cupsd_t, cupsd_interface_t)
|
|
|
|
manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
|
|
manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
|
|
filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
|
|
files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
|
|
+cups_filetrans_named_content(cupsd_t)
|
|
|
|
allow cupsd_t cupsd_exec_t:dir search_dir_perms;
|
|
allow cupsd_t cupsd_exec_t:lnk_file read_lnk_file_perms;
|
|
@@ -136,22 +161,23 @@ manage_dirs_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
|
|
manage_files_pattern(cupsd_t, cupsd_log_t, cupsd_log_t)
|
|
logging_log_filetrans(cupsd_t, cupsd_log_t, { file dir })
|
|
|
|
+manage_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
|
|
+manage_lnk_files_pattern(cupsd_t, cupsd_var_lib_t, cupsd_var_lib_t)
|
|
+
|
|
manage_dirs_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
|
|
manage_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
|
|
manage_fifo_files_pattern(cupsd_t, cupsd_tmp_t, cupsd_tmp_t)
|
|
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { dir fifo_file file })
|
|
|
|
+allow cupsd_t cupsd_var_run_t:dir setattr_dir_perms;
|
|
manage_dirs_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
|
|
manage_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
|
|
manage_sock_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
|
|
manage_fifo_files_pattern(cupsd_t, cupsd_var_run_t, cupsd_var_run_t)
|
|
files_pid_filetrans(cupsd_t, cupsd_var_run_t, { dir fifo_file file })
|
|
|
|
-allow cupsd_t hplip_t:process { signal sigkill };
|
|
-
|
|
-read_files_pattern(cupsd_t, hplip_etc_t, hplip_etc_t)
|
|
+allow cupsd_t cupsd_unit_file_t:file read_file_perms;
|
|
|
|
-allow cupsd_t hplip_var_run_t:file read_file_perms;
|
|
|
|
stream_connect_pattern(cupsd_t, ptal_var_run_t, ptal_var_run_t, ptal_t)
|
|
allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
|
|
@@ -159,11 +185,9 @@ allow cupsd_t ptal_var_run_t:sock_file setattr_sock_file_perms;
|
|
can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
|
|
|
|
kernel_read_system_state(cupsd_t)
|
|
-kernel_read_network_state(cupsd_t)
|
|
kernel_read_all_sysctls(cupsd_t)
|
|
kernel_request_load_module(cupsd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(cupsd_t)
|
|
corenet_all_recvfrom_netlabel(cupsd_t)
|
|
corenet_tcp_sendrecv_generic_if(cupsd_t)
|
|
corenet_udp_sendrecv_generic_if(cupsd_t)
|
|
@@ -186,12 +210,20 @@ corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
|
|
corenet_tcp_bind_all_rpc_ports(cupsd_t)
|
|
corenet_tcp_connect_all_ports(cupsd_t)
|
|
|
|
-corecmd_exec_bin(cupsd_t)
|
|
-corecmd_exec_shell(cupsd_t)
|
|
+corenet_sendrecv_hplip_client_packets(cupsd_t)
|
|
+corenet_receive_hplip_server_packets(cupsd_t)
|
|
+corenet_tcp_bind_hplip_port(cupsd_t)
|
|
+corenet_tcp_connect_hplip_port(cupsd_t)
|
|
+corenet_tcp_bind_glance_port(cupsd_t)
|
|
+corenet_tcp_connect_glance_port(cupsd_t)
|
|
+
|
|
+corenet_sendrecv_ipp_client_packets(cupsd_t)
|
|
+corenet_tcp_connect_ipp_port(cupsd_t)
|
|
+
|
|
+corenet_sendrecv_howl_server_packets(cupsd_t)
|
|
+corenet_udp_bind_howl_port(cupsd_t)
|
|
|
|
dev_rw_printer(cupsd_t)
|
|
-dev_read_urand(cupsd_t)
|
|
-dev_read_sysfs(cupsd_t)
|
|
dev_rw_input_dev(cupsd_t)
|
|
dev_rw_generic_usb_dev(cupsd_t)
|
|
dev_rw_usbfs(cupsd_t)
|
|
@@ -203,7 +235,6 @@ domain_use_interactive_fds(cupsd_t)
|
|
files_getattr_boot_dirs(cupsd_t)
|
|
files_list_spool(cupsd_t)
|
|
files_read_etc_runtime_files(cupsd_t)
|
|
-files_read_usr_files(cupsd_t)
|
|
files_exec_usr_files(cupsd_t)
|
|
# for /var/lib/defoma
|
|
files_read_var_lib_files(cupsd_t)
|
|
@@ -212,16 +243,17 @@ files_read_world_readable_files(cupsd_t)
|
|
files_read_world_readable_symlinks(cupsd_t)
|
|
files_read_var_files(cupsd_t)
|
|
files_read_var_symlinks(cupsd_t)
|
|
-files_write_generic_pid_pipes(cupsd_t)
|
|
files_dontaudit_getattr_all_tmp_files(cupsd_t)
|
|
files_dontaudit_list_home(cupsd_t)
|
|
# for /etc/printcap
|
|
files_dontaudit_write_etc_files(cupsd_t)
|
|
+files_dontaudit_write_usr_dirs(cupsd_t)
|
|
|
|
-fs_getattr_all_fs(cupsd_t)
|
|
fs_search_auto_mountpoints(cupsd_t)
|
|
fs_search_fusefs(cupsd_t)
|
|
fs_read_anon_inodefs_files(cupsd_t)
|
|
+fs_rw_anon_inodefs_files(cupsd_t)
|
|
+fs_rw_inherited_tmpfs_files(cupsd_t)
|
|
|
|
mls_fd_use_all_levels(cupsd_t)
|
|
mls_file_downgrade(cupsd_t)
|
|
@@ -232,6 +264,8 @@ mls_socket_write_all_levels(cupsd_t)
|
|
|
|
term_search_ptys(cupsd_t)
|
|
term_use_unallocated_ttys(cupsd_t)
|
|
+term_use_ptmx(cupsd_t)
|
|
+term_use_usb_ttys(cupsd_t)
|
|
|
|
selinux_compute_access_vector(cupsd_t)
|
|
selinux_validate_context(cupsd_t)
|
|
@@ -244,21 +278,20 @@ auth_dontaudit_read_pam_pid(cupsd_t)
|
|
auth_rw_faillog(cupsd_t)
|
|
auth_use_nsswitch(cupsd_t)
|
|
|
|
-libs_read_lib_files(cupsd_t)
|
|
libs_exec_lib_files(cupsd_t)
|
|
|
|
logging_send_audit_msgs(cupsd_t)
|
|
logging_send_syslog_msg(cupsd_t)
|
|
|
|
-miscfiles_read_localization(cupsd_t)
|
|
-miscfiles_read_fonts(cupsd_t)
|
|
-miscfiles_setattr_fonts_cache_dirs(cupsd_t)
|
|
-
|
|
seutil_read_config(cupsd_t)
|
|
|
|
sysnet_exec_ifconfig(cupsd_t)
|
|
+sysnet_dns_name_resolve(cupsd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
|
|
+userdom_dontaudit_search_user_home_dirs(cupsd_t)
|
|
+userdom_dontaudit_search_user_home_content(cupsd_t)
|
|
+userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
|
|
userdom_dontaudit_search_user_home_content(cupsd_t)
|
|
|
|
optional_policy(`
|
|
@@ -272,6 +305,8 @@ optional_policy(`
|
|
optional_policy(`
|
|
dbus_system_bus_client(cupsd_t)
|
|
|
|
+ init_dbus_chat(cupsd_t)
|
|
+
|
|
userdom_dbus_send_all_users(cupsd_t)
|
|
|
|
optional_policy(`
|
|
@@ -282,8 +317,10 @@ optional_policy(`
|
|
hal_dbus_chat(cupsd_t)
|
|
')
|
|
|
|
+ # talk to processes that do not have policy
|
|
optional_policy(`
|
|
unconfined_dbus_chat(cupsd_t)
|
|
+ files_write_generic_pid_pipes(cupsd_t)
|
|
')
|
|
')
|
|
|
|
@@ -296,8 +333,8 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ kerberos_tmp_filetrans_host_rcache(cupsd_t, "host_0")
|
|
kerberos_manage_host_rcache(cupsd_t)
|
|
- kerberos_tmp_filetrans_host_rcache(cupsd_t, file, "host_0")
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -306,7 +343,6 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
lpd_exec_lpr(cupsd_t)
|
|
- lpd_manage_spool(cupsd_t)
|
|
lpd_read_config(cupsd_t)
|
|
lpd_relabel_spool(cupsd_t)
|
|
')
|
|
@@ -334,7 +370,11 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- virt_rw_all_image_chr_files(cupsd_t)
|
|
+ virt_rw_chr_files(cupsd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ vmware_read_system_config(cupsd_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -342,12 +382,11 @@ optional_policy(`
|
|
# Configuration daemon local policy
|
|
#
|
|
|
|
-allow cupsd_config_t self:capability { chown dac_override sys_tty_config setuid setgid };
|
|
+allow cupsd_config_t self:capability { chown dac_override sys_tty_config };
|
|
dontaudit cupsd_config_t self:capability sys_tty_config;
|
|
-allow cupsd_config_t self:process { getsched signal_perms };
|
|
-allow cupsd_config_t self:fifo_file rw_fifo_file_perms;
|
|
-allow cupsd_config_t self:tcp_socket { accept listen };
|
|
+allow cupsd_config_t self:process { getsched };
|
|
|
|
+domtrans_pattern(cupsd_config_t, cupsd_exec_t, cupsd_t)
|
|
allow cupsd_config_t cupsd_t:process signal;
|
|
ps_process_pattern(cupsd_config_t, cupsd_t)
|
|
|
|
@@ -372,18 +411,16 @@ manage_dirs_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run
|
|
manage_files_pattern(cupsd_config_t, cupsd_config_var_run_t, cupsd_config_var_run_t)
|
|
files_pid_filetrans(cupsd_config_t, cupsd_config_var_run_t, { dir file })
|
|
|
|
-read_files_pattern(cupsd_config_t, hplip_etc_t, hplip_etc_t)
|
|
+read_files_pattern(cupsd_config_t, cupsd_etc_t, cupsd_etc_t)
|
|
|
|
stream_connect_pattern(cupsd_config_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
|
|
|
|
can_exec(cupsd_config_t, cupsd_config_exec_t)
|
|
-
|
|
-domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t)
|
|
+can_exec(cupsd_config_t, cupsd_exec_t)
|
|
|
|
kernel_read_system_state(cupsd_config_t)
|
|
kernel_read_all_sysctls(cupsd_config_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(cupsd_config_t)
|
|
corenet_all_recvfrom_netlabel(cupsd_config_t)
|
|
corenet_tcp_sendrecv_generic_if(cupsd_config_t)
|
|
corenet_tcp_sendrecv_generic_node(cupsd_config_t)
|
|
@@ -392,20 +429,12 @@ corenet_tcp_sendrecv_all_ports(cupsd_config_t)
|
|
corenet_sendrecv_all_client_packets(cupsd_config_t)
|
|
corenet_tcp_connect_all_ports(cupsd_config_t)
|
|
|
|
-corecmd_exec_bin(cupsd_config_t)
|
|
-corecmd_exec_shell(cupsd_config_t)
|
|
-
|
|
-dev_read_sysfs(cupsd_config_t)
|
|
-dev_read_urand(cupsd_config_t)
|
|
-dev_read_rand(cupsd_config_t)
|
|
dev_rw_generic_usb_dev(cupsd_config_t)
|
|
|
|
files_read_etc_runtime_files(cupsd_config_t)
|
|
-files_read_usr_files(cupsd_config_t)
|
|
files_read_var_symlinks(cupsd_config_t)
|
|
files_search_all_mountpoints(cupsd_config_t)
|
|
|
|
-fs_getattr_all_fs(cupsd_config_t)
|
|
fs_search_auto_mountpoints(cupsd_config_t)
|
|
|
|
domain_use_interactive_fds(cupsd_config_t)
|
|
@@ -417,11 +446,6 @@ auth_use_nsswitch(cupsd_config_t)
|
|
|
|
logging_send_syslog_msg(cupsd_config_t)
|
|
|
|
-miscfiles_read_localization(cupsd_config_t)
|
|
-miscfiles_read_hwdata(cupsd_config_t)
|
|
-
|
|
-seutil_dontaudit_search_config(cupsd_config_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t)
|
|
userdom_dontaudit_search_user_home_dirs(cupsd_config_t)
|
|
userdom_read_all_users_state(cupsd_config_t)
|
|
@@ -449,9 +473,12 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ gnome_dontaudit_search_config(cupsd_config_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
hal_domtrans(cupsd_config_t)
|
|
hal_read_tmp_files(cupsd_config_t)
|
|
- hal_dontaudit_use_fds(hplip_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -487,10 +514,6 @@ optional_policy(`
|
|
# Lpd local policy
|
|
#
|
|
|
|
-allow cupsd_lpd_t self:capability { setuid setgid };
|
|
-allow cupsd_lpd_t self:process signal_perms;
|
|
-allow cupsd_lpd_t self:fifo_file rw_fifo_file_perms;
|
|
-allow cupsd_lpd_t self:tcp_socket { accept listen };
|
|
allow cupsd_lpd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
|
|
|
allow cupsd_lpd_t { cupsd_etc_t cupsd_rw_etc_t }:dir list_dir_perms;
|
|
@@ -508,15 +531,15 @@ stream_connect_pattern(cupsd_lpd_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
|
|
|
|
kernel_read_kernel_sysctls(cupsd_lpd_t)
|
|
kernel_read_system_state(cupsd_lpd_t)
|
|
-kernel_read_network_state(cupsd_lpd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
|
|
corenet_all_recvfrom_netlabel(cupsd_lpd_t)
|
|
corenet_tcp_sendrecv_generic_if(cupsd_lpd_t)
|
|
corenet_tcp_sendrecv_generic_node(cupsd_lpd_t)
|
|
|
|
corenet_sendrecv_ipp_client_packets(cupsd_lpd_t)
|
|
corenet_tcp_connect_ipp_port(cupsd_lpd_t)
|
|
+corenet_tcp_bind_printer_port(cupsd_lpd_t)
|
|
+corenet_tcp_connect_printer_port(cupsd_lpd_t)
|
|
corenet_tcp_sendrecv_ipp_port(cupsd_lpd_t)
|
|
|
|
corenet_sendrecv_printer_server_packets(cupsd_lpd_t)
|
|
@@ -537,9 +560,6 @@ auth_use_nsswitch(cupsd_lpd_t)
|
|
|
|
logging_send_syslog_msg(cupsd_lpd_t)
|
|
|
|
-miscfiles_read_localization(cupsd_lpd_t)
|
|
-miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
|
|
-
|
|
optional_policy(`
|
|
inetd_service_domain(cupsd_lpd_t, cupsd_lpd_exec_t)
|
|
')
|
|
@@ -550,7 +570,6 @@ optional_policy(`
|
|
#
|
|
|
|
allow cups_pdf_t self:capability { chown fowner fsetid setuid setgid dac_override };
|
|
-allow cups_pdf_t self:fifo_file rw_fifo_file_perms;
|
|
allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
append_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
|
|
@@ -566,148 +585,23 @@ fs_search_auto_mountpoints(cups_pdf_t)
|
|
|
|
kernel_read_system_state(cups_pdf_t)
|
|
|
|
-files_read_usr_files(cups_pdf_t)
|
|
-
|
|
-corecmd_exec_bin(cups_pdf_t)
|
|
-corecmd_exec_shell(cups_pdf_t)
|
|
-
|
|
auth_use_nsswitch(cups_pdf_t)
|
|
|
|
-miscfiles_read_localization(cups_pdf_t)
|
|
-miscfiles_read_fonts(cups_pdf_t)
|
|
-miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
|
|
-
|
|
userdom_manage_user_home_content_dirs(cups_pdf_t)
|
|
userdom_manage_user_home_content_files(cups_pdf_t)
|
|
-userdom_home_filetrans_user_home_dir(cups_pdf_t)
|
|
+userdom_filetrans_home_content(cups_pdf_t)
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
fs_manage_nfs_dirs(cups_pdf_t)
|
|
fs_manage_nfs_files(cups_pdf_t)
|
|
')
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(cups_pdf_t)
|
|
- fs_manage_cifs_files(cups_pdf_t)
|
|
-')
|
|
+userdom_home_manager(cups_pdf_t)
|
|
|
|
optional_policy(`
|
|
- lpd_manage_spool(cups_pdf_t)
|
|
+ gnome_read_config(cups_pdf_t)
|
|
')
|
|
|
|
-########################################
|
|
-#
|
|
-# HPLIP local policy
|
|
-#
|
|
-
|
|
-allow hplip_t self:capability { dac_override dac_read_search net_raw };
|
|
-dontaudit hplip_t self:capability sys_tty_config;
|
|
-allow hplip_t self:fifo_file rw_fifo_file_perms;
|
|
-allow hplip_t self:process signal_perms;
|
|
-allow hplip_t self:tcp_socket { accept listen };
|
|
-allow hplip_t self:rawip_socket create_socket_perms;
|
|
-
|
|
-allow hplip_t cupsd_etc_t:dir search_dir_perms;
|
|
-
|
|
-manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
|
|
-manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
|
|
-files_tmp_filetrans(hplip_t, cupsd_tmp_t, { dir file })
|
|
-
|
|
-allow hplip_t hplip_etc_t:dir list_dir_perms;
|
|
-allow hplip_t hplip_etc_t:file read_file_perms;
|
|
-allow hplip_t hplip_etc_t:lnk_file read_lnk_file_perms;
|
|
-
|
|
-manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
|
|
-manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
|
|
-
|
|
-manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t)
|
|
-files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file)
|
|
-
|
|
-manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
|
|
-files_pid_filetrans(hplip_t, hplip_var_run_t, file)
|
|
-
|
|
-stream_connect_pattern(hplip_t, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)
|
|
-
|
|
-kernel_read_system_state(hplip_t)
|
|
-kernel_read_kernel_sysctls(hplip_t)
|
|
-
|
|
-corenet_all_recvfrom_unlabeled(hplip_t)
|
|
-corenet_all_recvfrom_netlabel(hplip_t)
|
|
-corenet_tcp_sendrecv_generic_if(hplip_t)
|
|
-corenet_udp_sendrecv_generic_if(hplip_t)
|
|
-corenet_raw_sendrecv_generic_if(hplip_t)
|
|
-corenet_tcp_sendrecv_generic_node(hplip_t)
|
|
-corenet_udp_sendrecv_generic_node(hplip_t)
|
|
-corenet_raw_sendrecv_generic_node(hplip_t)
|
|
-corenet_tcp_sendrecv_all_ports(hplip_t)
|
|
-corenet_udp_sendrecv_all_ports(hplip_t)
|
|
-corenet_tcp_bind_generic_node(hplip_t)
|
|
-corenet_udp_bind_generic_node(hplip_t)
|
|
-
|
|
-corenet_sendrecv_hplip_client_packets(hplip_t)
|
|
-corenet_receive_hplip_server_packets(hplip_t)
|
|
-corenet_tcp_bind_hplip_port(hplip_t)
|
|
-corenet_tcp_connect_hplip_port(hplip_t)
|
|
-
|
|
-corenet_sendrecv_ipp_client_packets(hplip_t)
|
|
-corenet_tcp_connect_ipp_port(hplip_t)
|
|
-
|
|
-corenet_sendrecv_howl_server_packets(hplip_t)
|
|
-corenet_udp_bind_howl_port(hplip_t)
|
|
-
|
|
-corecmd_exec_bin(hplip_t)
|
|
-
|
|
-dev_read_sysfs(hplip_t)
|
|
-dev_rw_printer(hplip_t)
|
|
-dev_read_urand(hplip_t)
|
|
-dev_read_rand(hplip_t)
|
|
-dev_rw_generic_usb_dev(hplip_t)
|
|
-dev_rw_usbfs(hplip_t)
|
|
-
|
|
-domain_use_interactive_fds(hplip_t)
|
|
-
|
|
-files_read_etc_files(hplip_t)
|
|
-files_read_etc_runtime_files(hplip_t)
|
|
-files_read_usr_files(hplip_t)
|
|
-
|
|
-fs_getattr_all_fs(hplip_t)
|
|
-fs_search_auto_mountpoints(hplip_t)
|
|
-fs_rw_anon_inodefs_files(hplip_t)
|
|
-
|
|
-logging_send_syslog_msg(hplip_t)
|
|
-
|
|
-miscfiles_read_localization(hplip_t)
|
|
-
|
|
-sysnet_dns_name_resolve(hplip_t)
|
|
-
|
|
-userdom_dontaudit_use_unpriv_user_fds(hplip_t)
|
|
-userdom_dontaudit_search_user_home_dirs(hplip_t)
|
|
-userdom_dontaudit_search_user_home_content(hplip_t)
|
|
-
|
|
-optional_policy(`
|
|
- dbus_system_bus_client(hplip_t)
|
|
-
|
|
- optional_policy(`
|
|
- userdom_dbus_send_all_users(hplip_t)
|
|
- ')
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- lpd_read_config(hplip_t)
|
|
- lpd_manage_spool(hplip_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- seutil_sigchld_newrole(hplip_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- snmp_read_snmp_var_lib_files(hplip_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- udev_read_db(hplip_t)
|
|
-')
|
|
|
|
########################################
|
|
#
|
|
@@ -735,7 +629,6 @@ kernel_read_kernel_sysctls(ptal_t)
|
|
kernel_list_proc(ptal_t)
|
|
kernel_read_proc_symlinks(ptal_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(ptal_t)
|
|
corenet_all_recvfrom_netlabel(ptal_t)
|
|
corenet_tcp_sendrecv_generic_if(ptal_t)
|
|
corenet_tcp_sendrecv_generic_node(ptal_t)
|
|
@@ -745,13 +638,11 @@ corenet_sendrecv_ptal_server_packets(ptal_t)
|
|
corenet_tcp_bind_ptal_port(ptal_t)
|
|
corenet_tcp_sendrecv_ptal_port(ptal_t)
|
|
|
|
-dev_read_sysfs(ptal_t)
|
|
dev_read_usbfs(ptal_t)
|
|
dev_rw_printer(ptal_t)
|
|
|
|
domain_use_interactive_fds(ptal_t)
|
|
|
|
-files_read_etc_files(ptal_t)
|
|
files_read_etc_runtime_files(ptal_t)
|
|
|
|
fs_getattr_all_fs(ptal_t)
|
|
@@ -759,8 +650,6 @@ fs_search_auto_mountpoints(ptal_t)
|
|
|
|
logging_send_syslog_msg(ptal_t)
|
|
|
|
-miscfiles_read_localization(ptal_t)
|
|
-
|
|
sysnet_read_config(ptal_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(ptal_t)
|
|
@@ -773,3 +662,4 @@ optional_policy(`
|
|
optional_policy(`
|
|
udev_read_db(ptal_t)
|
|
')
|
|
+
|
|
diff --git a/cvs.if b/cvs.if
|
|
index 64775fd..bff3111 100644
|
|
--- a/cvs.if
|
|
+++ b/cvs.if
|
|
@@ -1,5 +1,23 @@
|
|
## <summary>Concurrent versions system.</summary>
|
|
|
|
+######################################
|
|
+## <summary>
|
|
+## Dontaudit Attempts to list the CVS data and metadata.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`cvs_dontaudit_list_data',`
|
|
+ gen_require(`
|
|
+ type cvs_data_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 cvs_data_t:dir list_dir_perms;
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## Read CVS data and metadata content.
|
|
@@ -62,9 +80,14 @@ interface(`cvs_admin',`
|
|
type cvs_data_t, cvs_var_run_t, cvs_keytab_t;
|
|
')
|
|
|
|
- allow $1 cvs_t:process { ptrace signal_perms };
|
|
+ allow $1 cvs_t:process signal_perms;
|
|
ps_process_pattern($1, cvs_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 cvs_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ # Allow cvs_t to restart the apache service
|
|
init_labeled_script_domtrans($1, cvs_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 cvs_initrc_exec_t system_r;
|
|
diff --git a/cvs.te b/cvs.te
|
|
index 0f77550..f98a932 100644
|
|
--- a/cvs.te
|
|
+++ b/cvs.te
|
|
@@ -11,7 +11,7 @@ policy_module(cvs, 1.10.2)
|
|
## password files.
|
|
## </p>
|
|
## </desc>
|
|
-gen_tunable(allow_cvs_read_shadow, false)
|
|
+gen_tunable(cvs_read_shadow, false)
|
|
|
|
type cvs_t;
|
|
type cvs_exec_t;
|
|
@@ -74,6 +74,15 @@ corenet_tcp_sendrecv_cvs_port(cvs_t)
|
|
corecmd_exec_bin(cvs_t)
|
|
corecmd_exec_shell(cvs_t)
|
|
|
|
+corenet_all_recvfrom_netlabel(cvs_t)
|
|
+corenet_tcp_sendrecv_generic_if(cvs_t)
|
|
+corenet_udp_sendrecv_generic_if(cvs_t)
|
|
+corenet_tcp_sendrecv_generic_node(cvs_t)
|
|
+corenet_udp_sendrecv_generic_node(cvs_t)
|
|
+corenet_tcp_sendrecv_all_ports(cvs_t)
|
|
+corenet_udp_sendrecv_all_ports(cvs_t)
|
|
+corenet_tcp_bind_cvs_port(cvs_t)
|
|
+
|
|
dev_read_urand(cvs_t)
|
|
|
|
files_read_etc_runtime_files(cvs_t)
|
|
@@ -86,18 +95,18 @@ auth_use_nsswitch(cvs_t)
|
|
|
|
init_read_utmp(cvs_t)
|
|
|
|
+init_dontaudit_read_utmp(cvs_t)
|
|
+
|
|
logging_send_syslog_msg(cvs_t)
|
|
logging_send_audit_msgs(cvs_t)
|
|
|
|
-miscfiles_read_localization(cvs_t)
|
|
-
|
|
mta_send_mail(cvs_t)
|
|
|
|
userdom_dontaudit_search_user_home_dirs(cvs_t)
|
|
|
|
# cjp: typeattribute doesnt work in conditionals yet
|
|
auth_can_read_shadow_passwords(cvs_t)
|
|
-tunable_policy(`allow_cvs_read_shadow',`
|
|
+tunable_policy(`cvs_read_shadow',`
|
|
allow cvs_t self:capability dac_override;
|
|
auth_tunable_read_shadow(cvs_t)
|
|
')
|
|
@@ -120,4 +129,5 @@ optional_policy(`
|
|
read_files_pattern(httpd_cvs_script_t, cvs_data_t, cvs_data_t)
|
|
manage_dirs_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
|
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
|
|
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
|
|
')
|
|
diff --git a/cyphesis.te b/cyphesis.te
|
|
index 77ffc73..86e11f5 100644
|
|
--- a/cyphesis.te
|
|
+++ b/cyphesis.te
|
|
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(cyphesis_t)
|
|
corecmd_search_bin(cyphesis_t)
|
|
corecmd_getattr_bin_files(cyphesis_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(cyphesis_t)
|
|
corenet_tcp_sendrecv_generic_if(cyphesis_t)
|
|
corenet_tcp_sendrecv_generic_node(cyphesis_t)
|
|
corenet_tcp_bind_generic_node(cyphesis_t)
|
|
@@ -61,13 +60,9 @@ dev_read_urand(cyphesis_t)
|
|
|
|
domain_use_interactive_fds(cyphesis_t)
|
|
|
|
-files_read_etc_files(cyphesis_t)
|
|
-files_read_usr_files(cyphesis_t)
|
|
|
|
logging_send_syslog_msg(cyphesis_t)
|
|
|
|
-miscfiles_read_localization(cyphesis_t)
|
|
-
|
|
sysnet_dns_name_resolve(cyphesis_t)
|
|
|
|
optional_policy(`
|
|
diff --git a/cyrus.if b/cyrus.if
|
|
index 83bfda6..92d9fb2 100644
|
|
--- a/cyrus.if
|
|
+++ b/cyrus.if
|
|
@@ -20,6 +20,25 @@ interface(`cyrus_manage_data',`
|
|
manage_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
|
|
')
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow write cyrus data files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`cyrus_write_data',`
|
|
+ gen_require(`
|
|
+ type cyrus_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ write_files_pattern($1, cyrus_var_lib_t, cyrus_var_lib_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## Connect to Cyrus using a unix
|
|
@@ -64,9 +83,13 @@ interface(`cyrus_admin',`
|
|
type cyrus_keytab_t;
|
|
')
|
|
|
|
- allow $1 cyrus_t:process { ptrace signal_perms };
|
|
+ allow $1 cyrus_t:process signal_perms;
|
|
ps_process_pattern($1, cyrus_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 cyrus_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, cyrus_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 cyrus_initrc_exec_t system_r;
|
|
diff --git a/cyrus.te b/cyrus.te
|
|
index 4283f2d..0632ef7 100644
|
|
--- a/cyrus.te
|
|
+++ b/cyrus.te
|
|
@@ -29,7 +29,7 @@ files_pid_file(cyrus_var_run_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow cyrus_t self:capability { dac_override setgid setuid sys_resource };
|
|
+allow cyrus_t self:capability { fsetid dac_override net_bind_service setgid setuid sys_resource };
|
|
dontaudit cyrus_t self:capability sys_tty_config;
|
|
allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow cyrus_t self:process setrlimit;
|
|
@@ -63,7 +63,6 @@ kernel_read_kernel_sysctls(cyrus_t)
|
|
kernel_read_system_state(cyrus_t)
|
|
kernel_read_all_sysctls(cyrus_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(cyrus_t)
|
|
corenet_all_recvfrom_netlabel(cyrus_t)
|
|
corenet_tcp_sendrecv_generic_if(cyrus_t)
|
|
corenet_tcp_sendrecv_generic_node(cyrus_t)
|
|
@@ -76,6 +75,9 @@ corenet_tcp_bind_mail_port(cyrus_t)
|
|
corenet_sendrecv_lmtp_server_packets(cyrus_t)
|
|
corenet_tcp_bind_lmtp_port(cyrus_t)
|
|
|
|
+corenet_sendrecv_innd_server_packets(cyrus_t)
|
|
+corenet_tcp_bind_innd_port(cyrus_t)
|
|
+
|
|
corenet_sendrecv_pop_server_packets(cyrus_t)
|
|
corenet_tcp_bind_pop_port(cyrus_t)
|
|
|
|
@@ -95,8 +97,6 @@ domain_use_interactive_fds(cyrus_t)
|
|
|
|
files_list_var_lib(cyrus_t)
|
|
files_read_etc_runtime_files(cyrus_t)
|
|
-files_read_usr_files(cyrus_t)
|
|
-files_dontaudit_write_usr_dirs(cyrus_t)
|
|
|
|
fs_getattr_all_fs(cyrus_t)
|
|
fs_search_auto_mountpoints(cyrus_t)
|
|
@@ -107,7 +107,6 @@ libs_exec_lib_files(cyrus_t)
|
|
|
|
logging_send_syslog_msg(cyrus_t)
|
|
|
|
-miscfiles_read_localization(cyrus_t)
|
|
miscfiles_read_generic_certs(cyrus_t)
|
|
|
|
userdom_use_unpriv_users_fds(cyrus_t)
|
|
@@ -121,6 +120,10 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ dirsrv_stream_connect(cyrus_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
kerberos_read_keytab(cyrus_t)
|
|
kerberos_use(cyrus_t)
|
|
')
|
|
@@ -134,8 +137,8 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- snmp_read_snmp_var_lib_files(cyrus_t)
|
|
- snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
|
|
+ files_dontaudit_write_usr_dirs(cyrus_t)
|
|
+ snmp_manage_var_lib_files(cyrus_t)
|
|
snmp_stream_connect(cyrus_t)
|
|
')
|
|
|
|
diff --git a/daemontools.if b/daemontools.if
|
|
index 3b3d9a0..6c8106a 100644
|
|
--- a/daemontools.if
|
|
+++ b/daemontools.if
|
|
@@ -218,3 +218,4 @@ interface(`daemontools_manage_svc',`
|
|
allow $1 svc_svc_t:file manage_file_perms;
|
|
allow $1 svc_svc_t:lnk_file manage_lnk_file_perms;
|
|
')
|
|
+
|
|
diff --git a/daemontools.te b/daemontools.te
|
|
index ee1b4aa..2fd746e 100644
|
|
--- a/daemontools.te
|
|
+++ b/daemontools.te
|
|
@@ -44,7 +44,10 @@ allow svc_multilog_t svc_start_t:process sigchld;
|
|
allow svc_multilog_t svc_start_t:fd use;
|
|
allow svc_multilog_t svc_start_t:fifo_file rw_fifo_file_perms;
|
|
|
|
+term_write_console(svc_multilog_t)
|
|
+
|
|
init_use_fds(svc_multilog_t)
|
|
+init_dontaudit_use_script_fds(svc_multilog_t)
|
|
|
|
logging_manage_generic_logs(svc_multilog_t)
|
|
|
|
@@ -77,7 +80,8 @@ dev_read_urand(svc_run_t)
|
|
corecmd_exec_bin(svc_run_t)
|
|
corecmd_exec_shell(svc_run_t)
|
|
|
|
-files_read_etc_files(svc_run_t)
|
|
+term_write_console(svc_run_t)
|
|
+
|
|
files_read_etc_runtime_files(svc_run_t)
|
|
files_search_pids(svc_run_t)
|
|
files_search_var_lib(svc_run_t)
|
|
@@ -109,6 +113,7 @@ allow svc_start_t svc_run_t:process { signal setrlimit };
|
|
|
|
can_exec(svc_start_t, svc_start_exec_t)
|
|
|
|
+mmap_files_pattern(svc_start_t, svc_svc_t, svc_svc_t)
|
|
domtrans_pattern(svc_start_t, svc_run_exec_t, svc_run_t)
|
|
|
|
kernel_read_kernel_sysctls(svc_start_t)
|
|
@@ -117,11 +122,13 @@ kernel_read_system_state(svc_start_t)
|
|
corecmd_exec_bin(svc_start_t)
|
|
corecmd_exec_shell(svc_start_t)
|
|
|
|
-files_read_etc_files(svc_start_t)
|
|
+corenet_tcp_bind_generic_node(svc_start_t)
|
|
+corenet_tcp_bind_generic_port(svc_start_t)
|
|
+
|
|
+term_write_console(svc_start_t)
|
|
+
|
|
files_read_etc_runtime_files(svc_start_t)
|
|
files_search_var(svc_start_t)
|
|
files_search_pids(svc_start_t)
|
|
|
|
logging_send_syslog_msg(svc_start_t)
|
|
-
|
|
-miscfiles_read_localization(svc_start_t)
|
|
diff --git a/dante.te b/dante.te
|
|
index 5a5e290..6321a1d 100644
|
|
--- a/dante.te
|
|
+++ b/dante.te
|
|
@@ -53,7 +53,6 @@ dev_read_sysfs(dante_t)
|
|
|
|
domain_use_interactive_fds(dante_t)
|
|
|
|
-files_read_etc_files(dante_t)
|
|
files_read_etc_runtime_files(dante_t)
|
|
|
|
fs_getattr_all_fs(dante_t)
|
|
diff --git a/dbadm.te b/dbadm.te
|
|
index b60c464..3a5246a 100644
|
|
--- a/dbadm.te
|
|
+++ b/dbadm.te
|
|
@@ -23,14 +23,14 @@ gen_tunable(dbadm_read_user_files, false)
|
|
|
|
role dbadm_r;
|
|
|
|
-userdom_base_user_template(dbadm)
|
|
+userdom_confined_admin_template(dbadm)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
-allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
|
|
+allow dbadm_t self:capability { dac_override dac_read_search };
|
|
|
|
files_dontaudit_search_all_dirs(dbadm_t)
|
|
files_delete_generic_locks(dbadm_t)
|
|
@@ -39,6 +39,7 @@ files_list_var(dbadm_t)
|
|
selinux_get_enforce_mode(dbadm_t)
|
|
|
|
logging_send_syslog_msg(dbadm_t)
|
|
+logging_send_audit_msgs(dbadm_t)
|
|
|
|
userdom_dontaudit_search_user_home_dirs(dbadm_t)
|
|
|
|
@@ -60,3 +61,7 @@ optional_policy(`
|
|
optional_policy(`
|
|
postgresql_admin(dbadm_t, dbadm_r)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ sudo_role_template(dbadm, dbadm_r, dbadm_t)
|
|
+')
|
|
diff --git a/dbskk.te b/dbskk.te
|
|
index f55c420..e9d64ab 100644
|
|
--- a/dbskk.te
|
|
+++ b/dbskk.te
|
|
@@ -36,7 +36,6 @@ kernel_read_kernel_sysctls(dbskkd_t)
|
|
kernel_read_system_state(dbskkd_t)
|
|
kernel_read_network_state(dbskkd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(dbskkd_t)
|
|
corenet_all_recvfrom_netlabel(dbskkd_t)
|
|
corenet_tcp_sendrecv_generic_if(dbskkd_t)
|
|
corenet_udp_sendrecv_generic_if(dbskkd_t)
|
|
@@ -49,10 +48,7 @@ dev_read_urand(dbskkd_t)
|
|
|
|
fs_getattr_xattr_fs(dbskkd_t)
|
|
|
|
-files_read_etc_files(dbskkd_t)
|
|
|
|
auth_use_nsswitch(dbskkd_t)
|
|
|
|
logging_send_syslog_msg(dbskkd_t)
|
|
-
|
|
-miscfiles_read_localization(dbskkd_t)
|
|
diff --git a/dbus.fc b/dbus.fc
|
|
index dda905b..31f269b 100644
|
|
--- a/dbus.fc
|
|
+++ b/dbus.fc
|
|
@@ -1,20 +1,26 @@
|
|
-HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:session_dbusd_home_t,s0)
|
|
+/etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
|
|
|
|
-/etc/dbus-.*(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
|
|
+/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
|
|
|
|
-/bin/dbus-daemon -- gen_context(system_u:object_r:dbusd_exec_t,s0)
|
|
+ifdef(`distro_redhat',`
|
|
+/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
|
|
+/usr/lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
|
|
+')
|
|
|
|
-/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
|
|
+/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
|
|
|
|
-/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0)
|
|
+ifdef(`distro_debian',`
|
|
+/usr/lib/dbus-1.0/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
|
|
+')
|
|
|
|
-/usr/lib/dbus-.*/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
|
|
+ifdef(`distro_gentoo',`
|
|
+/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
|
|
+')
|
|
|
|
-/usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
|
|
+/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
|
|
|
|
-/var/lib/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
|
|
-
|
|
-/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
|
-/var/run/messagebus\.pid -- gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
|
+/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
|
|
|
+ifdef(`distro_redhat',`
|
|
/var/named/chroot/var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
|
|
+')
|
|
diff --git a/dbus.if b/dbus.if
|
|
index 62d22cb..fefd4b4 100644
|
|
--- a/dbus.if
|
|
+++ b/dbus.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>Desktop messaging bus.</summary>
|
|
+## <summary>Desktop messaging bus</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -19,7 +19,7 @@ interface(`dbus_stub',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Role access for dbus.
|
|
+## Role access for dbus
|
|
## </summary>
|
|
## <param name="role_prefix">
|
|
## <summary>
|
|
@@ -41,59 +41,68 @@ interface(`dbus_stub',`
|
|
template(`dbus_role_template',`
|
|
gen_require(`
|
|
class dbus { send_msg acquire_svc };
|
|
- attribute session_bus_type;
|
|
- type system_dbusd_t, dbusd_exec_t;
|
|
- type session_dbusd_tmp_t, session_dbusd_home_t;
|
|
+ attribute dbusd_unconfined, session_bus_type;
|
|
+ type system_dbusd_t, session_dbusd_tmp_t, dbusd_exec_t, dbusd_etc_t;
|
|
+ type $1_t;
|
|
')
|
|
|
|
##############################
|
|
#
|
|
- # Declarations
|
|
+ # Delcarations
|
|
#
|
|
|
|
type $1_dbusd_t, session_bus_type;
|
|
- domain_type($1_dbusd_t)
|
|
- domain_entry_file($1_dbusd_t, dbusd_exec_t)
|
|
+ application_domain($1_dbusd_t, dbusd_exec_t)
|
|
ubac_constrained($1_dbusd_t)
|
|
-
|
|
role $2 types $1_dbusd_t;
|
|
|
|
+ kernel_read_system_state($1_dbusd_t)
|
|
+
|
|
+ selinux_get_fs_mount($1_dbusd_t)
|
|
+
|
|
+ userdom_home_manager($1_dbusd_t)
|
|
+
|
|
##############################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
+ # For connecting to the bus
|
|
allow $3 $1_dbusd_t:unix_stream_socket connectto;
|
|
- allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
|
|
- allow $3 $1_dbusd_t:fd use;
|
|
-
|
|
- allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
|
|
|
|
- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $3 { session_dbusd_home_t session_dbusd_tmp_t }:file { manage_file_perms relabel_file_perms };
|
|
- userdom_user_home_dir_filetrans($3, session_dbusd_home_t, dir, ".dbus")
|
|
+ # SE-DBus specific permissions
|
|
+ allow { dbusd_unconfined $3 } $1_dbusd_t:dbus { send_msg acquire_svc };
|
|
+ allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
|
|
|
|
domtrans_pattern($3, dbusd_exec_t, $1_dbusd_t)
|
|
|
|
ps_process_pattern($3, $1_dbusd_t)
|
|
- allow $3 $1_dbusd_t:process { ptrace signal_perms };
|
|
+ allow $3 $1_dbusd_t:process signal_perms;
|
|
|
|
- allow $1_dbusd_t $3:process sigkill;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $3 $1_dbusd_t:process ptrace;
|
|
+ ')
|
|
|
|
- corecmd_bin_domtrans($1_dbusd_t, $3)
|
|
- corecmd_shell_domtrans($1_dbusd_t, $3)
|
|
+ # cjp: this seems very broken
|
|
+ corecmd_bin_domtrans($1_dbusd_t, $1_t)
|
|
+ corecmd_shell_domtrans($1_dbusd_t, $1_t)
|
|
+ allow $1_dbusd_t $3:process sigkill;
|
|
+ allow $3 $1_dbusd_t:fd use;
|
|
+ allow $3 $1_dbusd_t:fifo_file rw_fifo_file_perms;
|
|
|
|
auth_use_nsswitch($1_dbusd_t)
|
|
|
|
- ifdef(`hide_broken_symptoms',`
|
|
- dontaudit $3 $1_dbusd_t:netlink_selinux_socket { read write };
|
|
+ logging_send_syslog_msg($1_dbusd_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ mozilla_domtrans_spec($1_dbusd_t, $1_t)
|
|
')
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Template for creating connections to
|
|
-## the system bus.
|
|
+## the system DBUS.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -103,65 +112,29 @@ template(`dbus_role_template',`
|
|
#
|
|
interface(`dbus_system_bus_client',`
|
|
gen_require(`
|
|
- attribute dbusd_system_bus_client;
|
|
- type system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_lib_t;
|
|
+ type system_dbusd_t, system_dbusd_t;
|
|
+ type system_dbusd_var_run_t, system_dbusd_var_lib_t;
|
|
class dbus send_msg;
|
|
+ attribute dbusd_unconfined;
|
|
')
|
|
|
|
- typeattribute $1 dbusd_system_bus_client;
|
|
-
|
|
+ # SE-DBus specific permissions
|
|
allow $1 { system_dbusd_t self }:dbus send_msg;
|
|
- allow system_dbusd_t $1:dbus send_msg;
|
|
+ allow { system_dbusd_t dbusd_unconfined } $1:dbus send_msg;
|
|
|
|
- files_search_var_lib($1)
|
|
read_files_pattern($1, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
|
+ files_search_var_lib($1)
|
|
|
|
+ # For connecting to the bus
|
|
files_search_pids($1)
|
|
stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
|
|
-
|
|
dbus_read_config($1)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Acquire service on DBUS
|
|
-## session bus.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`dbus_connect_session_bus',`
|
|
- refpolicywarn(`$0($*) has been deprecated, use dbus_connect_all_session_bus() instead.')
|
|
- dbus_connect_all_session_bus($1)
|
|
-')
|
|
-
|
|
-#######################################
|
|
-## <summary>
|
|
-## Acquire service on all DBUS
|
|
-## session busses.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`dbus_connect_all_session_bus',`
|
|
- gen_require(`
|
|
- attribute session_bus_type;
|
|
- class dbus acquire_svc;
|
|
- ')
|
|
-
|
|
- allow $1 session_bus_type:dbus acquire_svc;
|
|
-')
|
|
-
|
|
-#######################################
|
|
-## <summary>
|
|
-## Acquire service on specified
|
|
-## DBUS session bus.
|
|
+## Creating connections to specified
|
|
+## DBUS sessions.
|
|
## </summary>
|
|
## <param name="role_prefix">
|
|
## <summary>
|
|
@@ -175,19 +148,21 @@ interface(`dbus_connect_all_session_bus',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`dbus_connect_spec_session_bus',`
|
|
+interface(`dbus_session_client',`
|
|
gen_require(`
|
|
+ class dbus send_msg;
|
|
type $1_dbusd_t;
|
|
- class dbus acquire_svc;
|
|
')
|
|
|
|
- allow $2 $1_dbusd_t:dbus acquire_svc;
|
|
+ allow $2 $1_dbusd_t:fd use;
|
|
+ allow $2 { $1_dbusd_t self }:dbus send_msg;
|
|
+ allow $2 $1_dbusd_t:unix_stream_socket connectto;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Creating connections to DBUS
|
|
-## session bus.
|
|
+## Template for creating connections to
|
|
+## a user DBUS.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -196,72 +171,23 @@ interface(`dbus_connect_spec_session_bus',`
|
|
## </param>
|
|
#
|
|
interface(`dbus_session_bus_client',`
|
|
- refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_bus_client() instead.')
|
|
- dbus_all_session_bus_client($1)
|
|
-')
|
|
-
|
|
-#######################################
|
|
-## <summary>
|
|
-## Creating connections to all
|
|
-## DBUS session busses.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`dbus_all_session_bus_client',`
|
|
gen_require(`
|
|
- attribute session_bus_type, dbusd_session_bus_client;
|
|
+ attribute session_bus_type;
|
|
class dbus send_msg;
|
|
')
|
|
|
|
- typeattribute $1 dbusd_session_bus_client;
|
|
-
|
|
+ # SE-DBus specific permissions
|
|
allow $1 { session_bus_type self }:dbus send_msg;
|
|
- allow session_bus_type $1:dbus send_msg;
|
|
-
|
|
- allow $1 session_bus_type:unix_stream_socket connectto;
|
|
- allow $1 session_bus_type:fd use;
|
|
-')
|
|
|
|
-#######################################
|
|
-## <summary>
|
|
-## Creating connections to specified
|
|
-## DBUS session bus.
|
|
-## </summary>
|
|
-## <param name="role_prefix">
|
|
-## <summary>
|
|
-## The prefix of the user role (e.g., user
|
|
-## is the prefix for user_r).
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`dbus_spec_session_bus_client',`
|
|
- gen_require(`
|
|
- attribute dbusd_session_bus_client;
|
|
- type $1_dbusd_t;
|
|
- class dbus send_msg;
|
|
- ')
|
|
-
|
|
- typeattribute $2 dbusd_session_bus_client;
|
|
-
|
|
- allow $2 { $1_dbusd_t self }:dbus send_msg;
|
|
- allow $1_dbusd_t $2:dbus send_msg;
|
|
+ # For connecting to the bus
|
|
+ allow $1 session_bus_type:unix_stream_socket connectto;
|
|
|
|
- allow $2 $1_dbusd_t:unix_stream_socket connectto;
|
|
- allow $2 $1_dbusd_t:fd use;
|
|
+ allow session_bus_type $1:process sigkill;
|
|
')
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## Send messages to DBUS session bus.
|
|
+## Send a message the session DBUS.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -270,59 +196,17 @@ interface(`dbus_spec_session_bus_client',`
|
|
## </param>
|
|
#
|
|
interface(`dbus_send_session_bus',`
|
|
- refpolicywarn(`$0($*) has been deprecated, use dbus_send_all_session_bus() instead.')
|
|
- dbus_send_all_session_bus($1)
|
|
-')
|
|
-
|
|
-#######################################
|
|
-## <summary>
|
|
-## Send messages to all DBUS
|
|
-## session busses.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`dbus_send_all_session_bus',`
|
|
gen_require(`
|
|
attribute session_bus_type;
|
|
class dbus send_msg;
|
|
')
|
|
|
|
- allow $1 dbus_session_bus_type:dbus send_msg;
|
|
-')
|
|
-
|
|
-#######################################
|
|
-## <summary>
|
|
-## Send messages to specified
|
|
-## DBUS session busses.
|
|
-## </summary>
|
|
-## <param name="role_prefix">
|
|
-## <summary>
|
|
-## The prefix of the user role (e.g., user
|
|
-## is the prefix for user_r).
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`dbus_send_spec_session_bus',`
|
|
- gen_require(`
|
|
- type $1_dbusd_t;
|
|
- class dbus send_msg;
|
|
- ')
|
|
-
|
|
- allow $2 $1_dbusd_t:dbus send_msg;
|
|
+ allow $1 session_bus_type:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read dbus configuration content.
|
|
+## Read dbus configuration.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -381,69 +265,32 @@ interface(`dbus_manage_lib_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Allow a application domain to be
|
|
-## started by the specified session bus.
|
|
-## </summary>
|
|
-## <param name="role_prefix">
|
|
-## <summary>
|
|
-## The prefix of the user role (e.g., user
|
|
-## is the prefix for user_r).
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Type to be used as a domain.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="entry_point">
|
|
-## <summary>
|
|
-## Type of the program to be used as an
|
|
-## entry point to this domain.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`dbus_session_domain',`
|
|
- refpolicywarn(`$0($*) has been deprecated, use dbus_all_session_domain() instead.')
|
|
- dbus_all_session_domain($1, $2)
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Allow a application domain to be
|
|
-## started by the specified session bus.
|
|
+## Connect to the system DBUS
|
|
+## for service (acquire_svc).
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Type to be used as a domain.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="entry_point">
|
|
-## <summary>
|
|
-## Type of the program to be used as an
|
|
-## entry point to this domain.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`dbus_all_session_domain',`
|
|
+interface(`dbus_connect_session_bus',`
|
|
gen_require(`
|
|
- type session_bus_type;
|
|
+ attribute session_bus_type;
|
|
+ class dbus acquire_svc;
|
|
')
|
|
|
|
- domtrans_pattern(session_bus_type, $2, $1)
|
|
-
|
|
- dbus_all_session_bus_client($1)
|
|
- dbus_connect_all_session_bus($1)
|
|
+ allow $1 session_bus_type:dbus acquire_svc;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Allow a application domain to be
|
|
-## started by the specified session bus.
|
|
+## Allow a application domain to be started
|
|
+## by the session dbus.
|
|
## </summary>
|
|
-## <param name="role_prefix">
|
|
+## <param name="domain_prefix">
|
|
## <summary>
|
|
-## The prefix of the user role (e.g., user
|
|
-## is the prefix for user_r).
|
|
+## User domain prefix to be used.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
@@ -458,20 +305,21 @@ interface(`dbus_all_session_domain',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`dbus_spec_session_domain',`
|
|
+interface(`dbus_session_domain',`
|
|
gen_require(`
|
|
type $1_dbusd_t;
|
|
')
|
|
|
|
domtrans_pattern($1_dbusd_t, $2, $3)
|
|
|
|
- dbus_spec_session_bus_client($1, $2)
|
|
- dbus_connect_spec_session_bus($1, $2)
|
|
+ dbus_session_bus_client($3)
|
|
+ dbus_connect_session_bus($3)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Acquire service on the DBUS system bus.
|
|
+## Connect to the system DBUS
|
|
+## for service (acquire_svc).
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -490,7 +338,7 @@ interface(`dbus_connect_system_bus',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send messages to the DBUS system bus.
|
|
+## Send a message on the system DBUS.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -509,7 +357,7 @@ interface(`dbus_send_system_bus',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Unconfined access to DBUS system bus.
|
|
+## Allow unconfined access to the system DBUS.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -528,8 +376,8 @@ interface(`dbus_system_bus_unconfined',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create a domain for processes which
|
|
-## can be started by the DBUS system bus.
|
|
+## Create a domain for processes
|
|
+## which can be started by the system dbus
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -544,33 +392,24 @@ interface(`dbus_system_bus_unconfined',`
|
|
#
|
|
interface(`dbus_system_domain',`
|
|
gen_require(`
|
|
+ attribute system_bus_type;
|
|
type system_dbusd_t;
|
|
role system_r;
|
|
')
|
|
+ typeattribute $1 system_bus_type;
|
|
|
|
domain_type($1)
|
|
domain_entry_file($1, $2)
|
|
|
|
- role system_r types $1;
|
|
-
|
|
domtrans_pattern(system_dbusd_t, $2, $1)
|
|
|
|
- dbus_system_bus_client($1)
|
|
- dbus_connect_system_bus($1)
|
|
-
|
|
- ps_process_pattern(system_dbusd_t, $1)
|
|
-
|
|
- userdom_read_all_users_state($1)
|
|
+ ps_process_pattern($1, system_dbusd_t)
|
|
|
|
- ifdef(`hide_broken_symptoms', `
|
|
- dontaudit $1 system_dbusd_t:netlink_selinux_socket { read write };
|
|
- ')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Use and inherit DBUS system bus
|
|
-## file descriptors.
|
|
+## Use and inherit system DBUS file descriptors.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -588,26 +427,25 @@ interface(`dbus_use_system_bus_fds',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to read and
|
|
-## write DBUS system bus TCP sockets.
|
|
+## Allow unconfined access to the system DBUS.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain to not audit.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
|
|
+interface(`dbus_unconfined',`
|
|
gen_require(`
|
|
- type system_dbusd_t;
|
|
+ attribute dbusd_unconfined;
|
|
')
|
|
|
|
- dontaudit $1 system_dbusd_t:tcp_socket { read write };
|
|
+ typeattribute $1 dbusd_unconfined;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Unconfined access to DBUS.
|
|
+## Delete all dbus pid files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -615,10 +453,91 @@ interface(`dbus_dontaudit_system_bus_rw_tcp_sockets',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`dbus_unconfined',`
|
|
+interface(`dbus_delete_pid_files',`
|
|
gen_require(`
|
|
- attribute dbusd_unconfined;
|
|
+ type system_dbusd_var_run_t;
|
|
')
|
|
|
|
- typeattribute $1 dbusd_unconfined;
|
|
+ files_search_pids($1)
|
|
+ delete_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read all dbus pid files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dbus_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type system_dbusd_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ read_files_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Do not audit attempts to connect to
|
|
+## session bus types with a unix
|
|
+## stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dbus_dontaudit_stream_connect_session_bus',`
|
|
+ gen_require(`
|
|
+ attribute session_bus_type;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 session_bus_type:unix_stream_socket connectto;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Do not audit attempts to send dbus
|
|
+## messages to session bus types.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dbus_dontaudit_chat_session_bus',`
|
|
+ gen_require(`
|
|
+ attribute session_bus_type;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 session_bus_type:dbus send_msg;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Do not audit attempts to send dbus
|
|
+## messages to system bus types.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dbus_dontaudit_chat_system_bus',`
|
|
+ gen_require(`
|
|
+ attribute system_bus_type;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 system_bus_type:dbus send_msg;
|
|
+ dontaudit system_bus_type $1:dbus send_msg;
|
|
')
|
|
diff --git a/dbus.te b/dbus.te
|
|
index c9998c8..fa4f188 100644
|
|
--- a/dbus.te
|
|
+++ b/dbus.te
|
|
@@ -4,17 +4,15 @@ gen_require(`
|
|
class dbus all_dbus_perms;
|
|
')
|
|
|
|
-########################################
|
|
+##############################
|
|
#
|
|
-# Declarations
|
|
+# Delcarations
|
|
#
|
|
|
|
attribute dbusd_unconfined;
|
|
+attribute system_bus_type;
|
|
attribute session_bus_type;
|
|
|
|
-attribute dbusd_system_bus_client;
|
|
-attribute dbusd_session_bus_client;
|
|
-
|
|
type dbusd_etc_t;
|
|
files_config_file(dbusd_etc_t)
|
|
|
|
@@ -22,9 +20,6 @@ type dbusd_exec_t;
|
|
corecmd_executable_file(dbusd_exec_t)
|
|
typealias dbusd_exec_t alias system_dbusd_exec_t;
|
|
|
|
-type session_dbusd_home_t;
|
|
-userdom_user_home_content(session_dbusd_home_t)
|
|
-
|
|
type session_dbusd_tmp_t;
|
|
typealias session_dbusd_tmp_t alias { user_dbusd_tmp_t staff_dbusd_tmp_t sysadm_dbusd_tmp_t };
|
|
typealias session_dbusd_tmp_t alias { auditadm_dbusd_tmp_t secadm_dbusd_tmp_t };
|
|
@@ -41,7 +36,8 @@ files_type(system_dbusd_var_lib_t)
|
|
|
|
type system_dbusd_var_run_t;
|
|
files_pid_file(system_dbusd_var_run_t)
|
|
-init_daemon_run_dir(system_dbusd_var_run_t, "dbus")
|
|
+init_sock_file(system_dbusd_var_run_t)
|
|
+mls_trusted_object(system_dbusd_var_run_t)
|
|
|
|
ifdef(`enable_mcs',`
|
|
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mcs_systemhigh)
|
|
@@ -51,59 +47,58 @@ ifdef(`enable_mls',`
|
|
init_ranged_system_domain(system_dbusd_t, dbusd_exec_t, s0 - mls_systemhigh)
|
|
')
|
|
|
|
-########################################
|
|
+##############################
|
|
#
|
|
-# Local policy
|
|
+# System bus local policy
|
|
#
|
|
|
|
+# dac_override: /var/run/dbus is owned by messagebus on Debian
|
|
+# cjp: dac_override should probably go in a distro_debian
|
|
+allow system_dbusd_t self:capability2 block_suspend;
|
|
allow system_dbusd_t self:capability { sys_resource dac_override setgid setpcap setuid };
|
|
dontaudit system_dbusd_t self:capability sys_tty_config;
|
|
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
|
|
allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
|
|
allow system_dbusd_t self:dbus { send_msg acquire_svc };
|
|
-allow system_dbusd_t self:unix_stream_socket { accept connectto listen };
|
|
+allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
|
|
+allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
|
|
+# Receive notifications of policy reloads and enforcing status changes.
|
|
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
|
|
|
|
+can_exec(system_dbusd_t, dbusd_exec_t)
|
|
+
|
|
allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
|
|
read_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
|
|
read_lnk_files_pattern(system_dbusd_t, dbusd_etc_t, dbusd_etc_t)
|
|
|
|
manage_dirs_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
|
|
manage_files_pattern(system_dbusd_t, system_dbusd_tmp_t, system_dbusd_tmp_t)
|
|
-files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { dir file })
|
|
+files_tmp_filetrans(system_dbusd_t, system_dbusd_tmp_t, { file dir })
|
|
|
|
read_files_pattern(system_dbusd_t, system_dbusd_var_lib_t, system_dbusd_var_lib_t)
|
|
|
|
manage_dirs_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
|
|
manage_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
|
|
manage_sock_files_pattern(system_dbusd_t, system_dbusd_var_run_t, system_dbusd_var_run_t)
|
|
-files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file })
|
|
-
|
|
-can_exec(system_dbusd_t, dbusd_exec_t)
|
|
+files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { file dir })
|
|
|
|
kernel_read_system_state(system_dbusd_t)
|
|
kernel_read_kernel_sysctls(system_dbusd_t)
|
|
|
|
-corecmd_list_bin(system_dbusd_t)
|
|
-corecmd_read_bin_pipes(system_dbusd_t)
|
|
-corecmd_read_bin_sockets(system_dbusd_t)
|
|
-corecmd_exec_shell(system_dbusd_t)
|
|
-
|
|
dev_read_urand(system_dbusd_t)
|
|
dev_read_sysfs(system_dbusd_t)
|
|
|
|
-domain_use_interactive_fds(system_dbusd_t)
|
|
-domain_read_all_domains_state(system_dbusd_t)
|
|
-
|
|
-files_list_home(system_dbusd_t)
|
|
-files_read_usr_files(system_dbusd_t)
|
|
+files_rw_inherited_non_security_files(system_dbusd_t)
|
|
|
|
fs_getattr_all_fs(system_dbusd_t)
|
|
fs_list_inotifyfs(system_dbusd_t)
|
|
fs_search_auto_mountpoints(system_dbusd_t)
|
|
-fs_search_cgroup_dirs(system_dbusd_t)
|
|
fs_dontaudit_list_nfs(system_dbusd_t)
|
|
|
|
+storage_rw_inherited_fixed_disk_dev(system_dbusd_t)
|
|
+storage_rw_inherited_removable_device(system_dbusd_t)
|
|
+
|
|
+mls_trusted_object(system_dbusd_t)
|
|
mls_fd_use_all_levels(system_dbusd_t)
|
|
mls_rangetrans_target(system_dbusd_t)
|
|
mls_file_read_all_levels(system_dbusd_t)
|
|
@@ -123,66 +118,159 @@ term_dontaudit_use_console(system_dbusd_t)
|
|
auth_use_nsswitch(system_dbusd_t)
|
|
auth_read_pam_console_data(system_dbusd_t)
|
|
|
|
+corecmd_list_bin(system_dbusd_t)
|
|
+corecmd_read_bin_pipes(system_dbusd_t)
|
|
+corecmd_read_bin_sockets(system_dbusd_t)
|
|
+# needed for system-tools-backends
|
|
+corecmd_exec_shell(system_dbusd_t)
|
|
+
|
|
+domain_use_interactive_fds(system_dbusd_t)
|
|
+domain_read_all_domains_state(system_dbusd_t)
|
|
+
|
|
+files_list_home(system_dbusd_t)
|
|
+
|
|
init_use_fds(system_dbusd_t)
|
|
init_use_script_ptys(system_dbusd_t)
|
|
-init_all_labeled_script_domtrans(system_dbusd_t)
|
|
+init_bin_domtrans_spec(system_dbusd_t)
|
|
+init_domtrans_script(system_dbusd_t)
|
|
+init_rw_stream_sockets(system_dbusd_t)
|
|
+init_status(system_dbusd_t)
|
|
|
|
logging_send_audit_msgs(system_dbusd_t)
|
|
logging_send_syslog_msg(system_dbusd_t)
|
|
|
|
-miscfiles_read_localization(system_dbusd_t)
|
|
miscfiles_read_generic_certs(system_dbusd_t)
|
|
|
|
seutil_read_config(system_dbusd_t)
|
|
seutil_read_default_contexts(system_dbusd_t)
|
|
+seutil_sigchld_newrole(system_dbusd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
|
|
userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
|
|
|
|
+userdom_home_reader(system_dbusd_t)
|
|
+
|
|
+optional_policy(`
|
|
+ bind_domtrans(system_dbusd_t)
|
|
+')
|
|
+
|
|
optional_policy(`
|
|
bluetooth_stream_connect(system_dbusd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- policykit_read_lib(system_dbusd_t)
|
|
+ cpufreqselector_dbus_chat(system_dbusd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ getty_start_services(system_dbusd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ gnome_exec_gconf(system_dbusd_t)
|
|
+ gnome_read_inherited_home_icc_data_files(system_dbusd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- seutil_sigchld_newrole(system_dbusd_t)
|
|
+ nis_use_ypbind(system_dbusd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ networkmanager_initrc_domtrans(system_dbusd_t)
|
|
+ networkmanager_systemctl(system_dbusd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ policykit_dbus_chat(system_dbusd_t)
|
|
+ policykit_domtrans_auth(system_dbusd_t)
|
|
+ policykit_search_lib(system_dbusd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ sysnet_domtrans_dhcpc(system_dbusd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ systemd_use_fds_logind(system_dbusd_t)
|
|
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
|
|
+ systemd_write_inhibit_pipes(system_dbusd_t)
|
|
+# These are caused by broken systemd patch
|
|
+ systemd_start_power_services(system_dbusd_t)
|
|
+ systemd_config_all_services(system_dbusd_t)
|
|
+ files_config_all_files(system_dbusd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(system_dbusd_t)
|
|
')
|
|
|
|
+optional_policy(`
|
|
+ # /var/lib/gdm/.local/share/icc/edid-0a027915105823af34f99b1704e80336.icc
|
|
+ xserver_read_inherited_xdm_lib_files(system_dbusd_t)
|
|
+')
|
|
+
|
|
########################################
|
|
#
|
|
-# Common session bus local policy
|
|
+# system_bus_type rules
|
|
#
|
|
+role system_r types system_bus_type;
|
|
+
|
|
+fs_search_all(system_bus_type)
|
|
+
|
|
+dbus_system_bus_client(system_bus_type)
|
|
+dbus_connect_system_bus(system_bus_type)
|
|
+
|
|
+init_status(system_bus_type)
|
|
+init_stream_connect(system_bus_type)
|
|
+init_dgram_send(system_bus_type)
|
|
+init_use_fds(system_bus_type)
|
|
+init_rw_stream_sockets(system_bus_type)
|
|
+
|
|
+ps_process_pattern(system_dbusd_t, system_bus_type)
|
|
+
|
|
+userdom_dontaudit_search_admin_dir(system_bus_type)
|
|
+userdom_read_all_users_state(system_bus_type)
|
|
+
|
|
+optional_policy(`
|
|
+ abrt_stream_connect(system_bus_type)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rpm_script_dbus_chat(system_bus_type)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_dbus_send(system_bus_type)
|
|
+')
|
|
|
|
+ifdef(`hide_broken_symptoms',`
|
|
+ dontaudit system_bus_type system_dbusd_t:netlink_selinux_socket { read write };
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# session_bus_type rules
|
|
+#
|
|
+allow session_bus_type self:capability2 block_suspend;
|
|
dontaudit session_bus_type self:capability sys_resource;
|
|
allow session_bus_type self:process { getattr sigkill signal };
|
|
-dontaudit session_bus_type self:process { ptrace setrlimit };
|
|
+dontaudit session_bus_type self:process setrlimit;
|
|
allow session_bus_type self:file { getattr read write };
|
|
allow session_bus_type self:fifo_file rw_fifo_file_perms;
|
|
allow session_bus_type self:dbus { send_msg acquire_svc };
|
|
-allow session_bus_type self:unix_stream_socket { accept listen };
|
|
-allow session_bus_type self:tcp_socket { accept listen };
|
|
+allow session_bus_type self:unix_stream_socket create_stream_socket_perms;
|
|
+allow session_bus_type self:unix_dgram_socket create_socket_perms;
|
|
+allow session_bus_type self:tcp_socket create_stream_socket_perms;
|
|
allow session_bus_type self:netlink_selinux_socket create_socket_perms;
|
|
|
|
allow session_bus_type dbusd_etc_t:dir list_dir_perms;
|
|
read_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
|
|
read_lnk_files_pattern(session_bus_type, dbusd_etc_t, dbusd_etc_t)
|
|
|
|
-manage_dirs_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
|
|
-manage_files_pattern(session_bus_type, session_dbusd_home_t, session_dbusd_home_t)
|
|
-userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".dbus")
|
|
-
|
|
manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
|
|
manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
|
|
-files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
|
|
+files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { file dir })
|
|
|
|
-kernel_read_system_state(session_bus_type)
|
|
kernel_read_kernel_sysctls(session_bus_type)
|
|
|
|
corecmd_list_bin(session_bus_type)
|
|
@@ -191,23 +279,18 @@ corecmd_read_bin_files(session_bus_type)
|
|
corecmd_read_bin_pipes(session_bus_type)
|
|
corecmd_read_bin_sockets(session_bus_type)
|
|
|
|
-corenet_all_recvfrom_unlabeled(session_bus_type)
|
|
-corenet_all_recvfrom_netlabel(session_bus_type)
|
|
corenet_tcp_sendrecv_generic_if(session_bus_type)
|
|
corenet_tcp_sendrecv_generic_node(session_bus_type)
|
|
corenet_tcp_sendrecv_all_ports(session_bus_type)
|
|
corenet_tcp_bind_generic_node(session_bus_type)
|
|
-
|
|
-corenet_sendrecv_all_server_packets(session_bus_type)
|
|
corenet_tcp_bind_reserved_port(session_bus_type)
|
|
|
|
dev_read_urand(session_bus_type)
|
|
|
|
-domain_read_all_domains_state(session_bus_type)
|
|
domain_use_interactive_fds(session_bus_type)
|
|
+domain_read_all_domains_state(session_bus_type)
|
|
|
|
files_list_home(session_bus_type)
|
|
-files_read_usr_files(session_bus_type)
|
|
files_dontaudit_search_var(session_bus_type)
|
|
|
|
fs_getattr_romfs(session_bus_type)
|
|
@@ -215,7 +298,6 @@ fs_getattr_xattr_fs(session_bus_type)
|
|
fs_list_inotifyfs(session_bus_type)
|
|
fs_dontaudit_list_nfs(session_bus_type)
|
|
|
|
-selinux_get_fs_mount(session_bus_type)
|
|
selinux_validate_context(session_bus_type)
|
|
selinux_compute_access_vector(session_bus_type)
|
|
selinux_compute_create_context(session_bus_type)
|
|
@@ -225,18 +307,36 @@ selinux_compute_user_contexts(session_bus_type)
|
|
auth_read_pam_console_data(session_bus_type)
|
|
|
|
logging_send_audit_msgs(session_bus_type)
|
|
-logging_send_syslog_msg(session_bus_type)
|
|
-
|
|
-miscfiles_read_localization(session_bus_type)
|
|
|
|
seutil_read_config(session_bus_type)
|
|
seutil_read_default_contexts(session_bus_type)
|
|
|
|
-term_use_all_terms(session_bus_type)
|
|
+term_use_all_inherited_terms(session_bus_type)
|
|
+
|
|
+userdom_dontaudit_search_admin_dir(session_bus_type)
|
|
+userdom_manage_user_home_content_dirs(session_bus_type)
|
|
+userdom_manage_user_home_content_files(session_bus_type)
|
|
+userdom_manage_tmpfs_files(session_bus_type, file)
|
|
+userdom_tmpfs_filetrans(session_bus_type, file)
|
|
|
|
optional_policy(`
|
|
- xserver_use_xdm_fds(session_bus_type)
|
|
+ gnome_read_config(session_bus_type)
|
|
+ gnome_read_gconf_home_files(session_bus_type)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ hal_dbus_chat(session_bus_type)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ thumb_domtrans(session_bus_type)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ xserver_search_xdm_lib(session_bus_type)
|
|
xserver_rw_xdm_pipes(session_bus_type)
|
|
+ xserver_use_xdm_fds(session_bus_type)
|
|
+ xserver_append_xdm_home_files(session_bus_type)
|
|
')
|
|
|
|
########################################
|
|
@@ -244,5 +344,6 @@ optional_policy(`
|
|
# Unconfined access to this module
|
|
#
|
|
|
|
-allow dbusd_unconfined { system_dbusd_t session_bus_type dbusd_session_bus_client dbusd_system_bus_client }:dbus all_dbus_perms;
|
|
-allow { dbusd_session_bus_client dbusd_system_bus_client } dbusd_unconfined:dbus send_msg;
|
|
+allow dbusd_unconfined session_bus_type:dbus all_dbus_perms;
|
|
+allow dbusd_unconfined dbusd_unconfined:dbus all_dbus_perms;
|
|
+allow session_bus_type dbusd_unconfined:dbus send_msg;
|
|
diff --git a/dcc.fc b/dcc.fc
|
|
index 62d3c4e..cef59a7 100644
|
|
--- a/dcc.fc
|
|
+++ b/dcc.fc
|
|
@@ -10,6 +10,8 @@
|
|
/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
|
|
/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
|
|
|
|
+/usr/libexec/dcc/start-dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
|
|
+
|
|
/usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
|
|
/usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
|
|
/usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
|
|
diff --git a/dcc.if b/dcc.if
|
|
index a5c21e0..4639421 100644
|
|
--- a/dcc.if
|
|
+++ b/dcc.if
|
|
@@ -173,6 +173,6 @@ interface(`dcc_stream_connect_dccifd',`
|
|
type dcc_var_t, dccifd_var_run_t, dccifd_t;
|
|
')
|
|
|
|
- files_search_var($1)
|
|
+ files_search_pids($1)
|
|
stream_connect_pattern($1, dcc_var_t, dccifd_var_run_t, dccifd_t)
|
|
')
|
|
diff --git a/dcc.te b/dcc.te
|
|
index 353fa4a..a5e912f 100644
|
|
--- a/dcc.te
|
|
+++ b/dcc.te
|
|
@@ -45,7 +45,7 @@ type dcc_var_t;
|
|
files_type(dcc_var_t)
|
|
|
|
type dcc_var_run_t;
|
|
-files_type(dcc_var_run_t)
|
|
+files_pid_file(dcc_var_run_t)
|
|
|
|
type dccd_t;
|
|
type dccd_exec_t;
|
|
@@ -94,15 +94,18 @@ allow cdcc_t dcc_var_t:dir list_dir_perms;
|
|
read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
|
|
read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
|
|
|
|
+corenet_all_recvfrom_netlabel(cdcc_t)
|
|
+corenet_udp_sendrecv_generic_if(cdcc_t)
|
|
+corenet_udp_sendrecv_generic_node(cdcc_t)
|
|
+corenet_udp_sendrecv_all_ports(cdcc_t)
|
|
+
|
|
files_read_etc_runtime_files(cdcc_t)
|
|
|
|
auth_use_nsswitch(cdcc_t)
|
|
|
|
logging_send_syslog_msg(cdcc_t)
|
|
|
|
-miscfiles_read_localization(cdcc_t)
|
|
-
|
|
-userdom_use_user_terminals(cdcc_t)
|
|
+userdom_use_inherited_user_terminals(cdcc_t)
|
|
|
|
########################################
|
|
#
|
|
@@ -113,6 +116,8 @@ allow dcc_client_t self:capability { setuid setgid };
|
|
|
|
allow dcc_client_t dcc_client_map_t:file rw_file_perms;
|
|
|
|
+domtrans_pattern(dcc_client_t, dccifd_exec_t, dccifd_t)
|
|
+
|
|
manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
|
|
manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
|
|
files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
|
|
@@ -123,6 +128,12 @@ read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
|
|
|
|
kernel_read_system_state(dcc_client_t)
|
|
|
|
+corenet_all_recvfrom_netlabel(dcc_client_t)
|
|
+corenet_udp_sendrecv_generic_if(dcc_client_t)
|
|
+corenet_udp_sendrecv_generic_node(dcc_client_t)
|
|
+corenet_udp_sendrecv_all_ports(dcc_client_t)
|
|
+corenet_udp_bind_generic_node(dcc_client_t)
|
|
+
|
|
files_read_etc_runtime_files(dcc_client_t)
|
|
|
|
fs_getattr_all_fs(dcc_client_t)
|
|
@@ -131,12 +142,10 @@ auth_use_nsswitch(dcc_client_t)
|
|
|
|
logging_send_syslog_msg(dcc_client_t)
|
|
|
|
-miscfiles_read_localization(dcc_client_t)
|
|
-
|
|
-userdom_use_user_terminals(dcc_client_t)
|
|
+userdom_use_inherited_user_terminals(dcc_client_t)
|
|
|
|
optional_policy(`
|
|
- amavis_read_spool_files(dcc_client_t)
|
|
+ antivirus_read_db(dcc_client_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -160,15 +169,18 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
|
|
|
|
kernel_read_system_state(dcc_dbclean_t)
|
|
|
|
+corenet_all_recvfrom_netlabel(dcc_dbclean_t)
|
|
+corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
|
|
+corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
|
|
+corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
|
|
+
|
|
files_read_etc_runtime_files(dcc_dbclean_t)
|
|
|
|
auth_use_nsswitch(dcc_dbclean_t)
|
|
|
|
logging_send_syslog_msg(dcc_dbclean_t)
|
|
|
|
-miscfiles_read_localization(dcc_dbclean_t)
|
|
-
|
|
-userdom_use_user_terminals(dcc_dbclean_t)
|
|
+userdom_use_inherited_user_terminals(dcc_dbclean_t)
|
|
|
|
########################################
|
|
#
|
|
@@ -202,7 +214,6 @@ files_pid_filetrans(dccd_t, dccd_var_run_t, { dir file })
|
|
kernel_read_system_state(dccd_t)
|
|
kernel_read_kernel_sysctls(dccd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(dccd_t)
|
|
corenet_all_recvfrom_netlabel(dccd_t)
|
|
corenet_udp_sendrecv_generic_if(dccd_t)
|
|
corenet_udp_sendrecv_generic_node(dccd_t)
|
|
@@ -227,8 +238,6 @@ auth_use_nsswitch(dccd_t)
|
|
|
|
logging_send_syslog_msg(dccd_t)
|
|
|
|
-miscfiles_read_localization(dccd_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(dccd_t)
|
|
userdom_dontaudit_search_user_home_dirs(dccd_t)
|
|
|
|
@@ -269,6 +278,11 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
|
|
kernel_read_system_state(dccifd_t)
|
|
kernel_read_kernel_sysctls(dccifd_t)
|
|
|
|
+corenet_all_recvfrom_netlabel(dccifd_t)
|
|
+corenet_udp_sendrecv_generic_if(dccifd_t)
|
|
+corenet_udp_sendrecv_generic_node(dccifd_t)
|
|
+corenet_udp_sendrecv_all_ports(dccifd_t)
|
|
+
|
|
dev_read_sysfs(dccifd_t)
|
|
|
|
domain_use_interactive_fds(dccifd_t)
|
|
@@ -282,8 +296,6 @@ auth_use_nsswitch(dccifd_t)
|
|
|
|
logging_send_syslog_msg(dccifd_t)
|
|
|
|
-miscfiles_read_localization(dccifd_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(dccifd_t)
|
|
userdom_dontaudit_search_user_home_dirs(dccifd_t)
|
|
|
|
@@ -324,6 +336,11 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file)
|
|
kernel_read_system_state(dccm_t)
|
|
kernel_read_kernel_sysctls(dccm_t)
|
|
|
|
+corenet_all_recvfrom_netlabel(dccm_t)
|
|
+corenet_udp_sendrecv_generic_if(dccm_t)
|
|
+corenet_udp_sendrecv_generic_node(dccm_t)
|
|
+corenet_udp_sendrecv_all_ports(dccm_t)
|
|
+
|
|
dev_read_sysfs(dccm_t)
|
|
|
|
domain_use_interactive_fds(dccm_t)
|
|
@@ -337,8 +354,6 @@ auth_use_nsswitch(dccm_t)
|
|
|
|
logging_send_syslog_msg(dccm_t)
|
|
|
|
-miscfiles_read_localization(dccm_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(dccm_t)
|
|
userdom_dontaudit_search_user_home_dirs(dccm_t)
|
|
|
|
diff --git a/ddclient.if b/ddclient.if
|
|
index 5606b40..cd18cf2 100644
|
|
--- a/ddclient.if
|
|
+++ b/ddclient.if
|
|
@@ -70,9 +70,13 @@ interface(`ddclient_admin',`
|
|
type ddclient_var_run_t, ddclient_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 ddclient_t:process { ptrace signal_perms };
|
|
+ allow $1 ddclient_t:process signal_perms;
|
|
ps_process_pattern($1, ddclient_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ddclient_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, ddclient_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 ddclient_initrc_exec_t system_r;
|
|
diff --git a/ddclient.te b/ddclient.te
|
|
index a4caa1b..42f3066 100644
|
|
--- a/ddclient.te
|
|
+++ b/ddclient.te
|
|
@@ -38,9 +38,13 @@ files_pid_file(ddclient_var_run_t)
|
|
# Declarations
|
|
#
|
|
|
|
+
|
|
dontaudit ddclient_t self:capability sys_tty_config;
|
|
allow ddclient_t self:process signal_perms;
|
|
allow ddclient_t self:fifo_file rw_fifo_file_perms;
|
|
+allow ddclient_t self:tcp_socket create_socket_perms;
|
|
+allow ddclient_t self:udp_socket create_socket_perms;
|
|
+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
|
|
setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
|
|
@@ -75,7 +79,6 @@ kernel_search_network_sysctl(ddclient_t)
|
|
corecmd_exec_shell(ddclient_t)
|
|
corecmd_exec_bin(ddclient_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(ddclient_t)
|
|
corenet_all_recvfrom_netlabel(ddclient_t)
|
|
corenet_tcp_sendrecv_generic_if(ddclient_t)
|
|
corenet_udp_sendrecv_generic_if(ddclient_t)
|
|
@@ -83,6 +86,8 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
|
|
corenet_udp_sendrecv_generic_node(ddclient_t)
|
|
corenet_tcp_sendrecv_all_ports(ddclient_t)
|
|
corenet_udp_sendrecv_all_ports(ddclient_t)
|
|
+corenet_tcp_bind_generic_node(ddclient_t)
|
|
+corenet_udp_bind_generic_node(ddclient_t)
|
|
|
|
corenet_sendrecv_all_client_packets(ddclient_t)
|
|
corenet_tcp_connect_all_ports(ddclient_t)
|
|
@@ -92,16 +97,16 @@ dev_read_urand(ddclient_t)
|
|
|
|
domain_use_interactive_fds(ddclient_t)
|
|
|
|
-files_read_etc_files(ddclient_t)
|
|
files_read_etc_runtime_files(ddclient_t)
|
|
-files_read_usr_files(ddclient_t)
|
|
|
|
fs_getattr_all_fs(ddclient_t)
|
|
fs_search_auto_mountpoints(ddclient_t)
|
|
|
|
+auth_read_passwd(ddclient_t)
|
|
+
|
|
logging_send_syslog_msg(ddclient_t)
|
|
|
|
-miscfiles_read_localization(ddclient_t)
|
|
+mta_send_mail(ddclient_t)
|
|
|
|
sysnet_exec_ifconfig(ddclient_t)
|
|
sysnet_dns_name_resolve(ddclient_t)
|
|
diff --git a/ddcprobe.te b/ddcprobe.te
|
|
index 8fa4bb9..8f5ffb0 100644
|
|
--- a/ddcprobe.te
|
|
+++ b/ddcprobe.te
|
|
@@ -34,9 +34,7 @@ dev_read_urand(ddcprobe_t)
|
|
dev_read_raw_memory(ddcprobe_t)
|
|
dev_wx_raw_memory(ddcprobe_t)
|
|
|
|
-files_read_etc_files(ddcprobe_t)
|
|
files_read_etc_runtime_files(ddcprobe_t)
|
|
-files_read_usr_files(ddcprobe_t)
|
|
|
|
term_use_all_ttys(ddcprobe_t)
|
|
term_use_all_ptys(ddcprobe_t)
|
|
diff --git a/denyhosts.if b/denyhosts.if
|
|
index a7326da..c87b5b7 100644
|
|
--- a/denyhosts.if
|
|
+++ b/denyhosts.if
|
|
@@ -53,6 +53,7 @@ interface(`denyhosts_initrc_domtrans',`
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
interface(`denyhosts_admin',`
|
|
gen_require(`
|
|
@@ -60,20 +61,24 @@ interface(`denyhosts_admin',`
|
|
type denyhosts_var_log_t, denyhosts_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 denyhosts_t:process { ptrace signal_perms };
|
|
+ allow $1 denyhosts_t:process signal_perms;
|
|
ps_process_pattern($1, denyhosts_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 denyhosts_t:process ptrace;
|
|
+ ')
|
|
+
|
|
denyhosts_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 denyhosts_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_search_var_lib($1)
|
|
+ files_list_var_lib($1)
|
|
admin_pattern($1, denyhosts_var_lib_t)
|
|
|
|
- logging_search_logs($1)
|
|
+ logging_list_logs($1)
|
|
admin_pattern($1, denyhosts_var_log_t)
|
|
|
|
- files_search_locks($1)
|
|
+ files_list_locks($1)
|
|
admin_pattern($1, denyhosts_var_lock_t)
|
|
')
|
|
diff --git a/denyhosts.te b/denyhosts.te
|
|
index 583a527..bb77017 100644
|
|
--- a/denyhosts.te
|
|
+++ b/denyhosts.te
|
|
@@ -25,6 +25,9 @@ logging_log_file(denyhosts_var_log_t)
|
|
#
|
|
# Local policy
|
|
#
|
|
+# Bug #588563
|
|
+allow denyhosts_t self:capability sys_tty_config;
|
|
+allow denyhosts_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
allow denyhosts_t self:capability sys_tty_config;
|
|
allow denyhosts_t self:fifo_file rw_fifo_file_perms;
|
|
@@ -48,7 +51,6 @@ kernel_read_system_state(denyhosts_t)
|
|
corecmd_exec_bin(denyhosts_t)
|
|
corecmd_exec_shell(denyhosts_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(denyhosts_t)
|
|
corenet_all_recvfrom_netlabel(denyhosts_t)
|
|
corenet_tcp_sendrecv_generic_if(denyhosts_t)
|
|
corenet_tcp_sendrecv_generic_node(denyhosts_t)
|
|
@@ -59,11 +61,11 @@ corenet_tcp_sendrecv_smtp_port(denyhosts_t)
|
|
|
|
dev_read_urand(denyhosts_t)
|
|
|
|
+auth_use_nsswitch(denyhosts_t)
|
|
+
|
|
logging_read_generic_logs(denyhosts_t)
|
|
logging_send_syslog_msg(denyhosts_t)
|
|
|
|
-miscfiles_read_localization(denyhosts_t)
|
|
-
|
|
sysnet_dns_name_resolve(denyhosts_t)
|
|
sysnet_manage_config(denyhosts_t)
|
|
sysnet_etc_filetrans_config(denyhosts_t)
|
|
@@ -71,3 +73,7 @@ sysnet_etc_filetrans_config(denyhosts_t)
|
|
optional_policy(`
|
|
cron_system_entry(denyhosts_t, denyhosts_exec_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ gnome_dontaudit_search_config(denyhosts_t)
|
|
+')
|
|
diff --git a/devicekit.if b/devicekit.if
|
|
index 8ce99ff..0819898 100644
|
|
--- a/devicekit.if
|
|
+++ b/devicekit.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>Devicekit modular hardware abstraction layer.</summary>
|
|
+## <summary>Devicekit modular hardware abstraction layer</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -15,12 +15,29 @@ interface(`devicekit_domtrans',`
|
|
type devicekit_t, devicekit_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, devicekit_exec_t, devicekit_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Execute a domain transition to run devicekit_disk.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`devicekit_domtrans_disk',`
|
|
+ gen_require(`
|
|
+ type devicekit_disk_t, devicekit_disk_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, devicekit_disk_exec_t, devicekit_disk_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Send to devicekit over a unix domain
|
|
## datagram socket.
|
|
## </summary>
|
|
@@ -32,11 +49,10 @@ interface(`devicekit_domtrans',`
|
|
#
|
|
interface(`devicekit_dgram_send',`
|
|
gen_require(`
|
|
- type devicekit_t, devicekit_var_run_t;
|
|
+ type devicekit_t;
|
|
')
|
|
|
|
- files_search_pids($1)
|
|
- dgram_send_pattern($1, devicekit_var_run_t, devicekit_var_run_t, devicekit_t)
|
|
+ allow $1 devicekit_t:unix_dgram_socket sendto;
|
|
')
|
|
|
|
########################################
|
|
@@ -83,7 +99,7 @@ interface(`devicekit_dbus_chat_disk',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send generic signals to devicekit power.
|
|
+## Use file descriptors for devicekit_disk.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -91,39 +107,38 @@ interface(`devicekit_dbus_chat_disk',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`devicekit_signal_power',`
|
|
+interface(`devicekit_use_fds_disk',`
|
|
gen_require(`
|
|
- type devicekit_power_t;
|
|
+ type devicekit_disk_t;
|
|
')
|
|
|
|
- allow $1 devicekit_power_t:process signal;
|
|
+ allow $1 devicekit_disk_t:fd use;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send and receive messages from
|
|
-## devicekit power over dbus.
|
|
+## Dontaudit Send and receive messages from
|
|
+## devicekit disk over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`devicekit_dbus_chat_power',`
|
|
+interface(`devicekit_dontaudit_dbus_chat_disk',`
|
|
gen_require(`
|
|
- type devicekit_power_t;
|
|
+ type devicekit_disk_t;
|
|
class dbus send_msg;
|
|
')
|
|
|
|
- allow $1 devicekit_power_t:dbus send_msg;
|
|
- allow devicekit_power_t $1:dbus send_msg;
|
|
+ dontaudit $1 devicekit_disk_t:dbus send_msg;
|
|
+ dontaudit devicekit_disk_t $1:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Use and inherit devicekit power
|
|
-## file descriptors.
|
|
+## Send signal devicekit power
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -131,17 +146,18 @@ interface(`devicekit_dbus_chat_power',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`devicekit_use_fds_power',`
|
|
+interface(`devicekit_signal_power',`
|
|
gen_require(`
|
|
type devicekit_power_t;
|
|
')
|
|
|
|
- allow $1 devicekit_power_t:fd use;
|
|
+ allow $1 devicekit_power_t:process signal;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Append inherited devicekit log files.
|
|
+## Send and receive messages from
|
|
+## devicekit power over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -149,40 +165,78 @@ interface(`devicekit_use_fds_power',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
+interface(`devicekit_dbus_chat_power',`
|
|
+ gen_require(`
|
|
+ type devicekit_power_t;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
+
|
|
+ allow $1 devicekit_power_t:dbus send_msg;
|
|
+ allow devicekit_power_t $1:dbus send_msg;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Use and inherit devicekit power
|
|
+## file descriptors.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`devicekit_use_fds_power',`
|
|
+ gen_require(`
|
|
+ type devicekit_power_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 devicekit_power_t:fd use;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Append inherited devicekit log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
interface(`devicekit_append_inherited_log_files',`
|
|
gen_require(`
|
|
type devicekit_var_log_t;
|
|
')
|
|
|
|
logging_search_logs($1)
|
|
- allow $1 devicekit_var_log_t:file { getattr_file_perms append };
|
|
+ allow $1 devicekit_var_log_t:file append_inherited_file_perms;
|
|
|
|
devicekit_use_fds_power($1)
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## devicekit log files.
|
|
+## Do not audit attempts to write the devicekit
|
|
+## log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`devicekit_manage_log_files',`
|
|
+interface(`devicekit_dontaudit_rw_log',`
|
|
gen_require(`
|
|
type devicekit_var_log_t;
|
|
')
|
|
|
|
- logging_search_logs($1)
|
|
- manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
|
|
+ dontaudit $1 devicekit_var_log_t:file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Relabel devicekit log files.
|
|
+## Allow the domain to read devicekit_power state files in /proc.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -190,13 +244,13 @@ interface(`devicekit_manage_log_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`devicekit_relabel_log_files',`
|
|
+interface(`devicekit_read_state_power',`
|
|
gen_require(`
|
|
- type devicekit_var_log_t;
|
|
+ type devicekit_power_t;
|
|
')
|
|
|
|
- logging_search_logs($1)
|
|
- relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
|
|
+ kernel_search_proc($1)
|
|
+ ps_process_pattern($1, devicekit_power_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -220,11 +274,30 @@ interface(`devicekit_read_pid_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
+## Do not audit attempts to read
|
|
## devicekit PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`devicekit_dontaudit_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type devicekit_var_run_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 devicekit_var_run_t:file read_inherited_file_perms;
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage devicekit PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
@@ -235,22 +308,59 @@ interface(`devicekit_manage_pid_files',`
|
|
')
|
|
|
|
files_search_pids($1)
|
|
+ manage_dirs_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
|
|
manage_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
|
|
+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Relabel devicekit LOG files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`devicekit_relabel_log_files',`
|
|
+ gen_require(`
|
|
+ type devicekit_var_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ relabel_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an devicekit environment.
|
|
+## Manage devicekit LOG files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+#
|
|
+interface(`devicekit_manage_log_files',`
|
|
+ gen_require(`
|
|
+ type devicekit_var_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ manage_files_pattern($1, devicekit_var_log_t, devicekit_var_log_t)
|
|
+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
|
|
+ #logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an devicekit environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
@@ -259,21 +369,48 @@ interface(`devicekit_admin',`
|
|
gen_require(`
|
|
type devicekit_t, devicekit_disk_t, devicekit_power_t;
|
|
type devicekit_var_lib_t, devicekit_var_run_t, devicekit_tmp_t;
|
|
- type devicekit_var_log_t;
|
|
')
|
|
|
|
- allow $1 { devicekit_t devicekit_disk_t devicekit_power_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { devicekit_t devicekit_disk_t devicekit_power_t })
|
|
+ allow $1 devicekit_t:process signal_perms;
|
|
+ ps_process_pattern($1, devicekit_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 devicekit_t:process ptrace;
|
|
+ allow $1 devicekit_disk_t:process ptrace;
|
|
+ allow $1 devicekit_power_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ allow $1 devicekit_disk_t:process signal_perms;
|
|
+ ps_process_pattern($1, devicekit_disk_t)
|
|
+
|
|
+ allow $1 devicekit_power_t:process signal_perms;
|
|
+ ps_process_pattern($1, devicekit_power_t)
|
|
|
|
- files_search_tmp($1)
|
|
admin_pattern($1, devicekit_tmp_t)
|
|
+ files_list_tmp($1)
|
|
|
|
- files_search_var_lib($1)
|
|
admin_pattern($1, devicekit_var_lib_t)
|
|
+ files_list_var_lib($1)
|
|
|
|
- logging_search_logs($1)
|
|
- admin_pattern($1, devicekit_var_log_t)
|
|
-
|
|
- files_search_pids($1)
|
|
admin_pattern($1, devicekit_var_run_t)
|
|
+ files_list_pids($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to devicekit named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`devicekit_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type devicekit_var_run_t, devicekit_var_log_t;
|
|
+ ')
|
|
+
|
|
+ files_pid_filetrans($1, devicekit_var_run_t, dir, "pm-utils")
|
|
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-powersave.log")
|
|
+ logging_log_filetrans($1, devicekit_var_log_t, file, "pm-suspend.log")
|
|
')
|
|
diff --git a/devicekit.te b/devicekit.te
|
|
index 77a5003..2728ee6 100644
|
|
--- a/devicekit.te
|
|
+++ b/devicekit.te
|
|
@@ -7,15 +7,15 @@ policy_module(devicekit, 1.3.1)
|
|
|
|
type devicekit_t;
|
|
type devicekit_exec_t;
|
|
-dbus_system_domain(devicekit_t, devicekit_exec_t)
|
|
+init_daemon_domain(devicekit_t, devicekit_exec_t)
|
|
|
|
type devicekit_power_t;
|
|
type devicekit_power_exec_t;
|
|
-dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
|
|
+init_daemon_domain(devicekit_power_t, devicekit_power_exec_t)
|
|
|
|
type devicekit_disk_t;
|
|
type devicekit_disk_exec_t;
|
|
-dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
|
|
+init_daemon_domain(devicekit_disk_t, devicekit_disk_exec_t)
|
|
|
|
type devicekit_tmp_t;
|
|
files_tmp_file(devicekit_tmp_t)
|
|
@@ -45,11 +45,8 @@ kernel_read_system_state(devicekit_t)
|
|
dev_read_sysfs(devicekit_t)
|
|
dev_read_urand(devicekit_t)
|
|
|
|
-files_read_etc_files(devicekit_t)
|
|
-
|
|
-miscfiles_read_localization(devicekit_t)
|
|
-
|
|
optional_policy(`
|
|
+ dbus_system_domain(devicekit_t, devicekit_exec_t)
|
|
dbus_system_bus_client(devicekit_t)
|
|
|
|
allow devicekit_t { devicekit_disk_t devicekit_power_t }:dbus send_msg;
|
|
@@ -64,7 +61,8 @@ optional_policy(`
|
|
# Disk local policy
|
|
#
|
|
|
|
-allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio };
|
|
+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_tty_config sys_rawio };
|
|
+
|
|
allow devicekit_disk_t self:process { getsched signal_perms };
|
|
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
|
|
allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
@@ -81,10 +79,11 @@ allow devicekit_disk_t devicekit_var_run_t:dir mounton;
|
|
manage_dirs_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
|
|
manage_files_pattern(devicekit_disk_t, devicekit_var_run_t, devicekit_var_run_t)
|
|
files_pid_filetrans(devicekit_disk_t, devicekit_var_run_t, { dir file })
|
|
+files_filetrans_named_content(devicekit_disk_t)
|
|
|
|
+kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
|
|
kernel_getattr_message_if(devicekit_disk_t)
|
|
kernel_list_unlabeled(devicekit_disk_t)
|
|
-kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
|
|
kernel_read_fs_sysctls(devicekit_disk_t)
|
|
kernel_read_network_state(devicekit_disk_t)
|
|
kernel_read_software_raid_state(devicekit_disk_t)
|
|
@@ -99,6 +98,8 @@ corecmd_getattr_all_executables(devicekit_disk_t)
|
|
|
|
dev_getattr_all_chr_files(devicekit_disk_t)
|
|
dev_getattr_mtrr_dev(devicekit_disk_t)
|
|
+dev_rw_generic_blk_files(devicekit_disk_t)
|
|
+dev_rw_loop_control(devicekit_disk_t)
|
|
dev_getattr_usbfs_dirs(devicekit_disk_t)
|
|
dev_manage_generic_files(devicekit_disk_t)
|
|
dev_read_urand(devicekit_disk_t)
|
|
@@ -117,8 +118,8 @@ files_getattr_all_pipes(devicekit_disk_t)
|
|
files_manage_boot_dirs(devicekit_disk_t)
|
|
files_manage_isid_type_dirs(devicekit_disk_t)
|
|
files_manage_mnt_dirs(devicekit_disk_t)
|
|
+files_manage_etc_files(devicekit_disk_t)
|
|
files_read_etc_runtime_files(devicekit_disk_t)
|
|
-files_read_usr_files(devicekit_disk_t)
|
|
|
|
fs_getattr_all_fs(devicekit_disk_t)
|
|
fs_list_inotifyfs(devicekit_disk_t)
|
|
@@ -135,18 +136,18 @@ storage_raw_write_fixed_disk(devicekit_disk_t)
|
|
storage_raw_read_removable_device(devicekit_disk_t)
|
|
storage_raw_write_removable_device(devicekit_disk_t)
|
|
|
|
-term_use_all_terms(devicekit_disk_t)
|
|
+term_use_all_inherited_terms(devicekit_disk_t)
|
|
|
|
auth_use_nsswitch(devicekit_disk_t)
|
|
|
|
logging_send_syslog_msg(devicekit_disk_t)
|
|
|
|
-miscfiles_read_localization(devicekit_disk_t)
|
|
-
|
|
userdom_read_all_users_state(devicekit_disk_t)
|
|
userdom_search_user_home_dirs(devicekit_disk_t)
|
|
+userdom_manage_user_tmp_dirs(devicekit_disk_t)
|
|
|
|
optional_policy(`
|
|
+ dbus_system_domain(devicekit_disk_t, devicekit_disk_exec_t)
|
|
dbus_system_bus_client(devicekit_disk_t)
|
|
|
|
allow devicekit_disk_t devicekit_t:dbus send_msg;
|
|
@@ -170,6 +171,7 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
mount_domtrans(devicekit_disk_t)
|
|
+ mount_read_pid_files(devicekit_disk_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -183,6 +185,11 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ systemd_read_logind_sessions_files(devicekit_disk_t)
|
|
+ systemd_write_inhibit_pipes(devicekit_disk_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
udev_domtrans(devicekit_disk_t)
|
|
udev_read_db(devicekit_disk_t)
|
|
udev_read_pid_files(devicekit_disk_t)
|
|
@@ -192,12 +199,19 @@ optional_policy(`
|
|
virt_manage_images(devicekit_disk_t)
|
|
')
|
|
|
|
+optional_policy(`
|
|
+ unconfined_domain(devicekit_t)
|
|
+ unconfined_domain(devicekit_power_t)
|
|
+ unconfined_domain(devicekit_disk_t)
|
|
+')
|
|
+
|
|
########################################
|
|
#
|
|
# Power local policy
|
|
#
|
|
|
|
-allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice sys_ptrace };
|
|
+allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_tty_config sys_nice };
|
|
+allow devicekit_power_t self:capability2 compromise_kernel;
|
|
allow devicekit_power_t self:process { getsched signal_perms };
|
|
allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
|
|
allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
|
|
@@ -212,9 +226,7 @@ manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
|
manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
|
|
files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
|
|
|
|
-allow devicekit_power_t devicekit_var_log_t:file append_file_perms;
|
|
-allow devicekit_power_t devicekit_var_log_t:file create_file_perms;
|
|
-allow devicekit_power_t devicekit_var_log_t:file setattr_file_perms;
|
|
+manage_files_pattern(devicekit_power_t, devicekit_var_log_t, devicekit_var_log_t)
|
|
logging_log_filetrans(devicekit_power_t, devicekit_var_log_t, file)
|
|
|
|
manage_dirs_pattern(devicekit_power_t, devicekit_var_run_t, devicekit_var_run_t)
|
|
@@ -248,21 +260,18 @@ domain_read_all_domains_state(devicekit_power_t)
|
|
|
|
files_read_kernel_img(devicekit_power_t)
|
|
files_read_etc_runtime_files(devicekit_power_t)
|
|
-files_read_usr_files(devicekit_power_t)
|
|
files_dontaudit_list_mnt(devicekit_power_t)
|
|
|
|
fs_getattr_all_fs(devicekit_power_t)
|
|
fs_list_inotifyfs(devicekit_power_t)
|
|
|
|
-term_use_all_terms(devicekit_power_t)
|
|
+term_use_all_inherited_terms(devicekit_power_t)
|
|
|
|
auth_use_nsswitch(devicekit_power_t)
|
|
|
|
init_all_labeled_script_domtrans(devicekit_power_t)
|
|
init_read_utmp(devicekit_power_t)
|
|
|
|
-miscfiles_read_localization(devicekit_power_t)
|
|
-
|
|
sysnet_domtrans_ifconfig(devicekit_power_t)
|
|
sysnet_domtrans_dhcpc(devicekit_power_t)
|
|
|
|
@@ -277,6 +286,12 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ cron_initrc_domtrans(devicekit_power_t)
|
|
+ cron_systemctl(devicekit_power_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dbus_system_domain(devicekit_power_t, devicekit_power_exec_t)
|
|
dbus_system_bus_client(devicekit_power_t)
|
|
|
|
allow devicekit_power_t devicekit_t:dbus send_msg;
|
|
@@ -307,8 +322,11 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ gnome_manage_home_config(devicekit_power_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
hal_domtrans_mac(devicekit_power_t)
|
|
- hal_manage_log(devicekit_power_t)
|
|
hal_manage_pid_dirs(devicekit_power_t)
|
|
hal_manage_pid_files(devicekit_power_t)
|
|
')
|
|
@@ -347,3 +365,9 @@ optional_policy(`
|
|
optional_policy(`
|
|
vbetool_domtrans(devicekit_power_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ corenet_tcp_connect_xserver_port(devicekit_power_t)
|
|
+ xserver_stream_connect(devicekit_power_t)
|
|
+')
|
|
+
|
|
diff --git a/dhcp.fc b/dhcp.fc
|
|
index 8182c48..74d8d39 100644
|
|
--- a/dhcp.fc
|
|
+++ b/dhcp.fc
|
|
@@ -1,4 +1,5 @@
|
|
/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
|
|
+/usr/lib/systemd/system/dhcpcd.* -- gen_context(system_u:object_r:dhcpd_unit_file_t,s0)
|
|
|
|
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
|
|
|
|
diff --git a/dhcp.if b/dhcp.if
|
|
index c697edb..31d45bf 100644
|
|
--- a/dhcp.if
|
|
+++ b/dhcp.if
|
|
@@ -36,7 +36,7 @@ interface(`dhcpd_setattr_state_files',`
|
|
')
|
|
|
|
sysnet_search_dhcp_state($1)
|
|
- allow $1 dhcpd_state_t:file setattr;
|
|
+ allow $1 dhcpd_state_t:file setattr_file_perms;
|
|
')
|
|
|
|
########################################
|
|
@@ -60,6 +60,30 @@ interface(`dhcpd_initrc_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Execute dhcpd server in the dhcpd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dhcpd_systemctl',`
|
|
+ gen_require(`
|
|
+ type dhcpd_unit_file_t;
|
|
+ type dhcpd_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_search_unit_dirs($1)
|
|
+ allow $1 dhcpd_unit_file_t:file read_file_perms;
|
|
+ allow $1 dhcpd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, dhcpd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## All of the rules required to
|
|
## administrate an dhcpd environment.
|
|
## </summary>
|
|
@@ -79,11 +103,16 @@ interface(`dhcpd_admin',`
|
|
gen_require(`
|
|
type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
|
|
type dhcpd_var_run_t, dhcpd_initrc_exec_t;
|
|
+ type dhcpd_unit_file_t;
|
|
')
|
|
|
|
- allow $1 dhcpd_t:process { ptrace signal_perms };
|
|
+ allow $1 dhcpd_t:process signal_perms;
|
|
ps_process_pattern($1, dhcpd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 dhcpd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, dhcpd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 dhcpd_initrc_exec_t system_r;
|
|
@@ -97,4 +126,8 @@ interface(`dhcpd_admin',`
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, dhcpd_var_run_t)
|
|
+
|
|
+ dhcpd_systemctl($1)
|
|
+ admin_pattern($1, dhcpd_unit_file_t)
|
|
+ allow $1 dhcpd_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/dhcp.te b/dhcp.te
|
|
index 98a24b9..36e32aa 100644
|
|
--- a/dhcp.te
|
|
+++ b/dhcp.te
|
|
@@ -20,6 +20,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
|
|
type dhcpd_initrc_exec_t;
|
|
init_script_file(dhcpd_initrc_exec_t)
|
|
|
|
+type dhcpd_unit_file_t;
|
|
+systemd_unit_file(dhcpd_unit_file_t)
|
|
+
|
|
type dhcpd_state_t;
|
|
files_type(dhcpd_state_t)
|
|
|
|
@@ -58,7 +61,6 @@ kernel_read_system_state(dhcpd_t)
|
|
kernel_read_kernel_sysctls(dhcpd_t)
|
|
kernel_read_network_state(dhcpd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(dhcpd_t)
|
|
corenet_all_recvfrom_netlabel(dhcpd_t)
|
|
corenet_tcp_sendrecv_generic_if(dhcpd_t)
|
|
corenet_udp_sendrecv_generic_if(dhcpd_t)
|
|
@@ -94,7 +96,6 @@ fs_search_auto_mountpoints(dhcpd_t)
|
|
|
|
domain_use_interactive_fds(dhcpd_t)
|
|
|
|
-files_read_usr_files(dhcpd_t)
|
|
files_read_etc_runtime_files(dhcpd_t)
|
|
files_search_var_lib(dhcpd_t)
|
|
|
|
@@ -102,8 +103,6 @@ auth_use_nsswitch(dhcpd_t)
|
|
|
|
logging_send_syslog_msg(dhcpd_t)
|
|
|
|
-miscfiles_read_localization(dhcpd_t)
|
|
-
|
|
sysnet_read_dhcp_config(dhcpd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
|
|
@@ -113,11 +112,20 @@ tunable_policy(`dhcpd_use_ldap',`
|
|
sysnet_use_ldap(dhcpd_t)
|
|
')
|
|
|
|
+ifdef(`distro_gentoo',`
|
|
+ allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
|
|
+')
|
|
+
|
|
optional_policy(`
|
|
+ # used for dynamic DNS
|
|
bind_read_dnssec_keys(dhcpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ cobbler_dontaudit_rw_log(dhcpd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
dbus_system_bus_client(dhcpd_t)
|
|
dbus_connect_system_bus(dhcpd_t)
|
|
')
|
|
diff --git a/dictd.if b/dictd.if
|
|
index 3cc3494..cb0a1f4 100644
|
|
--- a/dictd.if
|
|
+++ b/dictd.if
|
|
@@ -38,8 +38,11 @@ interface(`dictd_admin',`
|
|
type dictd_var_run_t, dictd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 dictd_t:process { ptrace signal_perms };
|
|
+ allow $1 dictd_t:process signal_perms;
|
|
ps_process_pattern($1, dictd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 dictd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, dictd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff --git a/dictd.te b/dictd.te
|
|
index 433d3c5..0dccebf 100644
|
|
--- a/dictd.te
|
|
+++ b/dictd.te
|
|
@@ -43,7 +43,6 @@ files_pid_filetrans(dictd_t, dictd_var_run_t, file)
|
|
kernel_read_system_state(dictd_t)
|
|
kernel_read_kernel_sysctls(dictd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(dictd_t)
|
|
corenet_all_recvfrom_netlabel(dictd_t)
|
|
corenet_tcp_sendrecv_generic_if(dictd_t)
|
|
corenet_tcp_sendrecv_generic_node(dictd_t)
|
|
@@ -58,7 +57,6 @@ dev_read_sysfs(dictd_t)
|
|
domain_use_interactive_fds(dictd_t)
|
|
|
|
files_read_etc_runtime_files(dictd_t)
|
|
-files_read_usr_files(dictd_t)
|
|
files_search_var_lib(dictd_t)
|
|
|
|
fs_getattr_xattr_fs(dictd_t)
|
|
@@ -68,8 +66,6 @@ auth_use_nsswitch(dictd_t)
|
|
|
|
logging_send_syslog_msg(dictd_t)
|
|
|
|
-miscfiles_read_localization(dictd_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(dictd_t)
|
|
|
|
optional_policy(`
|
|
diff --git a/dirmngr.te b/dirmngr.te
|
|
index b3b2188..5f91705 100644
|
|
--- a/dirmngr.te
|
|
+++ b/dirmngr.te
|
|
@@ -53,6 +53,5 @@ files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
|
|
|
|
kernel_read_crypto_sysctls(dirmngr_t)
|
|
|
|
-files_read_etc_files(dirmngr_t)
|
|
|
|
miscfiles_read_localization(dirmngr_t)
|
|
diff --git a/dirsrv-admin.fc b/dirsrv-admin.fc
|
|
new file mode 100644
|
|
index 0000000..8c44697
|
|
--- /dev/null
|
|
+++ b/dirsrv-admin.fc
|
|
@@ -0,0 +1,15 @@
|
|
+/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
|
|
+
|
|
+/etc/dirsrv/dsgw(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
|
|
+
|
|
+/usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
|
|
+/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
|
|
+/usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
|
|
+
|
|
+/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
|
|
+/usr/lib/dirsrv/dsgw-cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
|
|
+
|
|
+/usr/lib/dirsrv/cgi-bin/ds_create -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
|
|
+/usr/lib/dirsrv/cgi-bin/ds_remove -- gen_context(system_u:object_r:dirsrvadmin_unconfined_script_exec_t,s0)
|
|
+
|
|
+/var/lock/subsys/dirsrv-admin -- gen_context(system_u:object_r:dirsrvadmin_lock_t,s0)
|
|
diff --git a/dirsrv-admin.if b/dirsrv-admin.if
|
|
new file mode 100644
|
|
index 0000000..30416f2
|
|
--- /dev/null
|
|
+++ b/dirsrv-admin.if
|
|
@@ -0,0 +1,133 @@
|
|
+## <summary>Administration Server for Directory Server, dirsrv-admin.</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Exec dirsrv-admin programs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dirsrvadmin_run_exec',`
|
|
+ gen_require(`
|
|
+ type dirsrvadmin_exec_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
|
|
+ can_exec($1, dirsrvadmin_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Exec cgi programs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dirsrvadmin_run_httpd_script_exec',`
|
|
+ gen_require(`
|
|
+ type httpd_dirsrvadmin_script_exec_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
|
|
+ can_exec($1, httpd_dirsrvadmin_script_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage dirsrv-adminserver configuration files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dirsrvadmin_read_config',`
|
|
+ gen_require(`
|
|
+ type dirsrvadmin_config_t;
|
|
+ ')
|
|
+
|
|
+ read_files_pattern($1, dirsrvadmin_config_t, dirsrvadmin_config_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage dirsrv-adminserver configuration files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dirsrvadmin_manage_config',`
|
|
+ gen_require(`
|
|
+ type dirsrvadmin_config_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
|
|
+ allow $1 dirsrvadmin_config_t:file manage_file_perms;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Read dirsrv-adminserver tmp files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dirsrvadmin_read_tmp',`
|
|
+ gen_require(`
|
|
+ type dirsrvadmin_tmp_t;
|
|
+ ')
|
|
+
|
|
+ read_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage dirsrv-adminserver tmp files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dirsrvadmin_manage_tmp',`
|
|
+ gen_require(`
|
|
+ type dirsrvadmin_tmp_t;
|
|
+ ')
|
|
+
|
|
+ manage_files_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
|
|
+ manage_dirs_pattern($1, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute admin cgi programs in caller domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dirsrvadmin_domtrans_unconfined_script_t',`
|
|
+ gen_require(`
|
|
+ type dirsrvadmin_unconfined_script_t;
|
|
+ type dirsrvadmin_unconfined_script_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, dirsrvadmin_unconfined_script_exec_t, dirsrvadmin_unconfined_script_t)
|
|
+ allow $1 dirsrvadmin_unconfined_script_t:process signal_perms;
|
|
+')
|
|
diff --git a/dirsrv-admin.te b/dirsrv-admin.te
|
|
new file mode 100644
|
|
index 0000000..021c5ae
|
|
--- /dev/null
|
|
+++ b/dirsrv-admin.te
|
|
@@ -0,0 +1,157 @@
|
|
+policy_module(dirsrv-admin,1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations for the daemon
|
|
+#
|
|
+
|
|
+type dirsrvadmin_t;
|
|
+type dirsrvadmin_exec_t;
|
|
+init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t)
|
|
+role system_r types dirsrvadmin_t;
|
|
+
|
|
+type dirsrvadmin_config_t;
|
|
+files_type(dirsrvadmin_config_t)
|
|
+
|
|
+type dirsrvadmin_lock_t;
|
|
+files_lock_file(dirsrvadmin_lock_t)
|
|
+
|
|
+type dirsrvadmin_tmp_t;
|
|
+files_tmp_file(dirsrvadmin_tmp_t)
|
|
+
|
|
+type dirsrvadmin_unconfined_script_t;
|
|
+type dirsrvadmin_unconfined_script_exec_t;
|
|
+domain_type(dirsrvadmin_unconfined_script_t)
|
|
+domain_entry_file(dirsrvadmin_unconfined_script_t, dirsrvadmin_unconfined_script_exec_t)
|
|
+corecmd_shell_entry_type(dirsrvadmin_unconfined_script_t)
|
|
+role system_r types dirsrvadmin_unconfined_script_t;
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Local policy for the daemon
|
|
+#
|
|
+
|
|
+allow dirsrvadmin_t self:fifo_file rw_fifo_file_perms;
|
|
+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config sys_resource };
|
|
+allow dirsrvadmin_t self:process { setrlimit signal_perms };
|
|
+
|
|
+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
|
|
+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
|
|
+files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir })
|
|
+
|
|
+kernel_read_system_state(dirsrvadmin_t)
|
|
+
|
|
+corecmd_exec_bin(dirsrvadmin_t)
|
|
+corecmd_read_bin_symlinks(dirsrvadmin_t)
|
|
+corecmd_search_bin(dirsrvadmin_t)
|
|
+corecmd_shell_entry_type(dirsrvadmin_t)
|
|
+
|
|
+files_exec_etc_files(dirsrvadmin_t)
|
|
+
|
|
+libs_exec_ld_so(dirsrvadmin_t)
|
|
+
|
|
+logging_search_logs(dirsrvadmin_t)
|
|
+
|
|
+# Needed for stop and restart scripts
|
|
+dirsrv_read_var_run(dirsrvadmin_t)
|
|
+
|
|
+optional_policy(`
|
|
+ apache_domtrans(dirsrvadmin_t)
|
|
+ apache_signal(dirsrvadmin_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Local policy for the CGIs
|
|
+#
|
|
+#
|
|
+#
|
|
+# Create a domain for the CGI scripts
|
|
+
|
|
+optional_policy(`
|
|
+ apache_content_template(dirsrvadmin)
|
|
+
|
|
+ allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
|
|
+ allow httpd_dirsrvadmin_script_t self:capability { fowner fsetid setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
|
|
+ allow httpd_dirsrvadmin_script_t self:tcp_socket create_stream_socket_perms;
|
|
+ allow httpd_dirsrvadmin_script_t self:udp_socket create_socket_perms;
|
|
+ allow httpd_dirsrvadmin_script_t self:unix_dgram_socket create_socket_perms;
|
|
+ allow httpd_dirsrvadmin_script_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+ allow httpd_dirsrvadmin_script_t self:sem create_sem_perms;
|
|
+
|
|
+
|
|
+ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, dirsrvadmin_lock_t)
|
|
+ files_lock_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_lock_t, { file })
|
|
+
|
|
+ kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
|
|
+
|
|
+
|
|
+ corenet_tcp_bind_generic_node(httpd_dirsrvadmin_script_t)
|
|
+ corenet_udp_bind_generic_node(httpd_dirsrvadmin_script_t)
|
|
+ corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
|
|
+
|
|
+ corenet_tcp_bind_http_port(httpd_dirsrvadmin_script_t)
|
|
+ corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
|
|
+ corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
|
|
+ corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
|
|
+
|
|
+ files_search_var_lib(httpd_dirsrvadmin_script_t)
|
|
+
|
|
+ sysnet_read_config(httpd_dirsrvadmin_script_t)
|
|
+
|
|
+ manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
|
|
+ manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
|
|
+ files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
|
|
+
|
|
+ optional_policy(`
|
|
+ apache_read_modules(httpd_dirsrvadmin_script_t)
|
|
+ apache_read_config(httpd_dirsrvadmin_script_t)
|
|
+ apache_signal(httpd_dirsrvadmin_script_t)
|
|
+ apache_signull(httpd_dirsrvadmin_script_t)
|
|
+ ')
|
|
+
|
|
+ optional_policy(`
|
|
+ # The CGI scripts must be able to manage dirsrv-admin
|
|
+ dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
|
|
+ dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
|
|
+ dirsrv_domtrans(httpd_dirsrvadmin_script_t)
|
|
+ dirsrv_signal(httpd_dirsrvadmin_script_t)
|
|
+ dirsrv_signull(httpd_dirsrvadmin_script_t)
|
|
+ dirsrv_manage_log(httpd_dirsrvadmin_script_t)
|
|
+ dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
|
|
+ dirsrv_pid_filetrans(httpd_dirsrvadmin_script_t)
|
|
+ dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
|
|
+ dirsrv_manage_config(httpd_dirsrvadmin_script_t)
|
|
+ dirsrv_read_share(httpd_dirsrvadmin_script_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# Local policy for the admin CGIs
|
|
+#
|
|
+#
|
|
+
|
|
+
|
|
+manage_files_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
|
|
+manage_dirs_pattern(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
|
|
+files_tmp_filetrans(dirsrvadmin_unconfined_script_t, dirsrvadmin_tmp_t, { file dir })
|
|
+
|
|
+# needed because of filetrans rules
|
|
+dirsrvadmin_run_exec(dirsrvadmin_unconfined_script_t)
|
|
+dirsrvadmin_manage_config(dirsrvadmin_unconfined_script_t)
|
|
+dirsrv_domtrans(dirsrvadmin_unconfined_script_t)
|
|
+dirsrv_signal(dirsrvadmin_unconfined_script_t)
|
|
+dirsrv_signull(dirsrvadmin_unconfined_script_t)
|
|
+dirsrv_manage_log(dirsrvadmin_unconfined_script_t)
|
|
+dirsrv_manage_var_lib(dirsrvadmin_unconfined_script_t)
|
|
+dirsrv_pid_filetrans(dirsrvadmin_unconfined_script_t)
|
|
+dirsrv_manage_var_run(dirsrvadmin_unconfined_script_t)
|
|
+dirsrv_manage_config(dirsrvadmin_unconfined_script_t)
|
|
+dirsrv_read_share(dirsrvadmin_unconfined_script_t)
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_domain(dirsrvadmin_unconfined_script_t)
|
|
+')
|
|
+
|
|
+
|
|
diff --git a/dirsrv.fc b/dirsrv.fc
|
|
new file mode 100644
|
|
index 0000000..5d30dab
|
|
--- /dev/null
|
|
+++ b/dirsrv.fc
|
|
@@ -0,0 +1,23 @@
|
|
+/etc/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_config_t,s0)
|
|
+
|
|
+/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
|
|
+/usr/sbin/ldap-agent -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
|
+/usr/sbin/ldap-agent-bin -- gen_context(system_u:object_r:dirsrv_snmp_exec_t,s0)
|
|
+/usr/sbin/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
|
+/usr/sbin/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
|
+
|
|
+/usr/share/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_share_t,s0)
|
|
+
|
|
+/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0)
|
|
+/var/run/ldap-agent\.pid gen_context(system_u:object_r:dirsrv_snmp_var_run_t,s0)
|
|
+
|
|
+# BZ:
|
|
+/var/run/slapd.* -s gen_context(system_u:object_r:dirsrv_var_run_t,s0)
|
|
+
|
|
+/var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
|
|
+
|
|
+/var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
|
|
+
|
|
+/var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_log_t,s0)
|
|
+
|
|
+/var/log/dirsrv/ldap-agent.log.* gen_context(system_u:object_r:dirsrv_snmp_var_log_t,s0)
|
|
diff --git a/dirsrv.if b/dirsrv.if
|
|
new file mode 100644
|
|
index 0000000..b214253
|
|
--- /dev/null
|
|
+++ b/dirsrv.if
|
|
@@ -0,0 +1,208 @@
|
|
+## <summary>policy for dirsrv</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute a domain transition to run dirsrv.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dirsrv_domtrans',`
|
|
+ gen_require(`
|
|
+ type dirsrv_t, dirsrv_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, dirsrv_exec_t,dirsrv_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow caller to signal dirsrv.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dirsrv_signal',`
|
|
+ gen_require(`
|
|
+ type dirsrv_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 dirsrv_t:process signal;
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send a null signal to dirsrv.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dirsrv_signull',`
|
|
+ gen_require(`
|
|
+ type dirsrv_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 dirsrv_t:process signull;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow a domain to manage dirsrv logs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dirsrv_manage_log',`
|
|
+ gen_require(`
|
|
+ type dirsrv_var_log_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 dirsrv_var_log_t:dir manage_dir_perms;
|
|
+ allow $1 dirsrv_var_log_t:file manage_file_perms;
|
|
+ allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow a domain to manage dirsrv /var/lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dirsrv_manage_var_lib',`
|
|
+ gen_require(`
|
|
+ type dirsrv_var_lib_t;
|
|
+ ')
|
|
+ allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
|
|
+ allow $1 dirsrv_var_lib_t:file manage_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Connect to dirsrv over a unix stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dirsrv_stream_connect',`
|
|
+ gen_require(`
|
|
+ type dirsrv_t, dirsrv_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow a domain to manage dirsrv /var/run files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dirsrv_manage_var_run',`
|
|
+ gen_require(`
|
|
+ type dirsrv_var_run_t;
|
|
+ ')
|
|
+ allow $1 dirsrv_var_run_t:dir manage_dir_perms;
|
|
+ allow $1 dirsrv_var_run_t:file manage_file_perms;
|
|
+ allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Allow a domain to create dirsrv pid directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dirsrv_pid_filetrans',`
|
|
+ gen_require(`
|
|
+ type dirsrv_var_run_t;
|
|
+ ')
|
|
+ # Allow creating a dir in /var/run with this type
|
|
+ files_pid_filetrans($1, dirsrv_var_run_t, dir)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow a domain to read dirsrv /var/run files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dirsrv_read_var_run',`
|
|
+ gen_require(`
|
|
+ type dirsrv_var_run_t;
|
|
+ ')
|
|
+ allow $1 dirsrv_var_run_t:dir list_dir_perms;
|
|
+ allow $1 dirsrv_var_run_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage dirsrv configuration files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dirsrv_manage_config',`
|
|
+ gen_require(`
|
|
+ type dirsrv_config_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 dirsrv_config_t:dir manage_dir_perms;
|
|
+ allow $1 dirsrv_config_t:file manage_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read dirsrv share files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dirsrv_read_share',`
|
|
+ gen_require(`
|
|
+ type dirsrv_share_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 dirsrv_share_t:dir list_dir_perms;
|
|
+ allow $1 dirsrv_share_t:file read_file_perms;
|
|
+ allow $1 dirsrv_share_t:lnk_file read;
|
|
+')
|
|
diff --git a/dirsrv.te b/dirsrv.te
|
|
new file mode 100644
|
|
index 0000000..73d1b46
|
|
--- /dev/null
|
|
+++ b/dirsrv.te
|
|
@@ -0,0 +1,196 @@
|
|
+policy_module(dirsrv,1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+# main daemon
|
|
+type dirsrv_t;
|
|
+type dirsrv_exec_t;
|
|
+domain_type(dirsrv_t)
|
|
+init_daemon_domain(dirsrv_t, dirsrv_exec_t)
|
|
+
|
|
+type dirsrv_snmp_t;
|
|
+type dirsrv_snmp_exec_t;
|
|
+domain_type(dirsrv_snmp_t)
|
|
+init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
|
|
+
|
|
+type dirsrv_var_lib_t;
|
|
+files_type(dirsrv_var_lib_t)
|
|
+
|
|
+type dirsrv_var_log_t;
|
|
+logging_log_file(dirsrv_var_log_t)
|
|
+
|
|
+type dirsrv_snmp_var_log_t;
|
|
+logging_log_file(dirsrv_snmp_var_log_t)
|
|
+
|
|
+type dirsrv_var_run_t;
|
|
+files_pid_file(dirsrv_var_run_t)
|
|
+
|
|
+type dirsrv_snmp_var_run_t;
|
|
+files_pid_file(dirsrv_snmp_var_run_t)
|
|
+
|
|
+type dirsrv_var_lock_t;
|
|
+files_lock_file(dirsrv_var_lock_t)
|
|
+
|
|
+type dirsrv_config_t;
|
|
+files_type(dirsrv_config_t)
|
|
+
|
|
+type dirsrv_tmp_t;
|
|
+files_tmp_file(dirsrv_tmp_t)
|
|
+
|
|
+type dirsrv_tmpfs_t;
|
|
+files_tmpfs_file(dirsrv_tmpfs_t)
|
|
+
|
|
+type dirsrv_share_t;
|
|
+files_type(dirsrv_share_t);
|
|
+
|
|
+########################################
|
|
+#
|
|
+# dirsrv local policy
|
|
+#
|
|
+allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
|
|
+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
|
|
+allow dirsrv_t self:fifo_file manage_fifo_file_perms;
|
|
+allow dirsrv_t self:sem create_sem_perms;
|
|
+allow dirsrv_t self:tcp_socket create_stream_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
|
|
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
|
|
+manage_lnk_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
|
|
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, { dir file })
|
|
+
|
|
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
|
|
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
|
|
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
|
|
+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
|
|
+
|
|
+manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
|
|
+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
|
|
+manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
|
|
+allow dirsrv_t dirsrv_var_log_t:dir { setattr };
|
|
+logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
|
|
+
|
|
+manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
|
|
+manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
|
|
+manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
|
|
+files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file })
|
|
+
|
|
+manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
|
|
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
|
|
+files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, file)
|
|
+files_setattr_lock_dirs(dirsrv_t)
|
|
+
|
|
+manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
|
|
+manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
|
|
+manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
|
|
+
|
|
+manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
|
|
+manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
|
|
+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
|
|
+allow dirsrv_t dirsrv_tmp_t:file relabel_file_perms;
|
|
+
|
|
+kernel_read_network_state(dirsrv_t)
|
|
+kernel_read_system_state(dirsrv_t)
|
|
+kernel_read_kernel_sysctls(dirsrv_t)
|
|
+
|
|
+corecmd_search_bin(dirsrv_t)
|
|
+
|
|
+corenet_all_recvfrom_netlabel(dirsrv_t)
|
|
+corenet_tcp_sendrecv_generic_if(dirsrv_t)
|
|
+corenet_tcp_sendrecv_generic_node(dirsrv_t)
|
|
+corenet_tcp_sendrecv_all_ports(dirsrv_t)
|
|
+corenet_tcp_bind_generic_node(dirsrv_t)
|
|
+corenet_tcp_bind_ldap_port(dirsrv_t)
|
|
+corenet_tcp_bind_dogtag_port(dirsrv_t)
|
|
+corenet_tcp_bind_all_rpc_ports(dirsrv_t)
|
|
+corenet_udp_bind_all_rpc_ports(dirsrv_t)
|
|
+corenet_tcp_connect_all_ports(dirsrv_t)
|
|
+corenet_sendrecv_ldap_server_packets(dirsrv_t)
|
|
+corenet_sendrecv_all_client_packets(dirsrv_t)
|
|
+
|
|
+dev_read_sysfs(dirsrv_t)
|
|
+dev_read_urand(dirsrv_t)
|
|
+
|
|
+files_read_usr_symlinks(dirsrv_t)
|
|
+
|
|
+fs_getattr_all_fs(dirsrv_t)
|
|
+
|
|
+auth_use_pam(dirsrv_t)
|
|
+
|
|
+logging_send_syslog_msg(dirsrv_t)
|
|
+
|
|
+sysnet_dns_name_resolve(dirsrv_t)
|
|
+
|
|
+optional_policy(`
|
|
+ apache_dontaudit_leaks(dirsrv_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dirsrvadmin_read_tmp(dirsrv_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ kerberos_use(dirsrv_t)
|
|
+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldapmap1_0")
|
|
+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_487")
|
|
+ kerberos_tmp_filetrans_host_rcache(dirsrv_t, "ldap_55")
|
|
+')
|
|
+
|
|
+# FIPS mode
|
|
+optional_policy(`
|
|
+ prelink_exec(dirsrv_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rpcbind_stream_connect(dirsrv_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ uuidd_stream_connect_manager(dirsrv_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# dirsrv-snmp local policy
|
|
+#
|
|
+allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
|
|
+allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
|
|
+
|
|
+rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
|
|
+
|
|
+read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
|
|
+
|
|
+read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
|
|
+
|
|
+manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
|
|
+files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
|
|
+search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
|
|
+
|
|
+manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
|
|
+filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
|
|
+
|
|
+corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
|
|
+
|
|
+dev_read_rand(dirsrv_snmp_t)
|
|
+dev_read_urand(dirsrv_snmp_t)
|
|
+
|
|
+domain_use_interactive_fds(dirsrv_snmp_t)
|
|
+
|
|
+#files_manage_var_files(dirsrv_snmp_t)
|
|
+
|
|
+fs_getattr_tmpfs(dirsrv_snmp_t)
|
|
+fs_search_tmpfs(dirsrv_snmp_t)
|
|
+
|
|
+
|
|
+sysnet_read_config(dirsrv_snmp_t)
|
|
+sysnet_dns_name_resolve(dirsrv_snmp_t)
|
|
+
|
|
+optional_policy(`
|
|
+ snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
|
|
+ snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
|
|
+ snmp_manage_var_lib_dirs(dirsrv_snmp_t)
|
|
+ snmp_manage_var_lib_files(dirsrv_snmp_t)
|
|
+ snmp_stream_connect(dirsrv_snmp_t)
|
|
+')
|
|
diff --git a/distcc.if b/distcc.if
|
|
index 24d8c74..1790ec5 100644
|
|
--- a/distcc.if
|
|
+++ b/distcc.if
|
|
@@ -19,7 +19,7 @@
|
|
#
|
|
interface(`distcc_admin',`
|
|
gen_require(`
|
|
- type distccd_t, distccd_t, distccd_log_t;
|
|
+ type distccd_t, distccd_t, distccd_log_t, distccd_var_run_t;
|
|
type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
|
|
')
|
|
|
|
diff --git a/distcc.te b/distcc.te
|
|
index 898b2f4..8a1725b 100644
|
|
--- a/distcc.te
|
|
+++ b/distcc.te
|
|
@@ -47,7 +47,6 @@ files_pid_filetrans(distccd_t, distccd_var_run_t, file)
|
|
kernel_read_system_state(distccd_t)
|
|
kernel_read_kernel_sysctls(distccd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(distccd_t)
|
|
corenet_all_recvfrom_netlabel(distccd_t)
|
|
corenet_tcp_sendrecv_generic_if(distccd_t)
|
|
corenet_tcp_sendrecv_generic_node(distccd_t)
|
|
@@ -74,8 +73,6 @@ libs_exec_lib_files(distccd_t)
|
|
|
|
logging_send_syslog_msg(distccd_t)
|
|
|
|
-miscfiles_read_localization(distccd_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(distccd_t)
|
|
userdom_dontaudit_search_user_home_dirs(distccd_t)
|
|
|
|
diff --git a/djbdns.if b/djbdns.if
|
|
index 671d3c0..6d36c95 100644
|
|
--- a/djbdns.if
|
|
+++ b/djbdns.if
|
|
@@ -39,6 +39,23 @@ template(`djbdns_daemontools_domain_template',`
|
|
|
|
allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
|
|
allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
|
|
+
|
|
+ corenet_all_recvfrom_netlabel(djbdns_$1_t)
|
|
+ corenet_tcp_sendrecv_generic_if(djbdns_$1_t)
|
|
+ corenet_udp_sendrecv_generic_if(djbdns_$1_t)
|
|
+ corenet_tcp_sendrecv_generic_node(djbdns_$1_t)
|
|
+ corenet_udp_sendrecv_generic_node(djbdns_$1_t)
|
|
+ corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
|
|
+ corenet_udp_sendrecv_all_ports(djbdns_$1_t)
|
|
+ corenet_tcp_bind_generic_node(djbdns_$1_t)
|
|
+ corenet_udp_bind_generic_node(djbdns_$1_t)
|
|
+ corenet_tcp_bind_dns_port(djbdns_$1_t)
|
|
+ corenet_udp_bind_dns_port(djbdns_$1_t)
|
|
+ corenet_udp_bind_generic_port(djbdns_$1_t)
|
|
+ corenet_sendrecv_dns_server_packets(djbdns_$1_t)
|
|
+ corenet_sendrecv_generic_server_packets(djbdns_$1_t)
|
|
+
|
|
+ files_search_var(djbdns_$1_t)
|
|
')
|
|
|
|
#####################################
|
|
diff --git a/djbdns.te b/djbdns.te
|
|
index 87ca536..ebd327a 100644
|
|
--- a/djbdns.te
|
|
+++ b/djbdns.te
|
|
@@ -48,6 +48,10 @@ corenet_udp_bind_generic_port(djbdns_domain)
|
|
|
|
files_search_var(djbdns_domain)
|
|
|
|
+daemontools_ipc_domain(djbdns_axfrdns_t)
|
|
+daemontools_read_svc(djbdns_axfrdns_t)
|
|
+
|
|
+
|
|
########################################
|
|
#
|
|
# axfrdns local policy
|
|
diff --git a/dkim.fc b/dkim.fc
|
|
index 5818418..674367b 100644
|
|
--- a/dkim.fc
|
|
+++ b/dkim.fc
|
|
@@ -9,7 +9,6 @@
|
|
|
|
/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
|
|
|
|
-/var/run/dkim-filter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
|
|
/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
|
|
/var/run/dkim-milter\.pid -- gen_context(system_u:object_r:dkim_milter_data_t,s0)
|
|
|
|
diff --git a/dmidecode.if b/dmidecode.if
|
|
index 41c3f67..653a1ec 100644
|
|
--- a/dmidecode.if
|
|
+++ b/dmidecode.if
|
|
@@ -19,6 +19,25 @@ interface(`dmidecode_domtrans',`
|
|
domtrans_pattern($1, dmidecode_exec_t, dmidecode_t)
|
|
')
|
|
|
|
+######################################
|
|
+## <summary>
|
|
+## Execute dmidecode in the caller domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dmidecode_exec',`
|
|
+ gen_require(`
|
|
+ type dmidecode_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ can_exec($1, dmidecode_exec_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## Execute dmidecode in the dmidecode
|
|
diff --git a/dmidecode.te b/dmidecode.te
|
|
index aa0ef6e..02bdb68 100644
|
|
--- a/dmidecode.te
|
|
+++ b/dmidecode.te
|
|
@@ -31,4 +31,8 @@ mls_file_read_all_levels(dmidecode_t)
|
|
|
|
locallogin_use_fds(dmidecode_t)
|
|
|
|
-userdom_use_user_terminals(dmidecode_t)
|
|
+userdom_use_inherited_user_terminals(dmidecode_t)
|
|
+
|
|
+optional_policy(`
|
|
+ rhsmcertd_rw_inherited_lock_files(dmidecode_t)
|
|
+')
|
|
diff --git a/dnsmasq.fc b/dnsmasq.fc
|
|
index 23ab808..4a801b5 100644
|
|
--- a/dnsmasq.fc
|
|
+++ b/dnsmasq.fc
|
|
@@ -2,6 +2,8 @@
|
|
|
|
/etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_file_t,s0)
|
|
+
|
|
/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
|
|
|
|
/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
|
|
diff --git a/dnsmasq.if b/dnsmasq.if
|
|
index 19aa0b8..1e8b244 100644
|
|
--- a/dnsmasq.if
|
|
+++ b/dnsmasq.if
|
|
@@ -10,7 +10,6 @@
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-#
|
|
interface(`dnsmasq_domtrans',`
|
|
gen_require(`
|
|
type dnsmasq_exec_t, dnsmasq_t;
|
|
@@ -20,6 +19,42 @@ interface(`dnsmasq_domtrans',`
|
|
domtrans_pattern($1, dnsmasq_exec_t, dnsmasq_t)
|
|
')
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute dnsmasq server in the caller domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dnsmasq_exec',`
|
|
+ gen_require(`
|
|
+ type dnsmasq_exec_t;
|
|
+ ')
|
|
+
|
|
+ can_exec($1, dnsmasq_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow read/write dnsmasq pipes
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dnsmasq_rw_inherited_pipes',`
|
|
+ gen_require(`
|
|
+ type dnsmasq_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 dnsmasq_t:fifo_file rw_inherited_fifo_file_perms;
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## Execute the dnsmasq init script in
|
|
@@ -42,6 +77,48 @@ interface(`dnsmasq_initrc_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Execute dnsmasq server in the dnsmasq domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dnsmasq_systemctl',`
|
|
+ gen_require(`
|
|
+ type dnsmasq_unit_file_t;
|
|
+ type dnsmasq_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 dnsmasq_unit_file_t:file read_file_perms;
|
|
+ allow $1 dnsmasq_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, dnsmasq_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send sigchld to dnsmasq.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+#
|
|
+interface(`dnsmasq_sigchld',`
|
|
+ gen_require(`
|
|
+ type dnsmasq_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 dnsmasq_t:process sigchld;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Send generic signals to dnsmasq.
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -145,15 +222,16 @@ interface(`dnsmasq_write_config',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-#
|
|
interface(`dnsmasq_delete_pid_files',`
|
|
gen_require(`
|
|
type dnsmasq_var_run_t;
|
|
')
|
|
|
|
+ files_search_pids($1)
|
|
delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
|
|
')
|
|
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
@@ -176,7 +254,7 @@ interface(`dnsmasq_manage_pid_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read dnsmasq pid files.
|
|
+## Read dnsmasq pid files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -184,12 +262,12 @@ interface(`dnsmasq_manage_pid_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-#
|
|
interface(`dnsmasq_read_pid_files',`
|
|
gen_require(`
|
|
type dnsmasq_var_run_t;
|
|
')
|
|
|
|
+ files_search_pids($1)
|
|
read_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
|
|
')
|
|
|
|
@@ -214,37 +292,46 @@ interface(`dnsmasq_create_pid_dirs',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create specified objects in specified
|
|
-## directories with a type transition to
|
|
-## the dnsmasq pid file type.
|
|
+## Transition to dnsmasq named content
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="file_type">
|
|
-## <summary>
|
|
-## Directory to transition on.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="object">
|
|
-## <summary>
|
|
-## The object class of the object being created.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="name" optional="true">
|
|
+## <param name="private type">
|
|
## <summary>
|
|
-## The name of the object being created.
|
|
+## The type of the directory for the object to be created.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`dnsmasq_spec_filetrans_pid',`
|
|
+interface(`dnsmasq_filetrans_named_content_fromdir',`
|
|
gen_require(`
|
|
type dnsmasq_var_run_t;
|
|
')
|
|
|
|
- filetrans_pattern($1, $2, dnsmasq_var_run_t, $3, $4)
|
|
+ filetrans_pattern($1, $2, dnsmasq_var_run_t, dir, "network")
|
|
+ filetrans_pattern($1, $2, dnsmasq_var_run_t, file, "dnsmasq.pid")
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Transition to dnsmasq named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dnsmasq_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type dnsmasq_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_pid_filetrans($1, dnsmasq_var_run_t, dir, "network")
|
|
+ files_pid_filetrans($1, dnsmasq_var_run_t, file, "dnsmasq.pid")
|
|
+ virt_pid_filetrans($1, dnsmasq_var_run_t, file, "network")
|
|
')
|
|
|
|
########################################
|
|
@@ -267,12 +354,18 @@ interface(`dnsmasq_spec_filetrans_pid',`
|
|
interface(`dnsmasq_admin',`
|
|
gen_require(`
|
|
type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t;
|
|
- type dnsmasq_initrc_exec_t, dnsmasq_var_log_t;
|
|
+ type dnsmasq_var_log_t;
|
|
+ type dnsmasq_initrc_exec_t;
|
|
+ type dnsmasq_unit_file_t;
|
|
')
|
|
|
|
- allow $1 dnsmasq_t:process { ptrace signal_perms };
|
|
+ allow $1 dnsmasq_t:process signal_perms;
|
|
ps_process_pattern($1, dnsmasq_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 dnsmasq_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, dnsmasq_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 dnsmasq_initrc_exec_t system_r;
|
|
@@ -281,9 +374,13 @@ interface(`dnsmasq_admin',`
|
|
files_list_var_lib($1)
|
|
admin_pattern($1, dnsmasq_lease_t)
|
|
|
|
- logging_seearch_logs($1)
|
|
+ logging_search_logs($1)
|
|
admin_pattern($1, dnsmasq_var_log_t)
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, dnsmasq_var_run_t)
|
|
+
|
|
+ dnsmasq_systemctl($1)
|
|
+ admin_pattern($1, dnsmasq_unit_file_t)
|
|
+ allow $1 dnsmasq_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/dnsmasq.te b/dnsmasq.te
|
|
index 37a3b7b..83a8692 100644
|
|
--- a/dnsmasq.te
|
|
+++ b/dnsmasq.te
|
|
@@ -24,6 +24,9 @@ logging_log_file(dnsmasq_var_log_t)
|
|
type dnsmasq_var_run_t;
|
|
files_pid_file(dnsmasq_var_run_t)
|
|
|
|
+type dnsmasq_unit_file_t;
|
|
+systemd_unit_file(dnsmasq_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -52,11 +55,14 @@ manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t)
|
|
files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
|
|
|
|
kernel_read_kernel_sysctls(dnsmasq_t)
|
|
+kernel_read_net_sysctls(dnsmasq_t)
|
|
kernel_read_network_state(dnsmasq_t)
|
|
kernel_read_system_state(dnsmasq_t)
|
|
kernel_request_load_module(dnsmasq_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(dnsmasq_t)
|
|
+corecmd_exec_bin(dnsmasq_t)
|
|
+corecmd_exec_shell(dnsmasq_t)
|
|
+
|
|
corenet_all_recvfrom_netlabel(dnsmasq_t)
|
|
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
|
|
corenet_udp_sendrecv_generic_if(dnsmasq_t)
|
|
@@ -86,9 +92,9 @@ fs_search_auto_mountpoints(dnsmasq_t)
|
|
|
|
auth_use_nsswitch(dnsmasq_t)
|
|
|
|
-logging_send_syslog_msg(dnsmasq_t)
|
|
+libs_exec_ldconfig(dnsmasq_t)
|
|
|
|
-miscfiles_read_localization(dnsmasq_t)
|
|
+logging_send_syslog_msg(dnsmasq_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
|
|
userdom_dontaudit_search_user_home_dirs(dnsmasq_t)
|
|
@@ -98,12 +104,21 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ cron_manage_pid_files(dnsmasq_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
dbus_connect_system_bus(dnsmasq_t)
|
|
dbus_system_bus_client(dnsmasq_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- networkmanager_read_pid_files(dnsmasq_t)
|
|
+ dnsmasq_domtrans(dnsmasq_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ networkmanager_read_conf(dnsmasq_t)
|
|
+ networkmanager_manage_pid_files(dnsmasq_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -124,6 +139,14 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
virt_manage_lib_files(dnsmasq_t)
|
|
+ virt_read_lib_files(dnsmasq_t)
|
|
virt_read_pid_files(dnsmasq_t)
|
|
virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file })
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ neutron_manage_lib_files(dnsmasq_t)
|
|
+ neutron_stream_connect(dnsmasq_t)
|
|
+ neutron_rw_fifo_file(dnsmasq_t)
|
|
+ neutron_sigchld(dnsmasq_t)
|
|
+')
|
|
diff --git a/dnssec.fc b/dnssec.fc
|
|
new file mode 100644
|
|
index 0000000..9e231a8
|
|
--- /dev/null
|
|
+++ b/dnssec.fc
|
|
@@ -0,0 +1,3 @@
|
|
+/usr/sbin/dnssec-triggerd -- gen_context(system_u:object_r:dnssec_trigger_exec_t,s0)
|
|
+
|
|
+/var/run/dnssec.* gen_context(system_u:object_r:dnssec_trigger_var_run_t,s0)
|
|
diff --git a/dnssec.if b/dnssec.if
|
|
new file mode 100644
|
|
index 0000000..a952041
|
|
--- /dev/null
|
|
+++ b/dnssec.if
|
|
@@ -0,0 +1,64 @@
|
|
+
|
|
+## <summary>policy for dnssec_trigger</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to dnssec_trigger.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dnssec_trigger_domtrans',`
|
|
+ gen_require(`
|
|
+ type dnssec_trigger_t, dnssec_trigger_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, dnssec_trigger_exec_t, dnssec_trigger_t)
|
|
+')
|
|
+########################################
|
|
+## <summary>
|
|
+## Read dnssec_trigger PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dnssec_trigger_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type dnssec_trigger_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ allow $1 dnssec_trigger_var_run_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an dnssec_trigger environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dnssec_trigger_admin',`
|
|
+ gen_require(`
|
|
+ type dnssec_trigger_t;
|
|
+ type dnssec_trigger_var_run_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 dnssec_trigger_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, dnssec_trigger_t)
|
|
+
|
|
+ files_search_pids($1)
|
|
+ admin_pattern($1, dnssec_trigger_var_run_t)
|
|
+')
|
|
diff --git a/dnssec.te b/dnssec.te
|
|
new file mode 100644
|
|
index 0000000..7f715f8
|
|
--- /dev/null
|
|
+++ b/dnssec.te
|
|
@@ -0,0 +1,58 @@
|
|
+policy_module(dnssec, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type dnssec_trigger_t;
|
|
+type dnssec_trigger_exec_t;
|
|
+init_daemon_domain(dnssec_trigger_t, dnssec_trigger_exec_t)
|
|
+
|
|
+type dnssec_trigger_var_run_t;
|
|
+files_pid_file(dnssec_trigger_var_run_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# dnssec_trigger local policy
|
|
+#
|
|
+allow dnssec_trigger_t self:capability linux_immutable;
|
|
+allow dnssec_trigger_t self:process signal;
|
|
+allow dnssec_trigger_t self:fifo_file rw_fifo_file_perms;
|
|
+allow dnssec_trigger_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow dnssec_trigger_t self:tcp_socket create_stream_socket_perms;
|
|
+allow dnssec_trigger_t self:udp_socket create_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
|
|
+manage_files_pattern(dnssec_trigger_t, dnssec_trigger_var_run_t, dnssec_trigger_var_run_t)
|
|
+files_pid_filetrans(dnssec_trigger_t, dnssec_trigger_var_run_t, { dir file })
|
|
+
|
|
+kernel_read_system_state(dnssec_trigger_t)
|
|
+
|
|
+corecmd_exec_bin(dnssec_trigger_t)
|
|
+corecmd_exec_shell(dnssec_trigger_t)
|
|
+
|
|
+corenet_tcp_bind_generic_node(dnssec_trigger_t)
|
|
+corenet_tcp_bind_dnssec_port(dnssec_trigger_t)
|
|
+corenet_tcp_connect_rndc_port(dnssec_trigger_t)
|
|
+corenet_tcp_connect_http_port(dnssec_trigger_t)
|
|
+
|
|
+dev_read_urand(dnssec_trigger_t)
|
|
+
|
|
+domain_use_interactive_fds(dnssec_trigger_t)
|
|
+
|
|
+files_read_etc_runtime_files(dnssec_trigger_t)
|
|
+
|
|
+logging_send_syslog_msg(dnssec_trigger_t)
|
|
+
|
|
+auth_read_passwd(dnssec_trigger_t)
|
|
+
|
|
+sysnet_dns_name_resolve(dnssec_trigger_t)
|
|
+sysnet_manage_config(dnssec_trigger_t)
|
|
+
|
|
+optional_policy(`
|
|
+ bind_read_config(dnssec_trigger_t)
|
|
+ bind_read_dnssec_keys(dnssec_trigger_t)
|
|
+')
|
|
+
|
|
+
|
|
diff --git a/dnssectrigger.te b/dnssectrigger.te
|
|
index c7bb4e7..e6fe2f40 100644
|
|
--- a/dnssectrigger.te
|
|
+++ b/dnssectrigger.te
|
|
@@ -67,8 +67,6 @@ files_read_etc_runtime_files(dnssec_triggerd_t)
|
|
|
|
logging_send_syslog_msg(dnssec_triggerd_t)
|
|
|
|
-miscfiles_read_localization(dnssec_triggerd_t)
|
|
-
|
|
sysnet_dns_name_resolve(dnssec_triggerd_t)
|
|
sysnet_manage_config(dnssec_triggerd_t)
|
|
sysnet_etc_filetrans_config(dnssec_triggerd_t)
|
|
diff --git a/docker.fc b/docker.fc
|
|
new file mode 100644
|
|
index 0000000..484dd44
|
|
--- /dev/null
|
|
+++ b/docker.fc
|
|
@@ -0,0 +1,12 @@
|
|
+/usr/bin/docker -- gen_context(system_u:object_r:docker_exec_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/docker.service -- gen_context(system_u:object_r:docker_unit_file_t,s0)
|
|
+
|
|
+/var/lib/docker(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0)
|
|
+
|
|
+/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0)
|
|
+/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0)
|
|
+
|
|
+/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0)
|
|
+
|
|
+/usr/lib/lxc/rootfs gen_context(system_u:object_r:mnt_t,s0)
|
|
\ No newline at end of file
|
|
diff --git a/docker.if b/docker.if
|
|
new file mode 100644
|
|
index 0000000..097c75c
|
|
--- /dev/null
|
|
+++ b/docker.if
|
|
@@ -0,0 +1,202 @@
|
|
+
|
|
+## <summary>policy for docker</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute TEMPLATE in the docker domin.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`docker_domtrans',`
|
|
+ gen_require(`
|
|
+ type docker_t, docker_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, docker_exec_t, docker_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search docker lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`docker_search_lib',`
|
|
+ gen_require(`
|
|
+ type docker_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 docker_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read docker lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`docker_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type docker_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage docker lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`docker_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type docker_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage docker lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`docker_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type docker_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read docker PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`docker_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type docker_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ read_files_pattern($1, docker_var_run_t, docker_var_run_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute docker server in the docker domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`docker_systemctl',`
|
|
+ gen_require(`
|
|
+ type docker_t;
|
|
+ type docker_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ allow $1 docker_unit_file_t:file read_file_perms;
|
|
+ allow $1 docker_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, docker_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an docker environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`docker_admin',`
|
|
+ gen_require(`
|
|
+ type docker_t;
|
|
+ type docker_var_lib_t;
|
|
+ type docker_var_run_t;
|
|
+ type docker_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 docker_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, docker_t)
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ admin_pattern($1, docker_var_lib_t)
|
|
+
|
|
+ files_search_pids($1)
|
|
+ admin_pattern($1, docker_var_run_t)
|
|
+
|
|
+ docker_systemctl($1)
|
|
+ admin_pattern($1, docker_unit_file_t)
|
|
+ allow $1 docker_unit_file_t:service all_service_perms;
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read and write docker shared memory.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`docker_rw_sem',`
|
|
+ gen_require(`
|
|
+ type docker_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 docker_t:sem rw_sem_perms;
|
|
+')
|
|
diff --git a/docker.te b/docker.te
|
|
new file mode 100644
|
|
index 0000000..1229d66
|
|
--- /dev/null
|
|
+++ b/docker.te
|
|
@@ -0,0 +1,133 @@
|
|
+policy_module(docker, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type docker_t;
|
|
+type docker_exec_t;
|
|
+init_daemon_domain(docker_t, docker_exec_t)
|
|
+
|
|
+type docker_var_lib_t;
|
|
+files_type(docker_var_lib_t)
|
|
+
|
|
+type docker_log_t;
|
|
+logging_log_file(docker_log_t)
|
|
+
|
|
+type docker_tmp_t;
|
|
+files_tmp_file(docker_tmp_t)
|
|
+
|
|
+type docker_var_run_t;
|
|
+files_pid_file(docker_var_run_t)
|
|
+
|
|
+type docker_unit_file_t;
|
|
+systemd_unit_file(docker_unit_file_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# docker local policy
|
|
+#
|
|
+allow docker_t self:capability { chown fowner fsetid mknod net_admin };
|
|
+allow docker_t self:process signal_perms;
|
|
+allow docker_t self:fifo_file rw_fifo_file_perms;
|
|
+allow docker_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow docker_t self:capability2 block_suspend;
|
|
+
|
|
+manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)
|
|
+manage_files_pattern(docker_t, docker_log_t, docker_log_t)
|
|
+manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
|
|
+logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file })
|
|
+
|
|
+manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t)
|
|
+manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
|
|
+manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
|
|
+files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file })
|
|
+
|
|
+manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
|
|
+manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
|
|
+manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
|
|
+manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
|
|
+manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
|
|
+files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file })
|
|
+
|
|
+manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t)
|
|
+manage_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
|
|
+manage_sock_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
|
|
+manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
|
|
+files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file })
|
|
+
|
|
+kernel_read_system_state(docker_t)
|
|
+kernel_read_network_state(docker_t)
|
|
+kernel_read_all_sysctls(docker_t)
|
|
+
|
|
+domain_use_interactive_fds(docker_t)
|
|
+
|
|
+corecmd_exec_bin(docker_t)
|
|
+corecmd_exec_shell(docker_t)
|
|
+
|
|
+corenet_tcp_bind_generic_node(docker_t)
|
|
+
|
|
+files_read_etc_files(docker_t)
|
|
+
|
|
+fs_read_cgroup_files(docker_t)
|
|
+
|
|
+auth_use_nsswitch(docker_t)
|
|
+
|
|
+miscfiles_read_localization(docker_t)
|
|
+
|
|
+mount_domtrans(docker_t)
|
|
+
|
|
+sysnet_dns_name_resolve(docker_t)
|
|
+sysnet_exec_ifconfig(docker_t)
|
|
+
|
|
+optional_policy(`
|
|
+ fstools_domtrans(docker_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ iptables_domtrans(docker_t)
|
|
+')
|
|
+
|
|
+#
|
|
+# lxc rules
|
|
+#
|
|
+
|
|
+allow docker_t self:capability { sys_admin sys_boot dac_override setpcap sys_ptrace };
|
|
+allow docker_t self:process { setsched signal_perms };
|
|
+allow docker_t self:netlink_route_socket nlmsg_write;
|
|
+allow docker_t self:unix_dgram_socket create_socket_perms;
|
|
+
|
|
+allow docker_t docker_var_lib_t:dir mounton;
|
|
+
|
|
+kernel_setsched(docker_t)
|
|
+
|
|
+dev_getattr_all_blk_files(docker_t)
|
|
+dev_read_urand(docker_t)
|
|
+dev_read_lvm_control(docker_t)
|
|
+dev_read_sysfs(docker_t)
|
|
+
|
|
+files_manage_isid_type_dirs(docker_t)
|
|
+files_manage_isid_type_files(docker_t)
|
|
+files_manage_isid_type_symlinks(docker_t)
|
|
+files_manage_isid_type_chr_files(docker_t)
|
|
+files_exec_isid_files(docker_t)
|
|
+files_mounton_isid(docker_t)
|
|
+files_mounton_non_security(docker_t)
|
|
+
|
|
+fs_mount_all_fs(docker_t)
|
|
+fs_unmount_all_fs(docker_t)
|
|
+fs_remount_all_fs(docker_t)
|
|
+fs_manage_cgroup_dirs(docker_t)
|
|
+fs_manage_cgroup_files(docker_t)
|
|
+
|
|
+term_use_generic_ptys(docker_t)
|
|
+term_use_ptmx(docker_t)
|
|
+term_getattr_pty_fs(docker_t)
|
|
+
|
|
+modutils_domtrans_insmod(docker_t)
|
|
+
|
|
+optional_policy(`
|
|
+ virt_read_config(docker_t)
|
|
+ virt_exec(docker_t)
|
|
+')
|
|
diff --git a/dovecot.fc b/dovecot.fc
|
|
index c880070..4448055 100644
|
|
--- a/dovecot.fc
|
|
+++ b/dovecot.fc
|
|
@@ -1,36 +1,48 @@
|
|
-/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
|
|
-/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
|
|
|
|
-/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
|
|
-/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
|
|
-
|
|
-/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
|
|
+#
|
|
+# /etc
|
|
+#
|
|
+/etc/dovecot(/.*)? gen_context(system_u:object_r:dovecot_etc_t,s0)
|
|
+/etc/dovecot\.conf.* gen_context(system_u:object_r:dovecot_etc_t,s0)
|
|
+/etc/dovecot\.passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
|
|
|
|
+/etc/pki/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
|
|
/etc/rc\.d/init\.d/dovecot -- gen_context(system_u:object_r:dovecot_initrc_exec_t,s0)
|
|
|
|
-/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
|
|
+# Debian uses /etc/dovecot/
|
|
+ifdef(`distro_debian',`
|
|
+/etc/dovecot/passwd.* gen_context(system_u:object_r:dovecot_passwd_t,s0)
|
|
+')
|
|
|
|
-/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
|
|
-/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
|
|
+#
|
|
+# /usr
|
|
+#
|
|
+/usr/sbin/dovecot -- gen_context(system_u:object_r:dovecot_exec_t,s0)
|
|
|
|
-/etc/ssl/dovecot(/.*)? gen_context(system_u:object_r:dovecot_cert_t,s0)
|
|
+/usr/share/ssl/certs/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
|
|
+/usr/share/ssl/private/dovecot\.pem -- gen_context(system_u:object_r:dovecot_cert_t,s0)
|
|
|
|
-/usr/lib/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
|
|
-/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
|
|
+ifdef(`distro_debian', `
|
|
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
|
|
-/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
|
|
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
|
|
+')
|
|
|
|
-/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
|
|
+ifdef(`distro_redhat', `
|
|
+/usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
|
|
/usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
|
|
-/usr/libexec/dovecot/deliver-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
|
|
-/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
|
|
+/usr/libexec/dovecot/dovecot-lda -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
|
|
+/usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
|
|
+')
|
|
|
|
-/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
|
|
-/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
|
|
+#
|
|
+# /var
|
|
+#
|
|
+/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
|
|
+/var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0)
|
|
|
|
-/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
|
|
+/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
|
|
|
|
-/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
|
|
-/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
|
|
+/var/log/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_log_t,s0)
|
|
+/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
|
|
|
|
-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
|
|
+/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
|
|
diff --git a/dovecot.if b/dovecot.if
|
|
index d5badb7..b093baa 100644
|
|
--- a/dovecot.if
|
|
+++ b/dovecot.if
|
|
@@ -1,29 +1,49 @@
|
|
-## <summary>POP and IMAP mail server.</summary>
|
|
+## <summary>Dovecot POP and IMAP mail server</summary>
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Creates types and rules for a basic
|
|
+## dovecot daemon domain.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## Prefix for the domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`dovecot_basic_types_template',`
|
|
+ gen_require(`
|
|
+ attribute dovecot_domain;
|
|
+ ')
|
|
+
|
|
+ type $1_t, dovecot_domain;
|
|
+ type $1_exec_t;
|
|
+
|
|
+ kernel_read_system_state($1_t)
|
|
+')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Connect to dovecot using a unix
|
|
-## domain stream socket.
|
|
+## Connect to dovecot unix domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`dovecot_stream_connect',`
|
|
- gen_require(`
|
|
- type dovecot_t, dovecot_var_run_t;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type dovecot_t, dovecot_var_run_t;
|
|
+ ')
|
|
|
|
- files_search_pids($1)
|
|
- stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, dovecot_var_run_t, dovecot_var_run_t, dovecot_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to dovecot using a unix
|
|
-## domain stream socket.
|
|
+## Connect to dovecot auth unix domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -43,8 +63,7 @@ interface(`dovecot_stream_connect_auth',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute dovecot_deliver in the
|
|
-## dovecot_deliver domain.
|
|
+## Execute dovecot_deliver in the dovecot_deliver domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -57,14 +76,12 @@ interface(`dovecot_domtrans_deliver',`
|
|
type dovecot_deliver_t, dovecot_deliver_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## dovecot spool files.
|
|
+## Create, read, write, and delete the dovecot spool files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -78,15 +95,13 @@ interface(`dovecot_manage_spool',`
|
|
')
|
|
|
|
files_search_spool($1)
|
|
- allow $1 dovecot_spool_t:dir manage_dir_perms;
|
|
- allow $1 dovecot_spool_t:file manage_file_perms;
|
|
- allow $1 dovecot_spool_t:lnk_file manage_lnk_file_perms;
|
|
+ manage_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
|
|
+ manage_lnk_files_pattern($1, dovecot_spool_t, dovecot_spool_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to delete
|
|
-## dovecot lib files.
|
|
+## Do not audit attempts to delete dovecot lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -99,12 +114,13 @@ interface(`dovecot_dontaudit_unlink_lib_files',`
|
|
type dovecot_var_lib_t;
|
|
')
|
|
|
|
- dontaudit $1 dovecot_var_lib_t:file delete_file_perms;
|
|
+ dontaudit $1 dovecot_var_lib_t:file unlink;
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
-## Write inherited dovecot tmp files.
|
|
+## Allow attempts to write inherited
|
|
+## dovecot tmp files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -122,8 +138,8 @@ interface(`dovecot_write_inherited_tmp_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an dovecot environment.
|
|
+## All of the rules required to administrate
|
|
+## an dovecot environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -132,7 +148,7 @@ interface(`dovecot_write_inherited_tmp_files',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the dovecot domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
@@ -146,9 +162,13 @@ interface(`dovecot_admin',`
|
|
type dovecot_keytab_t;
|
|
')
|
|
|
|
- allow $1 dovecot_t:process { ptrace signal_perms };
|
|
+ allow $1 dovecot_t:process signal_perms;
|
|
ps_process_pattern($1, dovecot_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 dovecot_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, dovecot_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 dovecot_initrc_exec_t system_r;
|
|
@@ -157,20 +177,25 @@ interface(`dovecot_admin',`
|
|
files_list_etc($1)
|
|
admin_pattern($1, { dovecot_keytab_t dovecot_etc_t })
|
|
|
|
- logging_list_logs($1)
|
|
- admin_pattern($1, dovecot_var_log_t)
|
|
+ files_list_tmp($1)
|
|
+ admin_pattern($1, dovecot_auth_tmp_t)
|
|
+ admin_pattern($1, dovecot_tmp_t)
|
|
+
|
|
+ admin_pattern($1, dovecot_keytab_t)
|
|
|
|
files_list_spool($1)
|
|
admin_pattern($1, dovecot_spool_t)
|
|
|
|
- files_search_tmp($1)
|
|
- admin_pattern($1, { dovecot_tmp_t dovecot_auth_tmp_t dovecot_deliver_tmp_t })
|
|
-
|
|
files_list_var_lib($1)
|
|
admin_pattern($1, dovecot_var_lib_t)
|
|
|
|
+ logging_search_logs($1)
|
|
+ admin_pattern($1, dovecot_var_log_t)
|
|
+
|
|
files_list_pids($1)
|
|
admin_pattern($1, dovecot_var_run_t)
|
|
|
|
- admin_pattern($1, { dovecot_cert_t dovecot_passwd_t })
|
|
+ admin_pattern($1, dovecot_cert_t)
|
|
+
|
|
+ admin_pattern($1, dovecot_passwd_t)
|
|
')
|
|
diff --git a/dovecot.te b/dovecot.te
|
|
index 0aabc7e..2290915 100644
|
|
--- a/dovecot.te
|
|
+++ b/dovecot.te
|
|
@@ -7,12 +7,10 @@ policy_module(dovecot, 1.16.1)
|
|
|
|
attribute dovecot_domain;
|
|
|
|
-type dovecot_t, dovecot_domain;
|
|
-type dovecot_exec_t;
|
|
+dovecot_basic_types_template(dovecot)
|
|
init_daemon_domain(dovecot_t, dovecot_exec_t)
|
|
|
|
-type dovecot_auth_t, dovecot_domain;
|
|
-type dovecot_auth_exec_t;
|
|
+dovecot_basic_types_template(dovecot_auth)
|
|
domain_type(dovecot_auth_t)
|
|
domain_entry_file(dovecot_auth_t, dovecot_auth_exec_t)
|
|
role system_r types dovecot_auth_t;
|
|
@@ -23,8 +21,7 @@ files_tmp_file(dovecot_auth_tmp_t)
|
|
type dovecot_cert_t;
|
|
miscfiles_cert_type(dovecot_cert_t)
|
|
|
|
-type dovecot_deliver_t, dovecot_domain;
|
|
-type dovecot_deliver_exec_t;
|
|
+dovecot_basic_types_template(dovecot_deliver)
|
|
domain_type(dovecot_deliver_t)
|
|
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
|
|
role system_r types dovecot_deliver_t;
|
|
@@ -45,11 +42,12 @@ type dovecot_passwd_t;
|
|
files_type(dovecot_passwd_t)
|
|
|
|
type dovecot_spool_t;
|
|
-files_type(dovecot_spool_t)
|
|
+files_spool_file(dovecot_spool_t)
|
|
|
|
type dovecot_tmp_t;
|
|
files_tmp_file(dovecot_tmp_t)
|
|
|
|
+# /var/lib/dovecot holds SSL parameters file
|
|
type dovecot_var_lib_t;
|
|
files_type(dovecot_var_lib_t)
|
|
|
|
@@ -59,20 +57,18 @@ logging_log_file(dovecot_var_log_t)
|
|
type dovecot_var_run_t;
|
|
files_pid_file(dovecot_var_run_t)
|
|
|
|
-########################################
|
|
+#######################################
|
|
#
|
|
-# Common local policy
|
|
+# dovecot domain local policy
|
|
#
|
|
|
|
allow dovecot_domain self:capability2 block_suspend;
|
|
-allow dovecot_domain self:fifo_file rw_fifo_file_perms;
|
|
|
|
-allow dovecot_domain dovecot_etc_t:dir list_dir_perms;
|
|
-allow dovecot_domain dovecot_etc_t:file read_file_perms;
|
|
-allow dovecot_domain dovecot_etc_t:lnk_file read_lnk_file_perms;
|
|
+allow dovecot_domain self:unix_dgram_socket create_socket_perms;
|
|
+allow dovecot_domain self:fifo_file rw_fifo_file_perms;
|
|
|
|
kernel_read_all_sysctls(dovecot_domain)
|
|
-kernel_read_system_state(dovecot_domain)
|
|
+kernel_read_network_state(dovecot_domain)
|
|
|
|
corecmd_exec_bin(dovecot_domain)
|
|
corecmd_exec_shell(dovecot_domain)
|
|
@@ -81,26 +77,34 @@ dev_read_sysfs(dovecot_domain)
|
|
dev_read_rand(dovecot_domain)
|
|
dev_read_urand(dovecot_domain)
|
|
|
|
+# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
|
|
files_read_etc_runtime_files(dovecot_domain)
|
|
|
|
-logging_send_syslog_msg(dovecot_domain)
|
|
-
|
|
-miscfiles_read_localization(dovecot_domain)
|
|
-
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# dovecot local policy
|
|
#
|
|
|
|
-allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill setgid setuid sys_chroot };
|
|
+allow dovecot_t self:capability { dac_override dac_read_search chown fsetid kill net_bind_service setgid setuid sys_chroot };
|
|
dontaudit dovecot_t self:capability sys_tty_config;
|
|
allow dovecot_t self:process { setrlimit signal_perms getcap setcap setsched };
|
|
-allow dovecot_t self:tcp_socket { accept listen };
|
|
-allow dovecot_t self:unix_stream_socket { accept connectto listen };
|
|
+allow dovecot_t self:tcp_socket create_stream_socket_perms;
|
|
+allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
+
|
|
+domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
|
|
+
|
|
+allow dovecot_t dovecot_auth_t:process signal;
|
|
|
|
allow dovecot_t dovecot_cert_t:dir list_dir_perms;
|
|
-allow dovecot_t dovecot_cert_t:file read_file_perms;
|
|
-allow dovecot_t dovecot_cert_t:lnk_file read_lnk_file_perms;
|
|
+read_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
|
|
+read_lnk_files_pattern(dovecot_t, dovecot_cert_t, dovecot_cert_t)
|
|
+
|
|
+allow dovecot_t dovecot_etc_t:dir list_dir_perms;
|
|
+read_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
|
|
+read_lnk_files_pattern(dovecot_t, dovecot_etc_t, dovecot_etc_t)
|
|
+files_search_etc(dovecot_t)
|
|
+
|
|
+can_exec(dovecot_t, dovecot_exec_t)
|
|
|
|
allow dovecot_t dovecot_keytab_t:file read_file_perms;
|
|
|
|
@@ -108,12 +112,13 @@ manage_dirs_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
|
|
manage_files_pattern(dovecot_t, dovecot_tmp_t, dovecot_tmp_t)
|
|
files_tmp_filetrans(dovecot_t, dovecot_tmp_t, { file dir })
|
|
|
|
+# Allow dovecot to create and read SSL parameters file
|
|
manage_files_pattern(dovecot_t, dovecot_var_lib_t, dovecot_var_lib_t)
|
|
+files_search_var_lib(dovecot_t)
|
|
+files_read_var_symlinks(dovecot_t)
|
|
|
|
manage_dirs_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
|
|
-append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
|
|
-create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
|
|
-setattr_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
|
|
+manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
|
|
logging_log_filetrans(dovecot_t, dovecot_var_log_t, { file dir })
|
|
|
|
manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t)
|
|
@@ -125,45 +130,35 @@ manage_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
|
|
manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
|
|
manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
|
|
manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t)
|
|
-files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })
|
|
-
|
|
-can_exec(dovecot_t, dovecot_exec_t)
|
|
-
|
|
-allow dovecot_t dovecot_auth_t:process signal;
|
|
-
|
|
-domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
|
|
+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file sock_file })
|
|
|
|
-corenet_all_recvfrom_unlabeled(dovecot_t)
|
|
corenet_all_recvfrom_netlabel(dovecot_t)
|
|
corenet_tcp_sendrecv_generic_if(dovecot_t)
|
|
corenet_tcp_sendrecv_generic_node(dovecot_t)
|
|
corenet_tcp_sendrecv_all_ports(dovecot_t)
|
|
corenet_tcp_bind_generic_node(dovecot_t)
|
|
-
|
|
-corenet_sendrecv_mail_server_packets(dovecot_t)
|
|
corenet_tcp_bind_mail_port(dovecot_t)
|
|
-corenet_sendrecv_pop_server_packets(dovecot_t)
|
|
corenet_tcp_bind_pop_port(dovecot_t)
|
|
-corenet_sendrecv_sieve_server_packets(dovecot_t)
|
|
+corenet_tcp_bind_lmtp_port(dovecot_t)
|
|
corenet_tcp_bind_sieve_port(dovecot_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(dovecot_t)
|
|
corenet_tcp_connect_all_ports(dovecot_t)
|
|
corenet_tcp_connect_postgresql_port(dovecot_t)
|
|
+corenet_sendrecv_pop_server_packets(dovecot_t)
|
|
+corenet_sendrecv_all_client_packets(dovecot_t)
|
|
+
|
|
+fs_getattr_all_fs(dovecot_t)
|
|
+fs_getattr_all_dirs(dovecot_t)
|
|
+fs_search_auto_mountpoints(dovecot_t)
|
|
+fs_list_inotifyfs(dovecot_t)
|
|
|
|
domain_use_interactive_fds(dovecot_t)
|
|
|
|
-files_read_var_lib_files(dovecot_t)
|
|
-files_read_var_symlinks(dovecot_t)
|
|
files_search_spool(dovecot_t)
|
|
+files_search_tmp(dovecot_t)
|
|
files_dontaudit_list_default(dovecot_t)
|
|
files_dontaudit_search_all_dirs(dovecot_t)
|
|
files_search_all_mountpoints(dovecot_t)
|
|
-
|
|
-fs_getattr_all_fs(dovecot_t)
|
|
-fs_getattr_all_dirs(dovecot_t)
|
|
-fs_search_auto_mountpoints(dovecot_t)
|
|
-fs_list_inotifyfs(dovecot_t)
|
|
+files_read_var_lib_files(dovecot_t)
|
|
|
|
init_getattr_utmp(dovecot_t)
|
|
|
|
@@ -171,45 +166,44 @@ auth_use_nsswitch(dovecot_t)
|
|
|
|
miscfiles_read_generic_certs(dovecot_t)
|
|
|
|
-userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
|
|
-userdom_use_user_terminals(dovecot_t)
|
|
+logging_send_syslog_msg(dovecot_t)
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(dovecot_t)
|
|
- fs_manage_nfs_files(dovecot_t)
|
|
- fs_manage_nfs_symlinks(dovecot_t)
|
|
-')
|
|
+userdom_home_manager(dovecot_t)
|
|
+userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
|
|
+userdom_manage_user_home_content_dirs(dovecot_t)
|
|
+userdom_manage_user_home_content_files(dovecot_t)
|
|
+userdom_manage_user_home_content_symlinks(dovecot_t)
|
|
+userdom_manage_user_home_content_pipes(dovecot_t)
|
|
+userdom_manage_user_home_content_sockets(dovecot_t)
|
|
+userdom_filetrans_home_content(dovecot_t)
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(dovecot_t)
|
|
- fs_manage_cifs_files(dovecot_t)
|
|
- fs_manage_cifs_symlinks(dovecot_t)
|
|
+optional_policy(`
|
|
+ mta_manage_home_rw(dovecot_t)
|
|
+ mta_manage_spool(dovecot_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_manage_host_rcache(dovecot_t)
|
|
kerberos_read_keytab(dovecot_t)
|
|
- kerberos_tmp_filetrans_host_rcache(dovecot_t, file, "imap_0")
|
|
+ kerberos_tmp_filetrans_host_rcache(dovecot_t, "imap_0")
|
|
kerberos_use(dovecot_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- mta_manage_spool(dovecot_t)
|
|
- mta_manage_mail_home_rw_content(dovecot_t)
|
|
- mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
|
|
- mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
|
|
+ gnome_manage_data(dovecot_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- postgresql_stream_connect(dovecot_t)
|
|
+ postfix_manage_private_sockets(dovecot_t)
|
|
+ postfix_search_spool(dovecot_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- postfix_manage_private_sockets(dovecot_t)
|
|
- postfix_search_spool(dovecot_t)
|
|
+ postgresql_stream_connect(dovecot_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ # Handle sieve scripts
|
|
sendmail_domtrans(dovecot_t)
|
|
')
|
|
|
|
@@ -227,46 +221,65 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Auth local policy
|
|
+# dovecot auth local policy
|
|
#
|
|
|
|
allow dovecot_auth_t self:capability { chown dac_override ipc_lock setgid setuid sys_nice };
|
|
allow dovecot_auth_t self:process { getsched setsched signal_perms getcap setcap };
|
|
-allow dovecot_auth_t self:unix_stream_socket { accept connectto listen };
|
|
+allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
|
|
|
|
read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t)
|
|
|
|
+read_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
|
|
+read_lnk_files_pattern(dovecot_auth_t, dovecot_etc_t, dovecot_etc_t)
|
|
+
|
|
+manage_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
|
|
+
|
|
manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
|
|
manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t)
|
|
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
|
|
|
|
allow dovecot_auth_t dovecot_var_run_t:dir list_dir_perms;
|
|
manage_sock_files_pattern(dovecot_auth_t, dovecot_var_run_t, dovecot_var_run_t)
|
|
+dovecot_stream_connect_auth(dovecot_auth_t)
|
|
|
|
-allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
|
|
+corecmd_exec_bin(dovecot_auth_t)
|
|
|
|
-files_search_pids(dovecot_auth_t)
|
|
-files_read_usr_files(dovecot_auth_t)
|
|
-files_read_var_lib_files(dovecot_auth_t)
|
|
+logging_send_audit_msgs(dovecot_auth_t)
|
|
|
|
auth_domtrans_chk_passwd(dovecot_auth_t)
|
|
auth_use_nsswitch(dovecot_auth_t)
|
|
|
|
-init_rw_utmp(dovecot_auth_t)
|
|
+logging_send_syslog_msg(dovecot_auth_t)
|
|
|
|
-logging_send_audit_msgs(dovecot_auth_t)
|
|
+files_search_pids(dovecot_auth_t)
|
|
+files_read_usr_symlinks(dovecot_auth_t)
|
|
+files_read_var_lib_files(dovecot_auth_t)
|
|
+files_search_tmp(dovecot_auth_t)
|
|
|
|
-seutil_dontaudit_search_config(dovecot_auth_t)
|
|
+fs_getattr_xattr_fs(dovecot_auth_t)
|
|
+
|
|
+init_rw_utmp(dovecot_auth_t)
|
|
|
|
sysnet_use_ldap(dovecot_auth_t)
|
|
|
|
+systemd_login_read_pid_files(dovecot_auth_t)
|
|
+
|
|
+userdom_getattr_user_home_dirs(dovecot_auth_t)
|
|
+
|
|
optional_policy(`
|
|
+ kerberos_use(dovecot_auth_t)
|
|
+
|
|
+ # for gssapi (kerberos)
|
|
userdom_list_user_tmp(dovecot_auth_t)
|
|
userdom_read_user_tmp_files(dovecot_auth_t)
|
|
userdom_read_user_tmp_symlinks(dovecot_auth_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ mysql_search_db(dovecot_auth_t)
|
|
mysql_stream_connect(dovecot_auth_t)
|
|
mysql_read_config(dovecot_auth_t)
|
|
mysql_tcp_connect(dovecot_auth_t)
|
|
@@ -277,15 +290,30 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ dbus_system_bus_client(dovecot_auth_t)
|
|
+ optional_policy(`
|
|
+ oddjob_dbus_chat(dovecot_auth_t)
|
|
+ oddjob_domtrans_mkhomedir(dovecot_auth_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
postfix_manage_private_sockets(dovecot_auth_t)
|
|
+ postfix_rw_inherited_master_pipes(dovecot_deliver_t)
|
|
postfix_search_spool(dovecot_auth_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Deliver local policy
|
|
+# dovecot deliver local policy
|
|
#
|
|
|
|
+allow dovecot_deliver_t dovecot_t:process signull;
|
|
+
|
|
+allow dovecot_deliver_t dovecot_etc_t:dir list_dir_perms;
|
|
+read_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
|
|
+read_lnk_files_pattern(dovecot_deliver_t, dovecot_etc_t, dovecot_etc_t)
|
|
+
|
|
allow dovecot_deliver_t dovecot_cert_t:dir search_dir_perms;
|
|
|
|
append_files_pattern(dovecot_deliver_t, dovecot_var_log_t, dovecot_var_log_t)
|
|
@@ -295,35 +323,43 @@ manage_files_pattern(dovecot_deliver_t, dovecot_deliver_tmp_t, dovecot_deliver_t
|
|
files_tmp_filetrans(dovecot_deliver_t, dovecot_deliver_tmp_t, { file dir })
|
|
|
|
allow dovecot_deliver_t dovecot_var_run_t:dir list_dir_perms;
|
|
-allow dovecot_deliver_t dovecot_var_run_t:file read_file_perms;
|
|
-allow dovecot_deliver_t dovecot_var_run_t:sock_file read_sock_file_perms;
|
|
-
|
|
-stream_connect_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t, { dovecot_t dovecot_auth_t })
|
|
+read_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
|
|
+read_sock_files_pattern(dovecot_deliver_t, dovecot_var_run_t, dovecot_var_run_t)
|
|
+dovecot_stream_connect(dovecot_deliver_t)
|
|
|
|
can_exec(dovecot_deliver_t, dovecot_deliver_exec_t)
|
|
|
|
-allow dovecot_deliver_t dovecot_t:process signull;
|
|
+auth_use_nsswitch(dovecot_deliver_t)
|
|
|
|
-fs_getattr_all_fs(dovecot_deliver_t)
|
|
+logging_append_all_logs(dovecot_deliver_t)
|
|
+logging_send_syslog_msg(dovecot_deliver_t)
|
|
|
|
-auth_use_nsswitch(dovecot_deliver_t)
|
|
+dovecot_stream_connect_auth(dovecot_deliver_t)
|
|
|
|
-logging_search_logs(dovecot_deliver_t)
|
|
+files_search_tmp(dovecot_deliver_t)
|
|
+files_dontaudit_getattr_all_dirs(dovecot_deliver_t)
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(dovecot_deliver_t)
|
|
- fs_manage_nfs_files(dovecot_deliver_t)
|
|
- fs_manage_nfs_symlinks(dovecot_deliver_t)
|
|
-')
|
|
+fs_getattr_all_fs(dovecot_deliver_t)
|
|
+fs_dontaudit_getattr_all_fs(dovecot_deliver_t)
|
|
+fs_dontaudit_getattr_all_dirs(dovecot_deliver_t)
|
|
+fs_dontaudit_search_cgroup_dirs(dovecot_deliver_t)
|
|
+
|
|
+userdom_manage_user_home_content_dirs(dovecot_deliver_t)
|
|
+userdom_manage_user_home_content_files(dovecot_deliver_t)
|
|
+userdom_manage_user_home_content_symlinks(dovecot_deliver_t)
|
|
+userdom_manage_user_home_content_pipes(dovecot_deliver_t)
|
|
+userdom_manage_user_home_content_sockets(dovecot_deliver_t)
|
|
+userdom_filetrans_home_content(dovecot_deliver_t)
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(dovecot_deliver_t)
|
|
- fs_manage_cifs_files(dovecot_deliver_t)
|
|
- fs_manage_cifs_symlinks(dovecot_deliver_t)
|
|
+userdom_home_manager(dovecot_deliver_t)
|
|
+
|
|
+optional_policy(`
|
|
+ gnome_manage_data(dovecot_deliver_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mta_mailserver_delivery(dovecot_deliver_t)
|
|
+ mta_manage_spool(dovecot_deliver_t)
|
|
mta_read_queue(dovecot_deliver_t)
|
|
')
|
|
|
|
@@ -332,5 +368,6 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ # Handle sieve scripts
|
|
sendmail_domtrans(dovecot_deliver_t)
|
|
')
|
|
diff --git a/drbd.if b/drbd.if
|
|
index 9a21639..26c5986 100644
|
|
--- a/drbd.if
|
|
+++ b/drbd.if
|
|
@@ -2,12 +2,11 @@
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a domain transition to
|
|
-## run drbd.
|
|
+## Execute a domain transition to run drbd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
@@ -16,14 +15,91 @@ interface(`drbd_domtrans',`
|
|
type drbd_t, drbd_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, drbd_exec_t, drbd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an drbd environment.
|
|
+## Search drbd lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`drbd_search_lib',`
|
|
+ gen_require(`
|
|
+ type drbd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 drbd_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read drbd lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`drbd_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type drbd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## drbd lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`drbd_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type drbd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage drbd lib dirs files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`drbd_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type drbd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, drbd_var_lib_t, drbd_var_lib_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an drbd environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -35,7 +111,6 @@ interface(`drbd_domtrans',`
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
interface(`drbd_admin',`
|
|
gen_require(`
|
|
@@ -43,9 +118,13 @@ interface(`drbd_admin',`
|
|
type drbd_var_lib_t;
|
|
')
|
|
|
|
- allow $1 drbd_t:process { ptrace signal_perms };
|
|
+ allow $1 drbd_t:process signal_perms;
|
|
ps_process_pattern($1, drbd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 drbd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, drbd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 drbd_initrc_exec_t system_r;
|
|
@@ -57,3 +136,4 @@ interface(`drbd_admin',`
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, drbd_var_lib_t)
|
|
')
|
|
+
|
|
diff --git a/drbd.te b/drbd.te
|
|
index f2516cc..8975946 100644
|
|
--- a/drbd.te
|
|
+++ b/drbd.te
|
|
@@ -28,7 +28,7 @@ dontaudit drbd_t self:capability sys_tty_config;
|
|
allow drbd_t self:fifo_file rw_fifo_file_perms;
|
|
allow drbd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow drbd_t self:netlink_socket create_socket_perms;
|
|
-allow drbd_t self:netlink_route_socket nlmsg_write;
|
|
+allow drbd_t self:netlink_route_socket rw_netlink_socket_perms;
|
|
|
|
manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
|
|
manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t)
|
|
@@ -46,10 +46,6 @@ dev_read_rand(drbd_t)
|
|
dev_read_sysfs(drbd_t)
|
|
dev_read_urand(drbd_t)
|
|
|
|
-files_read_etc_files(drbd_t)
|
|
-
|
|
storage_raw_read_fixed_disk(drbd_t)
|
|
|
|
-miscfiles_read_localization(drbd_t)
|
|
-
|
|
sysnet_dns_name_resolve(drbd_t)
|
|
diff --git a/dspam.fc b/dspam.fc
|
|
index 5eddac5..3ea0423 100644
|
|
--- a/dspam.fc
|
|
+++ b/dspam.fc
|
|
@@ -5,8 +5,13 @@
|
|
/usr/share/dspam-web/dspam\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
|
|
|
|
/var/lib/dspam(/.*)? gen_context(system_u:object_r:dspam_var_lib_t,s0)
|
|
-/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
|
|
|
|
/var/log/dspam(/.*)? gen_context(system_u:object_r:dspam_log_t,s0)
|
|
|
|
/var/run/dspam(/.*)? gen_context(system_u:object_r:dspam_var_run_t,s0)
|
|
+
|
|
+# web
|
|
+/var/www/dspam/.*\.cgi -- gen_context(system_u:object_r:httpd_dspam_script_exec_t,s0)
|
|
+/var/www/dspam(/.*?) gen_context(system_u:object_r:httpd_dspam_content_t,s0)
|
|
+
|
|
+/var/lib/dspam/data(/.*)? gen_context(system_u:object_r:httpd_dspam_rw_content_t,s0)
|
|
diff --git a/dspam.if b/dspam.if
|
|
index 18f2452..a446210 100644
|
|
--- a/dspam.if
|
|
+++ b/dspam.if
|
|
@@ -1,13 +1,15 @@
|
|
-## <summary>Content-based spam filter designed for multi-user enterprise systems.</summary>
|
|
+
|
|
+## <summary>policy for dspam</summary>
|
|
+
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a domain transition to run dspam.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed access.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`dspam_domtrans',`
|
|
@@ -15,35 +17,211 @@ interface(`dspam_domtrans',`
|
|
type dspam_t, dspam_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, dspam_exec_t, dspam_t)
|
|
')
|
|
|
|
-#######################################
|
|
+
|
|
+########################################
|
|
## <summary>
|
|
-## Connect to dspam using a unix
|
|
-## domain stream socket.
|
|
+## Execute dspam server in the dspam domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## The type of the process performing this action.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dspam_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type dspam_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, dspam_initrc_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow the specified domain to read dspam's log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
-interface(`dspam_stream_connect',`
|
|
+interface(`dspam_read_log',`
|
|
+ gen_require(`
|
|
+ type dspam_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, dspam_log_t, dspam_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow the specified domain to append
|
|
+## dspam log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dspam_append_log',`
|
|
+ gen_require(`
|
|
+ type dspam_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, dspam_log_t, dspam_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow domain to manage dspam log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dspam_manage_log',`
|
|
+ gen_require(`
|
|
+ type dspam_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ manage_dirs_pattern($1, dspam_log_t, dspam_log_t)
|
|
+ manage_files_pattern($1, dspam_log_t, dspam_log_t)
|
|
+ manage_lnk_files_pattern($1, dspam_log_t, dspam_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search dspam lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dspam_search_lib',`
|
|
+ gen_require(`
|
|
+ type dspam_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 dspam_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read dspam lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dspam_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type dspam_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## dspam lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dspam_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type dspam_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage dspam lib dirs files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dspam_manage_lib_dirs',`
|
|
gen_require(`
|
|
- type dspam_t, dspam_var_run_t, dspam_tmp_t;
|
|
+ type dspam_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, dspam_var_lib_t, dspam_var_lib_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read dspam PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dspam_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type dspam_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
+ allow $1 dspam_var_run_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Connect to DSPAM using a unix domain stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`dspam_stream_connect',`
|
|
+ gen_require(`
|
|
+ type dspam_t, dspam_var_run_t, dspam_tmp_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
files_search_tmp($1)
|
|
- stream_connect_pattern($1, { dspam_tmp_t dspam_var_run_t }, { dspam_tmp_t dspam_var_run_t }, dspam_t)
|
|
+ stream_connect_pattern($1, dspam_var_run_t, dspam_var_run_t, dspam_t)
|
|
+ stream_connect_pattern($1, dspam_tmp_t, dspam_tmp_t, dspam_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an dspam environment.
|
|
+## All of the rules required to administrate
|
|
+## an dspam environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -59,14 +237,20 @@ interface(`dspam_stream_connect',`
|
|
#
|
|
interface(`dspam_admin',`
|
|
gen_require(`
|
|
- type dspam_t, dspam_initrc_exec_t, dspam_log_t;
|
|
- type dspam_var_lib_t, dspam_var_run_t;
|
|
+ type dspam_t;
|
|
+ type dspam_initrc_exec_t;
|
|
+ type dspam_log_t;
|
|
+ type dspam_var_lib_t;
|
|
+ type dspam_var_run_t;
|
|
')
|
|
|
|
- allow $1 dspam_t:process { ptrace signal_perms };
|
|
+ allow $1 dspam_t:process signal_perms;
|
|
ps_process_pattern($1, dspam_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 dspam_t:process ptrace;
|
|
+ ')
|
|
|
|
- init_labeled_script_domtrans($1, dspam_initrc_exec_t)
|
|
+ dspam_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 dspam_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
@@ -79,4 +263,5 @@ interface(`dspam_admin',`
|
|
|
|
files_search_pids($1)
|
|
admin_pattern($1, dspam_var_run_t)
|
|
+
|
|
')
|
|
diff --git a/dspam.te b/dspam.te
|
|
index ef62363..37c844b 100644
|
|
--- a/dspam.te
|
|
+++ b/dspam.te
|
|
@@ -28,6 +28,9 @@ files_pid_file(dspam_var_run_t)
|
|
|
|
allow dspam_t self:capability net_admin;
|
|
allow dspam_t self:process signal;
|
|
+
|
|
+allow dspam_t self:tcp_socket { listen accept };
|
|
+
|
|
allow dspam_t self:fifo_file rw_fifo_file_perms;
|
|
allow dspam_t self:unix_stream_socket { accept listen };
|
|
|
|
@@ -57,6 +60,12 @@ corenet_sendrecv_spamd_server_packets(dspam_t)
|
|
corenet_tcp_bind_spamd_port(dspam_t)
|
|
corenet_tcp_connect_spamd_port(dspam_t)
|
|
corenet_tcp_sendrecv_spamd_port(dspam_t)
|
|
+corenet_tcp_bind_lmtp_port(dspam_t)
|
|
+corenet_tcp_connect_lmtp_port(dspam_t)
|
|
+
|
|
+kernel_read_system_state(dspam_t)
|
|
+
|
|
+corecmd_exec_shell(dspam_t)
|
|
|
|
files_search_spool(dspam_t)
|
|
|
|
@@ -64,14 +73,32 @@ auth_use_nsswitch(dspam_t)
|
|
|
|
logging_send_syslog_msg(dspam_t)
|
|
|
|
-miscfiles_read_localization(dspam_t)
|
|
-
|
|
optional_policy(`
|
|
apache_content_template(dspam)
|
|
|
|
+ read_files_pattern(httpd_dspam_script_t, dspam_var_lib_t, dspam_var_lib_t)
|
|
+
|
|
+ files_search_var_lib(httpd_dspam_script_t)
|
|
list_dirs_pattern(dspam_t, httpd_dspam_content_t, httpd_dspam_content_t)
|
|
- manage_dirs_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
|
|
- manage_files_pattern(dspam_t, httpd_dspam_rw_content_t, httpd_dspam_rw_content_t)
|
|
+ manage_dirs_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
|
|
+ manage_files_pattern(dspam_t, httpd_dspam_content_rw_t, httpd_dspam_content_rw_t)
|
|
+
|
|
+ domain_dontaudit_read_all_domains_state(httpd_dspam_script_t)
|
|
+
|
|
+ term_dontaudit_search_ptys(httpd_dspam_script_t)
|
|
+ term_dontaudit_getattr_all_ttys(httpd_dspam_script_t)
|
|
+ term_dontaudit_getattr_all_ptys(httpd_dspam_script_t)
|
|
+
|
|
+ init_read_utmp(httpd_dspam_script_t)
|
|
+
|
|
+ logging_send_syslog_msg(httpd_dspam_script_t)
|
|
+
|
|
+ mta_send_mail(httpd_dspam_script_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ mysql_tcp_connect(httpd_dspam_script_t)
|
|
+ mysql_stream_connect(httpd_dspam_script_t)
|
|
+ ')
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -87,3 +114,12 @@ optional_policy(`
|
|
|
|
postgresql_tcp_connect(dspam_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ postfix_rw_inherited_master_pipes(dspam_t)
|
|
+ postfix_list_spool(dspam_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ procmail_domtrans(dspam_t)
|
|
+')
|
|
diff --git a/entropyd.te b/entropyd.te
|
|
index b8b8328..4608c0c 100644
|
|
--- a/entropyd.te
|
|
+++ b/entropyd.te
|
|
@@ -45,9 +45,6 @@ dev_write_urand(entropyd_t)
|
|
dev_read_rand(entropyd_t)
|
|
dev_write_rand(entropyd_t)
|
|
|
|
-files_read_etc_files(entropyd_t)
|
|
-files_read_usr_files(entropyd_t)
|
|
-
|
|
fs_getattr_all_fs(entropyd_t)
|
|
fs_search_auto_mountpoints(entropyd_t)
|
|
|
|
@@ -55,7 +52,7 @@ domain_use_interactive_fds(entropyd_t)
|
|
|
|
logging_send_syslog_msg(entropyd_t)
|
|
|
|
-miscfiles_read_localization(entropyd_t)
|
|
+auth_use_nsswitch(entropyd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(entropyd_t)
|
|
userdom_dontaudit_search_user_home_dirs(entropyd_t)
|
|
diff --git a/evolution.fc b/evolution.fc
|
|
index 597f305..8520653 100644
|
|
--- a/evolution.fc
|
|
+++ b/evolution.fc
|
|
@@ -1,5 +1,6 @@
|
|
HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
|
|
HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
|
|
+HOME_DIR/\.cache/evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
|
|
|
|
/tmp/\.exchange-USER(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
|
|
|
|
diff --git a/evolution.te b/evolution.te
|
|
index c99e07c..ab9dd9f 100644
|
|
--- a/evolution.te
|
|
+++ b/evolution.te
|
|
@@ -168,7 +168,6 @@ dev_read_urand(evolution_t)
|
|
|
|
domain_dontaudit_read_all_domains_state(evolution_t)
|
|
|
|
-files_read_usr_files(evolution_t)
|
|
|
|
fs_search_auto_mountpoints(evolution_t)
|
|
|
|
@@ -187,7 +186,7 @@ userdom_manage_user_tmp_files(evolution_t)
|
|
|
|
userdom_manage_user_home_content_dirs(evolution_t)
|
|
userdom_manage_user_home_content_files(evolution_t)
|
|
-userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file })
|
|
+userdom_filetrans_home_content(evolution_t)
|
|
|
|
userdom_write_user_tmp_sockets(evolution_t)
|
|
|
|
@@ -286,7 +285,6 @@ stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolutio
|
|
|
|
dev_read_urand(evolution_alarm_t)
|
|
|
|
-files_read_usr_files(evolution_alarm_t)
|
|
|
|
fs_search_auto_mountpoints(evolution_alarm_t)
|
|
|
|
@@ -354,7 +352,6 @@ corecmd_exec_bin(evolution_exchange_t)
|
|
|
|
dev_read_urand(evolution_exchange_t)
|
|
|
|
-files_read_usr_files(evolution_exchange_t)
|
|
|
|
fs_search_auto_mountpoints(evolution_exchange_t)
|
|
|
|
@@ -423,7 +420,6 @@ corenet_tcp_connect_http_port(evolution_server_t)
|
|
|
|
dev_read_urand(evolution_server_t)
|
|
|
|
-files_read_usr_files(evolution_server_t)
|
|
|
|
fs_search_auto_mountpoints(evolution_server_t)
|
|
|
|
diff --git a/exim.if b/exim.if
|
|
index 9bbc690..4a8d053 100644
|
|
--- a/exim.if
|
|
+++ b/exim.if
|
|
@@ -21,35 +21,51 @@ interface(`exim_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute exim in the exim domain,
|
|
-## and allow the specified role
|
|
-## the exim domain.
|
|
+## Execute the mailman program in the mailman domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## The role to allow the mailman domain.
|
|
+## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`exim_run',`
|
|
+ gen_require(`
|
|
+ type exim_t;
|
|
+ ')
|
|
+
|
|
+ exim_domtrans($1)
|
|
+ role $2 types exim_t;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute exim in the exim domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`exim_initrc_domtrans',`
|
|
gen_require(`
|
|
- attribute_role exim_roles;
|
|
+ type exim_initrc_exec_t;
|
|
')
|
|
|
|
- exim_domtrans($1)
|
|
- roleattribute $2 exim_roles;
|
|
+ init_labeled_script_domtrans($1, exim_initrc_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to read exim
|
|
-## temporary tmp files.
|
|
+## Do not audit attempts to read,
|
|
+## exim tmp files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -67,7 +83,7 @@ interface(`exim_dontaudit_read_tmp_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read exim temporary files.
|
|
+## Allow domain to read, exim tmp files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -86,7 +102,7 @@ interface(`exim_read_tmp_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read exim pid files.
|
|
+## Read exim PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -105,7 +121,7 @@ interface(`exim_read_pid_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read exim log files.
|
|
+## Allow the specified domain to read exim's log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -125,7 +141,8 @@ interface(`exim_read_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Append exim log files.
|
|
+## Allow the specified domain to append
|
|
+## exim log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -144,8 +161,7 @@ interface(`exim_append_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## exim log files.
|
|
+## Allow the specified domain to manage exim's log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -166,7 +182,7 @@ interface(`exim_manage_log',`
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
-## exim spool directories.
|
|
+## exim spool dirs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -276,7 +292,6 @@ interface(`exim_manage_var_lib_files',`
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
interface(`exim_admin',`
|
|
gen_require(`
|
|
@@ -285,10 +300,14 @@ interface(`exim_admin',`
|
|
type exim_keytab_t;
|
|
')
|
|
|
|
- allow $1 exim_t:process { ptrace signal_perms };
|
|
+ allow $1 exim_t:process signal_perms;
|
|
ps_process_pattern($1, exim_t)
|
|
|
|
- init_labeled_script_domtrans($1, exim_initrc_exec_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 exim_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ exim_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 exim_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
diff --git a/exim.te b/exim.te
|
|
index 4086c51..28105d6 100644
|
|
--- a/exim.te
|
|
+++ b/exim.te
|
|
@@ -55,7 +55,7 @@ type exim_log_t;
|
|
logging_log_file(exim_log_t)
|
|
|
|
type exim_spool_t;
|
|
-files_type(exim_spool_t)
|
|
+files_spool_file(exim_spool_t)
|
|
|
|
type exim_tmp_t;
|
|
files_tmp_file(exim_tmp_t)
|
|
@@ -105,11 +105,10 @@ can_exec(exim_t, exim_exec_t)
|
|
kernel_read_crypto_sysctls(exim_t)
|
|
kernel_read_kernel_sysctls(exim_t)
|
|
kernel_read_network_state(exim_t)
|
|
-kernel_dontaudit_read_system_state(exim_t)
|
|
+kernel_read_system_state(exim_t)
|
|
|
|
corecmd_search_bin(exim_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(exim_t)
|
|
corenet_all_recvfrom_netlabel(exim_t)
|
|
corenet_tcp_sendrecv_generic_if(exim_t)
|
|
corenet_udp_sendrecv_generic_if(exim_t)
|
|
@@ -154,7 +153,6 @@ auth_use_nsswitch(exim_t)
|
|
|
|
logging_send_syslog_msg(exim_t)
|
|
|
|
-miscfiles_read_localization(exim_t)
|
|
miscfiles_read_generic_certs(exim_t)
|
|
|
|
userdom_dontaudit_search_user_home_dirs(exim_t)
|
|
@@ -170,9 +168,9 @@ tunable_policy(`exim_can_connect_db',`
|
|
corenet_sendrecv_mssql_client_packets(exim_t)
|
|
corenet_tcp_connect_mssql_port(exim_t)
|
|
corenet_tcp_sendrecv_mssql_port(exim_t)
|
|
- corenet_sendrecv_oracledb_client_packets(exim_t)
|
|
- corenet_tcp_connect_oracledb_port(exim_t)
|
|
- corenet_tcp_sendrecv_oracledb_port(exim_t)
|
|
+ corenet_sendrecv_oracle_client_packets(exim_t)
|
|
+ corenet_tcp_connect_oracle_port(exim_t)
|
|
+ corenet_tcp_sendrecv_oracle_port(exim_t)
|
|
')
|
|
|
|
tunable_policy(`exim_read_user_files',`
|
|
@@ -186,8 +184,8 @@ tunable_policy(`exim_manage_user_files',`
|
|
')
|
|
|
|
optional_policy(`
|
|
- clamav_domtrans_clamscan(exim_t)
|
|
- clamav_stream_connect(exim_t)
|
|
+ antivirus_domtrans(exim_t)
|
|
+ antivirus_stream_connect(exim_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -210,11 +208,6 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- mailman_read_data_files(exim_t)
|
|
- mailman_domtrans(exim_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
nagios_search_spool(exim_t)
|
|
')
|
|
|
|
@@ -236,6 +229,7 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
procmail_domtrans(exim_t)
|
|
+ procmail_read_home_files(exim_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
diff --git a/fail2ban.if b/fail2ban.if
|
|
index 50d0084..94e1936 100644
|
|
--- a/fail2ban.if
|
|
+++ b/fail2ban.if
|
|
@@ -19,57 +19,57 @@ interface(`fail2ban_domtrans',`
|
|
domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Execute the fail2ban client in
|
|
-## the fail2ban client domain.
|
|
+## Execute the fail2ban client in
|
|
+## the fail2ban client domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`fail2ban_domtrans_client',`
|
|
- gen_require(`
|
|
- type fail2ban_client_t, fail2ban_client_exec_t;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type fail2ban_client_t, fail2ban_client_exec_t;
|
|
+ ')
|
|
|
|
- corecmd_search_bin($1)
|
|
- domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Execute fail2ban client in the
|
|
-## fail2ban client domain, and allow
|
|
-## the specified role the fail2ban
|
|
-## client domain.
|
|
+## Execute fail2ban client in the
|
|
+## fail2ban client domain, and allow
|
|
+## the specified role the fail2ban
|
|
+## client domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`fail2ban_run_client',`
|
|
- gen_require(`
|
|
- attribute_role fail2ban_client_roles;
|
|
- ')
|
|
+ gen_require(`
|
|
+ attribute_role fail2ban_client_roles;
|
|
+ ')
|
|
|
|
- fail2ban_domtrans_client($1)
|
|
- roleattribute $2 fail2ban_client_roles;
|
|
+ fail2ban_domtrans_client($1)
|
|
+ roleattribute $2 fail2ban_client_roles;
|
|
')
|
|
|
|
#####################################
|
|
## <summary>
|
|
-## Connect to fail2ban over a
|
|
-## unix domain stream socket.
|
|
+## Connect to fail2ban over a unix domain
|
|
+## stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -102,64 +102,63 @@ interface(`fail2ban_rw_inherited_tmp_files',`
|
|
')
|
|
|
|
files_search_tmp($1)
|
|
- allow $1 fail2ban_tmp_t:file { read write };
|
|
+ allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to use
|
|
-## fail2ban file descriptors.
|
|
+## Read and write to an fail2ba unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain to not audit.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`fail2ban_dontaudit_use_fds',`
|
|
+interface(`fail2ban_rw_stream_sockets',`
|
|
gen_require(`
|
|
type fail2ban_t;
|
|
')
|
|
|
|
- dontaudit $1 fail2ban_t:fd use;
|
|
+ allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Do not audit attempts to read and
|
|
-## write fail2ban unix stream sockets
|
|
+## Do not audit attempts to use
|
|
+## fail2ban file descriptors.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain to not audit.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`fail2ban_dontaudit_rw_stream_sockets',`
|
|
- gen_require(`
|
|
- type fail2ban_t;
|
|
- ')
|
|
+interface(`fail2ban_dontaudit_use_fds',`
|
|
+ gen_require(`
|
|
+ type fail2ban_t;
|
|
+ ')
|
|
|
|
- dontaudit $1 fail2ban_t:unix_stream_socket { read write };
|
|
+ dontaudit $1 fail2ban_t:fd use;
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Read and write fail2ban unix
|
|
-## stream sockets.
|
|
+## Do not audit attempts to read and
|
|
+## write fail2ban unix stream sockets
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`fail2ban_rw_stream_sockets',`
|
|
- gen_require(`
|
|
- type fail2ban_t;
|
|
- ')
|
|
+interface(`fail2ban_dontaudit_rw_stream_sockets',`
|
|
+ gen_require(`
|
|
+ type fail2ban_t;
|
|
+ ')
|
|
|
|
- allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
|
|
+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
@@ -178,12 +177,12 @@ interface(`fail2ban_read_lib_files',`
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
- allow $1 fail2ban_var_lib_t:file read_file_perms;
|
|
+ read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read fail2ban log files.
|
|
+## Allow the specified domain to read fail2ban's log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -198,12 +197,14 @@ interface(`fail2ban_read_log',`
|
|
')
|
|
|
|
logging_search_logs($1)
|
|
+ allow $1 fail2ban_log_t:dir list_dir_perms;
|
|
allow $1 fail2ban_log_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Append fail2ban log files.
|
|
+## Allow the specified domain to append
|
|
+## fail2ban log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -217,12 +218,13 @@ interface(`fail2ban_append_log',`
|
|
')
|
|
|
|
logging_search_logs($1)
|
|
+ allow $1 fail2ban_log_t:dir list_dir_perms;
|
|
allow $1 fail2ban_log_t:file append_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read fail2ban pid files.
|
|
+## Read fail2ban PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -241,8 +243,28 @@ interface(`fail2ban_read_pid_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an fail2ban environment.
|
|
+## dontaudit read and write an leaked file descriptors
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`fail2ban_dontaudit_leaks',`
|
|
+ gen_require(`
|
|
+ type fail2ban_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 fail2ban_t:tcp_socket { read write };
|
|
+ dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
|
|
+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an fail2ban environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -251,21 +273,25 @@ interface(`fail2ban_read_pid_files',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the fail2ban domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`fail2ban_admin',`
|
|
gen_require(`
|
|
- type fail2ban_t, fail2ban_log_t, fail2ban_tmp_t;
|
|
- type fail2ban_var_run_t, fail2ban_initrc_exec_t;
|
|
- type fail2ban_var_lib_t, fail2ban_client_t;
|
|
+ type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
|
|
+ type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
|
|
+ type fail2ban_client_t;
|
|
')
|
|
|
|
- allow $1 { fail2ban_t fail2ban_client_t }:process { ptrace signal_perms };
|
|
+ allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
|
|
ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 fail2ban_initrc_exec_t system_r;
|
|
@@ -277,10 +303,10 @@ interface(`fail2ban_admin',`
|
|
files_list_pids($1)
|
|
admin_pattern($1, fail2ban_var_run_t)
|
|
|
|
- files_search_var_lib($1)
|
|
+ files_list_var_lib($1)
|
|
admin_pattern($1, fail2ban_var_lib_t)
|
|
|
|
- files_search_tmp($1)
|
|
+ files_list_tmp($1)
|
|
admin_pattern($1, fail2ban_tmp_t)
|
|
|
|
fail2ban_run_client($1, $2)
|
|
diff --git a/fail2ban.te b/fail2ban.te
|
|
index cf0e567..91d4dfb 100644
|
|
--- a/fail2ban.te
|
|
+++ b/fail2ban.te
|
|
@@ -37,7 +37,7 @@ role fail2ban_client_roles types fail2ban_client_t;
|
|
#
|
|
|
|
allow fail2ban_t self:capability { dac_read_search dac_override sys_tty_config };
|
|
-allow fail2ban_t self:process signal;
|
|
+allow fail2ban_t self:process { setsched signal };
|
|
allow fail2ban_t self:fifo_file rw_fifo_file_perms;
|
|
allow fail2ban_t self:unix_stream_socket { accept connectto listen };
|
|
allow fail2ban_t self:tcp_socket { accept listen };
|
|
@@ -67,7 +67,6 @@ kernel_read_system_state(fail2ban_t)
|
|
corecmd_exec_bin(fail2ban_t)
|
|
corecmd_exec_shell(fail2ban_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(fail2ban_t)
|
|
corenet_all_recvfrom_netlabel(fail2ban_t)
|
|
corenet_tcp_sendrecv_generic_if(fail2ban_t)
|
|
corenet_tcp_sendrecv_generic_node(fail2ban_t)
|
|
@@ -82,7 +81,6 @@ domain_use_interactive_fds(fail2ban_t)
|
|
domain_dontaudit_read_all_domains_state(fail2ban_t)
|
|
|
|
files_read_etc_runtime_files(fail2ban_t)
|
|
-files_read_usr_files(fail2ban_t)
|
|
files_list_var(fail2ban_t)
|
|
files_dontaudit_list_tmp(fail2ban_t)
|
|
|
|
@@ -94,22 +92,33 @@ auth_use_nsswitch(fail2ban_t)
|
|
logging_read_all_logs(fail2ban_t)
|
|
logging_send_syslog_msg(fail2ban_t)
|
|
|
|
-miscfiles_read_localization(fail2ban_t)
|
|
+mta_send_mail(fail2ban_t)
|
|
|
|
sysnet_manage_config(fail2ban_t)
|
|
-sysnet_etc_filetrans_config(fail2ban_t)
|
|
-
|
|
-mta_send_mail(fail2ban_t)
|
|
+sysnet_filetrans_named_content(fail2ban_t)
|
|
|
|
optional_policy(`
|
|
apache_read_log(fail2ban_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ dbus_system_bus_client(fail2ban_t)
|
|
+ dbus_connect_system_bus(fail2ban_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ firewalld_dbus_chat(fail2ban_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
ftp_read_log(fail2ban_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ gnome_dontaudit_search_config(fail2ban_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
iptables_domtrans(fail2ban_t)
|
|
')
|
|
|
|
@@ -118,6 +127,10 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ rpm_exec(fail2ban_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
shorewall_domtrans(fail2ban_t)
|
|
')
|
|
|
|
@@ -131,22 +144,25 @@ allow fail2ban_client_t self:unix_stream_socket { create connect write read };
|
|
|
|
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
|
|
|
|
+dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
|
|
+allow fail2ban_client_t fail2ban_var_run_t:dir write;
|
|
stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
|
|
|
|
kernel_read_system_state(fail2ban_client_t)
|
|
|
|
corecmd_exec_bin(fail2ban_client_t)
|
|
|
|
+dev_read_urand(fail2ban_client_t)
|
|
+dev_read_rand(fail2ban_client_t)
|
|
+
|
|
domain_use_interactive_fds(fail2ban_client_t)
|
|
|
|
-files_read_etc_files(fail2ban_client_t)
|
|
-files_read_usr_files(fail2ban_client_t)
|
|
files_search_pids(fail2ban_client_t)
|
|
|
|
+auth_use_nsswitch(fail2ban_client_t)
|
|
+
|
|
logging_getattr_all_logs(fail2ban_client_t)
|
|
logging_search_all_logs(fail2ban_client_t)
|
|
|
|
-miscfiles_read_localization(fail2ban_client_t)
|
|
-
|
|
userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
|
|
userdom_use_user_terminals(fail2ban_client_t)
|
|
diff --git a/fcoe.te b/fcoe.te
|
|
index ce358fb..90e08d8 100644
|
|
--- a/fcoe.te
|
|
+++ b/fcoe.te
|
|
@@ -20,20 +20,20 @@ files_pid_file(fcoemon_var_run_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow fcoemon_t self:capability { dac_override kill net_admin };
|
|
+allow fcoemon_t self:capability { net_admin net_raw dac_override };
|
|
allow fcoemon_t self:fifo_file rw_fifo_file_perms;
|
|
allow fcoemon_t self:unix_stream_socket { accept listen };
|
|
allow fcoemon_t self:netlink_socket create_socket_perms;
|
|
allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms;
|
|
+allow fcoemon_t self:packet_socket create_socket_perms;
|
|
+allow fcoemon_t self:udp_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
|
|
manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
|
|
manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t)
|
|
files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file })
|
|
|
|
-files_read_etc_files(fcoemon_t)
|
|
-
|
|
-dev_read_sysfs(fcoemon_t)
|
|
+dev_rw_sysfs(fcoemon_t)
|
|
|
|
logging_send_syslog_msg(fcoemon_t)
|
|
|
|
diff --git a/fetchmail.fc b/fetchmail.fc
|
|
index 133b8ee..a47a12f 100644
|
|
--- a/fetchmail.fc
|
|
+++ b/fetchmail.fc
|
|
@@ -1,4 +1,5 @@
|
|
HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0)
|
|
+/root/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t, s0)
|
|
|
|
/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0)
|
|
|
|
diff --git a/fetchmail.if b/fetchmail.if
|
|
index c3f7916..cab3954 100644
|
|
--- a/fetchmail.if
|
|
+++ b/fetchmail.if
|
|
@@ -23,14 +23,16 @@ interface(`fetchmail_admin',`
|
|
type fetchmail_var_run_t, fetchmail_initrc_exec_t, fetchmail_log_t;
|
|
')
|
|
|
|
+ ps_process_pattern($1, fetchmail_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 fetchmail_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 fetchmail_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- allow $1 fetchmail_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, fetchmail_t)
|
|
-
|
|
files_list_etc($1)
|
|
admin_pattern($1, fetchmail_etc_t)
|
|
|
|
diff --git a/fetchmail.te b/fetchmail.te
|
|
index 742559a..a6c5c24 100644
|
|
--- a/fetchmail.te
|
|
+++ b/fetchmail.te
|
|
@@ -32,14 +32,17 @@ files_type(fetchmail_uidl_cache_t)
|
|
#
|
|
# Local policy
|
|
#
|
|
-
|
|
+allow fetchmail_t self:capability setuid;
|
|
dontaudit fetchmail_t self:capability sys_tty_config;
|
|
allow fetchmail_t self:process { signal_perms setrlimit };
|
|
allow fetchmail_t self:unix_stream_socket { accept listen };
|
|
|
|
allow fetchmail_t fetchmail_etc_t:file read_file_perms;
|
|
|
|
+list_dirs_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
|
|
read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
|
|
+userdom_search_user_home_dirs(fetchmail_t)
|
|
+userdom_search_admin_dir(fetchmail_t)
|
|
|
|
manage_dirs_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
|
|
append_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
|
|
@@ -63,7 +66,6 @@ kernel_dontaudit_read_system_state(fetchmail_t)
|
|
corecmd_exec_bin(fetchmail_t)
|
|
corecmd_exec_shell(fetchmail_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(fetchmail_t)
|
|
corenet_all_recvfrom_netlabel(fetchmail_t)
|
|
corenet_tcp_sendrecv_generic_if(fetchmail_t)
|
|
corenet_tcp_sendrecv_generic_node(fetchmail_t)
|
|
@@ -84,15 +86,23 @@ fs_search_auto_mountpoints(fetchmail_t)
|
|
|
|
domain_use_interactive_fds(fetchmail_t)
|
|
|
|
-auth_use_nsswitch(fetchmail_t)
|
|
+auth_read_passwd(fetchmail_t)
|
|
|
|
logging_send_syslog_msg(fetchmail_t)
|
|
|
|
-miscfiles_read_localization(fetchmail_t)
|
|
miscfiles_read_generic_certs(fetchmail_t)
|
|
|
|
+sysnet_dns_name_resolve(fetchmail_t)
|
|
+
|
|
userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
|
|
-userdom_search_user_home_dirs(fetchmail_t)
|
|
+
|
|
+optional_policy(`
|
|
+ mta_send_mail(fetchmail_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ kerberos_use(fetchmail_t)
|
|
+')
|
|
|
|
optional_policy(`
|
|
procmail_domtrans(fetchmail_t)
|
|
diff --git a/finger.te b/finger.te
|
|
index 35da09d..85f1e03 100644
|
|
--- a/finger.te
|
|
+++ b/finger.te
|
|
@@ -45,7 +45,6 @@ logging_log_filetrans(fingerd_t, fingerd_log_t, file)
|
|
kernel_read_kernel_sysctls(fingerd_t)
|
|
kernel_read_system_state(fingerd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(fingerd_t)
|
|
corenet_all_recvfrom_netlabel(fingerd_t)
|
|
corenet_tcp_sendrecv_generic_if(fingerd_t)
|
|
corenet_tcp_sendrecv_generic_node(fingerd_t)
|
|
@@ -63,6 +62,7 @@ dev_read_sysfs(fingerd_t)
|
|
domain_use_interactive_fds(fingerd_t)
|
|
|
|
files_read_etc_runtime_files(fingerd_t)
|
|
+files_search_home(fingerd_t)
|
|
|
|
fs_getattr_all_fs(fingerd_t)
|
|
fs_search_auto_mountpoints(fingerd_t)
|
|
@@ -71,6 +71,7 @@ term_getattr_all_ttys(fingerd_t)
|
|
term_getattr_all_ptys(fingerd_t)
|
|
|
|
auth_read_lastlog(fingerd_t)
|
|
+auth_use_nsswitch(fingerd_t)
|
|
|
|
init_read_utmp(fingerd_t)
|
|
init_dontaudit_write_utmp(fingerd_t)
|
|
@@ -79,7 +80,7 @@ logging_send_syslog_msg(fingerd_t)
|
|
|
|
mta_getattr_spool(fingerd_t)
|
|
|
|
-miscfiles_read_localization(fingerd_t)
|
|
+sysnet_read_config(fingerd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
|
|
|
|
diff --git a/firewalld.fc b/firewalld.fc
|
|
index 21d7b84..0e272bd 100644
|
|
--- a/firewalld.fc
|
|
+++ b/firewalld.fc
|
|
@@ -1,3 +1,5 @@
|
|
+/usr/lib/systemd/system/firewalld.* -- gen_context(system_u:object_r:firewalld_unit_file_t,s0)
|
|
+
|
|
/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
|
|
|
|
/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
|
|
diff --git a/firewalld.if b/firewalld.if
|
|
index c62c567..0fc685b 100644
|
|
--- a/firewalld.if
|
|
+++ b/firewalld.if
|
|
@@ -2,7 +2,7 @@
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read firewalld configuration files.
|
|
+## Read firewalld config
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -10,7 +10,7 @@
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`firewalld_read_config_files',`
|
|
+interface(`firewalld_read_config',`
|
|
gen_require(`
|
|
type firewalld_etc_rw_t;
|
|
')
|
|
@@ -21,6 +21,47 @@ interface(`firewalld_read_config_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Execute firewalld server in the firewalld domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## The type of the process performing this action.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`firewalld_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type firewalld_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute firewalld server in the firewalld domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`firewalld_systemctl',`
|
|
+ gen_require(`
|
|
+ type firewalld_t;
|
|
+ type firewalld_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 firewalld_unit_file_t:file read_file_perms;
|
|
+ allow $1 firewalld_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, firewalld_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Send and receive messages from
|
|
## firewalld over dbus.
|
|
## </summary>
|
|
@@ -42,8 +83,8 @@ interface(`firewalld_dbus_chat',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to read, snd
|
|
-## write firewalld temporary files.
|
|
+## Dontaudit attempts to write
|
|
+## firewalld tmp files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -51,18 +92,18 @@ interface(`firewalld_dbus_chat',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`firewalld_dontaudit_rw_tmp_files',`
|
|
+interface(`firewalld_dontaudit_write_tmp_files',`
|
|
gen_require(`
|
|
type firewalld_tmp_t;
|
|
')
|
|
|
|
- dontaudit $1 firewalld_tmp_t:file { read write };
|
|
+ dontaudit $1 firewalld_tmp_t:file write;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an firewalld environment.
|
|
+## All of the rules required to administrate
|
|
+## an firewalld environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -83,10 +124,14 @@ interface(`firewalld_admin',`
|
|
type firewalld_var_log_t;
|
|
')
|
|
|
|
- allow $1 firewalld_t:process { ptrace signal_perms };
|
|
+ allow $1 firewalld_t:process signal_perms;
|
|
ps_process_pattern($1, firewalld_t)
|
|
|
|
- init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 firewalld_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ firewalld_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 firewalld_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
@@ -97,6 +142,9 @@ interface(`firewalld_admin',`
|
|
logging_search_logs($1)
|
|
admin_pattern($1, firewalld_var_log_t)
|
|
|
|
- files_search_etc($1)
|
|
admin_pattern($1, firewall_etc_rw_t)
|
|
+
|
|
+ admin_pattern($1, firewalld_unit_file_t)
|
|
+ firewalld_systemctl($1)
|
|
+ allow $1 firewalld_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/firewalld.te b/firewalld.te
|
|
index 98072a3..cbaf309 100644
|
|
--- a/firewalld.te
|
|
+++ b/firewalld.te
|
|
@@ -21,9 +21,15 @@ logging_log_file(firewalld_var_log_t)
|
|
type firewalld_tmp_t;
|
|
files_tmp_file(firewalld_tmp_t)
|
|
|
|
+type firewalld_tmpfs_t;
|
|
+files_tmpfs_file(firewalld_tmpfs_t)
|
|
+
|
|
type firewalld_var_run_t;
|
|
files_pid_file(firewalld_var_run_t)
|
|
|
|
+type firewalld_unit_file_t;
|
|
+systemd_unit_file(firewalld_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -37,6 +43,7 @@ allow firewalld_t self:udp_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
|
|
manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
|
|
+manage_lnk_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
|
|
|
|
allow firewalld_t firewalld_var_log_t:file append_file_perms;
|
|
allow firewalld_t firewalld_var_log_t:file create_file_perms;
|
|
@@ -48,8 +55,13 @@ manage_files_pattern(firewalld_t, firewalld_tmp_t, firewalld_tmp_t)
|
|
files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
|
|
allow firewalld_t firewalld_tmp_t:file mmap_file_perms;
|
|
|
|
+manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
|
|
+fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, file)
|
|
+allow firewalld_t firewalld_tmpfs_t:file mmap_file_perms;
|
|
+
|
|
manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
|
|
files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
|
|
+can_exec(firewalld_t, firewalld_var_run_t)
|
|
|
|
kernel_read_network_state(firewalld_t)
|
|
kernel_read_system_state(firewalld_t)
|
|
@@ -63,20 +75,17 @@ dev_search_sysfs(firewalld_t)
|
|
|
|
domain_use_interactive_fds(firewalld_t)
|
|
|
|
-files_read_etc_files(firewalld_t)
|
|
-files_read_usr_files(firewalld_t)
|
|
+files_dontaudit_access_check_tmp(firewalld_t)
|
|
files_dontaudit_list_tmp(firewalld_t)
|
|
|
|
fs_getattr_xattr_fs(firewalld_t)
|
|
+fs_dontaudit_all_access_check(firewalld_t)
|
|
|
|
-logging_send_syslog_msg(firewalld_t)
|
|
-
|
|
-miscfiles_read_localization(firewalld_t)
|
|
+auth_use_nsswitch(firewalld_t)
|
|
|
|
-seutil_exec_setfiles(firewalld_t)
|
|
-seutil_read_file_contexts(firewalld_t)
|
|
+logging_send_syslog_msg(firewalld_t)
|
|
|
|
-sysnet_read_config(firewalld_t)
|
|
+sysnet_dns_name_resolve(firewalld_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_domain(firewalld_t, firewalld_exec_t)
|
|
@@ -95,6 +104,10 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ gnome_read_generic_data_home_dirs(firewalld_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
iptables_domtrans(firewalld_t)
|
|
')
|
|
|
|
diff --git a/firewallgui.if b/firewallgui.if
|
|
index e6866d1..941f4ef 100644
|
|
--- a/firewallgui.if
|
|
+++ b/firewallgui.if
|
|
@@ -37,5 +37,5 @@ interface(`firewallgui_dontaudit_rw_pipes',`
|
|
type firewallgui_t;
|
|
')
|
|
|
|
- dontaudit $1 firewallgui_t:fifo_file rw_fifo_file_perms;
|
|
+ dontaudit $1 firewallgui_t:fifo_file rw_inherited_fifo_file_perms;
|
|
')
|
|
diff --git a/firewallgui.te b/firewallgui.te
|
|
index 2094546..2481a97 100644
|
|
--- a/firewallgui.te
|
|
+++ b/firewallgui.te
|
|
@@ -36,8 +36,10 @@ corecmd_exec_shell(firewallgui_t)
|
|
dev_read_sysfs(firewallgui_t)
|
|
dev_read_urand(firewallgui_t)
|
|
|
|
+files_manage_system_conf_files(firewallgui_t)
|
|
+files_etc_filetrans_system_conf(firewallgui_t)
|
|
+files_search_kernel_modules(firewallgui_t)
|
|
files_list_kernel_modules(firewallgui_t)
|
|
-files_read_usr_files(firewallgui_t)
|
|
|
|
auth_use_nsswitch(firewallgui_t)
|
|
|
|
@@ -60,12 +62,13 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- gnome_read_generic_gconf_home_content(firewallgui_t)
|
|
+ gnome_read_gconf_home_files(firewallgui_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
iptables_domtrans(firewallgui_t)
|
|
iptables_initrc_domtrans(firewallgui_t)
|
|
+ iptables_systemctl(firewallgui_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
diff --git a/firstboot.fc b/firstboot.fc
|
|
index 12c782c..ba614e4 100644
|
|
--- a/firstboot.fc
|
|
+++ b/firstboot.fc
|
|
@@ -1,5 +1,3 @@
|
|
-/etc/rc\.d/init\.d/firstboot.* -- gen_context(system_u:object_r:firstboot_initrc_exec_t,s0)
|
|
+/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
|
|
|
|
-/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
|
|
-
|
|
-/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
|
|
+/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
|
|
diff --git a/firstboot.if b/firstboot.if
|
|
index 280f875..f3a67c9 100644
|
|
--- a/firstboot.if
|
|
+++ b/firstboot.if
|
|
@@ -1,4 +1,7 @@
|
|
-## <summary>Initial system configuration utility.</summary>
|
|
+## <summary>
|
|
+## Final system configuration run during the first boot
|
|
+## after installation of Red Hat/Fedora systems.
|
|
+## </summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -15,15 +18,13 @@ interface(`firstboot_domtrans',`
|
|
type firstboot_t, firstboot_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, firstboot_exec_t, firstboot_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute firstboot in the firstboot
|
|
-## domain, and allow the specified role
|
|
-## the firstboot domain.
|
|
+## Execute firstboot in the firstboot domain, and
|
|
+## allow the specified role the firstboot domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -38,16 +39,16 @@ interface(`firstboot_domtrans',`
|
|
#
|
|
interface(`firstboot_run',`
|
|
gen_require(`
|
|
- attribute_role firstboot_roles;
|
|
+ type firstboot_t;
|
|
')
|
|
|
|
firstboot_domtrans($1)
|
|
- roleattribute $2 firstboot_roles;
|
|
+ role $2 types firstboot_t;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Inherit and use firstboot file descriptors.
|
|
+## Inherit and use a file descriptor from firstboot.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -65,8 +66,8 @@ interface(`firstboot_use_fds',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to inherit
|
|
-## firstboot file descriptors.
|
|
+## Do not audit attempts to inherit a
|
|
+## file descriptor from firstboot.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -84,7 +85,26 @@ interface(`firstboot_dontaudit_use_fds',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Write firstboot unnamed pipes.
|
|
+## dontaudit read and write an leaked file descriptors
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`firstboot_dontaudit_leaks',`
|
|
+ gen_require(`
|
|
+ type firstboot_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 firstboot_t:socket_class_set { read write };
|
|
+ dontaudit $1 firstboot_t:fifo_file rw_inherited_fifo_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Write to a firstboot unnamed pipe.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -97,12 +117,13 @@ interface(`firstboot_write_pipes',`
|
|
type firstboot_t;
|
|
')
|
|
|
|
+ allow $1 firstboot_t:fd use;
|
|
allow $1 firstboot_t:fifo_file write;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and Write firstboot unnamed pipes.
|
|
+## Read and Write to a firstboot unnamed pipe.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -120,8 +141,7 @@ interface(`firstboot_rw_pipes',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attemps to read and
|
|
-## write firstboot unnamed pipes.
|
|
+## Do not audit attemps to read and write to a firstboot unnamed pipe.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -139,9 +159,8 @@ interface(`firstboot_dontaudit_rw_pipes',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attemps to read and
|
|
-## write firstboot unix domain
|
|
-## stream sockets.
|
|
+## Do not audit attemps to read and write to a firstboot
|
|
+## unix domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
diff --git a/firstboot.te b/firstboot.te
|
|
index 5010f04..928215f 100644
|
|
--- a/firstboot.te
|
|
+++ b/firstboot.te
|
|
@@ -1,7 +1,7 @@
|
|
policy_module(firstboot, 1.13.0)
|
|
|
|
gen_require(`
|
|
- class passwd { passwd chfn chsh rootok };
|
|
+ class passwd { passwd chfn chsh rootok crontab };
|
|
')
|
|
|
|
########################################
|
|
@@ -9,17 +9,12 @@ gen_require(`
|
|
# Declarations
|
|
#
|
|
|
|
-attribute_role firstboot_roles;
|
|
-
|
|
type firstboot_t;
|
|
type firstboot_exec_t;
|
|
init_system_domain(firstboot_t, firstboot_exec_t)
|
|
domain_obj_id_change_exemption(firstboot_t)
|
|
domain_subj_id_change_exemption(firstboot_t)
|
|
-role firstboot_roles types firstboot_t;
|
|
-
|
|
-type firstboot_initrc_exec_t;
|
|
-init_script_file(firstboot_initrc_exec_t)
|
|
+role system_r types firstboot_t;
|
|
|
|
type firstboot_etc_t;
|
|
files_config_file(firstboot_etc_t)
|
|
@@ -32,28 +27,25 @@ files_config_file(firstboot_etc_t)
|
|
allow firstboot_t self:capability { dac_override setgid };
|
|
allow firstboot_t self:process setfscreate;
|
|
allow firstboot_t self:fifo_file rw_fifo_file_perms;
|
|
-allow firstboot_t self:tcp_socket { accept listen };
|
|
+allow firstboot_t self:tcp_socket create_stream_socket_perms;
|
|
+allow firstboot_t self:unix_stream_socket { connect create };
|
|
allow firstboot_t self:passwd { rootok passwd chfn chsh };
|
|
|
|
allow firstboot_t firstboot_etc_t:file read_file_perms;
|
|
|
|
+files_manage_generic_tmp_dirs(firstboot_t)
|
|
+files_manage_generic_tmp_files(firstboot_t)
|
|
+
|
|
kernel_read_system_state(firstboot_t)
|
|
kernel_read_kernel_sysctls(firstboot_t)
|
|
|
|
-corecmd_exec_all_executables(firstboot_t)
|
|
+corenet_all_recvfrom_netlabel(firstboot_t)
|
|
+corenet_tcp_sendrecv_generic_if(firstboot_t)
|
|
+corenet_tcp_sendrecv_generic_node(firstboot_t)
|
|
+corenet_tcp_sendrecv_all_ports(firstboot_t)
|
|
|
|
dev_read_urand(firstboot_t)
|
|
|
|
-files_exec_etc_files(firstboot_t)
|
|
-files_manage_etc_files(firstboot_t)
|
|
-files_manage_etc_runtime_files(firstboot_t)
|
|
-files_read_usr_files(firstboot_t)
|
|
-files_manage_var_dirs(firstboot_t)
|
|
-files_manage_var_files(firstboot_t)
|
|
-files_manage_var_symlinks(firstboot_t)
|
|
-files_create_boot_flag(firstboot_t)
|
|
-files_delete_boot_flag(firstboot_t)
|
|
-
|
|
selinux_get_fs_mount(firstboot_t)
|
|
selinux_validate_context(firstboot_t)
|
|
selinux_compute_access_vector(firstboot_t)
|
|
@@ -63,6 +55,17 @@ selinux_compute_user_contexts(firstboot_t)
|
|
|
|
auth_dontaudit_getattr_shadow(firstboot_t)
|
|
|
|
+corecmd_exec_all_executables(firstboot_t)
|
|
+
|
|
+files_exec_etc_files(firstboot_t)
|
|
+files_manage_etc_files(firstboot_t)
|
|
+files_manage_etc_runtime_files(firstboot_t)
|
|
+files_manage_var_dirs(firstboot_t)
|
|
+files_manage_var_files(firstboot_t)
|
|
+files_manage_var_symlinks(firstboot_t)
|
|
+files_create_boot_flag(firstboot_t)
|
|
+files_delete_boot_flag(firstboot_t)
|
|
+
|
|
init_domtrans_script(firstboot_t)
|
|
init_rw_utmp(firstboot_t)
|
|
|
|
@@ -73,18 +76,18 @@ locallogin_use_fds(firstboot_t)
|
|
|
|
logging_send_syslog_msg(firstboot_t)
|
|
|
|
-miscfiles_read_localization(firstboot_t)
|
|
-
|
|
sysnet_dns_name_resolve(firstboot_t)
|
|
|
|
-userdom_use_user_terminals(firstboot_t)
|
|
+userdom_use_inherited_user_terminals(firstboot_t)
|
|
+
|
|
+# Add/remove user home directories
|
|
userdom_manage_user_home_content_dirs(firstboot_t)
|
|
userdom_manage_user_home_content_files(firstboot_t)
|
|
userdom_manage_user_home_content_symlinks(firstboot_t)
|
|
userdom_manage_user_home_content_pipes(firstboot_t)
|
|
userdom_manage_user_home_content_sockets(firstboot_t)
|
|
userdom_home_filetrans_user_home_dir(firstboot_t)
|
|
-userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
|
|
+userdom_filetrans_home_content(firstboot_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(firstboot_t)
|
|
@@ -102,20 +105,18 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- nis_use_ypbind(firstboot_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
samba_rw_config(firstboot_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_domtrans(firstboot_t)
|
|
- unconfined_domain(firstboot_t)
|
|
+ # The big hammer
|
|
+ unconfined_domain_noaudit(firstboot_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- gnome_manage_generic_home_content(firstboot_t)
|
|
+ gnome_admin_home_gconf_filetrans(firstboot_t, dir)
|
|
+ gnome_manage_config(firstboot_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
diff --git a/fprintd.te b/fprintd.te
|
|
index 92a6479..989f63a 100644
|
|
--- a/fprintd.te
|
|
+++ b/fprintd.te
|
|
@@ -20,6 +20,7 @@ files_type(fprintd_var_lib_t)
|
|
allow fprintd_t self:capability sys_nice;
|
|
allow fprintd_t self:process { getsched setsched signal sigkill };
|
|
allow fprintd_t self:fifo_file rw_fifo_file_perms;
|
|
+allow fprintd_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
|
|
manage_files_pattern(fprintd_t, fprintd_var_lib_t, fprintd_var_lib_t)
|
|
@@ -28,16 +29,13 @@ kernel_read_system_state(fprintd_t)
|
|
|
|
dev_list_usbfs(fprintd_t)
|
|
dev_read_sysfs(fprintd_t)
|
|
+dev_read_urand(fprintd_t)
|
|
dev_rw_generic_usb_dev(fprintd_t)
|
|
|
|
-files_read_usr_files(fprintd_t)
|
|
-
|
|
fs_getattr_all_fs(fprintd_t)
|
|
|
|
auth_use_nsswitch(fprintd_t)
|
|
|
|
-miscfiles_read_localization(fprintd_t)
|
|
-
|
|
userdom_use_user_ptys(fprintd_t)
|
|
userdom_read_all_users_state(fprintd_t)
|
|
|
|
@@ -54,8 +52,13 @@ optional_policy(`
|
|
')
|
|
')
|
|
|
|
+
|
|
optional_policy(`
|
|
- policykit_domtrans_auth(fprintd_t)
|
|
policykit_read_reload(fprintd_t)
|
|
policykit_read_lib(fprintd_t)
|
|
+ policykit_domtrans_auth(fprintd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ xserver_read_state_xdm(fprintd_t)
|
|
')
|
|
diff --git a/ftp.fc b/ftp.fc
|
|
index ddb75c1..44f74e6 100644
|
|
--- a/ftp.fc
|
|
+++ b/ftp.fc
|
|
@@ -1,5 +1,8 @@
|
|
/etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0)
|
|
|
|
+/usr/lib/systemd/system/vsftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/proftpd.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
|
|
+
|
|
/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
|
|
|
|
/etc/rc\.d/init\.d/vsftpd -- gen_context(system_u:object_r:ftpd_initrc_exec_t,s0)
|
|
diff --git a/ftp.if b/ftp.if
|
|
index 4498143..77bbcef 100644
|
|
--- a/ftp.if
|
|
+++ b/ftp.if
|
|
@@ -1,5 +1,66 @@
|
|
## <summary>File transfer protocol service.</summary>
|
|
|
|
+######################################
|
|
+## <summary>
|
|
+## Execute a domain transition to run ftpd.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ftp_domtrans',`
|
|
+ gen_require(`
|
|
+ type ftpd_t, ftpd_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1,ftpd_exec_t, ftpd_t)
|
|
+
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute ftpd server in the ftpd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## The type of the process performing this action.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ftp_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type ftpd_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute ftpd server in the ftpd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ftp_systemctl',`
|
|
+ gen_require(`
|
|
+ type ftpd_unit_file_t;
|
|
+ type ftpd_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 ftpd_unit_file_t:file read_file_perms;
|
|
+ allow $1 ftpd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, ftpd_t)
|
|
+')
|
|
+
|
|
#######################################
|
|
## <summary>
|
|
## Execute a dyntransition to run anon sftpd.
|
|
@@ -179,8 +240,11 @@ interface(`ftp_admin',`
|
|
type ftpd_keytab_t;
|
|
')
|
|
|
|
- allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
|
|
+ allow $1 ftpd_t:process signal_perms;
|
|
ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
@@ -204,5 +268,9 @@ interface(`ftp_admin',`
|
|
logging_list_logs($1)
|
|
admin_pattern($1, xferlog_t)
|
|
|
|
+ ftp_systemctl($1)
|
|
+ admin_pattern($1, ftpd_unit_file_t)
|
|
+ allow $1 ftpd_unit_file_t:service all_service_perms;
|
|
+
|
|
ftp_run_ftpdctl($1, $2)
|
|
')
|
|
diff --git a/ftp.te b/ftp.te
|
|
index 36838c2..ab0eccc 100644
|
|
--- a/ftp.te
|
|
+++ b/ftp.te
|
|
@@ -13,7 +13,7 @@ policy_module(ftp, 1.15.1)
|
|
## be labeled public_content_rw_t.
|
|
## </p>
|
|
## </desc>
|
|
-gen_tunable(allow_ftpd_anon_write, false)
|
|
+gen_tunable(ftpd_anon_write, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
@@ -22,7 +22,7 @@ gen_tunable(allow_ftpd_anon_write, false)
|
|
## all files on the system, governed by DAC.
|
|
## </p>
|
|
## </desc>
|
|
-gen_tunable(allow_ftpd_full_access, false)
|
|
+gen_tunable(ftpd_full_access, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
@@ -30,7 +30,14 @@ gen_tunable(allow_ftpd_full_access, false)
|
|
## used for public file transfer services.
|
|
## </p>
|
|
## </desc>
|
|
-gen_tunable(allow_ftpd_use_cifs, false)
|
|
+gen_tunable(ftpd_use_cifs, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow ftpd to use ntfs/fusefs volumes.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(ftpd_use_fusefs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
@@ -38,7 +45,7 @@ gen_tunable(allow_ftpd_use_cifs, false)
|
|
## used for public file transfer services.
|
|
## </p>
|
|
## </desc>
|
|
-gen_tunable(allow_ftpd_use_nfs, false)
|
|
+gen_tunable(ftpd_use_nfs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
@@ -124,6 +131,9 @@ files_config_file(ftpd_etc_t)
|
|
type ftpd_initrc_exec_t;
|
|
init_script_file(ftpd_initrc_exec_t)
|
|
|
|
+type ftpd_unit_file_t;
|
|
+systemd_unit_file(ftpd_unit_file_t)
|
|
+
|
|
type ftpd_keytab_t;
|
|
files_type(ftpd_keytab_t)
|
|
|
|
@@ -184,6 +194,9 @@ allow ftpd_t ftpd_keytab_t:file read_file_perms;
|
|
allow ftpd_t ftpd_lock_t:file manage_file_perms;
|
|
files_lock_filetrans(ftpd_t, ftpd_lock_t, file)
|
|
|
|
+manage_dirs_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
|
|
+manage_files_pattern(ftpd_t, ftpd_tmp_t, ftpd_tmp_t)
|
|
+
|
|
manage_dirs_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
|
manage_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
|
manage_lnk_files_pattern(ftpd_t, ftpd_tmpfs_t, ftpd_tmpfs_t)
|
|
@@ -206,14 +219,13 @@ logging_log_filetrans(ftpd_t, xferlog_t, file)
|
|
|
|
kernel_read_kernel_sysctls(ftpd_t)
|
|
kernel_read_system_state(ftpd_t)
|
|
-kernel_search_network_state(ftpd_t)
|
|
+kernel_read_network_state(ftpd_t)
|
|
|
|
dev_read_sysfs(ftpd_t)
|
|
dev_read_urand(ftpd_t)
|
|
|
|
corecmd_exec_bin(ftpd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(ftpd_t)
|
|
corenet_all_recvfrom_netlabel(ftpd_t)
|
|
corenet_tcp_sendrecv_generic_if(ftpd_t)
|
|
corenet_udp_sendrecv_generic_if(ftpd_t)
|
|
@@ -229,9 +241,12 @@ corenet_tcp_bind_ftp_port(ftpd_t)
|
|
corenet_sendrecv_ftp_data_server_packets(ftpd_t)
|
|
corenet_tcp_bind_ftp_data_port(ftpd_t)
|
|
|
|
+corenet_tcp_bind_generic_port(ftpd_t)
|
|
+corenet_tcp_bind_all_ephemeral_ports(ftpd_t)
|
|
+corenet_tcp_connect_all_ephemeral_ports(ftpd_t)
|
|
+
|
|
domain_use_interactive_fds(ftpd_t)
|
|
|
|
-files_read_etc_files(ftpd_t)
|
|
files_read_etc_runtime_files(ftpd_t)
|
|
files_search_var_lib(ftpd_t)
|
|
|
|
@@ -250,7 +265,6 @@ logging_send_audit_msgs(ftpd_t)
|
|
logging_send_syslog_msg(ftpd_t)
|
|
logging_set_loginuid(ftpd_t)
|
|
|
|
-miscfiles_read_localization(ftpd_t)
|
|
miscfiles_read_public_files(ftpd_t)
|
|
|
|
seutil_dontaudit_search_config(ftpd_t)
|
|
@@ -259,32 +273,49 @@ sysnet_use_ldap(ftpd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(ftpd_t)
|
|
userdom_dontaudit_search_user_home_dirs(ftpd_t)
|
|
+userdom_filetrans_home_content(ftpd_t)
|
|
|
|
-tunable_policy(`allow_ftpd_anon_write',`
|
|
+tunable_policy(`ftpd_anon_write',`
|
|
miscfiles_manage_public_files(ftpd_t)
|
|
')
|
|
|
|
-tunable_policy(`allow_ftpd_use_cifs',`
|
|
+tunable_policy(`ftpd_use_cifs',`
|
|
fs_read_cifs_files(ftpd_t)
|
|
fs_read_cifs_symlinks(ftpd_t)
|
|
')
|
|
|
|
-tunable_policy(`allow_ftpd_use_cifs && allow_ftpd_anon_write',`
|
|
+tunable_policy(`ftpd_use_cifs && ftpd_anon_write',`
|
|
fs_manage_cifs_files(ftpd_t)
|
|
')
|
|
|
|
-tunable_policy(`allow_ftpd_use_nfs',`
|
|
+tunable_policy(`ftpd_use_fusefs',`
|
|
+ fs_manage_fusefs_dirs(ftpd_t)
|
|
+ fs_manage_fusefs_files(ftpd_t)
|
|
+',`
|
|
+ fs_search_fusefs(ftpd_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`ftpd_use_nfs',`
|
|
fs_read_nfs_files(ftpd_t)
|
|
fs_read_nfs_symlinks(ftpd_t)
|
|
')
|
|
|
|
-tunable_policy(`allow_ftpd_use_nfs && allow_ftpd_anon_write',`
|
|
+tunable_policy(`ftpd_use_nfs && ftpd_anon_write',`
|
|
fs_manage_nfs_files(ftpd_t)
|
|
')
|
|
|
|
-tunable_policy(`allow_ftpd_full_access',`
|
|
+tunable_policy(`ftpd_full_access',`
|
|
allow ftpd_t self:capability { dac_override dac_read_search };
|
|
- files_manage_non_auth_files(ftpd_t)
|
|
+ files_manage_non_security_dirs(ftpd_t)
|
|
+ files_manage_non_security_files(ftpd_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`ftpd_use_passive_mode',`
|
|
+ corenet_tcp_bind_all_unreserved_ports(ftpd_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`ftpd_connect_all_unreserved',`
|
|
+ corenet_tcp_connect_all_unreserved_ports(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`ftpd_use_passive_mode',`
|
|
@@ -304,22 +335,19 @@ tunable_policy(`ftpd_connect_db',`
|
|
corenet_sendrecv_mssql_client_packets(ftpd_t)
|
|
corenet_tcp_connect_mssql_port(ftpd_t)
|
|
corenet_tcp_sendrecv_mssql_port(ftpd_t)
|
|
- corenet_sendrecv_oracledb_client_packets(ftpd_t)
|
|
- corenet_tcp_connect_oracledb_port(ftpd_t)
|
|
- corenet_tcp_sendrecv_oracledb_port(ftpd_t)
|
|
+ corenet_sendrecv_oracle_client_packets(ftpd_t)
|
|
+ corenet_tcp_connect_oracle_port(ftpd_t)
|
|
+ corenet_tcp_sendrecv_oracle_port(ftpd_t)
|
|
')
|
|
|
|
tunable_policy(`ftp_home_dir',`
|
|
allow ftpd_t self:capability { dac_override dac_read_search };
|
|
|
|
- userdom_manage_user_home_content_dirs(ftpd_t)
|
|
- userdom_manage_user_home_content_files(ftpd_t)
|
|
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
|
|
+ userdom_manage_all_user_home_type_dirs(ftpd_t)
|
|
+ userdom_manage_all_user_home_type_files(ftpd_t)
|
|
userdom_manage_user_tmp_dirs(ftpd_t)
|
|
userdom_manage_user_tmp_files(ftpd_t)
|
|
- userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
|
|
',`
|
|
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file })
|
|
userdom_tmp_filetrans_user_tmp(ftpd_t, { dir file })
|
|
')
|
|
|
|
@@ -363,9 +391,8 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
selinux_validate_context(ftpd_t)
|
|
-
|
|
kerberos_read_keytab(ftpd_t)
|
|
- kerberos_tmp_filetrans_host_rcache(ftpd_t, file, "host_0")
|
|
+ kerberos_tmp_filetrans_host_rcache(ftpd_t, "host_0")
|
|
kerberos_use(ftpd_t)
|
|
')
|
|
|
|
@@ -416,21 +443,20 @@ optional_policy(`
|
|
#
|
|
|
|
stream_connect_pattern(ftpdctl_t, ftpd_var_run_t, ftpd_var_run_t, ftpd_t)
|
|
+files_search_pids(ftpdctl_t)
|
|
|
|
allow ftpdctl_t ftpdctl_tmp_t:sock_file manage_sock_file_perms;
|
|
files_tmp_filetrans(ftpdctl_t, ftpdctl_tmp_t, sock_file)
|
|
|
|
-files_read_etc_files(ftpdctl_t)
|
|
files_search_pids(ftpdctl_t)
|
|
|
|
-userdom_use_user_terminals(ftpdctl_t)
|
|
+userdom_use_inherited_user_terminals(ftpdctl_t)
|
|
|
|
########################################
|
|
#
|
|
# Anon sftpd local policy
|
|
#
|
|
|
|
-files_read_etc_files(anon_sftpd_t)
|
|
|
|
miscfiles_read_public_files(anon_sftpd_t)
|
|
|
|
@@ -443,23 +469,34 @@ tunable_policy(`sftpd_anon_write',`
|
|
# Sftpd local policy
|
|
#
|
|
|
|
-files_read_etc_files(sftpd_t)
|
|
|
|
userdom_read_user_home_content_files(sftpd_t)
|
|
userdom_read_user_home_content_symlinks(sftpd_t)
|
|
+userdom_dontaudit_list_admin_dir(sftpd_t)
|
|
+
|
|
+tunable_policy(`sftpd_full_access',`
|
|
+ allow sftpd_t self:capability { dac_override dac_read_search };
|
|
+ fs_read_noxattr_fs_files(sftpd_t)
|
|
+ files_manage_non_security_dirs(sftpd_t)
|
|
+ files_manage_non_security_files(sftpd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ tunable_policy(`sftpd_write_ssh_home',`
|
|
+ ssh_manage_home_files(sftpd_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
+userdom_filetrans_home_content(sftpd_t)
|
|
+userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
|
|
|
|
tunable_policy(`sftpd_enable_homedirs',`
|
|
allow sftpd_t self:capability { dac_override dac_read_search };
|
|
|
|
userdom_manage_user_home_content_dirs(sftpd_t)
|
|
userdom_manage_user_home_content_files(sftpd_t)
|
|
- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
|
|
userdom_manage_user_tmp_dirs(sftpd_t)
|
|
userdom_manage_user_tmp_files(sftpd_t)
|
|
- userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
|
|
-',`
|
|
- userdom_user_home_dir_filetrans_user_home_content(sftpd_t, { dir file })
|
|
- userdom_tmp_filetrans_user_tmp(sftpd_t, { dir file })
|
|
')
|
|
|
|
tunable_policy(`sftpd_enable_homedirs && use_nfs_home_dirs',`
|
|
@@ -481,21 +518,11 @@ tunable_policy(`sftpd_anon_write',`
|
|
tunable_policy(`sftpd_full_access',`
|
|
allow sftpd_t self:capability { dac_override dac_read_search };
|
|
fs_read_noxattr_fs_files(sftpd_t)
|
|
- files_manage_non_auth_files(sftpd_t)
|
|
+ files_manage_non_security_files(sftpd_t)
|
|
')
|
|
|
|
+userdom_home_reader(sftpd_t)
|
|
+
|
|
tunable_policy(`sftpd_write_ssh_home',`
|
|
ssh_manage_home_files(sftpd_t)
|
|
')
|
|
-
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_list_cifs(sftpd_t)
|
|
- fs_read_cifs_files(sftpd_t)
|
|
- fs_read_cifs_symlinks(sftpd_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_list_nfs(sftpd_t)
|
|
- fs_read_nfs_files(sftpd_t)
|
|
- fs_read_nfs_symlinks(ftpd_t)
|
|
-')
|
|
diff --git a/games.te b/games.te
|
|
index e5b15fb..220622e 100644
|
|
--- a/games.te
|
|
+++ b/games.te
|
|
@@ -76,8 +76,6 @@ init_use_script_ptys(games_srv_t)
|
|
|
|
logging_send_syslog_msg(games_srv_t)
|
|
|
|
-miscfiles_read_localization(games_srv_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(games_srv_t)
|
|
|
|
userdom_dontaudit_search_user_home_dirs(games_srv_t)
|
|
@@ -120,7 +118,6 @@ kernel_read_system_state(games_t)
|
|
|
|
corecmd_exec_bin(games_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(games_t)
|
|
corenet_all_recvfrom_netlabel(games_t)
|
|
corenet_tcp_sendrecv_generic_if(games_t)
|
|
corenet_tcp_sendrecv_generic_node(games_t)
|
|
@@ -142,8 +139,6 @@ dev_write_sound(games_t)
|
|
files_list_var(games_t)
|
|
files_search_var_lib(games_t)
|
|
files_dontaudit_search_var(games_t)
|
|
-files_read_etc_files(games_t)
|
|
-files_read_usr_files(games_t)
|
|
files_read_var_files(games_t)
|
|
|
|
init_dontaudit_rw_utmp(games_t)
|
|
@@ -151,7 +146,6 @@ init_dontaudit_rw_utmp(games_t)
|
|
logging_dontaudit_search_logs(games_t)
|
|
|
|
miscfiles_read_man_pages(games_t)
|
|
-miscfiles_read_localization(games_t)
|
|
|
|
sysnet_dns_name_resolve(games_t)
|
|
|
|
@@ -161,7 +155,7 @@ userdom_manage_user_tmp_symlinks(games_t)
|
|
userdom_manage_user_tmp_sockets(games_t)
|
|
userdom_dontaudit_read_user_home_content_files(games_t)
|
|
|
|
-tunable_policy(`allow_execmem',`
|
|
+tunable_policy(`deny_execmem',`', `
|
|
allow games_t self:process execmem;
|
|
')
|
|
|
|
diff --git a/gatekeeper.te b/gatekeeper.te
|
|
index 2820368..88c98f4 100644
|
|
--- a/gatekeeper.te
|
|
+++ b/gatekeeper.te
|
|
@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(gatekeeper_t)
|
|
|
|
corecmd_list_bin(gatekeeper_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(gatekeeper_t)
|
|
corenet_all_recvfrom_netlabel(gatekeeper_t)
|
|
corenet_tcp_sendrecv_generic_if(gatekeeper_t)
|
|
corenet_udp_sendrecv_generic_if(gatekeeper_t)
|
|
@@ -77,15 +76,11 @@ dev_read_urand(gatekeeper_t)
|
|
|
|
domain_use_interactive_fds(gatekeeper_t)
|
|
|
|
-files_read_etc_files(gatekeeper_t)
|
|
-
|
|
fs_getattr_all_fs(gatekeeper_t)
|
|
fs_search_auto_mountpoints(gatekeeper_t)
|
|
|
|
logging_send_syslog_msg(gatekeeper_t)
|
|
|
|
-miscfiles_read_localization(gatekeeper_t)
|
|
-
|
|
sysnet_read_config(gatekeeper_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(gatekeeper_t)
|
|
diff --git a/gift.te b/gift.te
|
|
index 8a820fa..996b30c 100644
|
|
--- a/gift.te
|
|
+++ b/gift.te
|
|
@@ -67,17 +67,7 @@ auth_use_nsswitch(gift_t)
|
|
|
|
userdom_dontaudit_read_user_home_content_files(gift_t)
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(gift_t)
|
|
- fs_manage_nfs_files(gift_t)
|
|
- fs_manage_nfs_symlinks(gift_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(gift_t)
|
|
- fs_manage_cifs_files(gift_t)
|
|
- fs_manage_cifs_symlinks(gift_t)
|
|
-')
|
|
+userdom_home_manager(gift_t)
|
|
|
|
optional_policy(`
|
|
xserver_user_x_domain_template(gift, gift_t, gift_tmpfs_t)
|
|
@@ -119,22 +109,8 @@ corenet_sendrecv_all_client_packets(giftd_t)
|
|
corenet_tcp_connect_all_ports(giftd_t)
|
|
|
|
files_read_etc_runtime_files(giftd_t)
|
|
-files_read_usr_files(giftd_t)
|
|
-
|
|
-miscfiles_read_localization(giftd_t)
|
|
|
|
sysnet_dns_name_resolve(giftd_t)
|
|
|
|
-userdom_use_user_terminals(giftd_t)
|
|
-
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(giftd_t)
|
|
- fs_manage_nfs_files(giftd_t)
|
|
- fs_manage_nfs_symlinks(giftd_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(giftd_t)
|
|
- fs_manage_cifs_files(giftd_t)
|
|
- fs_manage_cifs_symlinks(giftd_t)
|
|
-')
|
|
+userdom_use_inherited_user_terminals(giftd_t)
|
|
+userdom_home_manager(gitd_t)
|
|
diff --git a/git.if b/git.if
|
|
index 1e29af1..6c64f55 100644
|
|
--- a/git.if
|
|
+++ b/git.if
|
|
@@ -37,7 +37,10 @@ template(`git_role',`
|
|
allow $2 git_user_content_t:file { exec_file_perms manage_file_perms relabel_file_perms };
|
|
userdom_user_home_dir_filetrans($2, git_user_content_t, dir, "public_git")
|
|
|
|
- allow $2 git_session_t:process { ptrace signal_perms };
|
|
+ allow $2 git_session_t:process signal_perms;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 git_session_t:process ptrace;
|
|
+ ')
|
|
ps_process_pattern($2, git_session_t)
|
|
|
|
tunable_policy(`git_session_users',`
|
|
@@ -64,6 +67,7 @@ interface(`git_read_generic_sys_content_files',`
|
|
|
|
list_dirs_pattern($1, git_sys_content_t, git_sys_content_t)
|
|
read_files_pattern($1, git_sys_content_t, git_sys_content_t)
|
|
+ read_lnk_files_pattern($1, git_sys_content_t, git_sys_content_t)
|
|
|
|
files_search_var_lib($1)
|
|
|
|
@@ -79,3 +83,21 @@ interface(`git_read_generic_sys_content_files',`
|
|
fs_read_nfs_files($1)
|
|
')
|
|
')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Create Git user content with a
|
|
+## named file transition.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`git_filetrans_user_content',`
|
|
+ gen_require(`
|
|
+ type git_user_content_t;
|
|
+ ')
|
|
+ userdom_user_home_dir_filetrans($1, git_user_content_t, dir, "public_git")
|
|
+')
|
|
diff --git a/git.te b/git.te
|
|
index dc49c71..2609364 100644
|
|
--- a/git.te
|
|
+++ b/git.te
|
|
@@ -49,14 +49,6 @@ gen_tunable(git_session_users, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
-## Determine whether Git session daemons
|
|
-## can send syslog messages.
|
|
-## </p>
|
|
-## </desc>
|
|
-gen_tunable(git_session_send_syslog_msg, false)
|
|
-
|
|
-## <desc>
|
|
-## <p>
|
|
## Determine whether Git system daemon
|
|
## can search home directories.
|
|
## </p>
|
|
@@ -93,10 +85,10 @@ type git_session_t, git_daemon;
|
|
userdom_user_application_domain(git_session_t, gitd_exec_t)
|
|
role git_session_roles types git_session_t;
|
|
|
|
-type git_sys_content_t;
|
|
+type git_sys_content_t alias git_system_content_t;
|
|
files_type(git_sys_content_t)
|
|
|
|
-type git_user_content_t;
|
|
+type git_user_content_t alias git_session_content_t;
|
|
userdom_user_home_content(git_user_content_t)
|
|
|
|
########################################
|
|
@@ -110,6 +102,8 @@ list_dirs_pattern(git_session_t, git_user_content_t, git_user_content_t)
|
|
read_files_pattern(git_session_t, git_user_content_t, git_user_content_t)
|
|
userdom_search_user_home_dirs(git_session_t)
|
|
|
|
+kernel_read_system_state(git_session_t)
|
|
+
|
|
corenet_all_recvfrom_netlabel(git_session_t)
|
|
corenet_all_recvfrom_unlabeled(git_session_t)
|
|
corenet_tcp_bind_generic_node(git_session_t)
|
|
@@ -130,9 +124,7 @@ tunable_policy(`git_session_bind_all_unreserved_ports',`
|
|
corenet_tcp_sendrecv_all_ports(git_session_t)
|
|
')
|
|
|
|
-tunable_policy(`git_session_send_syslog_msg',`
|
|
- logging_send_syslog_msg(git_session_t)
|
|
-')
|
|
+logging_send_syslog_msg(git_session_t)
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
fs_getattr_nfs(git_session_t)
|
|
@@ -158,6 +150,9 @@ tunable_policy(`use_samba_home_dirs',`
|
|
list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
|
|
read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t)
|
|
|
|
+kernel_read_network_state(git_system_t)
|
|
+kernel_read_system_state(git_system_t)
|
|
+
|
|
corenet_all_recvfrom_unlabeled(git_system_t)
|
|
corenet_all_recvfrom_netlabel(git_system_t)
|
|
corenet_tcp_sendrecv_generic_if(git_system_t)
|
|
@@ -266,12 +261,9 @@ tunable_policy(`git_cgi_use_nfs',`
|
|
|
|
allow git_daemon self:fifo_file rw_fifo_file_perms;
|
|
|
|
-kernel_read_system_state(git_daemon)
|
|
+#kernel_read_system_state(git_daemon)
|
|
|
|
corecmd_exec_bin(git_daemon)
|
|
|
|
-files_read_usr_files(git_daemon)
|
|
-
|
|
fs_search_auto_mountpoints(git_daemon)
|
|
|
|
-miscfiles_read_localization(git_daemon)
|
|
diff --git a/gitosis.te b/gitosis.te
|
|
index 582db0a..d77a1a5 100644
|
|
--- a/gitosis.te
|
|
+++ b/gitosis.te
|
|
@@ -52,12 +52,8 @@ corecmd_exec_shell(gitosis_t)
|
|
|
|
dev_read_urand(gitosis_t)
|
|
|
|
-files_read_etc_files(gitosis_t)
|
|
-files_read_usr_files(gitosis_t)
|
|
files_search_var_lib(gitosis_t)
|
|
|
|
-miscfiles_read_localization(gitosis_t)
|
|
-
|
|
sysnet_read_config(gitosis_t)
|
|
|
|
tunable_policy(`gitosis_can_sendmail',`
|
|
diff --git a/glance.if b/glance.if
|
|
index 9eacb2c..229782f 100644
|
|
--- a/glance.if
|
|
+++ b/glance.if
|
|
@@ -1,5 +1,30 @@
|
|
## <summary>OpenStack image registry and delivery service.</summary>
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Creates types and rules for a basic
|
|
+## glance daemon domain.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## Prefix for the domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`glance_basic_types_template',`
|
|
+ gen_require(`
|
|
+ attribute glance_domain;
|
|
+ ')
|
|
+
|
|
+ type $1_t, glance_domain;
|
|
+ type $1_exec_t;
|
|
+
|
|
+ kernel_read_system_state($1_t)
|
|
+
|
|
+ corenet_all_recvfrom_unlabeled($1_t)
|
|
+ corenet_all_recvfrom_netlabel($1_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## Execute a domain transition to
|
|
@@ -26,9 +51,9 @@ interface(`glance_domtrans_registry',`
|
|
## run glance api.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed to transition.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`glance_domtrans_api',`
|
|
@@ -242,8 +267,13 @@ interface(`glance_admin',`
|
|
type glance_registry_initrc_exec_t, glance_api_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 { glance_api_t glance_registry_t }:process signal_perms;
|
|
- ps_process_pattern($1, { glance_api_t glance_registry_t })
|
|
+ allow $1 glance_registry_t:process signal_perms;
|
|
+ ps_process_pattern($1, glance_registry_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 glance_registry_t:process ptrace;
|
|
+ allow $1 glance_api_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, { glance_api_initrc_exec_t glance_registry_initrc_exec_t })
|
|
domain_system_change_exemption($1)
|
|
diff --git a/glance.te b/glance.te
|
|
index 5cd0909..337e872 100644
|
|
--- a/glance.te
|
|
+++ b/glance.te
|
|
@@ -7,8 +7,7 @@ policy_module(glance, 1.1.0)
|
|
|
|
attribute glance_domain;
|
|
|
|
-type glance_registry_t, glance_domain;
|
|
-type glance_registry_exec_t;
|
|
+glance_basic_types_template(glance_registry)
|
|
init_daemon_domain(glance_registry_t, glance_registry_exec_t)
|
|
|
|
type glance_registry_initrc_exec_t;
|
|
@@ -17,8 +16,10 @@ init_script_file(glance_registry_initrc_exec_t)
|
|
type glance_registry_tmp_t;
|
|
files_tmp_file(glance_registry_tmp_t)
|
|
|
|
-type glance_api_t, glance_domain;
|
|
-type glance_api_exec_t;
|
|
+type glance_registry_tmpfs_t;
|
|
+files_tmpfs_file(glance_registry_tmpfs_t)
|
|
+
|
|
+glance_basic_types_template(glance_api)
|
|
init_daemon_domain(glance_api_t, glance_api_exec_t)
|
|
|
|
type glance_api_initrc_exec_t;
|
|
@@ -41,6 +42,7 @@ files_pid_file(glance_var_run_t)
|
|
# Common local policy
|
|
#
|
|
|
|
+allow glance_domain self:process signal_perms;
|
|
allow glance_domain self:fifo_file rw_fifo_file_perms;
|
|
allow glance_domain self:unix_stream_socket create_stream_socket_perms;
|
|
allow glance_domain self:tcp_socket { accept listen };
|
|
@@ -56,27 +58,23 @@ manage_files_pattern(glance_domain, glance_var_lib_t, glance_var_lib_t)
|
|
manage_dirs_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
|
|
manage_files_pattern(glance_domain, glance_var_run_t, glance_var_run_t)
|
|
|
|
-kernel_read_system_state(glance_domain)
|
|
-
|
|
-corenet_all_recvfrom_unlabeled(glance_domain)
|
|
-corenet_all_recvfrom_netlabel(glance_domain)
|
|
corenet_tcp_sendrecv_generic_if(glance_domain)
|
|
corenet_tcp_sendrecv_generic_node(glance_domain)
|
|
corenet_tcp_sendrecv_all_ports(glance_domain)
|
|
corenet_tcp_bind_generic_node(glance_domain)
|
|
+corenet_tcp_connect_mysqld_port(glance_domain)
|
|
+corenet_tcp_connect_http_port(glance_domain)
|
|
|
|
corecmd_exec_bin(glance_domain)
|
|
corecmd_exec_shell(glance_domain)
|
|
|
|
dev_read_urand(glance_domain)
|
|
+dev_read_sysfs(glance_domain)
|
|
|
|
-files_read_etc_files(glance_domain)
|
|
-files_read_usr_files(glance_domain)
|
|
+auth_read_passwd(glance_domain)
|
|
|
|
libs_exec_ldconfig(glance_domain)
|
|
|
|
-miscfiles_read_localization(glance_domain)
|
|
-
|
|
sysnet_dns_name_resolve(glance_domain)
|
|
|
|
########################################
|
|
@@ -88,8 +86,14 @@ manage_dirs_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tm
|
|
manage_files_pattern(glance_registry_t, glance_registry_tmp_t, glance_registry_tmp_t)
|
|
files_tmp_filetrans(glance_registry_t, glance_registry_tmp_t, { dir file })
|
|
|
|
+manage_dirs_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
|
|
+manage_files_pattern(glance_registry_t, glance_registry_tmpfs_t, glance_registry_tmpfs_t)
|
|
+fs_tmpfs_filetrans(glance_registry_t, glance_registry_tmpfs_t,{ dir file })
|
|
+
|
|
+corenet_tcp_bind_generic_node(glance_registry_t)
|
|
corenet_sendrecv_glance_registry_server_packets(glance_registry_t)
|
|
corenet_tcp_bind_glance_registry_port(glance_registry_t)
|
|
+corenet_tcp_connect_all_ephemeral_ports(glance_registry_t)
|
|
|
|
logging_send_syslog_msg(glance_registry_t)
|
|
|
|
@@ -108,13 +112,22 @@ manage_files_pattern(glance_api_t, glance_tmp_t, glance_tmp_t)
|
|
files_tmp_filetrans(glance_api_t, glance_tmp_t, { dir file })
|
|
can_exec(glance_api_t, glance_tmp_t)
|
|
|
|
-corenet_sendrecv_armtechdaemon_server_packets(glance_api_t)
|
|
-corenet_tcp_bind_armtechdaemon_port(glance_api_t)
|
|
-
|
|
-corenet_sendrecv_hplip_server_packets(glance_api_t)
|
|
-corenet_tcp_bind_hplip_port(glance_api_t)
|
|
+corenet_tcp_bind_generic_node(glance_api_t)
|
|
|
|
+corenet_tcp_bind_glance_port(glance_api_t)
|
|
corenet_sendrecv_glance_registry_client_packets(glance_api_t)
|
|
+corenet_tcp_connect_amqp_port(glance_api_t)
|
|
corenet_tcp_connect_glance_registry_port(glance_api_t)
|
|
+corenet_tcp_connect_mysqld_port(glance_api_t)
|
|
+corenet_tcp_connect_http_port(glance_api_t)
|
|
+
|
|
+corenet_tcp_connect_all_ephemeral_ports(glance_api_t)
|
|
+
|
|
+corenet_sendrecv_hplip_server_packets(glance_api_t)
|
|
+corenet_tcp_bind_hplip_port(glance_api_t)
|
|
|
|
fs_getattr_xattr_fs(glance_api_t)
|
|
+
|
|
+optional_policy(`
|
|
+ mysql_stream_connect(glance_api_t)
|
|
+')
|
|
diff --git a/glusterd.fc b/glusterd.fc
|
|
new file mode 100644
|
|
index 0000000..9614520
|
|
--- /dev/null
|
|
+++ b/glusterd.fc
|
|
@@ -0,0 +1,16 @@
|
|
+/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
|
|
+
|
|
+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
|
|
+/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
|
|
+
|
|
+/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
|
|
+/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
|
|
+
|
|
+/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
|
|
+
|
|
+/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0)
|
|
+
|
|
+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
|
|
+
|
|
+/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
|
|
+/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
|
|
diff --git a/glusterd.if b/glusterd.if
|
|
new file mode 100644
|
|
index 0000000..1ed97fe
|
|
--- /dev/null
|
|
+++ b/glusterd.if
|
|
@@ -0,0 +1,150 @@
|
|
+
|
|
+## <summary>policy for glusterd</summary>
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to glusterd.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`glusterd_domtrans',`
|
|
+ gen_require(`
|
|
+ type glusterd_t, glusterd_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, glusterd_exec_t, glusterd_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute glusterd server in the glusterd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`glusterd_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type glusterd_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read glusterd's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`glusterd_read_log',`
|
|
+ gen_require(`
|
|
+ type glusterd_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, glusterd_log_t, glusterd_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Append to glusterd log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`glusterd_append_log',`
|
|
+ gen_require(`
|
|
+ type glusterd_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, glusterd_log_t, glusterd_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage glusterd log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`glusterd_manage_log',`
|
|
+ gen_require(`
|
|
+ type glusterd_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ manage_dirs_pattern($1, glusterd_log_t, glusterd_log_t)
|
|
+ manage_files_pattern($1, glusterd_log_t, glusterd_log_t)
|
|
+ manage_lnk_files_pattern($1, glusterd_log_t, glusterd_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an glusterd environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`glusterd_admin',`
|
|
+ gen_require(`
|
|
+ type glusterd_t;
|
|
+ type glusterd_initrc_exec_t;
|
|
+ type glusterd_log_t;
|
|
+ type glusterd_tmp_t;
|
|
+ type glusterd_conf_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 glusterd_t:process { signal_perms };
|
|
+ ps_process_pattern($1, glusterd_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 glusterd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ glusterd_initrc_domtrans($1)
|
|
+ domain_system_change_exemption($1)
|
|
+ role_transition $2 glusterd_initrc_exec_t system_r;
|
|
+ allow $2 system_r;
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ admin_pattern($1, glusterd_log_t)
|
|
+
|
|
+ admin_pattern($1, glusterd_tmp_t)
|
|
+
|
|
+ admin_pattern($1, glusterd_conf_t)
|
|
+
|
|
+')
|
|
+
|
|
diff --git a/glusterd.te b/glusterd.te
|
|
new file mode 100644
|
|
index 0000000..a3bdd8d
|
|
--- /dev/null
|
|
+++ b/glusterd.te
|
|
@@ -0,0 +1,189 @@
|
|
+policy_module(glusterfs, 1.1.2)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow glusterfsd to modify public files used for public file
|
|
+## transfer services. Files/Directories must be labeled
|
|
+## public_content_rw_t.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(gluster_anon_write, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow glusterfsd to share any file/directory read only.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(gluster_export_all_ro, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow glusterfsd to share any file/directory read/write.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(gluster_export_all_rw, true)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type glusterd_t;
|
|
+type glusterd_exec_t;
|
|
+init_daemon_domain(glusterd_t, glusterd_exec_t)
|
|
+
|
|
+type glusterd_conf_t;
|
|
+files_type(glusterd_conf_t)
|
|
+
|
|
+type glusterd_initrc_exec_t;
|
|
+init_script_file(glusterd_initrc_exec_t)
|
|
+
|
|
+type glusterd_tmp_t;
|
|
+files_tmp_file(glusterd_tmp_t)
|
|
+
|
|
+type glusterd_log_t;
|
|
+logging_log_file(glusterd_log_t)
|
|
+
|
|
+type glusterd_var_run_t;
|
|
+files_pid_file(glusterd_var_run_t)
|
|
+
|
|
+type glusterd_var_lib_t;
|
|
+files_type(glusterd_var_lib_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Local policy
|
|
+#
|
|
+
|
|
+allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner fsetid kill setgid setuid net_admin };
|
|
+
|
|
+allow glusterd_t self:capability2 block_suspend;
|
|
+allow glusterd_t self:process { getcap setcap setrlimit signal_perms };
|
|
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
|
|
+allow glusterd_t self:tcp_socket { accept listen };
|
|
+allow glusterd_t self:unix_stream_socket { accept listen connectto };
|
|
+
|
|
+manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
|
|
+manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
|
|
+files_etc_filetrans(glusterd_t, glusterd_conf_t, { dir file }, "glusterfs")
|
|
+
|
|
+manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
|
|
+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
|
|
+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
|
|
+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
|
|
+allow glusterd_t glusterd_tmp_t:dir mounton;
|
|
+
|
|
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
|
|
+append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
|
|
+create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
|
|
+setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
|
|
+logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
|
|
+
|
|
+manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
|
|
+manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
|
|
+manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
|
|
+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
|
|
+
|
|
+manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
|
|
+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
|
|
+#manage_sock_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
|
|
+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
|
|
+relabel_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
|
|
+
|
|
+can_exec(glusterd_t, glusterd_exec_t)
|
|
+
|
|
+kernel_read_system_state(glusterd_t)
|
|
+kernel_read_network_state(glusterd_t)
|
|
+kernel_read_net_sysctls(glusterd_t)
|
|
+kernel_request_load_module(glusterd_t)
|
|
+
|
|
+corecmd_exec_bin(glusterd_t)
|
|
+corecmd_exec_shell(glusterd_t)
|
|
+
|
|
+corenet_all_recvfrom_unlabeled(glusterd_t)
|
|
+corenet_all_recvfrom_netlabel(glusterd_t)
|
|
+corenet_tcp_sendrecv_generic_if(glusterd_t)
|
|
+corenet_udp_sendrecv_generic_if(glusterd_t)
|
|
+corenet_tcp_sendrecv_generic_node(glusterd_t)
|
|
+corenet_udp_sendrecv_generic_node(glusterd_t)
|
|
+corenet_tcp_sendrecv_all_ports(glusterd_t)
|
|
+corenet_udp_sendrecv_all_ports(glusterd_t)
|
|
+corenet_tcp_bind_generic_node(glusterd_t)
|
|
+corenet_udp_bind_generic_node(glusterd_t)
|
|
+
|
|
+corenet_tcp_connect_gluster_port(glusterd_t)
|
|
+corenet_tcp_bind_gluster_port(glusterd_t)
|
|
+
|
|
+# replacement for rpc.mountd
|
|
+corenet_sendrecv_all_server_packets(glusterd_t)
|
|
+corenet_tcp_bind_all_reserved_ports(glusterd_t)
|
|
+corenet_udp_bind_all_rpc_ports(glusterd_t)
|
|
+corenet_tcp_bind_all_rpc_ports(glusterd_t)
|
|
+corenet_tcp_bind_nfs_port(glusterd_t)
|
|
+corenet_udp_bind_nfs_port(glusterd_t)
|
|
+corenet_udp_bind_mountd_port(glusterd_t)
|
|
+corenet_tcp_bind_mountd_port(glusterd_t)
|
|
+corenet_udp_bind_ipp_port(glusterd_t)
|
|
+
|
|
+corenet_sendrecv_all_client_packets(glusterd_t)
|
|
+corenet_tcp_bind_all_unreserved_ports(glusterd_t)
|
|
+corenet_tcp_connect_all_unreserved_ports(glusterd_t)
|
|
+corenet_tcp_connect_ssh_port(glusterd_t)
|
|
+
|
|
+dev_read_sysfs(glusterd_t)
|
|
+dev_read_urand(glusterd_t)
|
|
+
|
|
+domain_read_all_domains_state(glusterd_t)
|
|
+
|
|
+domain_use_interactive_fds(glusterd_t)
|
|
+
|
|
+fs_mount_all_fs(glusterd_t)
|
|
+fs_unmount_all_fs(glusterd_t)
|
|
+fs_getattr_all_fs(glusterd_t)
|
|
+
|
|
+files_mounton_mnt(glusterd_t)
|
|
+
|
|
+storage_rw_fuse(glusterd_t)
|
|
+
|
|
+auth_use_nsswitch(glusterd_t)
|
|
+
|
|
+fs_getattr_all_fs(glusterd_t)
|
|
+
|
|
+logging_send_syslog_msg(glusterd_t)
|
|
+libs_exec_ldconfig(glusterd_t)
|
|
+
|
|
+miscfiles_read_localization(glusterd_t)
|
|
+miscfiles_read_public_files(glusterd_t)
|
|
+
|
|
+userdom_manage_user_home_dirs(glusterd_t)
|
|
+userdom_filetrans_home_content(glusterd_t)
|
|
+
|
|
+mount_domtrans(glusterd_t)
|
|
+tunable_policy(`gluster_anon_write',`
|
|
+ miscfiles_manage_public_files(glusterd_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`gluster_export_all_ro',`
|
|
+ fs_read_noxattr_fs_files(glusterd_t)
|
|
+ files_read_non_security_files(glusterd_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`gluster_export_all_rw',`
|
|
+ fs_manage_noxattr_fs_files(glusterd_t)
|
|
+ files_manage_non_security_dirs(glusterd_t)
|
|
+ files_manage_non_security_files(glusterd_t)
|
|
+ files_relabel_base_file_types(glusterd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rpc_domtrans_rpcd(glusterd_t)
|
|
+ rpc_kill_rpcd(glusterd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rsync_exec(glusterd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ssh_exec(glusterd_t)
|
|
+')
|
|
diff --git a/glusterfs.fc b/glusterfs.fc
|
|
deleted file mode 100644
|
|
index 4bd6ade..0000000
|
|
--- a/glusterfs.fc
|
|
+++ /dev/null
|
|
@@ -1,16 +0,0 @@
|
|
-/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
|
|
-
|
|
-/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
|
|
-/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
|
|
-
|
|
-/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
|
|
-/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
|
|
-
|
|
-/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
|
|
-
|
|
-/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0)
|
|
-
|
|
-/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
|
|
-
|
|
-/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
|
|
-/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
|
|
diff --git a/glusterfs.if b/glusterfs.if
|
|
deleted file mode 100644
|
|
index 05233c8..0000000
|
|
--- a/glusterfs.if
|
|
+++ /dev/null
|
|
@@ -1,71 +0,0 @@
|
|
-## <summary>Cluster File System binary, daemon and command line.</summary>
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an glusterfs environment.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <rolecap/>
|
|
-#
|
|
-interface(`glusterd_admin',`
|
|
- refpolicywarn(`$0($*) has been deprecated, use glusterfs_admin() instead.')
|
|
- glusterfs_admin($1, $2)
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an glusterfs environment.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <rolecap/>
|
|
-#
|
|
-interface(`glusterfs_admin',`
|
|
- gen_require(`
|
|
- type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
|
|
- type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
|
|
- type glusterd_var_run_t;
|
|
- ')
|
|
-
|
|
- init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 glusterd_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
-
|
|
- allow $1 glusterd_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, glusterd_t)
|
|
-
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, glusterd_conf_t)
|
|
-
|
|
- logging_search_logs($1)
|
|
- admin_pattern($1, glusterd_log_t)
|
|
-
|
|
- files_search_tmp($1)
|
|
- admin_pattern($1, glusterd_tmp_t)
|
|
-
|
|
- files_search_var_lib($1)
|
|
- admin_pattern($1, glusterd_var_lib_t)
|
|
-
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, glusterd_var_run_t)
|
|
-')
|
|
diff --git a/glusterfs.te b/glusterfs.te
|
|
deleted file mode 100644
|
|
index 4e95c7e..0000000
|
|
--- a/glusterfs.te
|
|
+++ /dev/null
|
|
@@ -1,105 +0,0 @@
|
|
-policy_module(glusterfs, 1.1.2)
|
|
-
|
|
-########################################
|
|
-#
|
|
-# Declarations
|
|
-#
|
|
-
|
|
-type glusterd_t;
|
|
-type glusterd_exec_t;
|
|
-init_daemon_domain(glusterd_t, glusterd_exec_t)
|
|
-
|
|
-type glusterd_conf_t;
|
|
-files_type(glusterd_conf_t)
|
|
-
|
|
-type glusterd_initrc_exec_t;
|
|
-init_script_file(glusterd_initrc_exec_t)
|
|
-
|
|
-type glusterd_tmp_t;
|
|
-files_tmp_file(glusterd_tmp_t)
|
|
-
|
|
-type glusterd_log_t;
|
|
-logging_log_file(glusterd_log_t)
|
|
-
|
|
-type glusterd_var_run_t;
|
|
-files_pid_file(glusterd_var_run_t)
|
|
-
|
|
-type glusterd_var_lib_t;
|
|
-files_type(glusterd_var_lib_t)
|
|
-
|
|
-########################################
|
|
-#
|
|
-# Local policy
|
|
-#
|
|
-
|
|
-allow glusterd_t self:capability { sys_admin sys_resource dac_override chown dac_read_search fowner };
|
|
-allow glusterd_t self:process { setrlimit signal };
|
|
-allow glusterd_t self:fifo_file rw_fifo_file_perms;
|
|
-allow glusterd_t self:tcp_socket { accept listen };
|
|
-allow glusterd_t self:unix_stream_socket { accept listen };
|
|
-
|
|
-manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
|
|
-manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
|
|
-files_etc_filetrans(glusterd_t, glusterd_conf_t, dir)
|
|
-
|
|
-manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
|
|
-manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
|
|
-manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
|
|
-files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
|
|
-
|
|
-manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
|
|
-append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
|
|
-create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
|
|
-setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
|
|
-logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
|
|
-
|
|
-manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
|
|
-manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
|
|
-manage_sock_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
|
|
-files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file sock_file })
|
|
-
|
|
-manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
|
|
-manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
|
|
-files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
|
|
-
|
|
-can_exec(glusterd_t, glusterd_exec_t)
|
|
-
|
|
-kernel_read_system_state(glusterd_t)
|
|
-
|
|
-corecmd_exec_bin(glusterd_t)
|
|
-corecmd_exec_shell(glusterd_t)
|
|
-
|
|
-corenet_all_recvfrom_unlabeled(glusterd_t)
|
|
-corenet_all_recvfrom_netlabel(glusterd_t)
|
|
-corenet_tcp_sendrecv_generic_if(glusterd_t)
|
|
-corenet_udp_sendrecv_generic_if(glusterd_t)
|
|
-corenet_tcp_sendrecv_generic_node(glusterd_t)
|
|
-corenet_udp_sendrecv_generic_node(glusterd_t)
|
|
-corenet_tcp_sendrecv_all_ports(glusterd_t)
|
|
-corenet_udp_sendrecv_all_ports(glusterd_t)
|
|
-corenet_tcp_bind_generic_node(glusterd_t)
|
|
-corenet_udp_bind_generic_node(glusterd_t)
|
|
-
|
|
-# Too coarse?
|
|
-corenet_sendrecv_all_server_packets(glusterd_t)
|
|
-corenet_tcp_bind_all_reserved_ports(glusterd_t)
|
|
-corenet_udp_bind_all_rpc_ports(glusterd_t)
|
|
-corenet_udp_bind_ipp_port(glusterd_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(glusterd_t)
|
|
-corenet_tcp_connect_all_unreserved_ports(glusterd_t)
|
|
-
|
|
-dev_read_sysfs(glusterd_t)
|
|
-dev_read_urand(glusterd_t)
|
|
-
|
|
-domain_read_all_domains_state(glusterd_t)
|
|
-
|
|
-domain_use_interactive_fds(glusterd_t)
|
|
-
|
|
-files_read_usr_files(glusterd_t)
|
|
-
|
|
-auth_use_nsswitch(glusterd_t)
|
|
-
|
|
-logging_send_syslog_msg(glusterd_t)
|
|
-
|
|
-miscfiles_read_localization(glusterd_t)
|
|
diff --git a/gnome.fc b/gnome.fc
|
|
index e39de43..5818f74 100644
|
|
--- a/gnome.fc
|
|
+++ b/gnome.fc
|
|
@@ -1,15 +1,58 @@
|
|
-HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
|
|
-HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
|
|
-HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
|
|
-HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
|
|
-HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
|
|
-HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
|
|
+HOME_DIR/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
|
|
+HOME_DIR/\.cache/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
|
|
+HOME_DIR/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
|
|
+HOME_DIR/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
|
|
+HOME_DIR/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
|
|
+HOME_DIR/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
|
|
+HOME_DIR/\.nv(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
|
|
+HOME_DIR/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
|
|
+HOME_DIR/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
|
|
+HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
|
|
+HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0)
|
|
+HOME_DIR/\.grl-metadata-store gen_context(system_u:object_r:gstreamer_home_t,s0)
|
|
+HOME_DIR/\.grl-bookmarks gen_context(system_u:object_r:gstreamer_home_t,s0)
|
|
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
|
|
+HOME_DIR/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
|
|
+HOME_DIR/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
|
|
+HOME_DIR/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
|
|
+HOME_DIR/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
|
|
+HOME_DIR/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
|
|
+HOME_DIR/\.local/share/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
|
|
+HOME_DIR/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
|
|
+HOME_DIR/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
|
|
|
|
-/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
|
|
+/var/run/user/[^/]*/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
|
|
+/var/run/user/[^/]*/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
|
|
+/var/run/user/[^/]*/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0)
|
|
+
|
|
+/root/\.cache(/.*)? gen_context(system_u:object_r:cache_home_t,s0)
|
|
+/root/\.color/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
|
|
+/root/\.config(/.*)? gen_context(system_u:object_r:config_home_t,s0)
|
|
+/root/\.kde(/.*)? gen_context(system_u:object_r:config_home_t,s0)
|
|
+/root/\.gconf(d)?(/.*)? gen_context(system_u:object_r:gconf_home_t,s0)
|
|
+/root/\.dbus(/.*)? gen_context(system_u:object_r:dbus_home_t,s0)
|
|
+/root/\.gnome2(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
|
|
+/root/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gkeyringd_gnome_home_t,s0)
|
|
+/root/\.gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
|
|
+/root/\.cache/gstreamer-.* gen_context(system_u:object_r:gstreamer_home_t,s0)
|
|
+/root/\.local.* gen_context(system_u:object_r:gconf_home_t,s0)
|
|
+/root/\.local/share(/.*)? gen_context(system_u:object_r:data_home_t,s0)
|
|
+/root/\.local/share/icc(/.*)? gen_context(system_u:object_r:icc_data_home_t,s0)
|
|
+/root/\.Xdefaults gen_context(system_u:object_r:config_home_t,s0)
|
|
+/root/\.xine(/.*)? gen_context(system_u:object_r:config_home_t,s0)
|
|
+
|
|
+/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
|
|
|
|
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
|
|
|
|
+/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0)
|
|
+
|
|
/usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0)
|
|
|
|
-/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
|
|
-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
|
|
+# Don't use because toolchain is broken
|
|
+#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
|
|
+
|
|
+/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0)
|
|
+
|
|
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
|
+/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
|
|
diff --git a/gnome.if b/gnome.if
|
|
index ab09d61..4b2e5f6 100644
|
|
--- a/gnome.if
|
|
+++ b/gnome.if
|
|
@@ -1,52 +1,77 @@
|
|
-## <summary>GNU network object model environment.</summary>
|
|
+## <summary>GNU network object model environment (GNOME)</summary>
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Role access for gnome. (Deprecated)
|
|
+## Role access for gnome. (Deprecated)
|
|
## </summary>
|
|
## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## User domain for the role.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## User domain for the role.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`gnome_role',`
|
|
- refpolicywarn(`$0($*) has been deprecated')
|
|
+ refpolicywarn(`$0($*) has been deprecated')
|
|
+ ')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## The role template for the gnome-keyring-daemon.
|
|
+## </summary>
|
|
+## <param name="user_prefix">
|
|
+## <summary>
|
|
+## The user prefix.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="user_role">
|
|
+## <summary>
|
|
+## The user role.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="user_domain">
|
|
+## <summary>
|
|
+## The user domain associated with the role.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_role_gkeyringd',`
|
|
+ refpolicywarn(`$0($*) has been deprecated')
|
|
')
|
|
|
|
-#######################################
|
|
+######################################
|
|
## <summary>
|
|
-## The role template for gnome.
|
|
+## The role template for gnome.
|
|
## </summary>
|
|
## <param name="role_prefix">
|
|
-## <summary>
|
|
-## The prefix of the user domain (e.g., user
|
|
-## is the prefix for user_t).
|
|
-## </summary>
|
|
+## <summary>
|
|
+## The prefix of the user domain (e.g., user
|
|
+## is the prefix for user_t).
|
|
+## </summary>
|
|
## </param>
|
|
## <param name="user_role">
|
|
-## <summary>
|
|
-## The role associated with the user domain.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## The role associated with the user domain.
|
|
+## </summary>
|
|
## </param>
|
|
## <param name="user_domain">
|
|
-## <summary>
|
|
-## The type of the user domain.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## The type of the user domain.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
template(`gnome_role_template',`
|
|
- gen_require(`
|
|
+ gen_require(`
|
|
attribute gnomedomain, gkeyringd_domain;
|
|
attribute_role gconfd_roles;
|
|
- type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t;
|
|
+ type gkeyringd_exec_t, gkeyring_gnome_home_t, gkeyring_tmp_t;
|
|
type gconfd_t, gconfd_exec_t, gconf_tmp_t;
|
|
type gconf_home_t;
|
|
+ class dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
@@ -79,9 +104,11 @@ template(`gnome_role_template',`
|
|
userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf")
|
|
userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd")
|
|
|
|
- allow $3 gconfd_t:process { ptrace signal_perms };
|
|
+ allow $3 gconfd_t:process { signal_perms };
|
|
+ allow $3 gconfd_t:unix_stream_socket connectto;
|
|
ps_process_pattern($3, gconfd_t)
|
|
|
|
+
|
|
########################################
|
|
#
|
|
# Gkeyringd policy
|
|
@@ -89,37 +116,91 @@ template(`gnome_role_template',`
|
|
|
|
domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
|
|
|
|
- allow $3 { gnome_home_t gnome_keyring_home_t gnome_keyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
|
|
- allow $3 { gnome_home_t gnome_keyring_home_t }:file { relabel_file_perms manage_file_perms };
|
|
+ allow $3 { gnome_home_t gkeyring_gnome_home_t gkeyring_tmp_t }:dir { relabel_dir_perms manage_dir_perms };
|
|
+ allow $3 { gnome_home_t gkeyring_gnome_home_t }:file { relabel_file_perms manage_file_perms };
|
|
|
|
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome")
|
|
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2")
|
|
- userdom_user_home_dir_filetrans($3, gnome_home_t, dir, ".gnome2_private")
|
|
+ userdom_home_manager($1_gkeyringd_t)
|
|
|
|
- gnome_home_filetrans($3, gnome_keyring_home_t, dir, "keyrings")
|
|
+ gnome_home_dir_filetrans($3, gnome_home_t, ".gnome")
|
|
+ gnome_home_dir_filetrans($3, gnome_home_t, ".gnome2")
|
|
+ gnome_home_dir_filetrans($3, gnome_home_t, ".gnome2_private")
|
|
+ gnome_home_dir_filetrans($3, gkeyring_gnome_home_t, "keyrings")
|
|
|
|
- allow $3 gnome_keyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
|
|
+ allow $3 gkeyring_tmp_t:sock_file { relabel_sock_file_perms manage_sock_file_perms };
|
|
|
|
ps_process_pattern($3, $1_gkeyringd_t)
|
|
- allow $3 $1_gkeyringd_t:process { ptrace signal_perms };
|
|
+ allow $3 $1_gkeyringd_t:process signal_perms;
|
|
+ dontaudit $3 gkeyringd_exec_t:file entrypoint;
|
|
+
|
|
+ allow $1_gkeyringd_t $3:process sigkill;
|
|
+ allow $3 $1_gkeyringd_t:fd use;
|
|
+ allow $3 $1_gkeyringd_t:fifo_file rw_fifo_file_perms;
|
|
+
|
|
+ dontaudit $1_gkeyringd_t $3:unix_stream_socket { getattr read write };
|
|
+ stream_connect_pattern($3, gkeyringd_tmp_t, gkeyringd_tmp_t, $1_gkeyringd_t)
|
|
+
|
|
+ kernel_read_system_state($1_gkeyringd_t)
|
|
|
|
corecmd_bin_domtrans($1_gkeyringd_t, $3)
|
|
corecmd_shell_domtrans($1_gkeyringd_t, $3)
|
|
|
|
- gnome_stream_connect_gkeyringd($1, $3)
|
|
+ gnome_stream_connect_gkeyringd($3)
|
|
+
|
|
+ ps_process_pattern($1_gkeyringd_t, $3)
|
|
+
|
|
+ auth_use_nsswitch($1_gkeyringd_t)
|
|
+
|
|
+ logging_send_syslog_msg($1_gkeyringd_t)
|
|
+
|
|
+ allow $1_gkeyringd_t $3:dbus send_msg;
|
|
+ allow $3 $1_gkeyringd_t:dbus send_msg;
|
|
|
|
optional_policy(`
|
|
- dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
|
|
+ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
|
|
+ dbus_session_bus_client($1_gkeyringd_t)
|
|
+ gnome_manage_generic_home_dirs($1_gkeyringd_t)
|
|
+ gnome_read_generic_data_home_files($1_gkeyringd_t)
|
|
+ gnome_read_generic_data_home_dirs($1_gkeyringd_t)
|
|
|
|
optional_policy(`
|
|
- gnome_dbus_chat_gkeyringd($1, $3)
|
|
+ telepathy_mission_control_read_state($1_gkeyringd_t)
|
|
+ telepathy_gabble_stream_connect_to($1_gkeyringd_t,gkeyringd_tmp_t,gkeyringd_tmp_t)
|
|
')
|
|
')
|
|
')
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow domain to run gkeyring in the $1_gkeyringd_t domain.
|
|
+## </summary>
|
|
+## <param name="user_prefix">
|
|
+## <summary>
|
|
+## The user prefix.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="user_role">
|
|
+## <summary>
|
|
+## The user role.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="user_domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_run_gkeyringd',`
|
|
+ gen_require(`
|
|
+ type $1_gkeyringd_t;
|
|
+ type gkeyringd_exec_t;
|
|
+ ')
|
|
+ role $2 types $1_gkeyringd_t;
|
|
+ domtrans_pattern($3, gkeyringd_exec_t, $1_gkeyringd_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
-## Execute gconf in the caller domain.
|
|
+## gconf connection template.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -127,18 +208,18 @@ template(`gnome_role_template',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_exec_gconf',`
|
|
+interface(`gnome_stream_connect_gconf',`
|
|
gen_require(`
|
|
- type gconfd_exec_t;
|
|
+ type gconfd_t, gconf_tmp_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
- can_exec($1, gconfd_exec_t)
|
|
+ read_files_pattern($1, gconf_tmp_t, gconf_tmp_t)
|
|
+ allow $1 gconfd_t:unix_stream_socket connectto;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read gconf configuration content.
|
|
+## Connect to gkeyringd with a unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -146,119 +227,114 @@ interface(`gnome_exec_gconf',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_read_gconf_config',`
|
|
+interface(`gnome_stream_connect_gkeyringd',`
|
|
gen_require(`
|
|
- type gconf_etc_t;
|
|
+ attribute gkeyringd_domain;
|
|
+ type gkeyringd_tmp_t;
|
|
+ type gconf_tmp_t;
|
|
+ type cache_home_t;
|
|
')
|
|
|
|
- files_search_etc($1)
|
|
- allow $1 gconf_etc_t:dir list_dir_perms;
|
|
- allow $1 gconf_etc_t:file read_file_perms;
|
|
- allow $1 gconf_etc_t:lnk_file read_lnk_file_perms;
|
|
+ allow $1 gconf_tmp_t:dir search_dir_perms;
|
|
+ userdom_search_user_tmp_dirs($1)
|
|
+ stream_connect_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t, gkeyringd_domain)
|
|
+ stream_connect_pattern($1, cache_home_t, cache_home_t, gkeyringd_domain)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to read
|
|
-## inherited gconf configuration files.
|
|
+## Run gconfd in gconfd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain to not audit.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
|
|
+interface(`gnome_domtrans_gconfd',`
|
|
gen_require(`
|
|
- type gconf_etc_t;
|
|
+ type gconfd_t, gconfd_exec_t;
|
|
')
|
|
|
|
- dontaudit $1 gconf_etc_t:file read;
|
|
+ domtrans_pattern($1, gconfd_exec_t, gconfd_t)
|
|
')
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## gconf configuration content.
|
|
+## Dontaudit read gnome homedir content (.config)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_manage_gconf_config',`
|
|
+interface(`gnome_dontaudit_read_config',`
|
|
gen_require(`
|
|
- type gconf_etc_t;
|
|
+ attribute gnome_home_type;
|
|
')
|
|
|
|
- files_search_etc($1)
|
|
- allow $1 gconf_etc_t:dir manage_dir_perms;
|
|
- allow $1 gconf_etc_t:file manage_file_perms;
|
|
- allow $1 gconf_etc_t:lnk_file manage_lnk_file_perms;
|
|
+ dontaudit $1 gnome_home_type:dir read_inherited_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to gconf using a unix
|
|
-## domain stream socket.
|
|
+## Dontaudit search gnome homedir content (.config)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_stream_connect_gconf',`
|
|
+interface(`gnome_dontaudit_search_config',`
|
|
gen_require(`
|
|
- type gconfd_t, gconf_tmp_t;
|
|
+ attribute gnome_home_type;
|
|
')
|
|
|
|
- files_search_tmp($1)
|
|
- stream_connect_pattern($1, gconf_tmp_t, gconf_tmp_t, gconfd_t)
|
|
+ dontaudit $1 gnome_home_type:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Run gconfd in gconfd domain.
|
|
+## Dontaudit write gnome homedir content (.config)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_domtrans_gconfd',`
|
|
+interface(`gnome_dontaudit_append_config_files',`
|
|
gen_require(`
|
|
- type gconfd_t, gconfd_exec_t;
|
|
+ attribute gnome_home_type;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
- domtrans_pattern($1, gconfd_exec_t, gconfd_t)
|
|
+ dontaudit $1 gnome_home_type:file append;
|
|
')
|
|
|
|
+
|
|
########################################
|
|
## <summary>
|
|
-## Create generic gnome home directories.
|
|
+## Dontaudit write gnome homedir content (.config)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_create_generic_home_dirs',`
|
|
+interface(`gnome_dontaudit_write_config_files',`
|
|
gen_require(`
|
|
- type gnome_home_t;
|
|
+ attribute gnome_home_type;
|
|
')
|
|
|
|
- allow $1 gnome_home_t:dir create_dir_perms;
|
|
+ dontaudit $1 gnome_home_type:file write;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Set attributes of generic gnome
|
|
-## user home directories. (Deprecated)
|
|
+## manage gnome homedir content (.config)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -266,15 +342,21 @@ interface(`gnome_create_generic_home_dirs',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_setattr_config_dirs',`
|
|
- refpolicywarn(`$0($*) has been deprecated, use gnome_setattr_generic_home_dirs() instead.')
|
|
- gnome_setattr_generic_home_dirs($1)
|
|
+interface(`gnome_manage_config',`
|
|
+ gen_require(`
|
|
+ attribute gnome_home_type;
|
|
+ ')
|
|
+
|
|
+ allow $1 gnome_home_type:dir manage_dir_perms;
|
|
+ allow $1 gnome_home_type:file manage_file_perms;
|
|
+ allow $1 gnome_home_type:lnk_file manage_lnk_file_perms;
|
|
+ allow $1 gnome_home_type:sock_file manage_sock_file_perms;
|
|
+ userdom_search_user_home_dirs($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Set attributes of generic gnome
|
|
-## user home directories.
|
|
+## Send general signals to all gconf domains.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -282,57 +364,89 @@ interface(`gnome_setattr_config_dirs',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_setattr_generic_home_dirs',`
|
|
+interface(`gnome_signal_all',`
|
|
gen_require(`
|
|
- type gnome_home_t;
|
|
+ attribute gnomedomain;
|
|
')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
- setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
|
|
+ allow $1 gnomedomain:process signal;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read generic gnome user home content. (Deprecated)
|
|
+## Create objects in a Gnome cache home directory
|
|
+## with an automatic type transition to
|
|
+## a specified private type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <param name="private_type">
|
|
+## <summary>
|
|
+## The type of the object to create.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="object_class">
|
|
+## <summary>
|
|
+## The class of the object to be created.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="name" optional="true">
|
|
+## <summary>
|
|
+## The name of the object being created.
|
|
+## </summary>
|
|
+## </param>
|
|
#
|
|
-interface(`gnome_read_config',`
|
|
- refpolicywarn(`$0($*) has been deprecated, use gnome_read_generic_home_content() instead.')
|
|
- gnome_read_generic_home_content($1)
|
|
+interface(`gnome_cache_filetrans',`
|
|
+ gen_require(`
|
|
+ type cache_home_t;
|
|
+ ')
|
|
+
|
|
+ filetrans_pattern($1, cache_home_t, $2, $3, $4)
|
|
+ userdom_search_user_home_dirs($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read generic gnome home content.
|
|
+## Create objects in a Gnome cache home directory
|
|
+## with an automatic type transition to
|
|
+## a specified private type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <param name="private_type">
|
|
+## <summary>
|
|
+## The type of the object to create.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="object_class">
|
|
+## <summary>
|
|
+## The class of the object to be created.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="name" optional="true">
|
|
+## <summary>
|
|
+## The name of the object being created.
|
|
+## </summary>
|
|
+## </param>
|
|
#
|
|
-interface(`gnome_read_generic_home_content',`
|
|
+interface(`gnome_config_filetrans',`
|
|
gen_require(`
|
|
- type gnome_home_t;
|
|
+ type config_home_t;
|
|
')
|
|
|
|
+ filetrans_pattern($1, config_home_t, $2, $3, $4)
|
|
userdom_search_user_home_dirs($1)
|
|
- allow $1 gnome_home_t:dir list_dir_perms;
|
|
- allow $1 gnome_home_t:file read_file_perms;
|
|
- allow $1 gnome_home_t:fifo_file read_fifo_file_perms;
|
|
- allow $1 gnome_home_t:lnk_file read_lnk_file_perms;
|
|
- allow $1 gnome_home_t:sock_file read_sock_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## generic gnome user home content. (Deprecated)
|
|
+## Read generic cache home files (.cache)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -340,15 +454,18 @@ interface(`gnome_read_generic_home_content',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_manage_config',`
|
|
- refpolicywarn(`$0($*) has been deprecated, use gnome_manage_generic_home_content() instead.')
|
|
- gnome_manage_generic_home_content($1)
|
|
+interface(`gnome_read_generic_cache_files',`
|
|
+ gen_require(`
|
|
+ type cache_home_t;
|
|
+ ')
|
|
+
|
|
+ read_files_pattern($1, cache_home_t, cache_home_t)
|
|
+ userdom_search_user_home_dirs($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## generic gnome home content.
|
|
+## Create generic cache home dir (.cache)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -356,22 +473,18 @@ interface(`gnome_manage_config',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_manage_generic_home_content',`
|
|
+interface(`gnome_create_generic_cache_dir',`
|
|
gen_require(`
|
|
- type gnome_home_t;
|
|
+ type cache_home_t;
|
|
')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 gnome_home_t:dir manage_dir_perms;
|
|
- allow $1 gnome_home_t:file manage_file_perms;
|
|
- allow $1 gnome_home_t:fifo_file manage_fifo_file_perms;
|
|
- allow $1 gnome_home_t:lnk_file manage_lnk_file_perms;
|
|
- allow $1 gnome_home_t:sock_file manage_sock_file_perms;
|
|
+ allow $1 cache_home_t:dir create_dir_perms;
|
|
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Search generic gnome home directories.
|
|
+## Set attributes of cache home dir (.cache)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -379,53 +492,37 @@ interface(`gnome_manage_generic_home_content',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_search_generic_home',`
|
|
+interface(`gnome_setattr_cache_home_dir',`
|
|
gen_require(`
|
|
- type gnome_home_t;
|
|
+ type cache_home_t;
|
|
')
|
|
|
|
+ setattr_dirs_pattern($1, cache_home_t, cache_home_t)
|
|
userdom_search_user_home_dirs($1)
|
|
- allow $1 gnome_home_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create objects in gnome user home
|
|
-## directories with a private type.
|
|
+## Manage cache home dir (.cache)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="private_type">
|
|
-## <summary>
|
|
-## Private file type.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
#
|
|
-interface(`gnome_home_filetrans',`
|
|
+interface(`gnome_manage_cache_home_dir',`
|
|
gen_require(`
|
|
- type gnome_home_t;
|
|
+ type cache_home_t;
|
|
')
|
|
|
|
+ manage_dirs_pattern($1, cache_home_t, cache_home_t)
|
|
userdom_search_user_home_dirs($1)
|
|
- filetrans_pattern($1, gnome_home_t, $2, $3, $4)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create generic gconf home directories.
|
|
+## append to generic cache home files (.cache)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -433,17 +530,18 @@ interface(`gnome_home_filetrans',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_create_generic_gconf_home_dirs',`
|
|
+interface(`gnome_append_generic_cache_files',`
|
|
gen_require(`
|
|
- type gconf_home_t;
|
|
+ type cache_home_t;
|
|
')
|
|
|
|
- allow $1 gconf_home_t:dir create_dir_perms;
|
|
+ append_files_pattern($1, cache_home_t, cache_home_t)
|
|
+ userdom_search_user_home_dirs($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read generic gconf home content.
|
|
+## write to generic cache home files (.cache)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -451,23 +549,18 @@ interface(`gnome_create_generic_gconf_home_dirs',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_read_generic_gconf_home_content',`
|
|
+interface(`gnome_write_generic_cache_files',`
|
|
gen_require(`
|
|
- type gconf_home_t;
|
|
+ type cache_home_t;
|
|
')
|
|
|
|
+ write_files_pattern($1, cache_home_t, cache_home_t)
|
|
userdom_search_user_home_dirs($1)
|
|
- allow $1 gconf_home_t:dir list_dir_perms;
|
|
- allow $1 gconf_home_t:file read_file_perms;
|
|
- allow $1 gconf_home_t:fifo_file read_fifo_file_perms;
|
|
- allow $1 gconf_home_t:lnk_file read_lnk_file_perms;
|
|
- allow $1 gconf_home_t:sock_file read_sock_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## generic gconf home content.
|
|
+## Manage a sock_file in the generic cache home files (.cache)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -475,82 +568,73 @@ interface(`gnome_read_generic_gconf_home_content',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_manage_generic_gconf_home_content',`
|
|
+interface(`gnome_manage_generic_cache_sockets',`
|
|
gen_require(`
|
|
- type gconf_home_t;
|
|
+ type cache_home_t;
|
|
')
|
|
|
|
userdom_search_user_home_dirs($1)
|
|
- allow $1 gconf_home_t:dir manage_dir_perms;
|
|
- allow $1 gconf_home_t:file manage_file_perms;
|
|
- allow $1 gconf_home_t:fifo_file manage_fifo_file_perms;
|
|
- allow $1 gconf_home_t:lnk_file manage_lnk_file_perms;
|
|
- allow $1 gconf_home_t:sock_file manage_sock_file_perms;
|
|
+ manage_sock_files_pattern($1, cache_home_t, cache_home_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Search generic gconf home directories.
|
|
+## Dontaudit read/write to generic cache home files (.cache)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_search_generic_gconf_home',`
|
|
+interface(`gnome_dontaudit_rw_generic_cache_files',`
|
|
gen_require(`
|
|
- type gconf_home_t;
|
|
+ type cache_home_t;
|
|
')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 gconf_home_t:dir search_dir_perms;
|
|
+ dontaudit $1 cache_home_t:file rw_inherited_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create objects in user home
|
|
-## directories with the generic gconf
|
|
-## home type.
|
|
+## read gnome homedir content (.config)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
#
|
|
-interface(`gnome_home_filetrans_gconf_home',`
|
|
+interface(`gnome_read_config',`
|
|
gen_require(`
|
|
- type gconf_home_t;
|
|
+ attribute gnome_home_type;
|
|
')
|
|
|
|
- userdom_user_home_dir_filetrans($1, gconf_home_t, $2, $3)
|
|
+ list_dirs_pattern($1, gnome_home_type, gnome_home_type)
|
|
+ read_files_pattern($1, gnome_home_type, gnome_home_type)
|
|
+ read_lnk_files_pattern($1, gnome_home_type, gnome_home_type)
|
|
+ gnome_read_usr_config($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create objects in user home
|
|
-## directories with the generic gnome
|
|
-## home type.
|
|
+## Create objects in a Gnome gconf home directory
|
|
+## with an automatic type transition to
|
|
+## a specified private type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <param name="private_type">
|
|
+## <summary>
|
|
+## The type of the object to create.
|
|
+## </summary>
|
|
+## </param>
|
|
## <param name="object_class">
|
|
## <summary>
|
|
-## Class of the object being created.
|
|
+## The class of the object to be created.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="name" optional="true">
|
|
@@ -559,52 +643,77 @@ interface(`gnome_home_filetrans_gconf_home',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_home_filetrans_gnome_home',`
|
|
+interface(`gnome_data_filetrans',`
|
|
gen_require(`
|
|
- type gnome_home_t;
|
|
+ type data_home_t;
|
|
')
|
|
|
|
- userdom_user_home_dir_filetrans($1, gnome_home_t, $2, $3)
|
|
+ filetrans_pattern($1, data_home_t, $2, $3, $4)
|
|
+ gnome_search_gconf($1)
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Create objects in gnome gconf home
|
|
-## directories with a private type.
|
|
+## Read generic data home files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="private_type">
|
|
-## <summary>
|
|
-## Private file type.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
+#
|
|
+interface(`gnome_read_generic_data_home_files',`
|
|
+ gen_require(`
|
|
+ type data_home_t, gconf_home_t;
|
|
+ ')
|
|
+
|
|
+ read_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
|
|
+ read_lnk_files_pattern($1, { gconf_home_t data_home_t }, data_home_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Read generic data home dirs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
-## <param name="name" optional="true">
|
|
+#
|
|
+interface(`gnome_read_generic_data_home_dirs',`
|
|
+ gen_require(`
|
|
+ type data_home_t, gconf_home_t;
|
|
+ ')
|
|
+
|
|
+ list_dirs_pattern($1, { gconf_home_t data_home_t }, data_home_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Manage gconf data home files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## The name of the object being created.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_gconf_home_filetrans',`
|
|
+interface(`gnome_manage_data',`
|
|
gen_require(`
|
|
+ type data_home_t;
|
|
type gconf_home_t;
|
|
')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
- filetrans_pattern($1, gconf_home_t, $2, $3, $4)
|
|
+ allow $1 gconf_home_t:dir search_dir_perms;
|
|
+ manage_dirs_pattern($1, data_home_t, data_home_t)
|
|
+ manage_files_pattern($1, data_home_t, data_home_t)
|
|
+ manage_lnk_files_pattern($1, data_home_t, data_home_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read generic gnome keyring home files.
|
|
+## Read icc data home content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -612,93 +721,86 @@ interface(`gnome_gconf_home_filetrans',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_read_keyring_home_files',`
|
|
+interface(`gnome_read_home_icc_data_content',`
|
|
gen_require(`
|
|
- type gnome_home_t, gnome_keyring_home_t;
|
|
+ type icc_data_home_t, gconf_home_t, data_home_t;
|
|
')
|
|
|
|
userdom_search_user_home_dirs($1)
|
|
- read_files_pattern($1, { gnome_home_t gnome_keyring_home_t }, gnome_keyring_home_t)
|
|
+ allow $1 { gconf_home_t data_home_t }:dir search_dir_perms;
|
|
+ list_dirs_pattern($1, icc_data_home_t, icc_data_home_t)
|
|
+ read_files_pattern($1, icc_data_home_t, icc_data_home_t)
|
|
+ read_lnk_files_pattern($1, icc_data_home_t, icc_data_home_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send and receive messages from
|
|
-## gnome keyring daemon over dbus.
|
|
+## Read inherited icc data home files.
|
|
## </summary>
|
|
-## <param name="role_prefix">
|
|
-## <summary>
|
|
-## The prefix of the user domain (e.g., user
|
|
-## is the prefix for user_t).
|
|
-## </summary>
|
|
-## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_dbus_chat_gkeyringd',`
|
|
+interface(`gnome_read_inherited_home_icc_data_files',`
|
|
gen_require(`
|
|
- type $1_gkeyringd_t;
|
|
- class dbus send_msg;
|
|
+ type icc_data_home_t;
|
|
')
|
|
|
|
- allow $2 $1_gkeyringd_t:dbus send_msg;
|
|
- allow $1_gkeyringd_t $2:dbus send_msg;
|
|
+ allow $1 icc_data_home_t:file read_inherited_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send and receive messages from all
|
|
-## gnome keyring daemon over dbus.
|
|
+## Create gconf_home_t objects in the /root directory
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <param name="object_class">
|
|
+## <summary>
|
|
+## The class of the object to be created.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="name" optional="true">
|
|
+## <summary>
|
|
+## The name of the object being created.
|
|
+## </summary>
|
|
+## </param>
|
|
#
|
|
-interface(`gnome_dbus_chat_all_gkeyringd',`
|
|
+interface(`gnome_admin_home_gconf_filetrans',`
|
|
gen_require(`
|
|
- attribute gkeyringd_domain;
|
|
- class dbus send_msg;
|
|
+ type gconf_home_t;
|
|
')
|
|
|
|
- allow $1 gkeyringd_domain:dbus send_msg;
|
|
- allow gkeyringd_domain $1:dbus send_msg;
|
|
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, $2, $3)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to gnome keyring daemon
|
|
-## with a unix stream socket.
|
|
+## Do not audit attempts to read
|
|
+## inherited gconf config files.
|
|
## </summary>
|
|
-## <param name="role_prefix">
|
|
-## <summary>
|
|
-## The prefix of the user domain (e.g., user
|
|
-## is the prefix for user_t).
|
|
-## </summary>
|
|
-## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_stream_connect_gkeyringd',`
|
|
+interface(`gnome_dontaudit_read_inherited_gconf_config_files',`
|
|
gen_require(`
|
|
- type $1_gkeyringd_t, gnome_keyring_tmp_t;
|
|
+ type gconf_etc_t;
|
|
')
|
|
|
|
- files_search_tmp($2)
|
|
- stream_connect_pattern($2, gnome_keyring_tmp_t, gnome_keyring_tmp_t, $1_gkeyringd_t)
|
|
+ dontaudit $1 gconf_etc_t:file read_inherited_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to all gnome keyring daemon
|
|
-## with a unix stream socket.
|
|
+## read gconf config files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -706,12 +808,912 @@ interface(`gnome_stream_connect_gkeyringd',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`gnome_stream_connect_all_gkeyringd',`
|
|
+interface(`gnome_read_gconf_config',`
|
|
gen_require(`
|
|
- attribute gkeyringd_domain;
|
|
- type gnome_keyring_tmp_t;
|
|
+ type gconf_etc_t;
|
|
')
|
|
|
|
- files_search_tmp($1)
|
|
- stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
|
|
+ allow $1 gconf_etc_t:dir list_dir_perms;
|
|
+ read_files_pattern($1, gconf_etc_t, gconf_etc_t)
|
|
+ files_search_etc($1)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Manage gconf config files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_manage_gconf_config',`
|
|
+ gen_require(`
|
|
+ type gconf_etc_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 gconf_etc_t:dir list_dir_perms;
|
|
+ manage_files_pattern($1, gconf_etc_t, gconf_etc_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute gconf programs in
|
|
+## in the caller domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_exec_gconf',`
|
|
+ gen_require(`
|
|
+ type gconfd_exec_t;
|
|
+ ')
|
|
+
|
|
+ can_exec($1, gconfd_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute gnome keyringd in the caller domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_exec_keyringd',`
|
|
+ gen_require(`
|
|
+ type gkeyringd_exec_t;
|
|
+ ')
|
|
+
|
|
+ can_exec($1, gkeyringd_exec_t)
|
|
+ corecmd_search_bin($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search gconf home data dirs
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_search_gconf_data_dir',`
|
|
+ gen_require(`
|
|
+ type gconf_home_t;
|
|
+ type data_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_search_user_home_dirs($1)
|
|
+ allow $1 gconf_home_t:dir list_dir_perms;
|
|
+ allow $1 data_home_t:dir search_dir_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read gconf home files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_read_gconf_home_files',`
|
|
+ gen_require(`
|
|
+ type gconf_home_t;
|
|
+ type data_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_search_user_home_dirs($1)
|
|
+ allow $1 gconf_home_t:dir list_dir_perms;
|
|
+ allow $1 data_home_t:dir list_dir_perms;
|
|
+ read_files_pattern($1, gconf_home_t, gconf_home_t)
|
|
+ read_files_pattern($1, data_home_t, data_home_t)
|
|
+ read_lnk_files_pattern($1, gconf_home_t, gconf_home_t)
|
|
+ read_lnk_files_pattern($1, data_home_t, data_home_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search gkeyringd temporary directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_search_gkeyringd_tmp_dirs',`
|
|
+ gen_require(`
|
|
+ type gkeyringd_tmp_t;
|
|
+ ')
|
|
+
|
|
+ files_search_tmp($1)
|
|
+ allow $1 gkeyringd_tmp_t:dir search_dir_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## List gkeyringd temporary directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_list_gkeyringd_tmp_dirs',`
|
|
+ gen_require(`
|
|
+ type gkeyringd_tmp_t;
|
|
+ ')
|
|
+
|
|
+ files_search_tmp($1)
|
|
+ allow $1 gkeyringd_tmp_t:dir list_dir_perms;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Delete gkeyringd temporary
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_delete_gkeyringd_tmp_content',`
|
|
+ gen_require(`
|
|
+ type gkeyringd_tmp_t;
|
|
+ ')
|
|
+
|
|
+ files_search_tmp($1)
|
|
+ delete_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
|
|
+ delete_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
|
|
+ delete_sock_files_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Manage gkeyringd temporary directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_manage_gkeyringd_tmp_dirs',`
|
|
+ gen_require(`
|
|
+ type gkeyringd_tmp_t;
|
|
+ ')
|
|
+
|
|
+ files_search_tmp($1)
|
|
+ manage_dirs_pattern($1, gkeyringd_tmp_t, gkeyringd_tmp_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## search gconf homedir (.local)
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_search_gconf',`
|
|
+ gen_require(`
|
|
+ type gconf_home_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 gconf_home_t:dir search_dir_perms;
|
|
+ userdom_search_user_home_dirs($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Set attributes of Gnome config dirs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_setattr_config_dirs',`
|
|
+ gen_require(`
|
|
+ type gnome_home_t;
|
|
+ ')
|
|
+
|
|
+ setattr_dirs_pattern($1, gnome_home_t, gnome_home_t)
|
|
+ files_search_home($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage generic gnome home files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_manage_generic_home_files',`
|
|
+ gen_require(`
|
|
+ type gnome_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_search_user_home_dirs($1)
|
|
+ manage_files_pattern($1, gnome_home_t, gnome_home_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage generic gnome home directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_manage_generic_home_dirs',`
|
|
+ gen_require(`
|
|
+ type gnome_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_search_user_home_dirs($1)
|
|
+ allow $1 gnome_home_t:dir manage_dir_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Append gconf home files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_append_gconf_home_files',`
|
|
+ gen_require(`
|
|
+ type gconf_home_t;
|
|
+ ')
|
|
+
|
|
+ append_files_pattern($1, gconf_home_t, gconf_home_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## manage gconf home files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_manage_gconf_home_files',`
|
|
+ gen_require(`
|
|
+ type gconf_home_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 gconf_home_t:dir list_dir_perms;
|
|
+ manage_files_pattern($1, gconf_home_t, gconf_home_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Connect to gnome over a unix stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="user_domain">
|
|
+## <summary>
|
|
+## The type of the user domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_stream_connect',`
|
|
+ gen_require(`
|
|
+ attribute gnome_home_type;
|
|
+ ')
|
|
+
|
|
+ # Connect to pulseaudit server
|
|
+ stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## list gnome homedir content (.config)
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_list_home_config',`
|
|
+ gen_require(`
|
|
+ type config_home_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 config_home_t:dir list_dir_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Set attributes of gnome homedir content (.config)
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_setattr_home_config',`
|
|
+ gen_require(`
|
|
+ type config_home_t;
|
|
+ ')
|
|
+
|
|
+ setattr_dirs_pattern($1, config_home_t, config_home_t)
|
|
+ userdom_search_user_home_dirs($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## read gnome homedir content (.config)
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_read_home_config',`
|
|
+ gen_require(`
|
|
+ type config_home_t;
|
|
+ ')
|
|
+
|
|
+ list_dirs_pattern($1, config_home_t, config_home_t)
|
|
+ read_files_pattern($1, config_home_t, config_home_t)
|
|
+ read_lnk_files_pattern($1, config_home_t, config_home_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## delete gnome homedir content (.config)
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_delete_home_config',`
|
|
+ gen_require(`
|
|
+ type config_home_t;
|
|
+ ')
|
|
+
|
|
+ delete_files_pattern($1, config_home_t, config_home_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## setattr gnome homedir content (.config)
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_setattr_home_config_dirs',`
|
|
+ gen_require(`
|
|
+ type config_home_t;
|
|
+ ')
|
|
+
|
|
+ setattr_dirs_pattern($1, config_home_t, config_home_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## manage gnome homedir content (.config)
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_manage_home_config',`
|
|
+ gen_require(`
|
|
+ type config_home_t;
|
|
+ ')
|
|
+
|
|
+ manage_files_pattern($1, config_home_t, config_home_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## delete gnome homedir content (.config)
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_delete_home_config_dirs',`
|
|
+ gen_require(`
|
|
+ type config_home_t;
|
|
+ ')
|
|
+
|
|
+ delete_dirs_pattern($1, config_home_t, config_home_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## manage gnome homedir content (.config)
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_manage_home_config_dirs',`
|
|
+ gen_require(`
|
|
+ type config_home_t;
|
|
+ ')
|
|
+
|
|
+ manage_dirs_pattern($1, config_home_t, config_home_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## manage gstreamer home content files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_manage_gstreamer_home_files',`
|
|
+ gen_require(`
|
|
+ type gstreamer_home_t;
|
|
+ ')
|
|
+
|
|
+ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
|
|
+ manage_files_pattern($1, gstreamer_home_t, gstreamer_home_t)
|
|
+ gnome_filetrans_gstreamer_home_content($1)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Allow to execute gstreamer home content files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_exec_gstreamer_home_files',`
|
|
+ gen_require(`
|
|
+ type gstreamer_home_t;
|
|
+ ')
|
|
+
|
|
+ can_exec($1, gstreamer_home_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## file name transition gstreamer home content files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_filetrans_gstreamer_home_content',`
|
|
+ gen_require(`
|
|
+ type gstreamer_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-bookmarks")
|
|
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-metadata-store")
|
|
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, file, ".grl-podcasts")
|
|
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.12")
|
|
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-0.10")
|
|
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.0")
|
|
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-1.2")
|
|
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-10")
|
|
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".gstreamer-12")
|
|
+ userdom_user_home_dir_filetrans($1, gstreamer_home_t, dir, ".orc")
|
|
+ userdom_user_tmp_filetrans($1, gstreamer_home_t, dir, ".orc")
|
|
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.12")
|
|
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-0.10")
|
|
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.0")
|
|
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-1.2")
|
|
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-10")
|
|
+ gnome_cache_filetrans($1, gstreamer_home_t, dir, "gstreamer-12")
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## manage gstreamer home content files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_manage_gstreamer_home_dirs',`
|
|
+ gen_require(`
|
|
+ type gstreamer_home_t;
|
|
+ ')
|
|
+
|
|
+ manage_dirs_pattern($1, gstreamer_home_t, gstreamer_home_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read/Write all inherited gnome home config
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_rw_inherited_config',`
|
|
+ gen_require(`
|
|
+ attribute gnome_home_type;
|
|
+ ')
|
|
+
|
|
+ allow $1 gnome_home_type:file rw_inherited_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Dontaudit Read/Write all inherited gnome home config
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_dontaudit_rw_inherited_config',`
|
|
+ gen_require(`
|
|
+ attribute gnome_home_type;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 gnome_home_type:file rw_inherited_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send and receive messages from
|
|
+## gconf system service over dbus.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_dbus_chat_gconfdefault',`
|
|
+ gen_require(`
|
|
+ type gconfdefaultsm_t;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
+
|
|
+ allow $1 gconfdefaultsm_t:dbus send_msg;
|
|
+ allow gconfdefaultsm_t $1:dbus send_msg;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send and receive messages from
|
|
+## gkeyringd over dbus.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_dbus_chat_gkeyringd',`
|
|
+ gen_require(`
|
|
+ attribute gkeyringd_domain;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
+
|
|
+ allow $1 gkeyringd_domain:dbus send_msg;
|
|
+ allow gkeyringd_domain $1:dbus send_msg;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send signull signal to gkeyringd processes.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_signull_gkeyringd',`
|
|
+ gen_require(`
|
|
+ attribute gkeyringd_domain;
|
|
+ ')
|
|
+
|
|
+ allow $1 gkeyringd_domain:process signull;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow the domain to read gkeyringd state files in /proc.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_read_gkeyringd_state',`
|
|
+ gen_require(`
|
|
+ attribute gkeyringd_domain;
|
|
+ ')
|
|
+
|
|
+ ps_process_pattern($1, gkeyringd_domain)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create directories in user home directories
|
|
+## with the gnome home file type.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_home_dir_filetrans',`
|
|
+ gen_require(`
|
|
+ type gnome_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir)
|
|
+ userdom_search_user_home_dirs($1)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Allow read kde config content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_read_usr_config',`
|
|
+ gen_require(`
|
|
+ type config_usr_t;
|
|
+ ')
|
|
+
|
|
+ files_search_usr($1)
|
|
+ list_dirs_pattern($1, config_usr_t, config_usr_t)
|
|
+ read_files_pattern($1, config_usr_t, config_usr_t)
|
|
+ read_lnk_files_pattern($1, config_usr_t, config_usr_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow manage kde config content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_manage_usr_config',`
|
|
+ gen_require(`
|
|
+ type config_usr_t;
|
|
+ ')
|
|
+
|
|
+ files_search_usr($1)
|
|
+ manage_dirs_pattern($1, config_usr_t, config_usr_t)
|
|
+ manage_files_pattern($1, config_usr_t, config_usr_t)
|
|
+ manage_lnk_files_pattern($1, config_usr_t, config_usr_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute gnome-keyring in the user gkeyring domain
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_transition_gkeyringd',`
|
|
+ gen_require(`
|
|
+ attribute gkeyringd_domain;
|
|
+ ')
|
|
+
|
|
+ allow $1 gkeyringd_domain:process transition;
|
|
+ dontaudit $1 gkeyringd_domain:process { noatsecure siginh rlimitinh };
|
|
+ allow gkeyringd_domain $1:process { sigchld signull };
|
|
+ allow gkeyringd_domain $1:fifo_file rw_inherited_fifo_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create gnome content in the user home directory
|
|
+## with an correct label.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_filetrans_home_content',`
|
|
+
|
|
+gen_require(`
|
|
+ type config_home_t;
|
|
+ type cache_home_t;
|
|
+ type dbus_home_t;
|
|
+ type gconf_home_t;
|
|
+ type gnome_home_t;
|
|
+ type data_home_t, icc_data_home_t;
|
|
+ type gkeyringd_gnome_home_t;
|
|
+')
|
|
+
|
|
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".config")
|
|
+ userdom_user_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
|
|
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".xine")
|
|
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".cache")
|
|
+ userdom_user_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
|
|
+ userdom_user_home_dir_filetrans($1, cache_home_t, dir, ".nv")
|
|
+ userdom_user_home_dir_filetrans($1, config_home_t, dir, ".kde")
|
|
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
|
|
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
|
|
+ userdom_user_home_dir_filetrans($1, gconf_home_t, dir, ".local")
|
|
+ userdom_user_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
|
|
+
|
|
+ # ~/.color/icc: legacy
|
|
+ userdom_user_home_content_filetrans($1, icc_data_home_t, dir, "icc")
|
|
+ filetrans_pattern($1, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
|
|
+ filetrans_pattern($1, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
|
|
+ filetrans_pattern($1, gconf_home_t, data_home_t, dir, "share")
|
|
+ filetrans_pattern($1, data_home_t, icc_data_home_t, dir, "icc")
|
|
+ filetrans_pattern($1, cache_home_t, cache_home_t, dir, "fontconfig")
|
|
+ userdom_user_tmp_filetrans($1, config_home_t, dir, "dconf")
|
|
+ gnome_cache_filetrans($1, config_home_t, dir, "dconf")
|
|
+ gnome_filetrans_gstreamer_home_content($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create gnome dconf dir in the user home directory
|
|
+## with an correct label.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_filetrans_config_home_content',`
|
|
+ gen_require(`
|
|
+ type config_home_t;
|
|
+ ')
|
|
+
|
|
+ gnome_cache_filetrans($1, config_home_t, dir, "dconf")
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create gnome directory in the /root directory
|
|
+## with an correct label.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_filetrans_admin_home_content',`
|
|
+
|
|
+gen_require(`
|
|
+ type config_home_t;
|
|
+ type cache_home_t;
|
|
+ type dbus_home_t;
|
|
+ type gstreamer_home_t;
|
|
+ type gconf_home_t;
|
|
+ type gnome_home_t;
|
|
+ type icc_data_home_t;
|
|
+')
|
|
+
|
|
+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".config")
|
|
+ userdom_admin_home_dir_filetrans($1, config_home_t, file, ".Xdefaults")
|
|
+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".xine")
|
|
+ userdom_admin_home_dir_filetrans($1, cache_home_t, dir, ".cache")
|
|
+ userdom_admin_home_dir_filetrans($1, dbus_home_t, dir, ".dbus")
|
|
+ userdom_admin_home_dir_filetrans($1, config_home_t, dir, ".kde")
|
|
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconf")
|
|
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".gconfd")
|
|
+ userdom_admin_home_dir_filetrans($1, gconf_home_t, dir, ".local")
|
|
+ userdom_admin_home_dir_filetrans($1, gnome_home_t, dir, ".gnome2")
|
|
+ gnome_filetrans_gstreamer_home_content($1)
|
|
+ # /root/.color/icc: legacy
|
|
+ userdom_admin_home_dir_filetrans($1, icc_data_home_t, dir, "icc")
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Execute gnome-keyring executable
|
|
+## in the specified domain.
|
|
+## </summary>
|
|
+## <desc>
|
|
+## <p>
|
|
+## Execute a telepathy executable
|
|
+## in the specified domain. This allows
|
|
+## the specified domain to execute any file
|
|
+## on these filesystems in the specified
|
|
+## domain.
|
|
+## </p>
|
|
+## <p>
|
|
+## No interprocess communication (signals, pipes,
|
|
+## etc.) is provided by this interface since
|
|
+## the domains are not owned by this module.
|
|
+## </p>
|
|
+## <p>
|
|
+## This interface was added to handle
|
|
+## the ssh-agent policy.
|
|
+## </p>
|
|
+## </desc>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="target_domain">
|
|
+## <summary>
|
|
+## The type of the new process.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gnome_command_domtrans_gkeyringd', `
|
|
+ gen_require(`
|
|
+ type gkeyringd_exec_t;
|
|
+ ')
|
|
+
|
|
+ allow $2 gkeyringd_exec_t:file entrypoint;
|
|
+ domain_transition_pattern($1, gkeyringd_exec_t, $2)
|
|
+ type_transition $1 gkeyringd_exec_t:process $2;
|
|
')
|
|
diff --git a/gnome.te b/gnome.te
|
|
index 63893eb..3b275e6 100644
|
|
--- a/gnome.te
|
|
+++ b/gnome.te
|
|
@@ -5,14 +5,33 @@ policy_module(gnome, 2.3.0)
|
|
# Declarations
|
|
#
|
|
|
|
-attribute gkeyringd_domain;
|
|
attribute gnomedomain;
|
|
+attribute gnome_home_type;
|
|
+attribute gkeyringd_domain;
|
|
attribute_role gconfd_roles;
|
|
|
|
type gconf_etc_t;
|
|
files_config_file(gconf_etc_t)
|
|
|
|
-type gconf_home_t;
|
|
+type data_home_t, gnome_home_type;
|
|
+userdom_user_home_content(data_home_t)
|
|
+
|
|
+type config_home_t, gnome_home_type;
|
|
+userdom_user_home_content(config_home_t)
|
|
+
|
|
+type cache_home_t, gnome_home_type;
|
|
+userdom_user_home_content(cache_home_t)
|
|
+
|
|
+type gstreamer_home_t, gnome_home_type;
|
|
+userdom_user_home_content(gstreamer_home_t)
|
|
+
|
|
+type dbus_home_t, gnome_home_type;
|
|
+userdom_user_home_content(dbus_home_t)
|
|
+
|
|
+type icc_data_home_t, gnome_home_type;
|
|
+userdom_user_home_content(icc_data_home_t)
|
|
+
|
|
+type gconf_home_t, gnome_home_type;
|
|
typealias gconf_home_t alias { user_gconf_home_t staff_gconf_home_t sysadm_gconf_home_t };
|
|
typealias gconf_home_t alias { auditadm_gconf_home_t secadm_gconf_home_t };
|
|
typealias gconf_home_t alias unconfined_gconf_home_t;
|
|
@@ -31,105 +50,225 @@ typealias gconfd_t alias { auditadm_gconfd_t secadm_gconfd_t };
|
|
userdom_user_application_domain(gconfd_t, gconfd_exec_t)
|
|
role gconfd_roles types gconfd_t;
|
|
|
|
-type gnome_home_t;
|
|
+type gnome_home_t, gnome_home_type;
|
|
typealias gnome_home_t alias { user_gnome_home_t staff_gnome_home_t sysadm_gnome_home_t };
|
|
typealias gnome_home_t alias { auditadm_gnome_home_t secadm_gnome_home_t };
|
|
typealias gnome_home_t alias unconfined_gnome_home_t;
|
|
userdom_user_home_content(gnome_home_t)
|
|
|
|
+# type KDE /usr/share/config files
|
|
+type config_usr_t;
|
|
+files_type(config_usr_t)
|
|
+
|
|
type gkeyringd_exec_t;
|
|
-application_executable_file(gkeyringd_exec_t)
|
|
+corecmd_executable_file(gkeyringd_exec_t)
|
|
|
|
-type gnome_keyring_home_t;
|
|
-userdom_user_home_content(gnome_keyring_home_t)
|
|
+type gkeyringd_gnome_home_t;
|
|
+userdom_user_home_content(gkeyringd_gnome_home_t)
|
|
|
|
-type gnome_keyring_tmp_t;
|
|
-userdom_user_tmp_file(gnome_keyring_tmp_t)
|
|
+type gkeyringd_tmp_t;
|
|
+userdom_user_tmp_content(gkeyringd_tmp_t)
|
|
+
|
|
+type gconfdefaultsm_t;
|
|
+type gconfdefaultsm_exec_t;
|
|
+init_daemon_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
|
|
+
|
|
+type gnomesystemmm_t;
|
|
+type gnomesystemmm_exec_t;
|
|
+init_daemon_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
|
|
|
|
##############################
|
|
#
|
|
-# Common local Policy
|
|
+# Local Policy
|
|
#
|
|
|
|
-allow gnomedomain self:process { getsched signal };
|
|
-allow gnomedomain self:fifo_file rw_fifo_file_perms;
|
|
+allow gconfd_t self:process getsched;
|
|
+allow gconfd_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
-dev_read_urand(gnomedomain)
|
|
+manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
|
|
+manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
|
|
+userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
|
|
|
|
-domain_use_interactive_fds(gnomedomain)
|
|
+manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
|
|
+manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
|
|
+userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
|
|
|
|
-files_read_etc_files(gnomedomain)
|
|
+allow gconfd_t gconf_etc_t:dir list_dir_perms;
|
|
+read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
|
|
+
|
|
+dev_read_urand(gconfd_t)
|
|
|
|
-miscfiles_read_localization(gnomedomain)
|
|
|
|
-logging_send_syslog_msg(gnomedomain)
|
|
|
|
-userdom_use_user_terminals(gnomedomain)
|
|
+logging_send_syslog_msg(gconfd_t)
|
|
+
|
|
+userdom_manage_user_tmp_sockets(gconfd_t)
|
|
+userdom_manage_user_tmp_dirs(gconfd_t)
|
|
+userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
|
|
|
|
optional_policy(`
|
|
- xserver_rw_xdm_pipes(gnomedomain)
|
|
- xserver_use_xdm_fds(gnomedomain)
|
|
+ nscd_dontaudit_search_pid(gconfd_t)
|
|
')
|
|
|
|
-##############################
|
|
+optional_policy(`
|
|
+ xserver_use_xdm_fds(gconfd_t)
|
|
+ xserver_rw_xdm_pipes(gconfd_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
#
|
|
-# Conf daemon local Policy
|
|
+# gconf-defaults-mechanisms local policy
|
|
#
|
|
|
|
-allow gconfd_t gconf_etc_t:dir list_dir_perms;
|
|
-read_files_pattern(gconfd_t, gconf_etc_t, gconf_etc_t)
|
|
+allow gconfdefaultsm_t self:capability { dac_override sys_nice };
|
|
+allow gconfdefaultsm_t self:process getsched;
|
|
+allow gconfdefaultsm_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
-manage_dirs_pattern(gconfd_t, gconf_home_t, gconf_home_t)
|
|
-manage_files_pattern(gconfd_t, gconf_home_t, gconf_home_t)
|
|
-userdom_user_home_dir_filetrans(gconfd_t, gconf_home_t, dir)
|
|
+corecmd_search_bin(gconfdefaultsm_t)
|
|
|
|
-manage_dirs_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
|
|
-manage_files_pattern(gconfd_t, gconf_tmp_t, gconf_tmp_t)
|
|
-userdom_user_tmp_filetrans(gconfd_t, gconf_tmp_t, { dir file })
|
|
+auth_read_passwd(gconfdefaultsm_t)
|
|
|
|
-userdom_manage_user_tmp_dirs(gconfd_t)
|
|
-userdom_tmp_filetrans_user_tmp(gconfd_t, dir)
|
|
+gnome_manage_gconf_home_files(gconfdefaultsm_t)
|
|
+gnome_manage_gconf_config(gconfdefaultsm_t)
|
|
+
|
|
+userdom_read_all_users_state(gconfdefaultsm_t)
|
|
+userdom_search_user_home_dirs(gconfdefaultsm_t)
|
|
+
|
|
+userdom_dontaudit_search_admin_dir(gconfdefaultsm_t)
|
|
|
|
optional_policy(`
|
|
- nscd_dontaudit_search_pid(gconfd_t)
|
|
+ consolekit_dbus_chat(gconfdefaultsm_t)
|
|
')
|
|
|
|
-##############################
|
|
+optional_policy(`
|
|
+ dbus_system_domain(gconfdefaultsm_t, gconfdefaultsm_exec_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ nscd_dontaudit_search_pid(gconfdefaultsm_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ policykit_domtrans_auth(gconfdefaultsm_t)
|
|
+ policykit_dbus_chat(gconfdefaultsm_t)
|
|
+ policykit_read_lib(gconfdefaultsm_t)
|
|
+ policykit_read_reload(gconfdefaultsm_t)
|
|
+')
|
|
+
|
|
+userdom_home_manager(gconfdefaultsm_t)
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# gnome-system-monitor-mechanisms local policy
|
|
+#
|
|
+
|
|
+allow gnomesystemmm_t self:capability { sys_admin sys_nice };
|
|
+allow gnomesystemmm_t self:fifo_file rw_fifo_file_perms;
|
|
+
|
|
+rw_files_pattern(gnomesystemmm_t, config_usr_t, config_usr_t)
|
|
+
|
|
+kernel_read_system_state(gnomesystemmm_t)
|
|
+
|
|
+corecmd_search_bin(gnomesystemmm_t)
|
|
+
|
|
+domain_kill_all_domains(gnomesystemmm_t)
|
|
+domain_search_all_domains_state(gnomesystemmm_t)
|
|
+domain_setpriority_all_domains(gnomesystemmm_t)
|
|
+domain_signal_all_domains(gnomesystemmm_t)
|
|
+domain_sigstop_all_domains(gnomesystemmm_t)
|
|
+
|
|
+fs_getattr_xattr_fs(gnomesystemmm_t)
|
|
+
|
|
+auth_read_passwd(gnomesystemmm_t)
|
|
+
|
|
+logging_send_syslog_msg(gnomesystemmm_t)
|
|
+
|
|
+userdom_read_all_users_state(gnomesystemmm_t)
|
|
+userdom_dontaudit_search_admin_dir(gnomesystemmm_t)
|
|
+
|
|
+optional_policy(`
|
|
+ consolekit_dbus_chat(gnomesystemmm_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dbus_system_domain(gnomesystemmm_t, gnomesystemmm_exec_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ gnome_manage_home_config(gnomesystemmm_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ nscd_dontaudit_search_pid(gnomesystemmm_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ policykit_dbus_chat(gnomesystemmm_t)
|
|
+ policykit_domtrans_auth(gnomesystemmm_t)
|
|
+ policykit_read_lib(gnomesystemmm_t)
|
|
+ policykit_read_reload(gnomesystemmm_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
#
|
|
-# Keyring-daemon local policy
|
|
+# gnome-keyring-daemon local policy
|
|
#
|
|
|
|
allow gkeyringd_domain self:capability ipc_lock;
|
|
-allow gkeyringd_domain self:process { getcap setcap };
|
|
+allow gkeyringd_domain self:process { getcap getsched setcap signal };
|
|
+allow gkeyringd_domain self:fifo_file rw_fifo_file_perms;
|
|
allow gkeyringd_domain self:unix_stream_socket { connectto accept listen };
|
|
|
|
-allow gkeyringd_domain gnome_home_t:dir create_dir_perms;
|
|
-gnome_home_filetrans_gnome_home(gkeyringd_domain, dir, ".gnome2")
|
|
+manage_files_pattern(gkeyringd_domain, config_home_t, config_home_t)
|
|
|
|
-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
|
|
-manage_files_pattern(gkeyringd_domain, gnome_keyring_home_t, gnome_keyring_home_t)
|
|
-gnome_home_filetrans(gkeyringd_domain, gnome_keyring_home_t, dir, "keyrings")
|
|
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
|
|
+manage_files_pattern(gkeyringd_domain, gkeyringd_gnome_home_t, gkeyringd_gnome_home_t)
|
|
+allow gkeyringd_domain data_home_t:dir create_dir_perms;
|
|
+allow gkeyringd_domain gconf_home_t:dir create_dir_perms;
|
|
+filetrans_pattern(gkeyringd_domain, gconf_home_t, data_home_t, dir, "share")
|
|
+filetrans_pattern(gkeyringd_domain, gnome_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
|
|
+filetrans_pattern(gkeyringd_domain, data_home_t, gkeyringd_gnome_home_t, dir, "keyrings")
|
|
+filetrans_pattern(gkeyringd_domain, gnome_home_t, data_home_t, dir, "keyrings")
|
|
|
|
-manage_dirs_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
|
|
-manage_sock_files_pattern(gkeyringd_domain, gnome_keyring_tmp_t, gnome_keyring_tmp_t)
|
|
-files_tmp_filetrans(gkeyringd_domain, gnome_keyring_tmp_t, dir)
|
|
+manage_dirs_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
|
|
+manage_sock_files_pattern(gkeyringd_domain, gkeyringd_tmp_t, gkeyringd_tmp_t)
|
|
+files_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, dir)
|
|
+userdom_user_tmp_filetrans(gkeyringd_domain, gkeyringd_tmp_t, { sock_file dir })
|
|
|
|
-kernel_read_system_state(gkeyringd_domain)
|
|
kernel_read_crypto_sysctls(gkeyringd_domain)
|
|
|
|
+corecmd_search_bin(gkeyringd_domain)
|
|
+
|
|
dev_read_rand(gkeyringd_domain)
|
|
+dev_read_urand(gkeyringd_domain)
|
|
dev_read_sysfs(gkeyringd_domain)
|
|
|
|
-files_read_usr_files(gkeyringd_domain)
|
|
+# for nscd?
|
|
+files_search_pids(gkeyringd_domain)
|
|
|
|
-fs_getattr_all_fs(gkeyringd_domain)
|
|
+fs_getattr_xattr_fs(gkeyringd_domain)
|
|
+fs_getattr_tmpfs(gkeyringd_domain)
|
|
|
|
-selinux_getattr_fs(gkeyringd_domain)
|
|
+userdom_user_home_dir_filetrans(gkeyringd_domain, gconf_home_t, dir, ".local")
|
|
|
|
optional_policy(`
|
|
- ssh_read_user_home_files(gkeyringd_domain)
|
|
+ xserver_append_xdm_home_files(gkeyringd_domain)
|
|
+ xserver_read_xdm_home_files(gkeyringd_domain)
|
|
+ xserver_use_xdm_fds(gkeyringd_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
- telepathy_mission_control_read_state(gkeyringd_domain)
|
|
+ gnome_read_home_config(gkeyringd_domain)
|
|
+ gnome_read_generic_cache_files(gkeyringd_domain)
|
|
+ gnome_write_generic_cache_files(gkeyringd_domain)
|
|
+ gnome_manage_cache_home_dir(gkeyringd_domain)
|
|
+ gnome_manage_generic_cache_sockets(gkeyringd_domain)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ ssh_read_user_home_files(gkeyringd_domain)
|
|
+')
|
|
+
|
|
+domain_use_interactive_fds(gnomedomain)
|
|
+
|
|
+userdom_use_inherited_user_terminals(gnomedomain)
|
|
diff --git a/gnomeclock.fc b/gnomeclock.fc
|
|
index f9ba8cd..6906301 100644
|
|
--- a/gnomeclock.fc
|
|
+++ b/gnomeclock.fc
|
|
@@ -1,7 +1,10 @@
|
|
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
|
+
|
|
/usr/libexec/gnome-clock-applet-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
|
|
|
-/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
|
+/usr/libexec/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
|
|
|
-/usr/libexec/kde(3|4)/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
|
+/usr/libexec/kde3/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
|
+/usr/libexec/kde4/kcmdatetimehelper -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
|
|
|
/usr/lib/gnome-settings-daemon/gsd-datetime-mechanism -- gen_context(system_u:object_r:gnomeclock_exec_t,s0)
|
|
diff --git a/gnomeclock.if b/gnomeclock.if
|
|
index 3f55702..25c7ab8 100644
|
|
--- a/gnomeclock.if
|
|
+++ b/gnomeclock.if
|
|
@@ -2,8 +2,7 @@
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a domain transition to
|
|
-## run gnomeclock.
|
|
+## Execute a domain transition to run gnomeclock.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -16,15 +15,13 @@ interface(`gnomeclock_domtrans',`
|
|
type gnomeclock_t, gnomeclock_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, gnomeclock_exec_t, gnomeclock_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute gnomeclock in the gnomeclock
|
|
-## domain, and allow the specified
|
|
-## role the gnomeclock domain.
|
|
+## Execute gnomeclock in the gnomeclock domain, and
|
|
+## allow the specified role the gnomeclock domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -39,11 +36,11 @@ interface(`gnomeclock_domtrans',`
|
|
#
|
|
interface(`gnomeclock_run',`
|
|
gen_require(`
|
|
- attribute_role gnomeclock_roles;
|
|
+ type gnomeclock_t;
|
|
')
|
|
|
|
gnomeclock_domtrans($1)
|
|
- roleattribute $2 gnomeclock_roles;
|
|
+ role $2 types gnomeclock_t;
|
|
')
|
|
|
|
########################################
|
|
@@ -69,9 +66,8 @@ interface(`gnomeclock_dbus_chat',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to send and
|
|
-## receive messages from gnomeclock
|
|
-## over dbus.
|
|
+## Do not audit send and receive messages from
|
|
+## gnomeclock over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
diff --git a/gnomeclock.te b/gnomeclock.te
|
|
index 7cd7435..79bff0d 100644
|
|
--- a/gnomeclock.te
|
|
+++ b/gnomeclock.te
|
|
@@ -5,82 +5,95 @@ policy_module(gnomeclock, 1.1.0)
|
|
# Declarations
|
|
#
|
|
|
|
-attribute_role gnomeclock_roles;
|
|
-
|
|
type gnomeclock_t;
|
|
type gnomeclock_exec_t;
|
|
-init_system_domain(gnomeclock_t, gnomeclock_exec_t)
|
|
-role gnomeclock_roles types gnomeclock_t;
|
|
+init_daemon_domain(gnomeclock_t, gnomeclock_exec_t)
|
|
+
|
|
+type gnomeclock_tmp_t;
|
|
+files_tmp_file(gnomeclock_tmp_t)
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# gnomeclock local policy
|
|
#
|
|
|
|
-allow gnomeclock_t self:capability { sys_nice sys_time };
|
|
+allow gnomeclock_t self:capability { sys_nice sys_time dac_override };
|
|
allow gnomeclock_t self:process { getattr getsched signal };
|
|
allow gnomeclock_t self:fifo_file rw_fifo_file_perms;
|
|
-allow gnomeclock_t self:unix_stream_socket { accept listen };
|
|
+allow gnomeclock_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow gnomeclock_t self:unix_dgram_socket create_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
|
|
+manage_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
|
|
+manage_lnk_files_pattern(gnomeclock_t, gnomeclock_tmp_t, gnomeclock_tmp_t)
|
|
+files_tmp_filetrans(gnomeclock_t, gnomeclock_tmp_t, { file dir })
|
|
|
|
kernel_read_system_state(gnomeclock_t)
|
|
|
|
corecmd_exec_bin(gnomeclock_t)
|
|
corecmd_exec_shell(gnomeclock_t)
|
|
+corecmd_dontaudit_access_check_bin(gnomeclock_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(gnomeclock_t)
|
|
-corenet_all_recvfrom_netlabel(gnomeclock_t)
|
|
-corenet_tcp_sendrecv_generic_if(gnomeclock_t)
|
|
-corenet_tcp_sendrecv_generic_node(gnomeclock_t)
|
|
+corenet_tcp_connect_time_port(gnomeclock_t)
|
|
|
|
-# tcp:37 (time)
|
|
-corenet_sendrecv_inetd_child_client_packets(gnomeclock_t)
|
|
-corenet_tcp_connect_inetd_child_port(gnomeclock_t)
|
|
-corenet_tcp_sendrecv_inetd_child_port(gnomeclock_t)
|
|
-
|
|
-dev_read_sysfs(gnomeclock_t)
|
|
-dev_read_urand(gnomeclock_t)
|
|
dev_rw_realtime_clock(gnomeclock_t)
|
|
+dev_read_urand(gnomeclock_t)
|
|
+dev_write_kmsg(gnomeclock_t)
|
|
+dev_read_sysfs(gnomeclock_t)
|
|
|
|
-files_read_usr_files(gnomeclock_t)
|
|
+files_read_etc_runtime_files(gnomeclock_t)
|
|
|
|
fs_getattr_xattr_fs(gnomeclock_t)
|
|
|
|
auth_use_nsswitch(gnomeclock_t)
|
|
|
|
+init_dbus_chat(gnomeclock_t)
|
|
+
|
|
+logging_stream_connect_syslog(gnomeclock_t)
|
|
logging_send_syslog_msg(gnomeclock_t)
|
|
|
|
-miscfiles_etc_filetrans_localization(gnomeclock_t)
|
|
miscfiles_manage_localization(gnomeclock_t)
|
|
-miscfiles_read_localization(gnomeclock_t)
|
|
+miscfiles_etc_filetrans_localization(gnomeclock_t)
|
|
|
|
userdom_read_all_users_state(gnomeclock_t)
|
|
|
|
optional_policy(`
|
|
- chronyd_initrc_domtrans(gnomeclock_t)
|
|
+ chronyd_systemctl(gnomeclock_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ clock_read_adjtime(gnomeclock_t)
|
|
clock_domtrans(gnomeclock_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
|
|
+ consolekit_dbus_chat(gnomeclock_t)
|
|
+')
|
|
|
|
- optional_policy(`
|
|
- consolekit_dbus_chat(gnomeclock_t)
|
|
- ')
|
|
+optional_policy(`
|
|
+ consoletype_exec(gnomeclock_t)
|
|
+')
|
|
|
|
- optional_policy(`
|
|
- policykit_dbus_chat(gnomeclock_t)
|
|
- ')
|
|
+optional_policy(`
|
|
+dbus_system_domain(gnomeclock_t, gnomeclock_exec_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ gnome_manage_usr_config(gnomeclock_t)
|
|
+ gnome_manage_home_config(gnomeclock_t)
|
|
+ gnome_filetrans_admin_home_content(gnomeclock_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ntp_domtrans_ntpdate(gnomeclock_t)
|
|
ntp_initrc_domtrans(gnomeclock_t)
|
|
+ init_dontaudit_getattr_all_script_files(gnomeclock_t)
|
|
+ init_dontaudit_getattr_exec(gnomeclock_t)
|
|
+ ntp_systemctl(gnomeclock_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ policykit_dbus_chat(gnomeclock_t)
|
|
policykit_domtrans_auth(gnomeclock_t)
|
|
policykit_read_lib(gnomeclock_t)
|
|
policykit_read_reload(gnomeclock_t)
|
|
diff --git a/gpg.fc b/gpg.fc
|
|
index 888cd2c..c02fa56 100644
|
|
--- a/gpg.fc
|
|
+++ b/gpg.fc
|
|
@@ -1,10 +1,14 @@
|
|
-HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
|
|
-HOME_DIR/\.gnupg/log-socket -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
|
|
+HOME_DIR/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
|
|
+HOME_DIR/\.gnupg/log-socket gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
|
|
+
|
|
+/etc/mail/spamassassin/sa-update-keys(/.*)? gen_context(system_u:object_r:gpg_secret_t,s0)
|
|
+
|
|
+/root/\.gnupg(/.+)? gen_context(system_u:object_r:gpg_secret_t,s0)
|
|
|
|
/usr/bin/gpg(2)? -- gen_context(system_u:object_r:gpg_exec_t,s0)
|
|
-/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
|
|
+/usr/bin/gpgsm -- gen_context(system_u:object_r:gpg_exec_t,s0)
|
|
/usr/bin/gpg-agent -- gen_context(system_u:object_r:gpg_agent_exec_t,s0)
|
|
/usr/bin/pinentry.* -- gen_context(system_u:object_r:pinentry_exec_t,s0)
|
|
|
|
/usr/lib/gnupg/.* -- gen_context(system_u:object_r:gpg_exec_t,s0)
|
|
-/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
|
|
+/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
|
|
diff --git a/gpg.if b/gpg.if
|
|
index 180f1b7..3c8757e 100644
|
|
--- a/gpg.if
|
|
+++ b/gpg.if
|
|
@@ -2,57 +2,79 @@
|
|
|
|
############################################################
|
|
## <summary>
|
|
-## Role access for gpg.
|
|
+## Role access for gpg
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## User domain for the role.
|
|
+## User domain for the role
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`gpg_role',`
|
|
gen_require(`
|
|
- attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
|
|
- type gpg_t, gpg_exec_t, gpg_agent_t;
|
|
- type gpg_agent_exec_t, gpg_agent_tmp_t, gpg_helper_t;
|
|
- type gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_secret_t;
|
|
+ attribute_role gpg_roles, gpg_agent_roles, gpg_helper_roles, gpg_pinentry_roles;
|
|
+ type gpg_t, gpg_exec_t;
|
|
+ type gpg_agent_t, gpg_agent_exec_t;
|
|
+ type gpg_agent_tmp_t;
|
|
+ type gpg_helper_t, gpg_pinentry_t;
|
|
+ type gpg_pinentry_tmp_t;
|
|
')
|
|
|
|
- roleattribute $1 gpg_roles;
|
|
- roleattribute $1 gpg_agent_roles;
|
|
- roleattribute $1 gpg_helper_roles;
|
|
- roleattribute $1 gpg_pinentry_roles;
|
|
+ roleattribute $1 gpg_roles;
|
|
+ roleattribute $1 gpg_agent_roles;
|
|
+ roleattribute $1 gpg_helper_roles;
|
|
+ roleattribute $1 gpg_pinentry_roles;
|
|
|
|
+ # transition from the userdomain to the derived domain
|
|
domtrans_pattern($2, gpg_exec_t, gpg_t)
|
|
- domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
|
|
|
|
- allow $2 { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($2, { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t })
|
|
+ # allow ps to show gpg
|
|
+ ps_process_pattern($2, gpg_t)
|
|
+ allow $2 gpg_t:process { signull sigstop signal sigkill };
|
|
|
|
- allow gpg_pinentry_t $2:process signull;
|
|
+ # communicate with the user
|
|
allow gpg_helper_t $2:fd use;
|
|
- allow { gpg_t gpg_agent_t gpg_helper_t gpg_pinentry_t } $2:fifo_file { read write };
|
|
+ allow gpg_helper_t $2:fifo_file write;
|
|
+
|
|
+ # allow ps to show gpg-agent
|
|
+ ps_process_pattern($2, gpg_agent_t)
|
|
|
|
- allow $2 { gpg_agent_tmp_t gpg_secret_t }:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 { gpg_agent_tmp_t gpg_secret_t }:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 gpg_secret_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
- allow $2 { gpg_agent_tmp_t gpg_pinentry_tmp_t gpg_secret_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
|
- filetrans_pattern($2, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
|
|
- userdom_user_home_dir_filetrans($2, gpg_secret_t, dir, ".gnupg")
|
|
+ # Allow the user shell to signal the gpg-agent program.
|
|
+ allow $2 gpg_agent_t:process { signal sigkill };
|
|
+
|
|
+ manage_dirs_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
|
|
+ manage_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
|
|
+ manage_sock_files_pattern($2, gpg_agent_tmp_t, gpg_agent_tmp_t)
|
|
+ files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
|
|
+
|
|
+ # Transition from the user domain to the agent domain.
|
|
+ domtrans_pattern($2, gpg_agent_exec_t, gpg_agent_t)
|
|
+
|
|
+ manage_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
|
|
+ relabel_sock_files_pattern($2, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
|
|
+
|
|
+ allow gpg_pinentry_t $2:fifo_file { read write };
|
|
|
|
optional_policy(`
|
|
gpg_pinentry_dbus_chat($2)
|
|
')
|
|
+
|
|
+ allow $2 gpg_agent_t:unix_stream_socket { rw_socket_perms connectto };
|
|
+ ifdef(`hide_broken_symptoms',`
|
|
+ #Leaked File Descriptors
|
|
+ dontaudit gpg_t $2:fifo_file rw_fifo_file_perms;
|
|
+ dontaudit gpg_agent_t $2:fifo_file rw_fifo_file_perms;
|
|
+ ')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute the gpg in the gpg domain.
|
|
+## Transition to a user gpg domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -65,13 +87,12 @@ interface(`gpg_domtrans',`
|
|
type gpg_t, gpg_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, gpg_exec_t, gpg_t)
|
|
')
|
|
|
|
-########################################
|
|
+######################################
|
|
## <summary>
|
|
-## Execute the gpg in the caller domain.
|
|
+## Execute gpg in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -88,76 +109,46 @@ interface(`gpg_exec',`
|
|
can_exec($1, gpg_exec_t)
|
|
')
|
|
|
|
-########################################
|
|
-## <summary>
|
|
-## Execute gpg in a specified domain.
|
|
-## </summary>
|
|
-## <desc>
|
|
-## <p>
|
|
-## Execute gpg in a specified domain.
|
|
-## </p>
|
|
-## <p>
|
|
-## No interprocess communication (signals, pipes,
|
|
-## etc.) is provided by this interface since
|
|
-## the domains are not owned by this module.
|
|
-## </p>
|
|
-## </desc>
|
|
-## <param name="source_domain">
|
|
-## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="target_domain">
|
|
-## <summary>
|
|
-## Domain to transition to.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`gpg_spec_domtrans',`
|
|
- gen_require(`
|
|
- type gpg_exec_t;
|
|
- ')
|
|
-
|
|
- corecmd_search_bin($1)
|
|
- domain_auto_trans($1, gpg_exec_t, $2)
|
|
-')
|
|
-
|
|
######################################
|
|
## <summary>
|
|
-## Execute gpg in the gpg web domain. (Deprecated)
|
|
+## Transition to a gpg web domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`gpg_domtrans_web',`
|
|
- refpolicywarn(`$0($*) has been deprecated.')
|
|
+ gen_require(`
|
|
+ type gpg_web_t, gpg_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, gpg_exec_t, gpg_web_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
-## Make gpg executable files an
|
|
-## entrypoint for the specified domain.
|
|
+## Make gpg an entrypoint for
|
|
+## the specified domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## The domain for which gpg_exec_t is an entrypoint.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## The domain for which cifs_t is an entrypoint.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`gpg_entry_type',`
|
|
- gen_require(`
|
|
- type gpg_exec_t;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type gpg_exec_t;
|
|
+ ')
|
|
|
|
- domain_entry_file($1, gpg_exec_t)
|
|
+ domain_entry_file($1, gpg_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send generic signals to gpg.
|
|
+## Send generic signals to user gpg processes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -175,7 +166,7 @@ interface(`gpg_signal',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write gpg agent pipes.
|
|
+## Read and write GPG agent pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -184,6 +175,7 @@ interface(`gpg_signal',`
|
|
## </param>
|
|
#
|
|
interface(`gpg_rw_agent_pipes',`
|
|
+ # Just wants read/write could this be a leak?
|
|
gen_require(`
|
|
type gpg_agent_t;
|
|
')
|
|
@@ -193,8 +185,8 @@ interface(`gpg_rw_agent_pipes',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send messages to and from gpg
|
|
-## pinentry over DBUS.
|
|
+## Send messages to and from GPG
|
|
+## Pinentry over DBUS.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -214,7 +206,7 @@ interface(`gpg_pinentry_dbus_chat',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## List gpg user secrets.
|
|
+## List Gnu Privacy Guard user secrets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -230,3 +222,39 @@ interface(`gpg_list_user_secrets',`
|
|
list_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
|
|
userdom_search_user_home_dirs($1)
|
|
')
|
|
+###########################
|
|
+## <summary>
|
|
+## Allow to manage gpg named home content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gpg_manage_home_content',`
|
|
+ gen_require(`
|
|
+ type gpg_secret_t;
|
|
+ ')
|
|
+
|
|
+ manage_files_pattern($1, gpg_secret_t, gpg_secret_t)
|
|
+ manage_dirs_pattern($1, gpg_secret_t, gpg_secret_t)
|
|
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
|
|
+')
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to gpg named home content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gpg_filetrans_home_content',`
|
|
+ gen_require(`
|
|
+ type gpg_secret_t;
|
|
+ ')
|
|
+
|
|
+ userdom_user_home_dir_filetrans($1, gpg_secret_t, dir, ".gnupg")
|
|
+')
|
|
diff --git a/gpg.te b/gpg.te
|
|
index 0e97e82..edabe2e 100644
|
|
--- a/gpg.te
|
|
+++ b/gpg.te
|
|
@@ -4,15 +4,7 @@ policy_module(gpg, 2.8.0)
|
|
#
|
|
# Declarations
|
|
#
|
|
-
|
|
-## <desc>
|
|
-## <p>
|
|
-## Determine whether GPG agent can manage
|
|
-## generic user home content files. This is
|
|
-## required by the --write-env-file option.
|
|
-## </p>
|
|
-## </desc>
|
|
-gen_tunable(gpg_agent_env_file, false)
|
|
+attribute gpgdomain;
|
|
|
|
attribute_role gpg_roles;
|
|
roleattribute system_r gpg_roles;
|
|
@@ -24,7 +16,23 @@ roleattribute system_r gpg_helper_roles;
|
|
|
|
attribute_role gpg_pinentry_roles;
|
|
|
|
-type gpg_t;
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow usage of the gpg-agent --write-env-file option.
|
|
+## This also allows gpg-agent to manage user files.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(gpg_agent_env_file, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow gpg web domain to modify public files
|
|
+## used for public file transfer services.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(gpg_web_anon_write, false)
|
|
+
|
|
+type gpg_t, gpgdomain;
|
|
type gpg_exec_t;
|
|
typealias gpg_t alias { user_gpg_t staff_gpg_t sysadm_gpg_t };
|
|
typealias gpg_t alias { auditadm_gpg_t secadm_gpg_t };
|
|
@@ -69,95 +77,100 @@ type gpg_pinentry_tmpfs_t;
|
|
userdom_user_tmpfs_file(gpg_pinentry_tmpfs_t)
|
|
|
|
optional_policy(`
|
|
- pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
|
|
+ pulseaudio_tmpfs_content(gpg_pinentry_tmpfs_t)
|
|
')
|
|
|
|
+type gpg_web_t;
|
|
+domain_type(gpg_web_t)
|
|
+gpg_entry_type(gpg_web_t)
|
|
+role system_r types gpg_web_t;
|
|
+
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# GPG local policy
|
|
#
|
|
|
|
-allow gpg_t self:capability { ipc_lock setuid };
|
|
-allow gpg_t self:process { signal signull setrlimit getcap setcap getsched setsched setpgid };
|
|
-dontaudit gpg_t self:netlink_audit_socket r_netlink_socket_perms;
|
|
-allow gpg_t self:fifo_file rw_fifo_file_perms;
|
|
-allow gpg_t self:tcp_socket { accept listen };
|
|
+allow gpgdomain self:capability { ipc_lock setuid };
|
|
+allow gpgdomain self:process { getsched setsched };
|
|
+#at setrlimit is for ulimit -c 0
|
|
+allow gpgdomain self:process { signal signull setrlimit getcap setcap setpgid };
|
|
+dontaudit gpgdomain self:netlink_audit_socket r_netlink_socket_perms;
|
|
+
|
|
+allow gpgdomain self:fifo_file rw_fifo_file_perms;
|
|
+allow gpgdomain self:tcp_socket create_stream_socket_perms;
|
|
|
|
manage_dirs_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
|
|
manage_files_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
|
|
files_tmp_filetrans(gpg_t, gpg_agent_tmp_t, { dir file })
|
|
|
|
-manage_dirs_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
|
|
+
|
|
+allow gpg_t gpg_secret_t:dir create_dir_perms;
|
|
manage_sock_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
|
|
manage_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
|
|
manage_lnk_files_pattern(gpg_t, gpg_secret_t, gpg_secret_t)
|
|
-userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir)
|
|
-
|
|
-stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
|
|
-
|
|
-domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
|
|
-domtrans_pattern(gpg_t, gpg_helper_exec_t, gpg_helper_t)
|
|
+userdom_user_home_dir_filetrans(gpg_t, gpg_secret_t, dir, ".gnupg")
|
|
|
|
kernel_read_sysctl(gpg_t)
|
|
+kernel_read_system_state(gpg_t)
|
|
+kernel_getattr_core_if(gpg_t)
|
|
|
|
corecmd_exec_shell(gpg_t)
|
|
corecmd_exec_bin(gpg_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(gpg_t)
|
|
corenet_all_recvfrom_netlabel(gpg_t)
|
|
corenet_tcp_sendrecv_generic_if(gpg_t)
|
|
+corenet_udp_sendrecv_generic_if(gpg_t)
|
|
corenet_tcp_sendrecv_generic_node(gpg_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(gpg_t)
|
|
-corenet_tcp_connect_all_ports(gpg_t)
|
|
+corenet_udp_sendrecv_generic_node(gpg_t)
|
|
corenet_tcp_sendrecv_all_ports(gpg_t)
|
|
+corenet_udp_sendrecv_all_ports(gpg_t)
|
|
+corenet_tcp_connect_all_ports(gpg_t)
|
|
+corenet_sendrecv_all_client_packets(gpg_t)
|
|
|
|
-dev_read_generic_usb_dev(gpg_t)
|
|
dev_read_rand(gpg_t)
|
|
dev_read_urand(gpg_t)
|
|
-
|
|
-files_read_usr_files(gpg_t)
|
|
-files_dontaudit_search_var(gpg_t)
|
|
+dev_read_generic_usb_dev(gpg_t)
|
|
+dev_dontaudit_getattr_all(gpg_t)
|
|
|
|
fs_getattr_xattr_fs(gpg_t)
|
|
fs_list_inotifyfs(gpg_t)
|
|
|
|
domain_use_interactive_fds(gpg_t)
|
|
|
|
-auth_use_nsswitch(gpg_t)
|
|
+files_dontaudit_search_var(gpg_t)
|
|
|
|
-logging_send_syslog_msg(gpg_t)
|
|
+auth_use_nsswitch(gpg_t)
|
|
|
|
-miscfiles_read_localization(gpg_t)
|
|
+init_dontaudit_getattr_initctl(gpg_t)
|
|
|
|
-userdom_use_user_terminals(gpg_t)
|
|
+logging_send_syslog_msg(gpg_t)
|
|
|
|
-userdom_manage_user_tmp_files(gpg_t)
|
|
+userdom_use_inherited_user_terminals(gpg_t)
|
|
+# sign/encrypt user files
|
|
+userdom_manage_all_user_tmp_content(gpg_t)
|
|
+#userdom_manage_user_home_content(gpg_t)
|
|
userdom_manage_user_home_content_files(gpg_t)
|
|
-userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
|
|
+userdom_manage_user_home_content_dirs(gpg_t)
|
|
+userdom_filetrans_home_content(gpg_t)
|
|
+userdom_stream_connect(gpg_t)
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(gpg_t)
|
|
- fs_manage_nfs_files(gpg_t)
|
|
-')
|
|
+mta_manage_config(gpg_t)
|
|
+mta_read_spool(gpg_t)
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(gpg_t)
|
|
- fs_manage_cifs_files(gpg_t)
|
|
-')
|
|
+userdom_home_manager(gpg_t)
|
|
|
|
optional_policy(`
|
|
- gnome_read_generic_home_content(gpg_t)
|
|
- gnome_stream_connect_all_gkeyringd(gpg_t)
|
|
+ gpm_dontaudit_getattr_gpmctl(gpg_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- mozilla_dontaudit_rw_user_home_files(gpg_t)
|
|
+ gnome_manage_config(gpg_t)
|
|
+ gnome_stream_connect_gkeyringd(gpg_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- mta_read_spool_files(gpg_t)
|
|
- mta_write_config(gpg_t)
|
|
+ mozilla_read_user_home_files(gpg_t)
|
|
+ mozilla_write_user_home_files(gpg_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -165,37 +178,51 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- cron_system_entry(gpg_t, gpg_exec_t)
|
|
- cron_read_system_job_tmp_files(gpg_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
xserver_use_xdm_fds(gpg_t)
|
|
xserver_rw_xdm_pipes(gpg_t)
|
|
')
|
|
|
|
+#optional_policy(`
|
|
+# cron_system_entry(gpg_t, gpg_exec_t)
|
|
+# cron_read_system_job_tmp_files(gpg_t)
|
|
+#')
|
|
+
|
|
########################################
|
|
#
|
|
-# Helper local policy
|
|
+# GPG helper local policy
|
|
#
|
|
|
|
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
|
|
+
|
|
allow gpg_helper_t self:process { getsched setsched };
|
|
+
|
|
+# for helper programs (which automatically fetch keys)
|
|
+# Note: this is only tested with the hkp interface. If you use eg the
|
|
+# mail interface you will likely need additional permissions.
|
|
+
|
|
allow gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow gpg_helper_t self:tcp_socket { connect connected_socket_perms };
|
|
+allow gpg_helper_t self:udp_socket { connect connected_socket_perms };
|
|
|
|
-dontaudit gpg_helper_t gpg_secret_t:file read_file_perms;
|
|
+dontaudit gpg_helper_t gpg_secret_t:file read;
|
|
|
|
-corenet_all_recvfrom_unlabeled(gpg_helper_t)
|
|
corenet_all_recvfrom_netlabel(gpg_helper_t)
|
|
corenet_tcp_sendrecv_generic_if(gpg_helper_t)
|
|
+corenet_raw_sendrecv_generic_if(gpg_helper_t)
|
|
+corenet_udp_sendrecv_generic_if(gpg_helper_t)
|
|
corenet_tcp_sendrecv_generic_node(gpg_helper_t)
|
|
+corenet_udp_sendrecv_generic_node(gpg_helper_t)
|
|
+corenet_raw_sendrecv_generic_node(gpg_helper_t)
|
|
corenet_tcp_sendrecv_all_ports(gpg_helper_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(gpg_helper_t)
|
|
+corenet_udp_sendrecv_all_ports(gpg_helper_t)
|
|
+corenet_tcp_bind_generic_node(gpg_helper_t)
|
|
+corenet_udp_bind_generic_node(gpg_helper_t)
|
|
corenet_tcp_connect_all_ports(gpg_helper_t)
|
|
|
|
+
|
|
auth_use_nsswitch(gpg_helper_t)
|
|
|
|
-userdom_use_user_terminals(gpg_helper_t)
|
|
+userdom_use_inherited_user_terminals(gpg_helper_t)
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
fs_dontaudit_rw_nfs_files(gpg_helper_t)
|
|
@@ -207,29 +234,35 @@ tunable_policy(`use_samba_home_dirs',`
|
|
|
|
########################################
|
|
#
|
|
-# Agent local policy
|
|
+# GPG agent local policy
|
|
#
|
|
+domtrans_pattern(gpg_t, gpg_agent_exec_t, gpg_agent_t)
|
|
|
|
+# rlimit: gpg-agent wants to prevent coredumps
|
|
allow gpg_agent_t self:process setrlimit;
|
|
-allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
+
|
|
+allow gpg_agent_t self:unix_stream_socket { create_stream_socket_perms connectto } ;
|
|
allow gpg_agent_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
|
|
manage_dirs_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
|
|
manage_sock_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
|
|
manage_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
|
|
manage_lnk_files_pattern(gpg_agent_t, gpg_secret_t, gpg_secret_t)
|
|
|
|
+# Allow the gpg-agent to manage its tmp files (socket)
|
|
manage_dirs_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
|
|
manage_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
|
|
manage_sock_files_pattern(gpg_agent_t, gpg_agent_tmp_t, gpg_agent_tmp_t)
|
|
files_tmp_filetrans(gpg_agent_t, gpg_agent_tmp_t, { file sock_file dir })
|
|
|
|
-filetrans_pattern(gpg_agent_t, gpg_secret_t, gpg_agent_tmp_t, sock_file, "log-socket")
|
|
-
|
|
-domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
|
|
+# allow gpg to connect to the gpg agent
|
|
+stream_connect_pattern(gpg_t, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
|
|
|
|
-kernel_dontaudit_search_sysctl(gpg_agent_t)
|
|
+kernel_read_system_state(gpg_agent_t)
|
|
|
|
+corecmd_read_bin_symlinks(gpg_agent_t)
|
|
+corecmd_search_bin(gpg_agent_t)
|
|
corecmd_exec_shell(gpg_agent_t)
|
|
|
|
dev_read_rand(gpg_agent_t)
|
|
@@ -239,37 +272,40 @@ domain_use_interactive_fds(gpg_agent_t)
|
|
|
|
fs_dontaudit_list_inotifyfs(gpg_agent_t)
|
|
|
|
-miscfiles_read_localization(gpg_agent_t)
|
|
|
|
-userdom_use_user_terminals(gpg_agent_t)
|
|
+# Write to the user domain tty.
|
|
+userdom_use_inherited_user_terminals(gpg_agent_t)
|
|
+# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
|
|
userdom_search_user_home_dirs(gpg_agent_t)
|
|
+userdom_filetrans_home_content(gpg_agent_t)
|
|
|
|
ifdef(`hide_broken_symptoms',`
|
|
userdom_dontaudit_read_user_tmp_files(gpg_agent_t)
|
|
+ userdom_dontaudit_write_user_tmp_files(gpg_agent_t)
|
|
')
|
|
|
|
tunable_policy(`gpg_agent_env_file',`
|
|
+ # write ~/.gpg-agent-info or a similar to the users home dir
|
|
+ # or subdir (gpg-agent --write-env-file option)
|
|
+ #
|
|
userdom_manage_user_home_content_dirs(gpg_agent_t)
|
|
userdom_manage_user_home_content_files(gpg_agent_t)
|
|
- userdom_user_home_dir_filetrans_user_home_content(gpg_agent_t, file)
|
|
')
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(gpg_agent_t)
|
|
- fs_manage_nfs_files(gpg_agent_t)
|
|
- fs_manage_nfs_symlinks(gpg_agent_t)
|
|
-')
|
|
+userdom_home_manager(gpg_agent_t)
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(gpg_agent_t)
|
|
- fs_manage_cifs_files(gpg_agent_t)
|
|
- fs_manage_cifs_symlinks(gpg_agent_t)
|
|
+optional_policy(`
|
|
+ gnome_manage_config(gpg_agent_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mozilla_dontaudit_rw_user_home_files(gpg_agent_t)
|
|
')
|
|
|
|
+optional_policy(`
|
|
+ pcscd_stream_connect(gpg_agent_t)
|
|
+')
|
|
+
|
|
##############################
|
|
#
|
|
# Pinentry local policy
|
|
@@ -277,8 +313,17 @@ optional_policy(`
|
|
|
|
allow gpg_pinentry_t self:process { getcap getsched setsched signal };
|
|
allow gpg_pinentry_t self:fifo_file rw_fifo_file_perms;
|
|
+allow gpg_pinentry_t self:netlink_route_socket create_netlink_socket_perms;
|
|
allow gpg_pinentry_t self:shm create_shm_perms;
|
|
-allow gpg_pinentry_t self:tcp_socket { accept listen };
|
|
+allow gpg_pinentry_t self:tcp_socket create_stream_socket_perms;
|
|
+allow gpg_pinentry_t self:unix_dgram_socket sendto;
|
|
+allow gpg_pinentry_t self:unix_stream_socket { connect create getattr read shutdown write };
|
|
+
|
|
+can_exec(gpg_pinentry_t, pinentry_exec_t)
|
|
+
|
|
+# we need to allow gpg-agent to call pinentry so it can get the passphrase
|
|
+# from the user.
|
|
+domtrans_pattern(gpg_agent_t, pinentry_exec_t, gpg_pinentry_t)
|
|
|
|
manage_sock_files_pattern(gpg_pinentry_t, gpg_pinentry_tmp_t, gpg_pinentry_tmp_t)
|
|
userdom_user_tmp_filetrans(gpg_pinentry_t, gpg_pinentry_tmp_t, sock_file)
|
|
@@ -287,53 +332,86 @@ manage_dirs_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
|
|
manage_files_pattern(gpg_pinentry_t, gpg_pinentry_tmpfs_t, gpg_pinentry_tmpfs_t)
|
|
fs_tmpfs_filetrans(gpg_pinentry_t, gpg_pinentry_tmpfs_t, { file dir })
|
|
|
|
-can_exec(gpg_pinentry_t, pinentry_exec_t)
|
|
-
|
|
+# read /proc/meminfo
|
|
kernel_read_system_state(gpg_pinentry_t)
|
|
|
|
corecmd_exec_shell(gpg_pinentry_t)
|
|
corecmd_exec_bin(gpg_pinentry_t)
|
|
|
|
corenet_all_recvfrom_netlabel(gpg_pinentry_t)
|
|
-corenet_all_recvfrom_unlabeled(gpg_pinentry_t)
|
|
+corenet_sendrecv_pulseaudio_client_packets(gpg_pinentry_t)
|
|
+corenet_tcp_bind_generic_node(gpg_pinentry_t)
|
|
+corenet_tcp_connect_pulseaudio_port(gpg_pinentry_t)
|
|
corenet_tcp_sendrecv_generic_if(gpg_pinentry_t)
|
|
corenet_tcp_sendrecv_generic_node(gpg_pinentry_t)
|
|
+corenet_tcp_sendrecv_generic_port(gpg_pinentry_t)
|
|
|
|
dev_read_urand(gpg_pinentry_t)
|
|
dev_read_rand(gpg_pinentry_t)
|
|
|
|
-domain_use_interactive_fds(gpg_pinentry_t)
|
|
-
|
|
-files_read_usr_files(gpg_pinentry_t)
|
|
+# read /etc/X11/qtrc
|
|
|
|
fs_dontaudit_list_inotifyfs(gpg_pinentry_t)
|
|
+fs_getattr_tmpfs(gpg_pinentry_t)
|
|
|
|
auth_use_nsswitch(gpg_pinentry_t)
|
|
|
|
logging_send_syslog_msg(gpg_pinentry_t)
|
|
|
|
miscfiles_read_fonts(gpg_pinentry_t)
|
|
-miscfiles_read_localization(gpg_pinentry_t)
|
|
|
|
+# for .Xauthority
|
|
+userdom_read_user_home_content_files(gpg_pinentry_t)
|
|
+userdom_read_user_tmpfs_files(gpg_pinentry_t)
|
|
+# Bug: user pulseaudio files need open,read and unlink:
|
|
+allow gpg_pinentry_t user_tmpfs_t:file unlink;
|
|
+userdom_signull_unpriv_users(gpg_pinentry_t)
|
|
userdom_use_user_terminals(gpg_pinentry_t)
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_read_nfs_files(gpg_pinentry_t)
|
|
-')
|
|
+userdom_home_reader(gpg_pinentry_t)
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_read_cifs_files(gpg_pinentry_t)
|
|
+optional_policy(`
|
|
+ gnome_read_home_config(gpg_pinentry_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- dbus_all_session_bus_client(gpg_pinentry_t)
|
|
+ dbus_session_bus_client(gpg_pinentry_t)
|
|
dbus_system_bus_client(gpg_pinentry_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
|
|
+ gnome_write_generic_cache_files(gpg_pinentry_t)
|
|
+ gnome_read_generic_cache_files(gpg_pinentry_t)
|
|
+ gnome_read_gconf_home_files(gpg_pinentry_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ pulseaudio_run(gpg_pinentry_t, gpg_pinentry_roles)
|
|
+ pulseaudio_stream_connect(gpg_pinentry_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_user_x_domain_template(gpg_pinentry, gpg_pinentry_t, gpg_pinentry_tmpfs_t)
|
|
+
|
|
+')
|
|
+
|
|
+#############################
|
|
+#
|
|
+# gpg web local policy
|
|
+#
|
|
+
|
|
+allow gpg_web_t self:process setrlimit;
|
|
+
|
|
+dev_read_rand(gpg_web_t)
|
|
+dev_read_urand(gpg_web_t)
|
|
+
|
|
+can_exec(gpg_web_t, gpg_exec_t)
|
|
+
|
|
+
|
|
+
|
|
+apache_dontaudit_rw_tmp_files(gpg_web_t)
|
|
+apache_manage_sys_content_rw(gpg_web_t)
|
|
+
|
|
+tunable_policy(`gpg_web_anon_write',`
|
|
+ miscfiles_manage_public_files(gpg_web_t)
|
|
')
|
|
diff --git a/gpm.te b/gpm.te
|
|
index 69734fd..d99009a 100644
|
|
--- a/gpm.te
|
|
+++ b/gpm.te
|
|
@@ -13,7 +13,7 @@ type gpm_initrc_exec_t;
|
|
init_script_file(gpm_initrc_exec_t)
|
|
|
|
type gpm_conf_t;
|
|
-files_type(gpm_conf_t)
|
|
+files_config_file(gpm_conf_t)
|
|
|
|
type gpm_tmp_t;
|
|
files_tmp_file(gpm_tmp_t)
|
|
@@ -57,7 +57,6 @@ dev_read_sysfs(gpm_t)
|
|
dev_rw_input_dev(gpm_t)
|
|
dev_rw_mouse(gpm_t)
|
|
|
|
-files_read_etc_files(gpm_t)
|
|
|
|
fs_getattr_all_fs(gpm_t)
|
|
fs_search_auto_mountpoints(gpm_t)
|
|
@@ -68,11 +67,9 @@ domain_use_interactive_fds(gpm_t)
|
|
|
|
logging_send_syslog_msg(gpm_t)
|
|
|
|
-miscfiles_read_localization(gpm_t)
|
|
-
|
|
-userdom_use_user_terminals(gpm_t)
|
|
userdom_dontaudit_use_unpriv_user_fds(gpm_t)
|
|
userdom_dontaudit_search_user_home_dirs(gpm_t)
|
|
+userdom_use_inherited_user_terminals(gpm_t)
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(gpm_t)
|
|
diff --git a/gpsd.te b/gpsd.te
|
|
index fe3895e..a820546 100644
|
|
--- a/gpsd.te
|
|
+++ b/gpsd.te
|
|
@@ -28,11 +28,12 @@ files_pid_file(gpsd_var_run_t)
|
|
#
|
|
|
|
allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
|
|
-dontaudit gpsd_t self:capability { dac_read_search dac_override };
|
|
+dontaudit gpsd_t self:capability { sys_ptrace dac_read_search dac_override };
|
|
allow gpsd_t self:process { setsched signal_perms };
|
|
allow gpsd_t self:shm create_shm_perms;
|
|
allow gpsd_t self:unix_dgram_socket sendto;
|
|
allow gpsd_t self:tcp_socket { accept listen };
|
|
+allow gpsd_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
|
|
manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
|
|
@@ -62,13 +63,13 @@ domain_dontaudit_read_all_domains_state(gpsd_t)
|
|
|
|
term_use_unallocated_ttys(gpsd_t)
|
|
term_setattr_unallocated_ttys(gpsd_t)
|
|
+term_use_usb_ttys(gpsd_t)
|
|
+term_setattr_usb_ttys(gpsd_t)
|
|
|
|
auth_use_nsswitch(gpsd_t)
|
|
|
|
logging_send_syslog_msg(gpsd_t)
|
|
|
|
-miscfiles_read_localization(gpsd_t)
|
|
-
|
|
optional_policy(`
|
|
chronyd_rw_shm(gpsd_t)
|
|
chronyd_stream_connect(gpsd_t)
|
|
diff --git a/gssproxy.fc b/gssproxy.fc
|
|
new file mode 100644
|
|
index 0000000..f4659d1
|
|
--- /dev/null
|
|
+++ b/gssproxy.fc
|
|
@@ -0,0 +1,8 @@
|
|
+/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_file_t,s0)
|
|
+
|
|
+/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
|
|
+
|
|
+/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
|
|
+
|
|
+/var/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_var_run_t,s0)
|
|
+/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_var_run_t,s0)
|
|
diff --git a/gssproxy.if b/gssproxy.if
|
|
new file mode 100644
|
|
index 0000000..3ce0ac0
|
|
--- /dev/null
|
|
+++ b/gssproxy.if
|
|
@@ -0,0 +1,198 @@
|
|
+
|
|
+## <summary>policy for gssproxy</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute TEMPLATE in the gssproxy domin.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gssproxy_domtrans',`
|
|
+ gen_require(`
|
|
+ type gssproxy_t, gssproxy_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search gssproxy lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gssproxy_search_lib',`
|
|
+ gen_require(`
|
|
+ type gssproxy_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 gssproxy_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read gssproxy lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gssproxy_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type gssproxy_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage gssproxy lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gssproxy_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type gssproxy_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage gssproxy lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gssproxy_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type gssproxy_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read gssproxy PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gssproxy_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type gssproxy_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ read_files_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute gssproxy server in the gssproxy domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gssproxy_systemctl',`
|
|
+ gen_require(`
|
|
+ type gssproxy_t;
|
|
+ type gssproxy_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 gssproxy_unit_file_t:file read_file_perms;
|
|
+ allow $1 gssproxy_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, gssproxy_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Connect to gssproxy over an unix
|
|
+## domain stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`gssproxy_stream_connect',`
|
|
+ gen_require(`
|
|
+ type gssproxy_t, gssproxy_var_run_t, gssproxy_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, gssproxy_var_run_t, gssproxy_var_run_t, gssproxy_t)
|
|
+ stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an gssproxy environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`gssproxy_admin',`
|
|
+ gen_require(`
|
|
+ type gssproxy_t;
|
|
+ type gssproxy_var_lib_t;
|
|
+ type gssproxy_var_run_t;
|
|
+ type gssproxy_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 gssproxy_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, gssproxy_t)
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ admin_pattern($1, gssproxy_var_lib_t)
|
|
+
|
|
+ files_search_pids($1)
|
|
+ admin_pattern($1, gssproxy_var_run_t)
|
|
+
|
|
+ gssproxy_systemctl($1)
|
|
+ admin_pattern($1, gssproxy_unit_file_t)
|
|
+ allow $1 gssproxy_unit_file_t:service all_service_perms;
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+')
|
|
diff --git a/gssproxy.te b/gssproxy.te
|
|
new file mode 100644
|
|
index 0000000..5044e7b
|
|
--- /dev/null
|
|
+++ b/gssproxy.te
|
|
@@ -0,0 +1,66 @@
|
|
+policy_module(gssproxy, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type gssproxy_t;
|
|
+type gssproxy_exec_t;
|
|
+init_daemon_domain(gssproxy_t, gssproxy_exec_t)
|
|
+
|
|
+type gssproxy_var_lib_t;
|
|
+files_type(gssproxy_var_lib_t)
|
|
+
|
|
+type gssproxy_var_run_t;
|
|
+files_pid_file(gssproxy_var_run_t)
|
|
+
|
|
+type gssproxy_unit_file_t;
|
|
+systemd_unit_file(gssproxy_unit_file_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# gssproxy local policy
|
|
+#
|
|
+allow gssproxy_t self:capability2 block_suspend;
|
|
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
|
|
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
|
|
+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
|
|
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
|
|
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
|
|
+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
|
|
+
|
|
+manage_dirs_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
|
|
+manage_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
|
|
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
|
|
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_run_t, gssproxy_var_run_t)
|
|
+files_pid_filetrans(gssproxy_t, gssproxy_var_run_t, { dir file lnk_file sock_file })
|
|
+
|
|
+kernel_rw_rpc_sysctls(gssproxy_t)
|
|
+
|
|
+domain_use_interactive_fds(gssproxy_t)
|
|
+
|
|
+files_read_etc_files(gssproxy_t)
|
|
+
|
|
+auth_use_nsswitch(gssproxy_t)
|
|
+
|
|
+dev_read_urand(gssproxy_t)
|
|
+
|
|
+logging_send_syslog_msg(gssproxy_t)
|
|
+
|
|
+miscfiles_read_localization(gssproxy_t)
|
|
+
|
|
+userdom_manage_user_tmp_dirs(gssproxy_t)
|
|
+userdom_manage_user_tmp_files(gssproxy_t)
|
|
+
|
|
+optional_policy(`
|
|
+ kerberos_use(gssproxy_t)
|
|
+ kerberos_filetrans_named_content(gssproxy_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ kerberos_keytab_template(gssproxy, gssproxy_t)
|
|
+ kerberos_manage_host_rcache(gssproxy_t)
|
|
+')
|
|
diff --git a/guest.te b/guest.te
|
|
index 19cdbe1..0605776 100644
|
|
--- a/guest.te
|
|
+++ b/guest.te
|
|
@@ -20,4 +20,4 @@ optional_policy(`
|
|
apache_role(guest_r, guest_t)
|
|
')
|
|
|
|
-#gen_user(guest_u, user, guest_r, s0, s0)
|
|
+gen_user(guest_u, user, guest_r, s0, s0)
|
|
diff --git a/hadoop.te b/hadoop.te
|
|
index e151378..04d173d 100644
|
|
--- a/hadoop.te
|
|
+++ b/hadoop.te
|
|
@@ -155,7 +155,6 @@ dev_read_urand(hadoop_t)
|
|
domain_use_interactive_fds(hadoop_t)
|
|
|
|
files_dontaudit_search_spool(hadoop_t)
|
|
-files_read_usr_files(hadoop_t)
|
|
|
|
fs_getattr_xattr_fs(hadoop_t)
|
|
|
|
@@ -263,8 +262,6 @@ kernel_read_system_state(hadoop_initrc_domain)
|
|
corecmd_exec_bin(hadoop_initrc_domain)
|
|
corecmd_exec_shell(hadoop_initrc_domain)
|
|
|
|
-files_read_etc_files(hadoop_initrc_domain)
|
|
-files_read_usr_files(hadoop_initrc_domain)
|
|
files_search_locks(hadoop_initrc_domain)
|
|
files_search_pids(hadoop_initrc_domain)
|
|
|
|
@@ -453,7 +450,6 @@ dev_read_urand(zookeeper_t)
|
|
|
|
domain_use_interactive_fds(zookeeper_t)
|
|
|
|
-files_read_usr_files(zookeeper_t)
|
|
|
|
auth_use_nsswitch(zookeeper_t)
|
|
|
|
@@ -537,7 +533,6 @@ dev_read_rand(zookeeper_server_t)
|
|
dev_read_sysfs(zookeeper_server_t)
|
|
dev_read_urand(zookeeper_server_t)
|
|
|
|
-files_read_usr_files(zookeeper_server_t)
|
|
|
|
fs_getattr_xattr_fs(zookeeper_server_t)
|
|
|
|
diff --git a/hal.te b/hal.te
|
|
index bbccc79..6c6524a 100644
|
|
--- a/hal.te
|
|
+++ b/hal.te
|
|
@@ -61,7 +61,6 @@ files_type(hald_var_lib_t)
|
|
# Common local policy
|
|
#
|
|
|
|
-files_read_usr_files(hald_domain)
|
|
|
|
miscfiles_read_localization(hald_domain)
|
|
|
|
@@ -437,7 +436,6 @@ write_files_pattern(hald_keymap_t, hald_log_t, hald_log_t)
|
|
|
|
dev_rw_input_dev(hald_keymap_t)
|
|
|
|
-files_read_etc_files(hald_keymap_t)
|
|
|
|
logging_search_logs(hald_keymap_t)
|
|
|
|
diff --git a/hddtemp.if b/hddtemp.if
|
|
index 1728071..77e71ea 100644
|
|
--- a/hddtemp.if
|
|
+++ b/hddtemp.if
|
|
@@ -60,9 +60,13 @@ interface(`hddtemp_admin',`
|
|
type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 hddtemp_t:process { ptrace signal_perms };
|
|
+ allow $1 hddtemp_t:process signal_perms;
|
|
ps_process_pattern($1, hddtemp_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 hddtemp_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, hddtemp_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 hddtemp_initrc_exec_t system_r;
|
|
diff --git a/hddtemp.te b/hddtemp.te
|
|
index 9e11b98..29065e6 100644
|
|
--- a/hddtemp.te
|
|
+++ b/hddtemp.te
|
|
@@ -26,7 +26,6 @@ allow hddtemp_t self:tcp_socket { accept listen };
|
|
|
|
allow hddtemp_t hddtemp_etc_t:file read_file_perms;
|
|
|
|
-corenet_all_recvfrom_unlabeled(hddtemp_t)
|
|
corenet_all_recvfrom_netlabel(hddtemp_t)
|
|
corenet_tcp_sendrecv_generic_if(hddtemp_t)
|
|
corenet_tcp_sendrecv_generic_node(hddtemp_t)
|
|
@@ -36,9 +35,6 @@ corenet_tcp_bind_hddtemp_port(hddtemp_t)
|
|
corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
|
|
corenet_tcp_sendrecv_hddtemp_port(hddtemp_t)
|
|
|
|
-files_search_etc(hddtemp_t)
|
|
-files_read_usr_files(hddtemp_t)
|
|
-
|
|
storage_raw_read_fixed_disk(hddtemp_t)
|
|
storage_raw_read_removable_device(hddtemp_t)
|
|
|
|
@@ -46,4 +42,3 @@ auth_use_nsswitch(hddtemp_t)
|
|
|
|
logging_send_syslog_msg(hddtemp_t)
|
|
|
|
-miscfiles_read_localization(hddtemp_t)
|
|
diff --git a/howl.te b/howl.te
|
|
index b9e60ec..0477728 100644
|
|
--- a/howl.te
|
|
+++ b/howl.te
|
|
@@ -36,7 +36,6 @@ kernel_request_load_module(howl_t)
|
|
kernel_list_proc(howl_t)
|
|
kernel_read_proc_symlinks(howl_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(howl_t)
|
|
corenet_all_recvfrom_netlabel(howl_t)
|
|
corenet_tcp_sendrecv_generic_if(howl_t)
|
|
corenet_udp_sendrecv_generic_if(howl_t)
|
|
@@ -65,8 +64,6 @@ init_dontaudit_write_utmp(howl_t)
|
|
|
|
logging_send_syslog_msg(howl_t)
|
|
|
|
-miscfiles_read_localization(howl_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(howl_t)
|
|
userdom_dontaudit_search_user_home_dirs(howl_t)
|
|
|
|
diff --git a/hypervkvp.fc b/hypervkvp.fc
|
|
index b46130e..e2ae3b2 100644
|
|
--- a/hypervkvp.fc
|
|
+++ b/hypervkvp.fc
|
|
@@ -1,3 +1,10 @@
|
|
-/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0)
|
|
|
|
-/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
|
|
+/usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_file_t,s0)
|
|
+
|
|
+/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
|
|
+/usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
|
|
+
|
|
+/usr/sbin/hypervvssd -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)
|
|
+
|
|
+/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvp_var_lib_t,s0)
|
|
diff --git a/hypervkvp.if b/hypervkvp.if
|
|
index 6517fad..17c3627 100644
|
|
--- a/hypervkvp.if
|
|
+++ b/hypervkvp.if
|
|
@@ -1,32 +1,111 @@
|
|
-## <summary>HyperV key value pair (KVP).</summary>
|
|
+
|
|
+## <summary>policy for hypervkvp</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute TEMPLATE in the hypervkvp domin.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`hypervkvp_domtrans',`
|
|
+ gen_require(`
|
|
+ type hypervkvp_t, hypervkvp_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search hypervkvp lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`hypervkvp_search_lib',`
|
|
+ gen_require(`
|
|
+ type hypervkvp_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 hypervkvp_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an hypervkvp environment.
|
|
+## Read hypervkvp lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+#
|
|
+interface(`hypervkvp_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type hypervkvp_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ allow $1 hypervkvp_var_lib_t:dir list_dir_perms;
|
|
+ read_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## hypervkvp lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`hypervkvp_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type hypervkvp_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an hypervkvp environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
interface(`hypervkvp_admin',`
|
|
gen_require(`
|
|
- type hypervkvpd_t, hypervkvpd_initrc_exec_t;
|
|
+ type hypervkvp_t;
|
|
+ type hypervkvp_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 hypervkvp_t:process signal_perms;
|
|
+ ps_process_pattern($1, hypervkvp_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 hypervkvp_t:process ptrace;
|
|
')
|
|
|
|
- allow $1 hypervkvpd_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, hypervkvpd_t)
|
|
+ hypervkvp_manage_lib_files($1)
|
|
|
|
- init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 hypervkvpd_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
+ hypervkvp_systemctl($1)
|
|
+ admin_pattern($1, hypervkvp_unit_file_t)
|
|
+ allow $1 hypervkvp_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/hypervkvp.te b/hypervkvp.te
|
|
index 4eb7041..d2ad022 100644
|
|
--- a/hypervkvp.te
|
|
+++ b/hypervkvp.te
|
|
@@ -5,24 +5,55 @@ policy_module(hypervkvp, 1.0.0)
|
|
# Declarations
|
|
#
|
|
|
|
-type hypervkvpd_t;
|
|
-type hypervkvpd_exec_t;
|
|
-init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t)
|
|
+attribute hyperv_domain;
|
|
|
|
-type hypervkvpd_initrc_exec_t;
|
|
-init_script_file(hypervkvpd_initrc_exec_t)
|
|
+type hypervkvp_t, hyperv_domain;
|
|
+type hypervkvp_exec_t;
|
|
+init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)
|
|
+
|
|
+type hypervkvp_initrc_exec_t;
|
|
+init_script_file(hypervkvp_initrc_exec_t)
|
|
+
|
|
+type hypervkvp_unit_file_t;
|
|
+systemd_unit_file(hypervkvp_unit_file_t)
|
|
+
|
|
+type hypervkvp_var_lib_t;
|
|
+files_type(hypervkvp_var_lib_t)
|
|
+
|
|
+type hypervvssd_t, hyperv_domain;
|
|
+type hypervvssd_exec_t;
|
|
+init_daemon_domain(hypervvssd_t, hypervvssd_exec_t)
|
|
+
|
|
+type hypervvssd_unit_file_t;
|
|
+systemd_unit_file(hypervvssd_unit_file_t)
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# hyperv domain local policy
|
|
+#
|
|
+
|
|
+allow hyperv_domain self:capability net_admin;
|
|
+allow hyperv_domain self:netlink_socket create_socket_perms;
|
|
+
|
|
+allow hyperv_domain self:fifo_file rw_fifo_file_perms;
|
|
+allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+########################################
|
|
#
|
|
+# hypervkvp local policy
|
|
#
|
|
|
|
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
|
|
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
|
|
+manage_dirs_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
|
|
+manage_files_pattern(hypervkvp_t, hypervkvp_var_lib_t, hypervkvp_var_lib_t)
|
|
+files_var_lib_filetrans(hypervkvp_t, hypervkvp_var_lib_t, dir)
|
|
+
|
|
+logging_send_syslog_msg(hypervkvp_t)
|
|
|
|
-logging_send_syslog_msg(hypervkvpd_t)
|
|
+sysnet_dns_name_resolve(hypervkvp_t)
|
|
|
|
-miscfiles_read_localization(hypervkvpd_t)
|
|
+########################################
|
|
+#
|
|
+# hypervvssd local policy
|
|
+#
|
|
|
|
-sysnet_dns_name_resolve(hypervkvpd_t)
|
|
+logging_send_syslog_msg(hypervvssd_t)
|
|
diff --git a/i18n_input.te b/i18n_input.te
|
|
index 369a056..65fde93 100644
|
|
--- a/i18n_input.te
|
|
+++ b/i18n_input.te
|
|
@@ -45,7 +45,6 @@ can_exec(i18n_input_t, i18n_input_exec_t)
|
|
kernel_read_kernel_sysctls(i18n_input_t)
|
|
kernel_read_system_state(i18n_input_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(i18n_input_t)
|
|
corenet_all_recvfrom_netlabel(i18n_input_t)
|
|
corenet_tcp_sendrecv_generic_if(i18n_input_t)
|
|
corenet_tcp_sendrecv_generic_node(i18n_input_t)
|
|
@@ -68,7 +67,6 @@ fs_getattr_all_fs(i18n_input_t)
|
|
fs_search_auto_mountpoints(i18n_input_t)
|
|
|
|
files_read_etc_runtime_files(i18n_input_t)
|
|
-files_read_usr_files(i18n_input_t)
|
|
|
|
auth_use_nsswitch(i18n_input_t)
|
|
|
|
@@ -76,20 +74,9 @@ init_stream_connect_script(i18n_input_t)
|
|
|
|
logging_send_syslog_msg(i18n_input_t)
|
|
|
|
-miscfiles_read_localization(i18n_input_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(i18n_input_t)
|
|
userdom_read_user_home_content_files(i18n_input_t)
|
|
-
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_read_nfs_files(i18n_input_t)
|
|
- fs_read_nfs_symlinks(i18n_input_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_read_cifs_files(i18n_input_t)
|
|
- fs_read_cifs_symlinks(i18n_input_t)
|
|
-')
|
|
+userdom_home_reader(i18n_input_t)
|
|
|
|
optional_policy(`
|
|
canna_stream_connect(i18n_input_t)
|
|
diff --git a/icecast.if b/icecast.if
|
|
index 580b533..c267cea 100644
|
|
--- a/icecast.if
|
|
+++ b/icecast.if
|
|
@@ -176,6 +176,14 @@ interface(`icecast_admin',`
|
|
type icecast_var_run_t;
|
|
')
|
|
|
|
+ allow $1 icecast_t:process signal_perms;
|
|
+ ps_process_pattern($1, icecast_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 icecast_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ # Allow icecast_t to restart the apache service
|
|
icecast_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 icecast_initrc_exec_t system_r;
|
|
diff --git a/icecast.te b/icecast.te
|
|
index a9e573a..d375214 100644
|
|
--- a/icecast.te
|
|
+++ b/icecast.te
|
|
@@ -65,12 +65,8 @@ dev_read_sysfs(icecast_t)
|
|
dev_read_urand(icecast_t)
|
|
dev_read_rand(icecast_t)
|
|
|
|
-domain_use_interactive_fds(icecast_t)
|
|
-
|
|
auth_use_nsswitch(icecast_t)
|
|
|
|
-miscfiles_read_localization(icecast_t)
|
|
-
|
|
tunable_policy(`icecast_use_any_tcp_ports',`
|
|
corenet_tcp_connect_all_ports(icecast_t)
|
|
corenet_sendrecv_all_client_packets(icecast_t)
|
|
diff --git a/ifplugd.if b/ifplugd.if
|
|
index 8999899..96909ae 100644
|
|
--- a/ifplugd.if
|
|
+++ b/ifplugd.if
|
|
@@ -119,7 +119,7 @@ interface(`ifplugd_admin',`
|
|
type ifplugd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 ifplugd_t:process { ptrace signal_perms };
|
|
+ allow $1 ifplugd_t:process signal_perms;
|
|
ps_process_pattern($1, ifplugd_t)
|
|
|
|
init_labeled_script_domtrans($1, ifplugd_initrc_exec_t)
|
|
diff --git a/ifplugd.te b/ifplugd.te
|
|
index b0546b4..98d7326 100644
|
|
--- a/ifplugd.te
|
|
+++ b/ifplugd.te
|
|
@@ -10,7 +10,7 @@ type ifplugd_exec_t;
|
|
init_daemon_domain(ifplugd_t, ifplugd_exec_t)
|
|
|
|
type ifplugd_etc_t;
|
|
-files_type(ifplugd_etc_t)
|
|
+files_config_file(ifplugd_etc_t)
|
|
|
|
type ifplugd_initrc_exec_t;
|
|
init_script_file(ifplugd_initrc_exec_t)
|
|
@@ -49,14 +49,11 @@ corecmd_exec_shell(ifplugd_t)
|
|
dev_read_sysfs(ifplugd_t)
|
|
|
|
domain_read_confined_domains_state(ifplugd_t)
|
|
-domain_dontaudit_read_all_domains_state(ifplugd_t)
|
|
|
|
auth_use_nsswitch(ifplugd_t)
|
|
|
|
logging_send_syslog_msg(ifplugd_t)
|
|
|
|
-miscfiles_read_localization(ifplugd_t)
|
|
-
|
|
netutils_domtrans(ifplugd_t)
|
|
|
|
sysnet_domtrans_ifconfig(ifplugd_t)
|
|
diff --git a/imaze.te b/imaze.te
|
|
index 1eb24d8..b320d51 100644
|
|
--- a/imaze.te
|
|
+++ b/imaze.te
|
|
@@ -45,7 +45,6 @@ kernel_list_proc(imazesrv_t)
|
|
kernel_read_kernel_sysctls(imazesrv_t)
|
|
kernel_read_proc_symlinks(imazesrv_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(imazesrv_t)
|
|
corenet_all_recvfrom_netlabel(imazesrv_t)
|
|
corenet_tcp_sendrecv_generic_if(imazesrv_t)
|
|
corenet_udp_sendrecv_generic_if(imazesrv_t)
|
|
@@ -71,8 +70,6 @@ auth_use_nsswitch(imazesrv_t)
|
|
|
|
logging_send_syslog_msg(imazesrv_t)
|
|
|
|
-miscfiles_read_localization(imazesrv_t)
|
|
-
|
|
userdom_use_unpriv_users_fds(imazesrv_t)
|
|
userdom_dontaudit_search_user_home_dirs(imazesrv_t)
|
|
|
|
diff --git a/inetd.if b/inetd.if
|
|
index fbb54e7..05c3777 100644
|
|
--- a/inetd.if
|
|
+++ b/inetd.if
|
|
@@ -37,6 +37,12 @@ interface(`inetd_core_service_domain',`
|
|
|
|
domtrans_pattern(inetd_t, $2, $1)
|
|
allow inetd_t $1:process { siginh sigkill };
|
|
+
|
|
+ init_domain($1, $2)
|
|
+
|
|
+ optional_policy(`
|
|
+ abrt_stream_connect($1)
|
|
+ ')
|
|
')
|
|
|
|
########################################
|
|
diff --git a/inetd.te b/inetd.te
|
|
index c6450df..ea5acd7 100644
|
|
--- a/inetd.te
|
|
+++ b/inetd.te
|
|
@@ -37,9 +37,9 @@ ifdef(`enable_mcs',`
|
|
# Local policy
|
|
#
|
|
|
|
-allow inetd_t self:capability { setuid setgid sys_resource };
|
|
+allow inetd_t self:capability { setuid setgid };
|
|
dontaudit inetd_t self:capability sys_tty_config;
|
|
-allow inetd_t self:process { setsched setexec setrlimit };
|
|
+allow inetd_t self:process { setsched setexec };
|
|
allow inetd_t self:fifo_file rw_fifo_file_perms;
|
|
allow inetd_t self:tcp_socket { accept listen };
|
|
allow inetd_t self:fd use;
|
|
@@ -61,6 +61,7 @@ kernel_read_system_state(inetd_t)
|
|
kernel_tcp_recvfrom_unlabeled(inetd_t)
|
|
|
|
corecmd_bin_domtrans(inetd_t, inetd_child_t)
|
|
+corecmd_exec_shell(inetd_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(inetd_t)
|
|
corenet_all_recvfrom_netlabel(inetd_t)
|
|
@@ -98,6 +99,11 @@ corenet_sendrecv_inetd_child_server_packets(inetd_t)
|
|
corenet_tcp_bind_inetd_child_port(inetd_t)
|
|
corenet_udp_bind_inetd_child_port(inetd_t)
|
|
|
|
+corenet_tcp_bind_echo_port(inetd_t)
|
|
+corenet_udp_bind_echo_port(inetd_t)
|
|
+corenet_tcp_bind_time_port(inetd_t)
|
|
+corenet_udp_bind_time_port(inetd_t)
|
|
+
|
|
corenet_sendrecv_ircd_server_packets(inetd_t)
|
|
corenet_tcp_bind_ircd_port(inetd_t)
|
|
|
|
@@ -157,8 +163,6 @@ auth_use_nsswitch(inetd_t)
|
|
|
|
logging_send_syslog_msg(inetd_t)
|
|
|
|
-miscfiles_read_localization(inetd_t)
|
|
-
|
|
mls_fd_share_all_levels(inetd_t)
|
|
mls_socket_read_to_clearance(inetd_t)
|
|
mls_socket_write_to_clearance(inetd_t)
|
|
@@ -188,7 +192,7 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- tftp_read_config_files(inetd_t)
|
|
+ tftp_read_config(inetd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -220,6 +224,14 @@ kernel_read_kernel_sysctls(inetd_child_t)
|
|
kernel_read_network_state(inetd_child_t)
|
|
kernel_read_system_state(inetd_child_t)
|
|
|
|
+corenet_all_recvfrom_netlabel(inetd_child_t)
|
|
+corenet_tcp_sendrecv_generic_if(inetd_child_t)
|
|
+corenet_udp_sendrecv_generic_if(inetd_child_t)
|
|
+corenet_tcp_sendrecv_generic_node(inetd_child_t)
|
|
+corenet_udp_sendrecv_generic_node(inetd_child_t)
|
|
+corenet_tcp_sendrecv_all_ports(inetd_child_t)
|
|
+corenet_udp_sendrecv_all_ports(inetd_child_t)
|
|
+
|
|
dev_read_urand(inetd_child_t)
|
|
|
|
fs_getattr_xattr_fs(inetd_child_t)
|
|
@@ -230,7 +242,11 @@ auth_use_nsswitch(inetd_child_t)
|
|
|
|
logging_send_syslog_msg(inetd_child_t)
|
|
|
|
-miscfiles_read_localization(inetd_child_t)
|
|
+sysnet_read_config(inetd_child_t)
|
|
+
|
|
+optional_policy(`
|
|
+ kerberos_use(inetd_child_t)
|
|
+')
|
|
|
|
optional_policy(`
|
|
unconfined_domain(inetd_child_t)
|
|
diff --git a/inn.if b/inn.if
|
|
index eb87f23..d3d32c3 100644
|
|
--- a/inn.if
|
|
+++ b/inn.if
|
|
@@ -124,6 +124,7 @@ interface(`inn_read_config',`
|
|
type innd_etc_t;
|
|
')
|
|
|
|
+ files_search_etc($1)
|
|
allow $1 innd_etc_t:dir list_dir_perms;
|
|
allow $1 innd_etc_t:file read_file_perms;
|
|
allow $1 innd_etc_t:lnk_file read_lnk_file_perms;
|
|
@@ -144,12 +145,31 @@ interface(`inn_read_news_lib',`
|
|
type innd_var_lib_t;
|
|
')
|
|
|
|
+ files_search_var_lib($1)
|
|
allow $1 innd_var_lib_t:dir list_dir_perms;
|
|
allow $1 innd_var_lib_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Write innd inherited news library content.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`inn_write_inherited_news_lib',`
|
|
+ gen_require(`
|
|
+ type innd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 innd_var_lib_t:file write_inherited_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Read innd news spool content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -163,6 +183,7 @@ interface(`inn_read_news_spool',`
|
|
type news_spool_t;
|
|
')
|
|
|
|
+ files_search_spool($1)
|
|
allow $1 news_spool_t:dir list_dir_perms;
|
|
allow $1 news_spool_t:file read_file_perms;
|
|
allow $1 news_spool_t:lnk_file read_lnk_file_perms;
|
|
@@ -226,8 +247,15 @@ interface(`inn_domtrans',`
|
|
interface(`inn_admin',`
|
|
gen_require(`
|
|
type innd_t, innd_etc_t, innd_log_t;
|
|
- type news_spool_t, innd_var_lib_t;
|
|
- type innd_var_run_t, innd_initrc_exec_t;
|
|
+ type news_spool_t, innd_var_lib_t, innd_var_run_t;
|
|
+ type innd_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 innd_t:process signal_perms;
|
|
+ ps_process_pattern($1, innd_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 innd_t:process ptrace;
|
|
')
|
|
|
|
init_labeled_script_domtrans($1, innd_initrc_exec_t)
|
|
diff --git a/inn.te b/inn.te
|
|
index d39f0cc..cb277f0 100644
|
|
--- a/inn.te
|
|
+++ b/inn.te
|
|
@@ -26,6 +26,7 @@ files_pid_file(innd_var_run_t)
|
|
|
|
type news_spool_t;
|
|
files_mountpoint(news_spool_t)
|
|
+files_spool_file(news_spool_t)
|
|
|
|
########################################
|
|
#
|
|
@@ -54,7 +55,7 @@ manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
|
|
manage_dirs_pattern(innd_t, innd_var_run_t, innd_var_run_t)
|
|
manage_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
|
|
manage_sock_files_pattern(innd_t, innd_var_run_t, innd_var_run_t)
|
|
-files_pid_filetrans(innd_t, innd_var_run_t, file)
|
|
+files_pid_filetrans(innd_t, innd_var_run_t, { dir file })
|
|
|
|
manage_dirs_pattern(innd_t, news_spool_t, news_spool_t)
|
|
manage_files_pattern(innd_t, news_spool_t, news_spool_t)
|
|
@@ -65,7 +66,6 @@ can_exec(innd_t, innd_exec_t)
|
|
kernel_read_kernel_sysctls(innd_t)
|
|
kernel_read_system_state(innd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(innd_t)
|
|
corenet_all_recvfrom_netlabel(innd_t)
|
|
corenet_tcp_sendrecv_generic_if(innd_t)
|
|
corenet_tcp_sendrecv_generic_node(innd_t)
|
|
@@ -91,18 +91,16 @@ fs_search_auto_mountpoints(innd_t)
|
|
|
|
files_list_spool(innd_t)
|
|
files_read_etc_runtime_files(innd_t)
|
|
-files_read_usr_files(innd_t)
|
|
|
|
auth_use_nsswitch(innd_t)
|
|
|
|
logging_send_syslog_msg(innd_t)
|
|
|
|
-miscfiles_read_localization(innd_t)
|
|
-
|
|
seutil_dontaudit_search_config(innd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(innd_t)
|
|
userdom_dontaudit_search_user_home_dirs(innd_t)
|
|
+userdom_dgram_send(innd_t)
|
|
|
|
mta_send_mail(innd_t)
|
|
|
|
diff --git a/iodine.fc b/iodine.fc
|
|
index ca07a87..6ea129c 100644
|
|
--- a/iodine.fc
|
|
+++ b/iodine.fc
|
|
@@ -1,3 +1,5 @@
|
|
/etc/rc\.d/init\.d/((iodined)|(iodine-server)) -- gen_context(system_u:object_r:iodined_initrc_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/iodine-server.* -- gen_context(system_u:object_r:iodined_unit_file_t,s0)
|
|
+
|
|
/usr/sbin/iodined -- gen_context(system_u:object_r:iodined_exec_t,s0)
|
|
diff --git a/iodine.if b/iodine.if
|
|
index a0bfbd0..47f7c75 100644
|
|
--- a/iodine.if
|
|
+++ b/iodine.if
|
|
@@ -2,6 +2,30 @@
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Execute iodined server in the iodined domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`iodined_systemctl',`
|
|
+ gen_require(`
|
|
+ type iodined_t;
|
|
+ type iodined_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ allow $1 iodined_unit_file_t:file read_file_perms;
|
|
+ allow $1 iodined_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, iodined_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## All of the rules required to
|
|
## administrate an iodined environment
|
|
## </summary>
|
|
diff --git a/iodine.te b/iodine.te
|
|
index d443fee..475b7f4 100644
|
|
--- a/iodine.te
|
|
+++ b/iodine.te
|
|
@@ -12,6 +12,9 @@ init_daemon_domain(iodined_t, iodined_exec_t)
|
|
type iodined_initrc_exec_t;
|
|
init_script_file(iodined_initrc_exec_t)
|
|
|
|
+type iodined_unit_file_t;
|
|
+systemd_unit_file(iodined_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -43,7 +46,6 @@ corenet_udp_sendrecv_dns_port(iodined_t)
|
|
|
|
corecmd_exec_shell(iodined_t)
|
|
|
|
-files_read_etc_files(iodined_t)
|
|
|
|
logging_send_syslog_msg(iodined_t)
|
|
|
|
diff --git a/irc.fc b/irc.fc
|
|
index 48e7739..c3285c2 100644
|
|
--- a/irc.fc
|
|
+++ b/irc.fc
|
|
@@ -1,6 +1,6 @@
|
|
HOME_DIR/\.ircmotd -- gen_context(system_u:object_r:irc_home_t,s0)
|
|
HOME_DIR/\.irssi(/.*)? gen_context(system_u:object_r:irc_home_t,s0)
|
|
-HOME_DIR/irclogs(/.*)? gen_context(system_u:object_r:irc_log_home_t,s0)
|
|
+HOME_DIR/irclog(/.*)? gen_context(system_u:object_r:issi_home_t,s0)
|
|
|
|
/etc/irssi\.conf -- gen_context(system_u:object_r:irc_conf_t,s0)
|
|
|
|
diff --git a/irc.if b/irc.if
|
|
index ac00fb0..36ef2e5 100644
|
|
--- a/irc.if
|
|
+++ b/irc.if
|
|
@@ -20,6 +20,7 @@ interface(`irc_role',`
|
|
attribute_role irc_roles;
|
|
type irc_t, irc_exec_t, irc_home_t;
|
|
type irc_tmp_t, irc_log_home_t;
|
|
+ type irssi_t, irssi_exec_t, irssi_home_t;
|
|
')
|
|
|
|
########################################
|
|
@@ -37,12 +38,42 @@ interface(`irc_role',`
|
|
domtrans_pattern($2, irc_exec_t, irc_t)
|
|
|
|
ps_process_pattern($2, irc_t)
|
|
- allow $2 irc_t:process { ptrace signal_perms };
|
|
-
|
|
- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 { irc_home_t irc_log_home_t irc_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
- userdom_user_home_dir_filetrans($2, irc_home_t, dir, ".irssi")
|
|
- userdom_user_home_dir_filetrans($2, irc_home_t, file, ".ircmotd")
|
|
- userdom_user_home_dir_filetrans($2, irc_log_home_t, dir, "irclogs")
|
|
+ allow $2 irc_t:process signal_perms;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 irc_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($2, irssi_exec_t, irssi_t)
|
|
+
|
|
+ allow $2 irssi_t:process signal_perms;
|
|
+ ps_process_pattern($2, irssi_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 irssi_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:dir { manage_dir_perms relabel_dir_perms };
|
|
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:file { manage_file_perms relabel_file_perms };
|
|
+ allow $2 { irc_home_t irc_log_home_t irc_tmp_t irssi_home_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
+
|
|
+ irc_filetrans_home_content($2)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Transition to alsa named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`irc_filetrans_home_content',`
|
|
+ gen_require(`
|
|
+ type irc_home_t;
|
|
+ type irssi_home_t;
|
|
+ ')
|
|
+ userdom_user_home_dir_filetrans($1, irc_home_t, file, ".ircmotd")
|
|
+ userdom_user_home_dir_filetrans($1, irc_home_t, dir, ".irssi")
|
|
+ userdom_user_home_dir_filetrans($1, irssi_home_t, dir, "irclogs")
|
|
')
|
|
diff --git a/irc.te b/irc.te
|
|
index 2636503..7e29d1d 100644
|
|
--- a/irc.te
|
|
+++ b/irc.te
|
|
@@ -31,13 +31,35 @@ typealias irc_home_t alias { user_irc_home_t staff_irc_home_t sysadm_irc_home_t
|
|
typealias irc_home_t alias { auditadm_irc_home_t secadm_irc_home_t };
|
|
userdom_user_home_content(irc_home_t)
|
|
|
|
-type irc_log_home_t;
|
|
-userdom_user_home_content(irc_log_home_t)
|
|
-
|
|
type irc_tmp_t;
|
|
typealias irc_tmp_t alias { user_irc_tmp_t staff_irc_tmp_t sysadm_irc_tmp_t };
|
|
typealias irc_tmp_t alias { auditadm_irc_tmp_t secadm_irc_tmp_t };
|
|
-userdom_user_tmp_file(irc_tmp_t)
|
|
+userdom_user_home_content(irc_tmp_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Irssi personal declarations.
|
|
+#
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow the Irssi IRC Client to connect to any port,
|
|
+## and to bind to any unreserved port.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(irssi_use_full_network, false)
|
|
+
|
|
+type irssi_t;
|
|
+type irssi_exec_t;
|
|
+application_domain(irssi_t, irssi_exec_t)
|
|
+ubac_constrained(irssi_t)
|
|
+role irc_roles types irssi_t;
|
|
+
|
|
+type irssi_etc_t;
|
|
+files_config_file(irssi_etc_t)
|
|
+
|
|
+type irssi_home_t alias irc_log_home_t;
|
|
+userdom_user_home_content(irssi_home_t)
|
|
|
|
########################################
|
|
#
|
|
@@ -53,13 +75,7 @@ allow irc_t irc_conf_t:file read_file_perms;
|
|
manage_dirs_pattern(irc_t, irc_home_t, irc_home_t)
|
|
manage_files_pattern(irc_t, irc_home_t, irc_home_t)
|
|
manage_lnk_files_pattern(irc_t, irc_home_t, irc_home_t)
|
|
-userdom_user_home_dir_filetrans(irc_t, irc_home_t, dir, ".irssi")
|
|
-userdom_user_home_dir_filetrans(irc_t, irc_home_t, file, ".ircmotd")
|
|
-
|
|
-manage_dirs_pattern(irc_t, irc_log_home_t, irc_log_home_t)
|
|
-create_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
|
|
-append_files_pattern(irc_t, irc_log_home_t, irc_log_home_t)
|
|
-userdom_user_home_dir_filetrans(irc_t, irc_log_home_t, dir, "irclogs")
|
|
+irc_filetrans_home_content(irc_t)
|
|
|
|
manage_dirs_pattern(irc_t, irc_tmp_t, irc_tmp_t)
|
|
manage_files_pattern(irc_t, irc_tmp_t, irc_tmp_t)
|
|
@@ -70,7 +86,6 @@ files_tmp_filetrans(irc_t, irc_tmp_t, { file dir lnk_file sock_file fifo_file })
|
|
|
|
kernel_read_system_state(irc_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(irc_t)
|
|
corenet_all_recvfrom_netlabel(irc_t)
|
|
corenet_tcp_sendrecv_generic_if(irc_t)
|
|
corenet_tcp_sendrecv_generic_node(irc_t)
|
|
@@ -93,7 +108,6 @@ dev_read_rand(irc_t)
|
|
|
|
domain_use_interactive_fds(irc_t)
|
|
|
|
-files_read_usr_files(irc_t)
|
|
|
|
fs_getattr_all_fs(irc_t)
|
|
fs_search_auto_mountpoints(irc_t)
|
|
@@ -106,14 +120,16 @@ auth_use_nsswitch(irc_t)
|
|
init_read_utmp(irc_t)
|
|
init_dontaudit_lock_utmp(irc_t)
|
|
|
|
-miscfiles_read_generic_certs(irc_t)
|
|
-miscfiles_read_localization(irc_t)
|
|
-
|
|
-userdom_use_user_terminals(irc_t)
|
|
+userdom_use_inherited_user_terminals(irc_t)
|
|
|
|
userdom_manage_user_home_content_dirs(irc_t)
|
|
userdom_manage_user_home_content_files(irc_t)
|
|
-userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file })
|
|
+userdom_filetrans_home_content(irc_t)
|
|
+
|
|
+# Write to the user domain tty.
|
|
+userdom_use_inherited_user_terminals(irc_t)
|
|
+
|
|
+userdom_home_manager(irc_t)
|
|
|
|
tunable_policy(`irc_use_any_tcp_ports',`
|
|
allow irc_t self:tcp_socket { accept listen };
|
|
@@ -124,18 +140,69 @@ tunable_policy(`irc_use_any_tcp_ports',`
|
|
corenet_tcp_sendrecv_all_ports(irc_t)
|
|
')
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(irc_t)
|
|
- fs_manage_nfs_files(irc_t)
|
|
- fs_manage_nfs_symlinks(irc_t)
|
|
+optional_policy(`
|
|
+ nis_use_ypbind(irc_t)
|
|
')
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(irc_t)
|
|
- fs_manage_cifs_files(irc_t)
|
|
- fs_manage_cifs_symlinks(irc_t)
|
|
+########################################
|
|
+#
|
|
+# Irssi personal declarations.
|
|
+#
|
|
+
|
|
+allow irssi_t self:process { signal sigkill };
|
|
+allow irssi_t self:fifo_file rw_fifo_file_perms;
|
|
+allow irssi_t self:tcp_socket create_stream_socket_perms;
|
|
+
|
|
+read_files_pattern(irssi_t, irssi_etc_t, irssi_etc_t)
|
|
+
|
|
+manage_dirs_pattern(irssi_t, irssi_home_t, irssi_home_t)
|
|
+manage_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
|
|
+manage_lnk_files_pattern(irssi_t, irssi_home_t, irssi_home_t)
|
|
+irc_filetrans_home_content(irssi_t)
|
|
+userdom_search_user_home_dirs(irssi_t)
|
|
+
|
|
+kernel_read_system_state(irssi_t)
|
|
+
|
|
+corecmd_search_bin(irssi_t)
|
|
+corecmd_read_bin_symlinks(irssi_t)
|
|
+
|
|
+corenet_tcp_connect_ircd_port(irssi_t)
|
|
+corenet_tcp_sendrecv_ircd_port(irssi_t)
|
|
+corenet_sendrecv_ircd_client_packets(irssi_t)
|
|
+
|
|
+# tcp:7000 is often used for SSL irc
|
|
+corenet_tcp_connect_gatekeeper_port(irssi_t)
|
|
+corenet_tcp_sendrecv_gatekeeper_port(irssi_t)
|
|
+corenet_sendrecv_gatekeeper_client_packets(irssi_t)
|
|
+
|
|
+# Privoxy
|
|
+corenet_tcp_connect_http_cache_port(irssi_t)
|
|
+corenet_tcp_sendrecv_http_cache_port(irssi_t)
|
|
+corenet_sendrecv_http_cache_client_packets(irssi_t)
|
|
+
|
|
+corenet_tcp_bind_generic_node(irssi_t)
|
|
+
|
|
+dev_read_urand(irssi_t)
|
|
+# irssi-otr genkey.
|
|
+dev_read_rand(irssi_t)
|
|
+
|
|
+
|
|
+fs_search_auto_mountpoints(irssi_t)
|
|
+
|
|
+auth_use_nsswitch(irssi_t)
|
|
+
|
|
+
|
|
+userdom_use_inherited_user_terminals(irssi_t)
|
|
+
|
|
+tunable_policy(`irssi_use_full_network', `
|
|
+ corenet_tcp_bind_all_unreserved_ports(irssi_t)
|
|
+ corenet_tcp_connect_all_ports(irssi_t)
|
|
+ corenet_sendrecv_generic_server_packets(irssi_t)
|
|
+ corenet_sendrecv_all_client_packets(irssi_t)
|
|
')
|
|
|
|
+userdom_home_manager(irssi_t)
|
|
+
|
|
optional_policy(`
|
|
seutil_use_newrole_fds(irc_t)
|
|
')
|
|
diff --git a/ircd.if b/ircd.if
|
|
index ade9803..3620c9a 100644
|
|
--- a/ircd.if
|
|
+++ b/ircd.if
|
|
@@ -33,8 +33,8 @@ interface(`ircd_admin',`
|
|
|
|
files_search_etc($1)
|
|
admin_pattern($1, ircd_etc_t)
|
|
-
|
|
- logging_search_log($1)
|
|
+
|
|
+ logging_search_logs($1)
|
|
admin_pattern($1, ircd_log_t)
|
|
|
|
files_search_var_lib($1)
|
|
diff --git a/ircd.te b/ircd.te
|
|
index efaf4b1..bd1a132 100644
|
|
--- a/ircd.te
|
|
+++ b/ircd.te
|
|
@@ -52,7 +52,6 @@ kernel_read_kernel_sysctls(ircd_t)
|
|
|
|
corecmd_exec_bin(ircd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(ircd_t)
|
|
corenet_all_recvfrom_netlabel(ircd_t)
|
|
corenet_tcp_sendrecv_generic_if(ircd_t)
|
|
corenet_tcp_sendrecv_generic_node(ircd_t)
|
|
@@ -75,8 +74,6 @@ auth_use_nsswitch(ircd_t)
|
|
|
|
logging_send_syslog_msg(ircd_t)
|
|
|
|
-miscfiles_read_localization(ircd_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(ircd_t)
|
|
userdom_dontaudit_search_user_home_dirs(ircd_t)
|
|
|
|
diff --git a/irqbalance.te b/irqbalance.te
|
|
index e1f302d..1e5418a 100644
|
|
--- a/irqbalance.te
|
|
+++ b/irqbalance.te
|
|
@@ -35,7 +35,6 @@ kernel_rw_irq_sysctls(irqbalance_t)
|
|
|
|
dev_read_sysfs(irqbalance_t)
|
|
|
|
-files_read_etc_files(irqbalance_t)
|
|
files_read_etc_runtime_files(irqbalance_t)
|
|
|
|
fs_getattr_all_fs(irqbalance_t)
|
|
@@ -45,8 +44,6 @@ domain_use_interactive_fds(irqbalance_t)
|
|
|
|
logging_send_syslog_msg(irqbalance_t)
|
|
|
|
-miscfiles_read_localization(irqbalance_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
|
|
userdom_dontaudit_search_user_home_dirs(irqbalance_t)
|
|
|
|
diff --git a/iscsi.fc b/iscsi.fc
|
|
index 08b7560..417e630 100644
|
|
--- a/iscsi.fc
|
|
+++ b/iscsi.fc
|
|
@@ -1,19 +1,18 @@
|
|
-/etc/rc\.d/init\.d/((iscsi)|(iscsid)) -- gen_context(system_u:object_r:iscsi_initrc_exec_t,s0)
|
|
-
|
|
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
|
|
-/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
|
|
/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
|
|
|
|
/usr/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
|
|
-/usr/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
|
|
/usr/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
|
|
+/usr/sbin/iscsiadm -- gen_context(system_u:object_r:iscsid_exec_t,s0)
|
|
|
|
/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
|
|
|
|
/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
|
|
|
|
-/var/log/brcm-iscsi\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
|
|
/var/log/iscsiuio\.log.* -- gen_context(system_u:object_r:iscsi_log_t,s0)
|
|
|
|
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
|
|
/var/run/iscsiuio\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/((iscsi)|(iscsid)|(iscsiuio))\.service -- gen_context(system_u:object_r:iscsi_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/((iscsid)|(iscsiuio))\.socket -- gen_context(system_u:object_r:iscsi_unit_file_t,s0)
|
|
diff --git a/iscsi.if b/iscsi.if
|
|
index 1a35420..4b9b978 100644
|
|
--- a/iscsi.if
|
|
+++ b/iscsi.if
|
|
@@ -80,17 +80,31 @@ interface(`iscsi_read_lib_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an iscsi environment.
|
|
+## Transition to iscsi named content
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+#
|
|
+interface(`iscsi_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type iscsi_lock_t;
|
|
+ ')
|
|
+
|
|
+ files_lock_filetrans($1, iscsi_lock_t, dir, "iscsi")
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to
|
|
+## administrate an iscsi environment.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
@@ -99,16 +113,15 @@ interface(`iscsi_admin',`
|
|
gen_require(`
|
|
type iscsid_t, iscsi_lock_t, iscsi_log_t;
|
|
type iscsi_var_lib_t, iscsi_var_run_t, iscsi_tmp_t;
|
|
- type iscsi_initrc_exec_t;
|
|
+ type iscsi_unit_file_t;
|
|
')
|
|
|
|
allow $1 iscsid_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, iscsid_t)
|
|
|
|
- init_labeled_script_domtrans($1, iscsi_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 iscsi_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 iscsi_unit_file_t:file manage_file_perms;
|
|
+ allow $1 iscsi_unit_file_t:service manage_service_perms;
|
|
|
|
logging_search_logs($1)
|
|
admin_pattern($1, iscsi_log_t)
|
|
diff --git a/iscsi.te b/iscsi.te
|
|
index ca020fa..775dd9f 100644
|
|
--- a/iscsi.te
|
|
+++ b/iscsi.te
|
|
@@ -9,8 +9,8 @@ type iscsid_t;
|
|
type iscsid_exec_t;
|
|
init_daemon_domain(iscsid_t, iscsid_exec_t)
|
|
|
|
-type iscsi_initrc_exec_t;
|
|
-init_script_file(iscsi_initrc_exec_t)
|
|
+type iscsi_unit_file_t;
|
|
+systemd_unit_file(iscsi_unit_file_t)
|
|
|
|
type iscsi_lock_t;
|
|
files_lock_file(iscsi_lock_t)
|
|
@@ -32,8 +32,7 @@ files_pid_file(iscsi_var_run_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
|
|
-dontaudit iscsid_t self:capability sys_ptrace;
|
|
+allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_module sys_resource };
|
|
allow iscsid_t self:process { setrlimit setsched signal };
|
|
allow iscsid_t self:fifo_file rw_fifo_file_perms;
|
|
allow iscsid_t self:unix_stream_socket { accept connectto listen };
|
|
@@ -64,11 +63,12 @@ files_pid_filetrans(iscsid_t, iscsi_var_run_t, file)
|
|
|
|
can_exec(iscsid_t, iscsid_exec_t)
|
|
|
|
+kernel_request_load_module(iscsid_t)
|
|
kernel_read_network_state(iscsid_t)
|
|
kernel_read_system_state(iscsid_t)
|
|
kernel_setsched(iscsid_t)
|
|
+kernel_request_load_module(iscsid_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(iscsid_t)
|
|
corenet_all_recvfrom_netlabel(iscsid_t)
|
|
corenet_tcp_sendrecv_generic_if(iscsid_t)
|
|
corenet_tcp_sendrecv_generic_node(iscsid_t)
|
|
@@ -85,21 +85,26 @@ corenet_sendrecv_isns_client_packets(iscsid_t)
|
|
corenet_tcp_connect_isns_port(iscsid_t)
|
|
corenet_tcp_sendrecv_isns_port(iscsid_t)
|
|
|
|
-dev_read_raw_memory(iscsid_t)
|
|
+corenet_sendrecv_winshadow_client_packets(iscsid_t)
|
|
+corenet_tcp_connect_winshadow_port(iscsid_t)
|
|
+corenet_tcp_sendrecv_winshadow_port(iscsid_t)
|
|
+
|
|
+dev_read_urand(iscsid_t)
|
|
dev_rw_sysfs(iscsid_t)
|
|
dev_rw_userio_dev(iscsid_t)
|
|
-dev_write_raw_memory(iscsid_t)
|
|
|
|
domain_use_interactive_fds(iscsid_t)
|
|
domain_dontaudit_read_all_domains_state(iscsid_t)
|
|
|
|
+files_read_kernel_modules(iscsid_t)
|
|
+
|
|
auth_use_nsswitch(iscsid_t)
|
|
|
|
init_stream_connect_script(iscsid_t)
|
|
|
|
logging_send_syslog_msg(iscsid_t)
|
|
|
|
-miscfiles_read_localization(iscsid_t)
|
|
+modutils_read_module_config(iscsid_t)
|
|
|
|
optional_policy(`
|
|
tgtd_manage_semaphores(iscsid_t)
|
|
diff --git a/isns.te b/isns.te
|
|
index bc11034..107ed2f 100644
|
|
--- a/isns.te
|
|
+++ b/isns.te
|
|
@@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t)
|
|
allow isnsd_t self:capability kill;
|
|
allow isnsd_t self:process signal;
|
|
allow isnsd_t self:fifo_file rw_fifo_file_perms;
|
|
+allow isnsd_t self:tcp_socket { listen };
|
|
allow isnsd_t self:udp_socket { accept listen };
|
|
allow isnsd_t self:unix_stream_socket { accept listen };
|
|
|
|
@@ -46,8 +47,6 @@ corenet_tcp_bind_generic_node(isnsd_t)
|
|
corenet_sendrecv_isns_server_packets(isnsd_t)
|
|
corenet_tcp_bind_isns_port(isnsd_t)
|
|
|
|
-files_read_etc_files(isnsd_t)
|
|
-
|
|
logging_send_syslog_msg(isnsd_t)
|
|
|
|
miscfiles_read_localization(isnsd_t)
|
|
diff --git a/jabber.fc b/jabber.fc
|
|
index 59ad3b3..bd02cc8 100644
|
|
--- a/jabber.fc
|
|
+++ b/jabber.fc
|
|
@@ -1,25 +1,18 @@
|
|
-/etc/rc\.d/init\.d/((jabber)|(ejabberd)|(jabberd)) -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/jabberd -- gen_context(system_u:object_r:jabberd_initrc_exec_t,s0)
|
|
|
|
-/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
|
|
-/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
|
|
-/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
|
|
-/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
|
|
+/usr/bin/router -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
|
|
+/usr/bin/c2s -- gen_context(system_u:object_r:jabberd_router_exec_t,s0)
|
|
+/usr/bin/s2s -- gen_context(system_u:object_r:jabberd_exec_t,s0)
|
|
+/usr/bin/sm -- gen_context(system_u:object_r:jabberd_exec_t,s0)
|
|
|
|
-/usr/sbin/ejabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
|
|
-/usr/sbin/ejabberdctl -- gen_context(system_u:object_r:jabberd_exec_t,s0)
|
|
-/usr/sbin/jabberd -- gen_context(system_u:object_r:jabberd_exec_t,s0)
|
|
+/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
|
|
|
|
-/var/lock/ejabberdctl(/.*) gen_context(system_u:object_r:jabberd_lock_t,s0)
|
|
+# pyicq-t
|
|
|
|
-/var/log/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
|
|
-/var/log/jabber(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
|
|
+/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
|
|
|
|
-/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
|
|
-/var/lib/ejabberd/spool(/.*)? gen_context(system_u:object_r:jabberd_spool_t,s0)
|
|
-/var/lib/jabber(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
|
|
-/var/lib/jabberd(/.*)? gen_context(system_u:object_r:jabberd_var_lib_t,s0)
|
|
-/var/lib/jabberd/log(/.*)? gen_context(system_u:object_r:jabberd_log_t,s0)
|
|
-/var/lib/jabberd/pid(/.*)? gen_context(system_u:object_r:jabberd_var_run_t,s0)
|
|
+/var/log/pyicq-t\.log.* gen_context(system_u:object_r:pyicqt_log_t,s0)
|
|
|
|
-/var/run/ejabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
|
|
-/var/run/jabber\.pid -- gen_context(system_u:object_r:jabberd_var_run_t,s0)
|
|
+/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
|
|
+
|
|
+/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_spool_t,s0)
|
|
diff --git a/jabber.if b/jabber.if
|
|
index 7eb3811..b52a6ae 100644
|
|
--- a/jabber.if
|
|
+++ b/jabber.if
|
|
@@ -1,29 +1,76 @@
|
|
-## <summary>Jabber instant messaging servers.</summary>
|
|
+## <summary>Jabber instant messaging server</summary>
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Creates types and rules for a basic
|
|
+## jabber init daemon domain.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## Prefix for the domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`jabber_domain_template',`
|
|
+ gen_require(`
|
|
+ attribute jabberd_domain;
|
|
+ ')
|
|
+
|
|
+ ##############################
|
|
+ #
|
|
+ # $1_t declarations
|
|
+ #
|
|
+
|
|
+ type $1_t, jabberd_domain;
|
|
+ type $1_exec_t;
|
|
+ init_daemon_domain($1_t, $1_exec_t)
|
|
+
|
|
+ kernel_read_system_state($1_t)
|
|
+
|
|
+ corenet_all_recvfrom_netlabel($1_t)
|
|
+
|
|
+ logging_send_syslog_msg($1_t)
|
|
+')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## The template to define a jabber domain.
|
|
+## Execute a domain transition to run jabberd services
|
|
## </summary>
|
|
-## <param name="domain_prefix">
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-template(`jabber_domain_template',`
|
|
+interface(`jabber_domtrans_jabberd',`
|
|
gen_require(`
|
|
- attribute jabberd_domain;
|
|
+ type jabberd_t, jabberd_exec_t;
|
|
')
|
|
|
|
- type $1_t, jabberd_domain;
|
|
- type $1_exec_t;
|
|
- init_daemon_domain($1_t, $1_exec_t)
|
|
+ domtrans_pattern($1, jabberd_exec_t, jabberd_t)
|
|
')
|
|
|
|
-########################################
|
|
+######################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## jabber lib files.
|
|
+## Execute a domain transition to run jabberd router service
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jabber_domtrans_jabberd_router',`
|
|
+ gen_require(`
|
|
+ type jabberd_router_t, jabberd_router_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, jabberd_router_exec_t, jabberd_router_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Read jabberd lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -31,18 +78,37 @@ template(`jabber_domain_template',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`jabber_manage_lib_files',`
|
|
+interface(`jabberd_read_lib_files',`
|
|
gen_require(`
|
|
type jabberd_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
- manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
|
|
+ read_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
+## <summary>
|
|
+## Dontaudit inherited read jabberd lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jabberd_dontaudit_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type jabberd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 jabberd_var_lib_t:file read_inherited_file_perms;
|
|
+')
|
|
+
|
|
+#######################################
|
|
## <summary>
|
|
-## Connect to jabber over a TCP socket (Deprecated)
|
|
+## Create, read, write, and delete
|
|
+## jabberd lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -50,14 +116,19 @@ interface(`jabber_manage_lib_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`jabber_tcp_connect',`
|
|
- refpolicywarn(`$0($*) has been deprecated.')
|
|
+interface(`jabberd_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type jabberd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, jabberd_var_lib_t, jabberd_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an jabber environment.
|
|
+## All of the rules required to administrate
|
|
+## an jabber environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -66,20 +137,26 @@ interface(`jabber_tcp_connect',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the jabber domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`jabber_admin',`
|
|
gen_require(`
|
|
- attribute jabberd_domain;
|
|
- type jabberd_lock_t, jabberd_log_t, jabberd_spool_t;
|
|
- type jabberd_var_lib_t, jabberd_var_run_t, jabberd_initrc_exec_t;
|
|
+ type jabberd_t, jabberd_var_lib_t;
|
|
+ type jabberd_initrc_exec_t, jabberd_router_t;
|
|
')
|
|
|
|
- allow $1 jabberd_domain:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, jabberd_domain)
|
|
+ allow $1 jabberd_t:process signal_perms;
|
|
+ ps_process_pattern($1, jabberd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 jabberd_t:process ptrace;
|
|
+ allow $1 jabberd_router_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ allow $1 jabberd_router_t:process signal_perms;
|
|
+ ps_process_pattern($1, jabberd_router_t)
|
|
|
|
init_labeled_script_domtrans($1, jabberd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
@@ -97,7 +174,4 @@ interface(`jabber_admin',`
|
|
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, jabberd_var_lib_t)
|
|
-
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, jabberd_var_run_t)
|
|
')
|
|
diff --git a/jabber.te b/jabber.te
|
|
index af67c36..aa88a0a 100644
|
|
--- a/jabber.te
|
|
+++ b/jabber.te
|
|
@@ -9,129 +9,133 @@ attribute jabberd_domain;
|
|
|
|
jabber_domain_template(jabberd)
|
|
jabber_domain_template(jabberd_router)
|
|
+jabber_domain_template(pyicqt)
|
|
|
|
type jabberd_initrc_exec_t;
|
|
init_script_file(jabberd_initrc_exec_t)
|
|
|
|
-type jabberd_lock_t;
|
|
-files_lock_file(jabberd_lock_t)
|
|
-
|
|
-type jabberd_log_t;
|
|
-logging_log_file(jabberd_log_t)
|
|
-
|
|
-type jabberd_spool_t;
|
|
-files_type(jabberd_spool_t)
|
|
-
|
|
+# type which includes log/pid files pro jabberd components
|
|
type jabberd_var_lib_t;
|
|
files_type(jabberd_var_lib_t)
|
|
|
|
-type jabberd_var_run_t;
|
|
-files_pid_file(jabberd_var_run_t)
|
|
+# pyicq-t types
|
|
+type pyicqt_log_t;
|
|
+logging_log_file(pyicqt_log_t);
|
|
|
|
-########################################
|
|
-#
|
|
-# Common local policy
|
|
-#
|
|
+type pyicqt_var_spool_t;
|
|
+files_spool_file(pyicqt_var_spool_t)
|
|
|
|
-allow jabberd_domain self:process signal_perms;
|
|
-allow jabberd_domain self:fifo_file rw_fifo_file_perms;
|
|
-allow jabberd_domain self:tcp_socket { accept listen };
|
|
+type pyicqt_var_run_t;
|
|
+files_pid_file(pyicqt_var_run_t)
|
|
|
|
-manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
|
|
+######################################
|
|
+#
|
|
+# Local policy for jabberd-router and c2s components
|
|
+#
|
|
|
|
-kernel_read_system_state(jabberd_domain)
|
|
+allow jabberd_router_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
-corenet_all_recvfrom_unlabeled(jabberd_domain)
|
|
-corenet_all_recvfrom_netlabel(jabberd_domain)
|
|
-corenet_tcp_sendrecv_generic_if(jabberd_domain)
|
|
-corenet_tcp_sendrecv_generic_node(jabberd_domain)
|
|
-corenet_tcp_bind_generic_node(jabberd_domain)
|
|
+manage_files_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
|
|
+manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
|
|
|
|
-dev_read_urand(jabberd_domain)
|
|
-dev_read_sysfs(jabberd_domain)
|
|
+kernel_read_network_state(jabberd_router_t)
|
|
|
|
-fs_getattr_all_fs(jabberd_domain)
|
|
+corenet_tcp_bind_jabber_client_port(jabberd_router_t)
|
|
+corenet_tcp_bind_jabber_router_port(jabberd_router_t)
|
|
+corenet_tcp_connect_jabber_router_port(jabberd_router_t)
|
|
+corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
|
|
+corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
|
|
|
|
-logging_send_syslog_msg(jabberd_domain)
|
|
+fs_getattr_all_fs(jabberd_router_t)
|
|
|
|
-miscfiles_read_localization(jabberd_domain)
|
|
+miscfiles_read_generic_certs(jabberd_router_t)
|
|
|
|
optional_policy(`
|
|
- nis_use_ypbind(jabberd_domain)
|
|
+ kerberos_use(jabberd_router_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- seutil_sigchld_newrole(jabberd_domain)
|
|
+ nis_use_ypbind(jabberd_router_t)
|
|
')
|
|
|
|
-########################################
|
|
+#####################################
|
|
#
|
|
-# Local policy
|
|
+# Local policy for other jabberd components
|
|
#
|
|
|
|
-allow jabberd_t self:capability dac_override;
|
|
-dontaudit jabberd_t self:capability sys_tty_config;
|
|
-allow jabberd_t self:tcp_socket create_socket_perms;
|
|
-allow jabberd_t self:udp_socket create_socket_perms;
|
|
+manage_files_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
|
|
+manage_dirs_pattern(jabberd_t, jabberd_var_lib_t, jabberd_var_lib_t)
|
|
|
|
-manage_files_pattern(jabberd_t, jabberd_lock_t, jabberd_lock_t)
|
|
+corenet_tcp_bind_jabber_interserver_port(jabberd_t)
|
|
+corenet_tcp_connect_jabber_interserver_port(jabberd_t)
|
|
+corenet_tcp_connect_jabber_router_port(jabberd_t)
|
|
|
|
-allow jabberd_t jabberd_log_t:dir setattr_dir_perms;
|
|
-append_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
|
|
-create_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
|
|
-setattr_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
|
|
-logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
|
|
+userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
|
|
+userdom_dontaudit_search_user_home_dirs(jabberd_t)
|
|
|
|
-manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
|
|
+miscfiles_read_certs(jabberd_t)
|
|
|
|
-manage_files_pattern(jabberd_t, jabberd_var_run_t, jabberd_var_run_t)
|
|
-files_pid_filetrans(jabberd_t, jabberd_var_run_t, file)
|
|
+optional_policy(`
|
|
+ seutil_sigchld_newrole(jabberd_t)
|
|
+')
|
|
|
|
-kernel_read_kernel_sysctls(jabberd_t)
|
|
+optional_policy(`
|
|
+ udev_read_db(jabberd_t)
|
|
+')
|
|
|
|
-corenet_sendrecv_jabber_client_server_packets(jabberd_t)
|
|
-corenet_tcp_bind_jabber_client_port(jabberd_t)
|
|
-corenet_tcp_sendrecv_jabber_client_port(jabberd_t)
|
|
+######################################
|
|
+#
|
|
+# Local policy for pyicq-t
|
|
+#
|
|
|
|
-corenet_sendrecv_jabber_interserver_server_packets(jabberd_t)
|
|
-corenet_tcp_bind_jabber_interserver_port(jabberd_t)
|
|
-corenet_tcp_sendrecv_jabber_interserver_port(jabberd_t)
|
|
+# need for /var/log/pyicq-t.log
|
|
+manage_files_pattern(pyicqt_t, pyicqt_log_t, pyicqt_log_t)
|
|
+logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
|
|
|
|
-dev_read_rand(jabberd_t)
|
|
+manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t);
|
|
|
|
-domain_use_interactive_fds(jabberd_t)
|
|
+files_search_spool(pyicqt_t)
|
|
+manage_files_pattern(pyicqt_t, pyicqt_var_spool_t, pyicqt_var_spool_t);
|
|
|
|
-files_read_etc_files(jabberd_t)
|
|
-files_read_etc_runtime_files(jabberd_t)
|
|
+corenet_tcp_bind_jabber_router_port(pyicqt_t)
|
|
+corenet_tcp_connect_jabber_router_port(pyicqt_t)
|
|
|
|
-fs_search_auto_mountpoints(jabberd_t)
|
|
+corecmd_exec_bin(pyicqt_t)
|
|
|
|
-sysnet_read_config(jabberd_t)
|
|
+dev_read_urand(pyicqt_t)
|
|
|
|
-userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
|
|
-userdom_dontaudit_search_user_home_dirs(jabberd_t)
|
|
+auth_use_nsswitch(pyicqt_t)
|
|
|
|
+# needed for pyicq-t-mysql
|
|
optional_policy(`
|
|
- udev_read_db(jabberd_t)
|
|
+ corenet_tcp_connect_mysqld_port(pyicqt_t)
|
|
')
|
|
|
|
-########################################
|
|
+optional_policy(`
|
|
+ sysnet_use_ldap(pyicqt_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
#
|
|
-# Router local policy
|
|
+# Local policy for jabberd domains
|
|
#
|
|
|
|
-manage_dirs_pattern(jabberd_router_t, jabberd_var_lib_t, jabberd_var_lib_t)
|
|
+allow jabberd_domain self:process signal_perms;
|
|
+allow jabberd_domain self:fifo_file rw_fifo_file_perms;
|
|
+allow jabberd_domain self:tcp_socket create_stream_socket_perms;
|
|
+allow jabberd_domain self:udp_socket create_socket_perms;
|
|
|
|
-kernel_read_network_state(jabberd_router_t)
|
|
+corenet_tcp_sendrecv_generic_if(jabberd_domain)
|
|
+corenet_udp_sendrecv_generic_if(jabberd_domain)
|
|
+corenet_tcp_sendrecv_generic_node(jabberd_domain)
|
|
+corenet_udp_sendrecv_generic_node(jabberd_domain)
|
|
+corenet_tcp_sendrecv_all_ports(jabberd_domain)
|
|
+corenet_udp_sendrecv_all_ports(jabberd_domain)
|
|
+corenet_tcp_bind_generic_node(jabberd_domain)
|
|
|
|
-corenet_sendrecv_jabber_client_server_packets(jabberd_router_t)
|
|
-corenet_tcp_bind_jabber_client_port(jabberd_router_t)
|
|
-corenet_tcp_sendrecv_jabber_client_port(jabberd_router_t)
|
|
+dev_read_sysfs(jabberd_domain)
|
|
+dev_read_urand(jabberd_domain)
|
|
|
|
-# corenet_sendrecv_jabber_router_server_packets(jabberd_router_t)
|
|
-# corenet_tcp_bind_jabber_router_port(jabberd_router_t)
|
|
-# corenet_sendrecv_jabber_router_client_packets(jabberd_router_t)
|
|
-# corenet_tcp_connect_jabber_router_port(jabberd_router_t)
|
|
-# corenet_tcp_sendrecv_jabber_router_port(jabberd_router_t)
|
|
+files_read_etc_runtime_files(jabberd_domain)
|
|
|
|
-auth_use_nsswitch(jabberd_router_t)
|
|
+sysnet_read_config(jabberd_domain)
|
|
diff --git a/java.te b/java.te
|
|
index a7ae153..6341e31 100644
|
|
--- a/java.te
|
|
+++ b/java.te
|
|
@@ -11,7 +11,7 @@ policy_module(java, 2.7.0)
|
|
## its stack executable.
|
|
## </p>
|
|
## </desc>
|
|
-gen_tunable(allow_java_execstack, false)
|
|
+gen_tunable(java_execstack, false)
|
|
|
|
attribute java_domain;
|
|
|
|
@@ -90,7 +90,6 @@ dev_read_urand(java_domain)
|
|
dev_read_rand(java_domain)
|
|
dev_dontaudit_append_rand(java_domain)
|
|
|
|
-files_read_usr_files(java_domain)
|
|
files_read_etc_runtime_files(java_domain)
|
|
|
|
fs_getattr_all_fs(java_domain)
|
|
@@ -108,11 +107,11 @@ userdom_manage_user_home_content_files(java_domain)
|
|
userdom_manage_user_home_content_symlinks(java_domain)
|
|
userdom_manage_user_home_content_pipes(java_domain)
|
|
userdom_manage_user_home_content_sockets(java_domain)
|
|
-userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file })
|
|
+userdom_filetrans_home_content(java_domain_t)
|
|
|
|
userdom_write_user_tmp_sockets(java_domain)
|
|
|
|
-tunable_policy(`allow_java_execstack',`
|
|
+tunable_policy(`java_execstack',`
|
|
allow java_domain self:process { execmem execstack };
|
|
|
|
libs_legacy_use_shared_libs(java_domain)
|
|
diff --git a/jetty.fc b/jetty.fc
|
|
new file mode 100644
|
|
index 0000000..1725b7e
|
|
--- /dev/null
|
|
+++ b/jetty.fc
|
|
@@ -0,0 +1,9 @@
|
|
+
|
|
+/var/cache/jetty(/.*)? gen_context(system_u:object_r:jetty_cache_t,s0)
|
|
+
|
|
+/var/lib/jetty(/.*)? gen_context(system_u:object_r:jetty_var_lib_t,s0)
|
|
+
|
|
+/var/log/jetty(/.*)? gen_context(system_u:object_r:jetty_log_t,s0)
|
|
+
|
|
+/var/run/jetty(/.*)? gen_context(system_u:object_r:jetty_var_run_t,s0)
|
|
+
|
|
diff --git a/jetty.if b/jetty.if
|
|
new file mode 100644
|
|
index 0000000..2abc285
|
|
--- /dev/null
|
|
+++ b/jetty.if
|
|
@@ -0,0 +1,268 @@
|
|
+
|
|
+## <summary>policy for jetty</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search jetty cache directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jetty_search_cache',`
|
|
+ gen_require(`
|
|
+ type jetty_cache_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 jetty_cache_t:dir search_dir_perms;
|
|
+ files_search_var($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read jetty cache files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jetty_read_cache_files',`
|
|
+ gen_require(`
|
|
+ type jetty_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ read_files_pattern($1, jetty_cache_t, jetty_cache_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## jetty cache files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jetty_manage_cache_files',`
|
|
+ gen_require(`
|
|
+ type jetty_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ manage_files_pattern($1, jetty_cache_t, jetty_cache_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage jetty cache dirs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jetty_manage_cache_dirs',`
|
|
+ gen_require(`
|
|
+ type jetty_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ manage_dirs_pattern($1, jetty_cache_t, jetty_cache_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read jetty's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`jetty_read_log',`
|
|
+ gen_require(`
|
|
+ type jetty_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, jetty_log_t, jetty_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Append to jetty log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jetty_append_log',`
|
|
+ gen_require(`
|
|
+ type jetty_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, jetty_log_t, jetty_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage jetty log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jetty_manage_log',`
|
|
+ gen_require(`
|
|
+ type jetty_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ manage_dirs_pattern($1, jetty_log_t, jetty_log_t)
|
|
+ manage_files_pattern($1, jetty_log_t, jetty_log_t)
|
|
+ manage_lnk_files_pattern($1, jetty_log_t, jetty_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search jetty lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jetty_search_lib',`
|
|
+ gen_require(`
|
|
+ type jetty_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 jetty_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read jetty lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jetty_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type jetty_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage jetty lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jetty_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type jetty_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage jetty lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jetty_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type jetty_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, jetty_var_lib_t, jetty_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read jetty PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jetty_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type jetty_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ allow $1 jetty_var_run_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an jetty environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`jetty_admin',`
|
|
+ gen_require(`
|
|
+ type jetty_cache_t;
|
|
+ type jetty_log_t;
|
|
+ type jetty_var_lib_t;
|
|
+ type jetty_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ admin_pattern($1, jetty_cache_t)
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ admin_pattern($1, jetty_log_t)
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ admin_pattern($1, jetty_var_lib_t)
|
|
+
|
|
+ files_search_pids($1)
|
|
+ admin_pattern($1, jetty_var_run_t)
|
|
+')
|
|
diff --git a/jetty.te b/jetty.te
|
|
new file mode 100644
|
|
index 0000000..af510ea
|
|
--- /dev/null
|
|
+++ b/jetty.te
|
|
@@ -0,0 +1,25 @@
|
|
+policy_module(jetty, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type jetty_cache_t;
|
|
+files_type(jetty_cache_t)
|
|
+
|
|
+type jetty_log_t;
|
|
+logging_log_file(jetty_log_t)
|
|
+
|
|
+type jetty_var_lib_t;
|
|
+files_type(jetty_var_lib_t)
|
|
+
|
|
+type jetty_var_run_t;
|
|
+files_pid_file(jetty_var_run_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# jetty local policy
|
|
+#
|
|
+
|
|
+# No local policy. This module just contains type definitions
|
|
diff --git a/jockey.if b/jockey.if
|
|
index 2fb7a20..c6ba007 100644
|
|
--- a/jockey.if
|
|
+++ b/jockey.if
|
|
@@ -1 +1,131 @@
|
|
-## <summary>Jockey driver manager.</summary>
|
|
+
|
|
+## <summary>policy for jockey</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to jockey.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jockey_domtrans',`
|
|
+ gen_require(`
|
|
+ type jockey_t, jockey_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, jockey_exec_t, jockey_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search jockey cache directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jockey_search_cache',`
|
|
+ gen_require(`
|
|
+ type jockey_cache_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 jockey_cache_t:dir search_dir_perms;
|
|
+ files_search_var($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read jockey cache files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jockey_read_cache_files',`
|
|
+ gen_require(`
|
|
+ type jockey_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ read_files_pattern($1, jockey_cache_t, jockey_cache_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## jockey cache files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jockey_manage_cache_files',`
|
|
+ gen_require(`
|
|
+ type jockey_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ manage_files_pattern($1, jockey_cache_t, jockey_cache_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage jockey cache dirs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jockey_manage_cache_dirs',`
|
|
+ gen_require(`
|
|
+ type jockey_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ manage_dirs_pattern($1, jockey_cache_t, jockey_cache_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an jockey environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`jockey_admin',`
|
|
+ gen_require(`
|
|
+ type jockey_t;
|
|
+ type jockey_cache_t;
|
|
+ type jockey_var_log_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 jockey_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, jockey_t)
|
|
+
|
|
+ files_search_var($1)
|
|
+ admin_pattern($1, jockey_cache_t)
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ admin_pattern($1, jockey_var_log_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+')
|
|
diff --git a/jockey.te b/jockey.te
|
|
index d59ec10..dec1b3b 100644
|
|
--- a/jockey.te
|
|
+++ b/jockey.te
|
|
@@ -44,16 +44,19 @@ dev_read_urand(jockey_t)
|
|
|
|
domain_use_interactive_fds(jockey_t)
|
|
|
|
-files_read_etc_files(jockey_t)
|
|
-files_read_usr_files(jockey_t)
|
|
|
|
-miscfiles_read_localization(jockey_t)
|
|
+auth_read_passwd(jockey_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_domain(jockey_t, jockey_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ gnome_dontaudit_search_config(jockey_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
modutils_domtrans_insmod(jockey_t)
|
|
modutils_read_module_config(jockey_t)
|
|
+ modutils_list_module_config(jockey_t)
|
|
')
|
|
diff --git a/journalctl.fc b/journalctl.fc
|
|
new file mode 100644
|
|
index 0000000..f270652
|
|
--- /dev/null
|
|
+++ b/journalctl.fc
|
|
@@ -0,0 +1 @@
|
|
+/usr/bin/journalctl -- gen_context(system_u:object_r:journalctl_exec_t,s0)
|
|
diff --git a/journalctl.if b/journalctl.if
|
|
new file mode 100644
|
|
index 0000000..9d32f23
|
|
--- /dev/null
|
|
+++ b/journalctl.if
|
|
@@ -0,0 +1,76 @@
|
|
+
|
|
+## <summary>policy for journalctl</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute TEMPLATE in the journalctl domin.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`journalctl_domtrans',`
|
|
+ gen_require(`
|
|
+ type journalctl_t, journalctl_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, journalctl_exec_t, journalctl_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute journalctl in the journalctl domain, and
|
|
+## allow the specified role the journalctl domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed the journalctl domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`journalctl_run',`
|
|
+ gen_require(`
|
|
+ type journalctl_t;
|
|
+ attribute_role journalctl_roles;
|
|
+ ')
|
|
+
|
|
+ journalctl_domtrans($1)
|
|
+ roleattribute $2 journalctl_roles;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Role access for journalctl
|
|
+## </summary>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## User domain for the role
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`journalctl_role',`
|
|
+ gen_require(`
|
|
+ type journalctl_t;
|
|
+ attribute_role journalctl_roles;
|
|
+ ')
|
|
+
|
|
+ roleattribute $1 journalctl_roles;
|
|
+
|
|
+ journalctl_domtrans($2)
|
|
+
|
|
+ ps_process_pattern($2, journalctl_t)
|
|
+ allow $2 journalctl_t:process { signull signal sigkill };
|
|
+')
|
|
diff --git a/journalctl.te b/journalctl.te
|
|
new file mode 100644
|
|
index 0000000..5de3229
|
|
--- /dev/null
|
|
+++ b/journalctl.te
|
|
@@ -0,0 +1,44 @@
|
|
+policy_module(journalctl, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+attribute_role journalctl_roles;
|
|
+roleattribute system_r journalctl_roles;
|
|
+
|
|
+type journalctl_t;
|
|
+type journalctl_exec_t;
|
|
+application_domain(journalctl_t, journalctl_exec_t)
|
|
+
|
|
+role journalctl_roles types journalctl_t;
|
|
+
|
|
+########################################
|
|
+#
|
|
+# journalctl local policy
|
|
+#
|
|
+allow journalctl_t self:process { fork signal_perms };
|
|
+
|
|
+allow journalctl_t self:fifo_file manage_fifo_file_perms;
|
|
+allow journalctl_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+kernel_read_system_state(journalctl_t)
|
|
+
|
|
+corecmd_exec_bin(journalctl_t)
|
|
+
|
|
+domain_use_interactive_fds(journalctl_t)
|
|
+
|
|
+files_read_etc_files(journalctl_t)
|
|
+
|
|
+fs_getattr_all_fs(journalctl_t)
|
|
+
|
|
+userdom_list_user_home_dirs(journalctl_t)
|
|
+userdom_read_user_home_content_files(journalctl_t)
|
|
+userdom_use_inherited_user_ptys(journalctl_t)
|
|
+userdom_write_inherited_user_tmp_files(journalctl_t)
|
|
+userdom_rw_inherited_user_tmpfs_files(journalctl_t)
|
|
+userdom_rw_inherited_user_home_content_files(journalctl_t)
|
|
+
|
|
+miscfiles_read_localization(journalctl_t)
|
|
+logging_read_generic_logs(journalctl_t)
|
|
diff --git a/kde.fc b/kde.fc
|
|
new file mode 100644
|
|
index 0000000..25e4b68
|
|
--- /dev/null
|
|
+++ b/kde.fc
|
|
@@ -0,0 +1 @@
|
|
+#/usr/libexec/kde(3|4)/backlighthelper -- gen_context(system_u:object_r:kdebacklighthelper_exec_t,s0)
|
|
diff --git a/kde.if b/kde.if
|
|
new file mode 100644
|
|
index 0000000..cf65577
|
|
--- /dev/null
|
|
+++ b/kde.if
|
|
@@ -0,0 +1,22 @@
|
|
+## <summary> Policy for KDE components </summary>
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Send and receive messages from
|
|
+## firewallgui over dbus.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`kde_dbus_chat_backlighthelper',`
|
|
+ gen_require(`
|
|
+ type kdebacklighthelper_t;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
+
|
|
+ allow $1 kdebacklighthelper_t:dbus send_msg;
|
|
+ allow kdebacklighthelper_t $1:dbus send_msg;
|
|
+')
|
|
diff --git a/kde.te b/kde.te
|
|
new file mode 100644
|
|
index 0000000..dbe3f03
|
|
--- /dev/null
|
|
+++ b/kde.te
|
|
@@ -0,0 +1,41 @@
|
|
+policy_module(kde,1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type kdebacklighthelper_t;
|
|
+type kdebacklighthelper_exec_t;
|
|
+init_daemon_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# backlighthelper local policy
|
|
+#
|
|
+
|
|
+allow kdebacklighthelper_t self:fifo_file rw_fifo_file_perms;
|
|
+
|
|
+kernel_read_system_state(kdebacklighthelper_t)
|
|
+
|
|
+# r/w brightness values
|
|
+dev_rw_sysfs(kdebacklighthelper_t)
|
|
+
|
|
+files_read_etc_runtime_files(kdebacklighthelper_t)
|
|
+
|
|
+fs_getattr_all_fs(kdebacklighthelper_t)
|
|
+
|
|
+logging_send_syslog_msg(kdebacklighthelper_t)
|
|
+
|
|
+optional_policy(`
|
|
+ dbus_system_domain(kdebacklighthelper_t, kdebacklighthelper_exec_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ consolekit_dbus_chat(kdebacklighthelper_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ policykit_dbus_chat(kdebacklighthelper_t)
|
|
+')
|
|
+
|
|
diff --git a/kdump.fc b/kdump.fc
|
|
index a49ae4e..0c0e987 100644
|
|
--- a/kdump.fc
|
|
+++ b/kdump.fc
|
|
@@ -1,13 +1,16 @@
|
|
/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
|
|
+/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
|
|
|
|
-/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
|
|
+/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
|
|
+/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
|
|
|
|
-/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
|
|
|
|
-/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
|
|
+/usr/lib/systemd/system/kdump\.service -- gen_context(system_u:object_r:kdump_unit_file_t,s0)
|
|
|
|
-/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
|
|
-/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
|
|
+/usr/bin/kdumpctl -- gen_context(system_u:object_r:kdumpctl_exec_t,s0)
|
|
+/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
|
|
+/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
|
|
|
|
-/usr/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
|
|
-/usr/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)
|
|
+/var/crash(/.*)? gen_context(system_u:object_r:kdump_crash_t,s0)
|
|
+
|
|
+/var/lock/kdump(/.*)? gen_context(system_u:object_r:kdump_lock_t,s0)
|
|
diff --git a/kdump.if b/kdump.if
|
|
index 3a00b3a..21efcc4 100644
|
|
--- a/kdump.if
|
|
+++ b/kdump.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>Kernel crash dumping mechanism.</summary>
|
|
+## <summary>Kernel crash dumping mechanism</summary>
|
|
|
|
######################################
|
|
## <summary>
|
|
@@ -19,6 +19,26 @@ interface(`kdump_domtrans',`
|
|
domtrans_pattern($1, kdump_exec_t, kdump_t)
|
|
')
|
|
|
|
+######################################
|
|
+## <summary>
|
|
+## Execute kdumpctl in the kdumpctl domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`kdumpctl_domtrans',`
|
|
+ gen_require(`
|
|
+ type kdumpctl_t, kdumpctl_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, kdumpctl_exec_t, kdumpctl_t)
|
|
+')
|
|
+
|
|
+
|
|
#######################################
|
|
## <summary>
|
|
## Execute kdump in the kdump domain.
|
|
@@ -37,9 +57,33 @@ interface(`kdump_initrc_domtrans',`
|
|
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
|
|
')
|
|
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute kdump server in the kdump domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`kdump_systemctl',`
|
|
+ gen_require(`
|
|
+ type kdump_unit_file_t;
|
|
+ type kdump_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_search_unit_dirs($1)
|
|
+ allow $1 kdump_unit_file_t:file read_file_perms;
|
|
+ allow $1 kdump_unit_file_t:service all_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, kdump_t)
|
|
+')
|
|
+
|
|
#####################################
|
|
## <summary>
|
|
-## Read kdump configuration files.
|
|
+## Read kdump configuration file.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -56,10 +100,67 @@ interface(`kdump_read_config',`
|
|
allow $1 kdump_etc_t:file read_file_perms;
|
|
')
|
|
|
|
+#####################################
|
|
+## <summary>
|
|
+## Read kdump crash files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`kdump_read_crash',`
|
|
+ gen_require(`
|
|
+ type kdump_crash_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ read_files_pattern($1, kdump_crash_t, kdump_crash_t)
|
|
+ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Read kdump crash files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`kdump_manage_crash',`
|
|
+ gen_require(`
|
|
+ type kdump_crash_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ manage_files_pattern($1, kdump_crash_t, kdump_crash_t)
|
|
+ list_dirs_pattern($1, kdump_crash_t, kdump_crash_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Dontaudit read kdump configuration file.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`kdump_dontaudit_read_config',`
|
|
+ gen_require(`
|
|
+ type kdump_etc_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 kdump_etc_t:file read_inherited_file_perms;
|
|
+')
|
|
+
|
|
####################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## kdmup configuration files.
|
|
+## Manage kdump configuration file.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -76,10 +177,69 @@ interface(`kdump_manage_config',`
|
|
allow $1 kdump_etc_t:file manage_file_perms;
|
|
')
|
|
|
|
+#####################################
|
|
+## <summary>
|
|
+## Read and write kdump lock files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`kdump_rw_lock',`
|
|
+ gen_require(`
|
|
+ type kdump_lock_t;
|
|
+ ')
|
|
+
|
|
+ files_search_locks($1)
|
|
+ rw_files_pattern($1, kdump_lock_t, kdump_lock_t)
|
|
+')
|
|
+
|
|
+###################################
|
|
+## <summary>
|
|
+## Manage kdump /var/tmp files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`kdump_manage_kdumpctl_tmp_files',`
|
|
+ gen_require(`
|
|
+ type kdumpctl_tmp_t;
|
|
+ ')
|
|
+
|
|
+ files_search_tmp($1)
|
|
+ manage_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
|
|
+ manage_dirs_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
|
|
+ manage_fifo_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
|
|
+ manage_lnk_files_pattern($1, kdumpctl_tmp_t, kdumpctl_tmp_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Transition content labels to kdump named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`kdump_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type kdump_lock_t;
|
|
+ ')
|
|
+
|
|
+ files_lock_filetrans($1, kdump_lock_t, file, "kdump")
|
|
+')
|
|
+
|
|
######################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an kdump environment.
|
|
+## All of the rules required to administrate
|
|
+## an kdump environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -88,19 +248,24 @@ interface(`kdump_manage_config',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the kdump domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`kdump_admin',`
|
|
gen_require(`
|
|
- type kdump_t, kdump_etc_t, kdumpctl_tmp_t;
|
|
- type kdump_initrc_exec_t, kdumpctl_t;
|
|
+ type kdump_t, kdump_etc_t;
|
|
+ type kdump_initrc_exec_t;
|
|
+ type kdump_unit_file_t;
|
|
+ type kdump_crash_t;
|
|
')
|
|
|
|
- allow $1 { kdump_t kdumpctl_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { kdump_t kdumpctl_t })
|
|
+ allow $1 kdump_t:process signal_perms;
|
|
+ ps_process_pattern($1, kdump_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 kdump_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
@@ -110,6 +275,10 @@ interface(`kdump_admin',`
|
|
files_search_etc($1)
|
|
admin_pattern($1, kdump_etc_t)
|
|
|
|
- files_search_tmp($1)
|
|
- admin_pattern($1, kdumpctl_tmp_t)
|
|
+ files_search_var($1)
|
|
+ admin_pattern($1, kdump_crash_t)
|
|
+
|
|
+ kdump_systemctl($1)
|
|
+ admin_pattern($1, kdump_unit_file_t)
|
|
+ allow $1 kdump_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/kdump.te b/kdump.te
|
|
index 715fc21..f6a381c 100644
|
|
--- a/kdump.te
|
|
+++ b/kdump.te
|
|
@@ -12,35 +12,55 @@ init_system_domain(kdump_t, kdump_exec_t)
|
|
type kdump_etc_t;
|
|
files_config_file(kdump_etc_t)
|
|
|
|
+type kdump_crash_t;
|
|
+files_type(kdump_crash_t)
|
|
+
|
|
type kdump_initrc_exec_t;
|
|
init_script_file(kdump_initrc_exec_t)
|
|
|
|
+type kdump_unit_file_t alias kdumpctl_unit_file_t;
|
|
+systemd_unit_file(kdump_unit_file_t)
|
|
+
|
|
+type kdump_lock_t;
|
|
+files_lock_file(kdump_lock_t)
|
|
+
|
|
type kdumpctl_t;
|
|
type kdumpctl_exec_t;
|
|
init_daemon_domain(kdumpctl_t, kdumpctl_exec_t)
|
|
-application_executable_file(kdumpctl_exec_t)
|
|
+init_initrc_domain(kdumpctl_t)
|
|
|
|
type kdumpctl_tmp_t;
|
|
files_tmp_file(kdumpctl_tmp_t)
|
|
|
|
#####################################
|
|
#
|
|
-# Local policy
|
|
+# kdump local policy
|
|
#
|
|
|
|
allow kdump_t self:capability { sys_boot dac_override };
|
|
+allow kdump_t self:capability2 compromise_kernel;
|
|
+
|
|
+manage_dirs_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
|
|
+manage_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
|
|
+manage_lnk_files_pattern(kdump_t, kdump_crash_t, kdump_crash_t)
|
|
+files_var_filetrans(kdump_t, kdump_crash_t, dir, "crash")
|
|
+
|
|
+read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
|
|
|
|
-allow kdump_t kdump_etc_t:file read_file_perms;
|
|
+manage_dirs_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
|
|
+manage_files_pattern(kdump_t, kdump_lock_t, kdump_lock_t)
|
|
+files_lock_filetrans(kdump_t, kdump_lock_t, { dir file })
|
|
|
|
-files_read_etc_files(kdump_t)
|
|
files_read_etc_runtime_files(kdump_t)
|
|
files_read_kernel_img(kdump_t)
|
|
|
|
+kernel_read_system_state(kdump_t)
|
|
kernel_read_core_if(kdump_t)
|
|
kernel_read_debugfs(kdump_t)
|
|
-kernel_read_system_state(kdump_t)
|
|
kernel_request_load_module(kdump_t)
|
|
|
|
+mls_file_read_all_levels(kdump_t)
|
|
+
|
|
dev_read_framebuffer(kdump_t)
|
|
dev_read_sysfs(kdump_t)
|
|
|
|
@@ -48,22 +68,32 @@ term_use_console(kdump_t)
|
|
|
|
#######################################
|
|
#
|
|
-# Ctl local policy
|
|
+# kdumpctl local policy
|
|
#
|
|
|
|
+#cjp:almost all rules are needed by dracut
|
|
+
|
|
+kdump_domtrans(kdumpctl_t)
|
|
+
|
|
allow kdumpctl_t self:capability { dac_override sys_chroot };
|
|
allow kdumpctl_t self:process setfscreate;
|
|
-allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
|
|
-allow kdumpctl_t self:unix_stream_socket { accept listen };
|
|
|
|
-allow kdumpctl_t kdump_etc_t:file read_file_perms;
|
|
+allow kdumpctl_t self:fifo_file rw_fifo_file_perms;
|
|
+allow kdumpctl_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
manage_dirs_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
|
|
+manage_chr_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
|
|
manage_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
|
|
manage_lnk_files_pattern(kdumpctl_t, kdumpctl_tmp_t, kdumpctl_tmp_t)
|
|
files_tmp_filetrans(kdumpctl_t, kdumpctl_tmp_t, { file dir lnk_file })
|
|
+can_exec(kdumpctl_t, kdumpctl_tmp_t)
|
|
+
|
|
+manage_dirs_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
|
|
+manage_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
|
|
+manage_lnk_files_pattern(kdumpctl_t, kdump_crash_t, kdump_crash_t)
|
|
+files_var_filetrans(kdumpctl_t, kdump_crash_t, dir, "crash")
|
|
|
|
-domtrans_pattern(kdumpctl_t, kdump_exec_t, kdump_t)
|
|
+read_files_pattern(kdumpctl_t, kdump_etc_t, kdump_etc_t)
|
|
|
|
kernel_read_system_state(kdumpctl_t)
|
|
|
|
@@ -71,46 +101,56 @@ corecmd_exec_bin(kdumpctl_t)
|
|
corecmd_exec_shell(kdumpctl_t)
|
|
|
|
dev_read_sysfs(kdumpctl_t)
|
|
+# dracut
|
|
dev_manage_all_dev_nodes(kdumpctl_t)
|
|
|
|
domain_use_interactive_fds(kdumpctl_t)
|
|
|
|
files_create_kernel_img(kdumpctl_t)
|
|
-files_read_etc_files(kdumpctl_t)
|
|
files_read_etc_runtime_files(kdumpctl_t)
|
|
-files_read_usr_files(kdumpctl_t)
|
|
files_read_kernel_modules(kdumpctl_t)
|
|
files_getattr_all_dirs(kdumpctl_t)
|
|
+files_delete_kernel(kdumpctl_t)
|
|
|
|
fs_getattr_all_fs(kdumpctl_t)
|
|
fs_search_all(kdumpctl_t)
|
|
|
|
-init_domtrans_script(kdumpctl_t)
|
|
+application_executable_ioctl(kdumpctl_t)
|
|
+
|
|
+auth_read_passwd(kdumpctl_t)
|
|
+
|
|
init_exec(kdumpctl_t)
|
|
+systemd_exec_systemctl(kdumpctl_t)
|
|
+systemd_read_unit_files(kdumpctl_t)
|
|
|
|
libs_exec_ld_so(kdumpctl_t)
|
|
|
|
logging_send_syslog_msg(kdumpctl_t)
|
|
+# Need log file from /var/log/dracut.log
|
|
+logging_write_generic_logs(kdumpctl_t)
|
|
|
|
-miscfiles_read_localization(kdumpctl_t)
|
|
+optional_policy(`
|
|
+ gpg_exec(kdumpctl_t)
|
|
+')
|
|
|
|
optional_policy(`
|
|
- gpg_exec(kdumpctl_t)
|
|
+ lvm_read_config(kdumpctl_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- lvm_read_config(kdumpctl_t)
|
|
+ modutils_domtrans_insmod(kdumpctl_t)
|
|
+ modutils_list_module_config(kdumpctl_t)
|
|
+ modutils_read_module_config(kdumpctl_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- modutils_domtrans_insmod(kdumpctl_t)
|
|
- modutils_read_module_config(kdumpctl_t)
|
|
+ plymouthd_domtrans_plymouth(kdumpctl_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- plymouthd_domtrans_plymouth(kdumpctl_t)
|
|
+ ssh_exec(kdumpctl_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- ssh_exec(kdumpctl_t)
|
|
+ unconfined_domain(kdumpctl_t)
|
|
')
|
|
diff --git a/kdumpgui.if b/kdumpgui.if
|
|
index 182ab8b..8b1d9c2 100644
|
|
--- a/kdumpgui.if
|
|
+++ b/kdumpgui.if
|
|
@@ -1 +1,23 @@
|
|
-## <summary>System-config-kdump GUI.</summary>
|
|
+## <summary>system-config-kdump GUI</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send and receive messages from
|
|
+## kdumpgui over dbus.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`kdumpgui_dbus_chat',`
|
|
+ gen_require(`
|
|
+ type kdumpgui_t;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
+
|
|
+ allow $1 kdumpgui_t:dbus send_msg;
|
|
+ allow kdumpgui_t $1:dbus send_msg;
|
|
+')
|
|
+
|
|
diff --git a/kdumpgui.te b/kdumpgui.te
|
|
index 2990962..c153d15 100644
|
|
--- a/kdumpgui.te
|
|
+++ b/kdumpgui.te
|
|
@@ -5,79 +5,88 @@ policy_module(kdumpgui, 1.2.0)
|
|
# Declarations
|
|
#
|
|
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow s-c-kdump to run bootloader in bootloader_t.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(kdumpgui_run_bootloader, false)
|
|
+
|
|
type kdumpgui_t;
|
|
type kdumpgui_exec_t;
|
|
-init_system_domain(kdumpgui_t, kdumpgui_exec_t)
|
|
+init_daemon_domain(kdumpgui_t, kdumpgui_exec_t)
|
|
|
|
type kdumpgui_tmp_t;
|
|
files_tmp_file(kdumpgui_tmp_t)
|
|
|
|
######################################
|
|
#
|
|
-# Local policy
|
|
+# system-config-kdump local policy
|
|
#
|
|
|
|
allow kdumpgui_t self:capability { net_admin sys_admin sys_nice sys_rawio };
|
|
-allow kdumpgui_t self:process { setsched sigkill };
|
|
allow kdumpgui_t self:fifo_file rw_fifo_file_perms;
|
|
allow kdumpgui_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
+allow kdumpgui_t self:process { setsched sigkill };
|
|
|
|
manage_dirs_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
|
|
manage_files_pattern(kdumpgui_t, kdumpgui_tmp_t, kdumpgui_tmp_t)
|
|
files_tmp_filetrans(kdumpgui_t, kdumpgui_tmp_t, { dir file })
|
|
|
|
-kernel_getattr_core_if(kdumpgui_t)
|
|
kernel_read_system_state(kdumpgui_t)
|
|
kernel_read_network_state(kdumpgui_t)
|
|
+kernel_getattr_core_if(kdumpgui_t)
|
|
|
|
corecmd_exec_bin(kdumpgui_t)
|
|
corecmd_exec_shell(kdumpgui_t)
|
|
|
|
-dev_getattr_all_blk_files(kdumpgui_t)
|
|
dev_dontaudit_getattr_all_chr_files(kdumpgui_t)
|
|
dev_read_sysfs(kdumpgui_t)
|
|
+dev_read_urand(kdumpgui_t)
|
|
+dev_getattr_all_blk_files(kdumpgui_t)
|
|
|
|
files_manage_boot_files(kdumpgui_t)
|
|
files_manage_boot_symlinks(kdumpgui_t)
|
|
+# Needed for running chkconfig
|
|
files_manage_etc_symlinks(kdumpgui_t)
|
|
+# for blkid.tab
|
|
files_manage_etc_runtime_files(kdumpgui_t)
|
|
files_etc_filetrans_etc_runtime(kdumpgui_t, file)
|
|
-files_read_usr_files(kdumpgui_t)
|
|
|
|
+fs_manage_dos_files(kdumpgui_t)
|
|
fs_getattr_all_fs(kdumpgui_t)
|
|
fs_list_hugetlbfs(kdumpgui_t)
|
|
-fs_read_dos_files(kdumpgui_t)
|
|
|
|
storage_raw_read_fixed_disk(kdumpgui_t)
|
|
storage_raw_write_fixed_disk(kdumpgui_t)
|
|
+storage_getattr_removable_dev(kdumpgui_t)
|
|
|
|
auth_use_nsswitch(kdumpgui_t)
|
|
|
|
+logging_send_syslog_msg(kdumpgui_t)
|
|
logging_list_logs(kdumpgui_t)
|
|
logging_read_generic_logs(kdumpgui_t)
|
|
-logging_send_syslog_msg(kdumpgui_t)
|
|
-
|
|
-miscfiles_read_localization(kdumpgui_t)
|
|
|
|
mount_exec(kdumpgui_t)
|
|
|
|
init_dontaudit_read_all_script_files(kdumpgui_t)
|
|
+init_access_check(kdumpgui_t)
|
|
|
|
-optional_policy(`
|
|
- bootloader_exec(kdumpgui_t)
|
|
- bootloader_rw_config(kdumpgui_t)
|
|
-')
|
|
+userdom_dontaudit_search_admin_dir(kdumpgui_t)
|
|
|
|
optional_policy(`
|
|
- consoletype_exec(kdumpgui_t)
|
|
+ tunable_policy(`kdumpgui_run_bootloader',`
|
|
+ bootloader_domtrans(kdumpgui_t)
|
|
+ #if s-c-kdump is involved
|
|
+ bootloader_manage_config(kdumpgui_t)
|
|
+ ',`
|
|
+ bootloader_exec(kdumpgui_t)
|
|
+ bootloader_manage_config(kdumpgui_t)
|
|
+ ')
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_domain(kdumpgui_t, kdumpgui_exec_t)
|
|
-
|
|
- optional_policy(`
|
|
- policykit_dbus_chat(kdumpgui_t)
|
|
- ')
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -87,4 +96,10 @@ optional_policy(`
|
|
optional_policy(`
|
|
kdump_manage_config(kdumpgui_t)
|
|
kdump_initrc_domtrans(kdumpgui_t)
|
|
+ kdump_systemctl(kdumpgui_t)
|
|
+ kdumpctl_domtrans(kdumpgui_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ policykit_dbus_chat(kdumpgui_t)
|
|
')
|
|
diff --git a/kerberos.fc b/kerberos.fc
|
|
index 4fe75fd..8c702c9 100644
|
|
--- a/kerberos.fc
|
|
+++ b/kerberos.fc
|
|
@@ -1,52 +1,44 @@
|
|
-HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
|
|
-/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
|
|
+HOME_DIR/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
|
|
+/root/\.k5login -- gen_context(system_u:object_r:krb5_home_t,s0)
|
|
|
|
-/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0)
|
|
-/etc/krb5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
|
|
+/etc/krb5\.conf -- gen_context(system_u:object_r:krb5_conf_t,s0)
|
|
+/etc/krb5\.keytab gen_context(system_u:object_r:krb5_keytab_t,s0)
|
|
|
|
-/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
|
-/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
|
|
-/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
|
+/etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
|
+/etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
|
|
+/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
|
|
|
/etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
|
|
/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
|
|
/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
|
|
/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
|
|
|
|
-/usr/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
|
|
-/usr/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
|
|
-/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
|
|
+/usr/(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
|
|
+/usr/(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
|
|
+/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
|
|
/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
|
|
+/usr/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)
|
|
|
|
-/usr/local/kerberos/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
|
|
-/usr/local/kerberos/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
|
|
-
|
|
-/usr/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
|
|
-/usr/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
|
|
-
|
|
-/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
|
-/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
|
-
|
|
-/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
|
+/usr/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
|
/usr/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
|
|
|
-/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
-
|
|
-/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
|
+/var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
|
|
/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
|
-/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
|
|
+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
|
|
/var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
|
|
-/var/kerberos/krb5kdc/principal.*\.ok -- gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
|
-
|
|
-/var/log/krb5kdc\.log.* -- gen_context(system_u:object_r:krb5kdc_log_t,s0)
|
|
-/var/log/kadmin\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
|
|
-/var/log/kadmind\.log.* -- gen_context(system_u:object_r:kadmind_log_t,s0)
|
|
-
|
|
-/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
-/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
-/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
-/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
-/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
-/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
-/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
-/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
+/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
|
|
+
|
|
+/var/log/krb5kdc\.log.* gen_context(system_u:object_r:krb5kdc_log_t,s0)
|
|
+/var/log/kadmin(d)?\.log.* gen_context(system_u:object_r:kadmind_log_t,s0)
|
|
+
|
|
+/var/cache/krb5rcache(/.*)? gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
+
|
|
+/var/tmp/DNS_25 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
+/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
+/var/tmp/HTTP_48 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
+/var/tmp/imap_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
+/var/tmp/nfs_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
+/var/tmp/ldapmap1_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
+/var/tmp/ldap_487 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
+/var/tmp/ldap_55 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
|
|
diff --git a/kerberos.if b/kerberos.if
|
|
index f6c00d8..c0946cf 100644
|
|
--- a/kerberos.if
|
|
+++ b/kerberos.if
|
|
@@ -1,27 +1,29 @@
|
|
-## <summary>MIT Kerberos admin and KDC.</summary>
|
|
+## <summary>MIT Kerberos admin and KDC</summary>
|
|
+## <desc>
|
|
+## <p>
|
|
+## This policy supports:
|
|
+## </p>
|
|
+## <p>
|
|
+## Servers:
|
|
+## <ul>
|
|
+## <li>kadmind</li>
|
|
+## <li>krb5kdc</li>
|
|
+## </ul>
|
|
+## </p>
|
|
+## <p>
|
|
+## Clients:
|
|
+## <ul>
|
|
+## <li>kinit</li>
|
|
+## <li>kdestroy</li>
|
|
+## <li>klist</li>
|
|
+## <li>ksu (incomplete)</li>
|
|
+## </ul>
|
|
+## </p>
|
|
+## </desc>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Role access for kerberos.
|
|
-## </summary>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## User domain for the role.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-template(`kerberos_role',`
|
|
- refpolicywarn(`$0($*) has been deprecated')
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Execute kadmind in the caller domain.
|
|
+## Execute kadmind in the current domain
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -34,7 +36,6 @@ interface(`kerberos_exec_kadmind',`
|
|
type kadmind_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, kadmind_exec_t)
|
|
')
|
|
|
|
@@ -53,13 +54,12 @@ interface(`kerberos_domtrans_kpropd',`
|
|
type kpropd_t, kpropd_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, kpropd_exec_t, kpropd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Support kerberos services.
|
|
+## Use kerberos services
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -69,45 +69,44 @@ interface(`kerberos_domtrans_kpropd',`
|
|
#
|
|
interface(`kerberos_use',`
|
|
gen_require(`
|
|
- type krb5kdc_conf_t, krb5_host_rcache_t;
|
|
+ type krb5_conf_t, krb5kdc_conf_t;
|
|
+ type krb5_host_rcache_t;
|
|
')
|
|
|
|
- kerberos_read_config($1)
|
|
-
|
|
- dontaudit $1 krb5_conf_t:file write_file_perms;
|
|
+ files_search_etc($1)
|
|
+ read_files_pattern($1, krb5_conf_t, krb5_conf_t)
|
|
+ dontaudit $1 krb5_conf_t:file write;
|
|
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
|
|
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
|
|
|
|
+ #kerberos libraries are attempting to set the correct file context
|
|
dontaudit $1 self:process setfscreate;
|
|
-
|
|
selinux_dontaudit_validate_context($1)
|
|
- seutil_dontaudit_read_file_contexts($1)
|
|
+ seutil_read_file_contexts($1)
|
|
|
|
- tunable_policy(`allow_kerberos',`
|
|
+ tunable_policy(`kerberos_enabled',`
|
|
allow $1 self:tcp_socket create_socket_perms;
|
|
allow $1 self:udp_socket create_socket_perms;
|
|
|
|
- corenet_all_recvfrom_unlabeled($1)
|
|
- corenet_all_recvfrom_netlabel($1)
|
|
corenet_tcp_sendrecv_generic_if($1)
|
|
corenet_udp_sendrecv_generic_if($1)
|
|
corenet_tcp_sendrecv_generic_node($1)
|
|
corenet_udp_sendrecv_generic_node($1)
|
|
-
|
|
- corenet_sendrecv_kerberos_client_packets($1)
|
|
- corenet_tcp_connect_kerberos_port($1)
|
|
corenet_tcp_sendrecv_kerberos_port($1)
|
|
corenet_udp_sendrecv_kerberos_port($1)
|
|
-
|
|
- corenet_sendrecv_ocsp_client_packets($1)
|
|
+ corenet_tcp_bind_generic_node($1)
|
|
+ corenet_udp_bind_generic_node($1)
|
|
+ corenet_tcp_connect_kerberos_port($1)
|
|
corenet_tcp_connect_ocsp_port($1)
|
|
- corenet_tcp_sendrecv_ocsp_port($1)
|
|
+ corenet_sendrecv_kerberos_client_packets($1)
|
|
+ corenet_sendrecv_ocsp_client_packets($1)
|
|
|
|
+ allow $1 krb5_host_rcache_t:dir search_dir_perms;
|
|
allow $1 krb5_host_rcache_t:file getattr_file_perms;
|
|
')
|
|
|
|
optional_policy(`
|
|
- tunable_policy(`allow_kerberos',`
|
|
+ tunable_policy(`kerberos_enabled',`
|
|
pcscd_stream_connect($1)
|
|
')
|
|
')
|
|
@@ -119,7 +118,7 @@ interface(`kerberos_use',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read kerberos configuration files.
|
|
+## Read the kerberos configuration file (/etc/krb5.conf).
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -135,15 +134,13 @@ interface(`kerberos_read_config',`
|
|
|
|
files_search_etc($1)
|
|
allow $1 krb5_conf_t:file read_file_perms;
|
|
-
|
|
- userdom_search_user_home_dirs($1)
|
|
allow $1 krb5_home_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to write
|
|
-## kerberos configuration files.
|
|
+## Do not audit attempts to write the kerberos
|
|
+## configuration file (/etc/krb5.conf).
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -156,13 +153,12 @@ interface(`kerberos_dontaudit_write_config',`
|
|
type krb5_conf_t;
|
|
')
|
|
|
|
- dontaudit $1 krb5_conf_t:file write_file_perms;
|
|
+ dontaudit $1 krb5_conf_t:file write;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write kerberos
|
|
-## configuration files.
|
|
+## Read and write the kerberos configuration file (/etc/krb5.conf).
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -182,75 +178,7 @@ interface(`kerberos_rw_config',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## kerberos home files.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`kerberos_manage_krb5_home_files',`
|
|
- gen_require(`
|
|
- type krb5_home_t;
|
|
- ')
|
|
-
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 krb5_home_t:file manage_file_perms;
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Relabel kerberos home files.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`kerberos_relabel_krb5_home_files',`
|
|
- gen_require(`
|
|
- type krb5_home_t;
|
|
- ')
|
|
-
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 krb5_home_t:file relabel_file_perms;
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Create objects in user home
|
|
-## directories with the krb5 home type.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`kerberos_home_filetrans_krb5_home',`
|
|
- gen_require(`
|
|
- type krb5_home_t;
|
|
- ')
|
|
-
|
|
- userdom_user_home_dir_filetrans($1, krb5_home_t, $2, $3)
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Read kerberos key table files.
|
|
+## Read the kerberos key table.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -270,7 +198,7 @@ interface(`kerberos_read_keytab',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write kerberos key table files.
|
|
+## Read/Write the kerberos key table.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -289,40 +217,13 @@ interface(`kerberos_rw_keytab',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## kerberos key table files.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`kerberos_manage_keytab_files',`
|
|
- gen_require(`
|
|
- type krb5_keytab_t;
|
|
- ')
|
|
-
|
|
- files_search_etc($1)
|
|
- allow $1 krb5_keytab_t:file manage_file_perms;
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Create specified objects in generic
|
|
-## etc directories with the kerberos
|
|
-## keytab file type.
|
|
+## Create keytab file in /etc
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
## <param name="name" optional="true">
|
|
## <summary>
|
|
## The name of the object being created.
|
|
@@ -334,13 +235,13 @@ interface(`kerberos_etc_filetrans_keytab',`
|
|
type krb5_keytab_t;
|
|
')
|
|
|
|
- files_etc_filetrans($1, krb5_keytab_t, $2, $3)
|
|
+ allow $1 krb5_keytab_t:file manage_file_perms;
|
|
+ files_etc_filetrans($1, krb5_keytab_t, file, $2)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create a derived type for kerberos
|
|
-## keytab files.
|
|
+## Create a derived type for kerberos keytab
|
|
## </summary>
|
|
## <param name="prefix">
|
|
## <summary>
|
|
@@ -361,7 +262,7 @@ template(`kerberos_keytab_template',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read kerberos kdc configuration files.
|
|
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -381,8 +282,7 @@ interface(`kerberos_read_kdc_config',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## kerberos host rcache files.
|
|
+## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -396,34 +296,99 @@ interface(`kerberos_manage_host_rcache',`
|
|
type krb5_host_rcache_t;
|
|
')
|
|
|
|
+ # creates files as system_u no matter what the selinux user
|
|
+ # cjp: should be in the below tunable but typeattribute
|
|
+ # does not work in conditionals
|
|
domain_obj_id_change_exemption($1)
|
|
|
|
- tunable_policy(`allow_kerberos',`
|
|
+ tunable_policy(`kerberos_enabled',`
|
|
allow $1 self:process setfscreate;
|
|
|
|
selinux_validate_context($1)
|
|
|
|
seutil_read_file_contexts($1)
|
|
|
|
+ files_rw_generic_tmp_dir($1)
|
|
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
|
|
files_search_tmp($1)
|
|
- allow $1 krb5_host_rcache_t:file manage_file_perms;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create objects in generic temporary
|
|
-## directories with the kerberos host
|
|
-## rcache type.
|
|
+## All of the rules required to administrate
|
|
+## an kerberos environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="object_class">
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed to manage the kerberos domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`kerberos_admin',`
|
|
+ gen_require(`
|
|
+ type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
|
|
+ type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
|
|
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
|
|
+ type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
|
|
+ type krb5kdc_var_run_t, krb5_host_rcache_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 kadmind_t:process signal_perms;
|
|
+ ps_process_pattern($1, kadmind_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 kadmind_t:process ptrace;
|
|
+ allow $1 krb5kdc_t:process ptrace;
|
|
+ allow $1 kpropd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ allow $1 krb5kdc_t:process signal_perms;
|
|
+ ps_process_pattern($1, krb5kdc_t)
|
|
+
|
|
+ allow $1 kpropd_t:process signal_perms;
|
|
+ ps_process_pattern($1, kpropd_t)
|
|
+
|
|
+ init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
|
|
+ domain_system_change_exemption($1)
|
|
+ role_transition $2 kerberos_initrc_exec_t system_r;
|
|
+ allow $2 system_r;
|
|
+
|
|
+ logging_list_logs($1)
|
|
+ admin_pattern($1, kadmind_log_t)
|
|
+
|
|
+ files_list_tmp($1)
|
|
+ admin_pattern($1, kadmind_tmp_t)
|
|
+
|
|
+ files_list_pids($1)
|
|
+ admin_pattern($1, kadmind_var_run_t)
|
|
+
|
|
+ admin_pattern($1, krb5_conf_t)
|
|
+
|
|
+ admin_pattern($1, krb5_host_rcache_t)
|
|
+
|
|
+ admin_pattern($1, krb5_keytab_t)
|
|
+
|
|
+ admin_pattern($1, krb5kdc_principal_t)
|
|
+
|
|
+ admin_pattern($1, krb5kdc_tmp_t)
|
|
+
|
|
+ admin_pattern($1, krb5kdc_var_run_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Type transition files created in /tmp
|
|
+## to the krb5_host_rcache type.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Class of the object being created.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="name" optional="true">
|
|
@@ -437,12 +402,13 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
|
|
type krb5_host_rcache_t;
|
|
')
|
|
|
|
- files_tmp_filetrans($1, krb5_host_rcache_t, $2, $3)
|
|
+ manage_files_pattern($1, krb5_host_rcache_t, krb5_host_rcache_t)
|
|
+ files_tmp_filetrans($1, krb5_host_rcache_t, file, $2)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to krb524 service.
|
|
+## read kerberos homedir content (.k5login)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -450,82 +416,85 @@ interface(`kerberos_tmp_filetrans_host_rcache',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`kerberos_connect_524',`
|
|
- tunable_policy(`allow_kerberos',`
|
|
- allow $1 self:udp_socket create_socket_perms;
|
|
-
|
|
- corenet_all_recvfrom_unlabeled($1)
|
|
- corenet_all_recvfrom_netlabel($1)
|
|
- corenet_udp_sendrecv_generic_if($1)
|
|
- corenet_udp_sendrecv_generic_node($1)
|
|
-
|
|
- corenet_sendrecv_kerberos_master_client_packets($1)
|
|
- corenet_udp_sendrecv_kerberos_master_port($1)
|
|
+interface(`kerberos_read_home_content',`
|
|
+ gen_require(`
|
|
+ type krb5_home_t;
|
|
')
|
|
+
|
|
+ userdom_search_user_home_dirs($1)
|
|
+ read_files_pattern($1, krb5_home_t, krb5_home_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an kerberos environment.
|
|
+## create kerberos content in the in the /root directory
|
|
+## with an correct label.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+#
|
|
+interface(`kerberos_filetrans_admin_home_content',`
|
|
+ gen_require(`
|
|
+ type krb5_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_admin_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to kerberos named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`kerberos_admin',`
|
|
+interface(`kerberos_filetrans_home_content',`
|
|
gen_require(`
|
|
- type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
|
|
- type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
|
|
- type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
|
|
- type krb5kdc_principal_t, krb5kdc_tmp_t, kpropd_t;
|
|
- type krb5kdc_var_run_t, krb5_host_rcache_t;
|
|
+ type krb5_home_t;
|
|
')
|
|
|
|
- allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd })
|
|
-
|
|
- init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 kerberos_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
-
|
|
- logging_list_logs($1)
|
|
- admin_pattern($1, kadmind_log_t)
|
|
-
|
|
- files_list_tmp($1)
|
|
- admin_pattern($1, { kadmind_tmp_t krb5_host_rcache_t krb5kdc_tmp_t })
|
|
-
|
|
- kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
|
|
- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
|
|
- kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
|
|
- kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
|
|
- kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
|
|
- kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
|
|
- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
|
|
- kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
|
|
-
|
|
- files_list_pids($1)
|
|
- admin_pattern($1, { kadmind_var_run_t krb5kdc_var_run_t })
|
|
+ userdom_user_home_dir_filetrans($1, krb5_home_t, file, ".k5login")
|
|
+')
|
|
|
|
- files_list_etc($1)
|
|
- admin_pattern($1, krb5_conf_t)
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to kerberos named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`kerberos_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
|
|
+ type krb5kdc_principal_t;
|
|
+ ')
|
|
|
|
files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
|
|
-
|
|
- admin_pattern($1, { krb5_keytab_t krb5kdc_principal_t })
|
|
-
|
|
+ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
|
|
filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
|
|
filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
|
|
filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
|
|
-
|
|
- kerberos_etc_filetrans_keytab($1, file, "kadm5.keytab")
|
|
+ #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
|
|
+
|
|
+ kerberos_etc_filetrans_keytab($1, "krb5.keytab")
|
|
+ kerberos_filetrans_admin_home_content($1)
|
|
+
|
|
+ kerberos_tmp_filetrans_host_rcache($1, "DNS_25")
|
|
+ kerberos_tmp_filetrans_host_rcache($1, "host_0")
|
|
+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_23")
|
|
+ kerberos_tmp_filetrans_host_rcache($1, "HTTP_48")
|
|
+ kerberos_tmp_filetrans_host_rcache($1, "imap_0")
|
|
+ kerberos_tmp_filetrans_host_rcache($1, "nfs_0")
|
|
+ kerberos_tmp_filetrans_host_rcache($1, "ldapmap1_0")
|
|
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_487")
|
|
+ kerberos_tmp_filetrans_host_rcache($1, "ldap_55")
|
|
')
|
|
diff --git a/kerberos.te b/kerberos.te
|
|
index 8833d59..2242f4d 100644
|
|
--- a/kerberos.te
|
|
+++ b/kerberos.te
|
|
@@ -6,11 +6,11 @@ policy_module(kerberos, 1.12.0)
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether kerberos is supported.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow confined applications to run with kerberos.
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(allow_kerberos, false)
|
|
+gen_tunable(kerberos_enabled, false)
|
|
|
|
type kadmind_t;
|
|
type kadmind_exec_t;
|
|
@@ -35,23 +35,27 @@ init_daemon_domain(kpropd_t, kpropd_exec_t)
|
|
domain_obj_id_change_exemption(kpropd_t)
|
|
|
|
type krb5_conf_t;
|
|
-files_type(krb5_conf_t)
|
|
+files_config_file(krb5_conf_t)
|
|
|
|
type krb5_home_t;
|
|
userdom_user_home_content(krb5_home_t)
|
|
|
|
-type krb5_host_rcache_t;
|
|
+type krb5_host_rcache_t alias saslauthd_tmp_t;
|
|
files_tmp_file(krb5_host_rcache_t)
|
|
|
|
+# types for general configuration files in /etc
|
|
type krb5_keytab_t;
|
|
files_security_file(krb5_keytab_t)
|
|
|
|
+# types for KDC configs and principal file(s)
|
|
type krb5kdc_conf_t;
|
|
-files_type(krb5kdc_conf_t)
|
|
+files_config_file(krb5kdc_conf_t)
|
|
|
|
type krb5kdc_lock_t;
|
|
-files_type(krb5kdc_lock_t)
|
|
+files_lock_file(krb5kdc_lock_t)
|
|
|
|
+
|
|
+# types for KDC principal file(s)
|
|
type krb5kdc_principal_t;
|
|
files_type(krb5kdc_principal_t)
|
|
|
|
@@ -74,28 +78,31 @@ files_pid_file(krb5kdc_var_run_t)
|
|
# kadmind local policy
|
|
#
|
|
|
|
+# Use capabilities. Surplus capabilities may be allowed.
|
|
allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
|
|
-dontaudit kadmind_t self:capability sys_tty_config;
|
|
allow kadmind_t self:capability2 block_suspend;
|
|
+dontaudit kadmind_t self:capability sys_tty_config;
|
|
allow kadmind_t self:process { setfscreate setsched getsched signal_perms };
|
|
allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
|
|
-allow kadmind_t self:tcp_socket { accept listen };
|
|
+allow kadmind_t self:unix_dgram_socket { connect create write };
|
|
+allow kadmind_t self:tcp_socket connected_stream_socket_perms;
|
|
allow kadmind_t self:udp_socket create_socket_perms;
|
|
|
|
-allow kadmind_t kadmind_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
|
+allow kadmind_t kadmind_log_t:file manage_file_perms;
|
|
logging_log_filetrans(kadmind_t, kadmind_log_t, file)
|
|
|
|
allow kadmind_t krb5_conf_t:file read_file_perms;
|
|
-dontaudit kadmind_t krb5_conf_t:file write_file_perms;
|
|
+dontaudit kadmind_t krb5_conf_t:file write;
|
|
|
|
-read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
|
|
-dontaudit kadmind_t krb5kdc_conf_t:file { write_file_perms setattr_file_perms };
|
|
+manage_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
|
|
|
|
allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
|
|
|
|
allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
|
|
filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
|
|
|
|
+can_exec(kadmind_t, kadmind_exec_t)
|
|
+
|
|
manage_dirs_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
|
|
manage_files_pattern(kadmind_t, kadmind_tmp_t, kadmind_tmp_t)
|
|
files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
|
|
@@ -103,13 +110,15 @@ files_tmp_filetrans(kadmind_t, kadmind_tmp_t, { file dir })
|
|
manage_files_pattern(kadmind_t, kadmind_var_run_t, kadmind_var_run_t)
|
|
files_pid_filetrans(kadmind_t, kadmind_var_run_t, file)
|
|
|
|
-can_exec(kadmind_t, kadmind_exec_t)
|
|
-
|
|
kernel_read_kernel_sysctls(kadmind_t)
|
|
+kernel_list_proc(kadmind_t)
|
|
kernel_read_network_state(kadmind_t)
|
|
+kernel_read_proc_symlinks(kadmind_t)
|
|
kernel_read_system_state(kadmind_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(kadmind_t)
|
|
+corecmd_exec_bin(kadmind_t)
|
|
+corecmd_exec_shell(kadmind_t)
|
|
+
|
|
corenet_all_recvfrom_netlabel(kadmind_t)
|
|
corenet_tcp_sendrecv_generic_if(kadmind_t)
|
|
corenet_udp_sendrecv_generic_if(kadmind_t)
|
|
@@ -119,31 +128,41 @@ corenet_tcp_sendrecv_all_ports(kadmind_t)
|
|
corenet_udp_sendrecv_all_ports(kadmind_t)
|
|
corenet_tcp_bind_generic_node(kadmind_t)
|
|
corenet_udp_bind_generic_node(kadmind_t)
|
|
-
|
|
-corenet_sendrecv_all_server_packets(kadmind_t)
|
|
corenet_tcp_bind_kerberos_admin_port(kadmind_t)
|
|
+corenet_tcp_bind_kerberos_password_port(kadmind_t)
|
|
corenet_udp_bind_kerberos_admin_port(kadmind_t)
|
|
+corenet_udp_bind_kerberos_password_port(kadmind_t)
|
|
corenet_tcp_bind_reserved_port(kadmind_t)
|
|
+corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t)
|
|
+corenet_sendrecv_kerberos_admin_server_packets(kadmind_t)
|
|
+corenet_sendrecv_kerberos_password_server_packets(kadmind_t)
|
|
+corenet_tcp_connect_kprop_port(kadmind_t)
|
|
|
|
dev_read_sysfs(kadmind_t)
|
|
+dev_read_rand(kadmind_t)
|
|
+dev_read_urand(kadmind_t)
|
|
|
|
fs_getattr_all_fs(kadmind_t)
|
|
fs_search_auto_mountpoints(kadmind_t)
|
|
+fs_rw_anon_inodefs_files(kadmind_t)
|
|
|
|
domain_use_interactive_fds(kadmind_t)
|
|
|
|
-files_read_etc_files(kadmind_t)
|
|
-files_read_usr_files(kadmind_t)
|
|
+files_read_usr_symlinks(kadmind_t)
|
|
files_read_var_files(kadmind_t)
|
|
|
|
selinux_validate_context(kadmind_t)
|
|
|
|
+auth_read_passwd(kadmind_t)
|
|
+
|
|
logging_send_syslog_msg(kadmind_t)
|
|
|
|
-miscfiles_read_localization(kadmind_t)
|
|
+miscfiles_read_generic_certs(kadmind_t)
|
|
|
|
+seutil_read_config(kadmind_t)
|
|
seutil_read_file_contexts(kadmind_t)
|
|
|
|
+sysnet_read_config(kadmind_t)
|
|
sysnet_use_ldap(kadmind_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
|
|
@@ -154,6 +173,10 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ dirsrv_stream_connect(kadmind_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
nis_use_ypbind(kadmind_t)
|
|
')
|
|
|
|
@@ -174,24 +197,27 @@ optional_policy(`
|
|
# Krb5kdc local policy
|
|
#
|
|
|
|
+# Use capabilities. Surplus capabilities may be allowed.
|
|
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
|
|
-dontaudit krb5kdc_t self:capability sys_tty_config;
|
|
allow krb5kdc_t self:capability2 block_suspend;
|
|
+dontaudit krb5kdc_t self:capability sys_tty_config;
|
|
allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
|
|
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
|
|
-allow krb5kdc_t self:tcp_socket { accept listen };
|
|
+allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
|
|
allow krb5kdc_t self:udp_socket create_socket_perms;
|
|
allow krb5kdc_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
allow krb5kdc_t krb5_conf_t:file read_file_perms;
|
|
dontaudit krb5kdc_t krb5_conf_t:file write;
|
|
|
|
+can_exec(krb5kdc_t, krb5kdc_exec_t)
|
|
+
|
|
read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
|
|
-dontaudit krb5kdc_t krb5kdc_conf_t:file write_file_perms;
|
|
+dontaudit krb5kdc_t krb5kdc_conf_t:file write;
|
|
|
|
allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr_file_perms };
|
|
|
|
-allow krb5kdc_t krb5kdc_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
|
+allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
|
|
logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
|
|
|
|
allow krb5kdc_t krb5kdc_principal_t:file rw_file_perms;
|
|
@@ -203,54 +229,53 @@ files_tmp_filetrans(krb5kdc_t, krb5kdc_tmp_t, { file dir })
|
|
manage_files_pattern(krb5kdc_t, krb5kdc_var_run_t, krb5kdc_var_run_t)
|
|
files_pid_filetrans(krb5kdc_t, krb5kdc_var_run_t, file)
|
|
|
|
-can_exec(krb5kdc_t, krb5kdc_exec_t)
|
|
-
|
|
kernel_read_system_state(krb5kdc_t)
|
|
kernel_read_kernel_sysctls(krb5kdc_t)
|
|
+kernel_list_proc(krb5kdc_t)
|
|
+kernel_read_proc_symlinks(krb5kdc_t)
|
|
kernel_read_network_state(krb5kdc_t)
|
|
kernel_search_network_sysctl(krb5kdc_t)
|
|
|
|
corecmd_exec_bin(krb5kdc_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(krb5kdc_t)
|
|
corenet_all_recvfrom_netlabel(krb5kdc_t)
|
|
corenet_tcp_sendrecv_generic_if(krb5kdc_t)
|
|
corenet_udp_sendrecv_generic_if(krb5kdc_t)
|
|
corenet_tcp_sendrecv_generic_node(krb5kdc_t)
|
|
corenet_udp_sendrecv_generic_node(krb5kdc_t)
|
|
+corenet_tcp_sendrecv_all_ports(krb5kdc_t)
|
|
+corenet_udp_sendrecv_all_ports(krb5kdc_t)
|
|
corenet_tcp_bind_generic_node(krb5kdc_t)
|
|
corenet_udp_bind_generic_node(krb5kdc_t)
|
|
-
|
|
-corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
|
|
corenet_tcp_bind_kerberos_port(krb5kdc_t)
|
|
corenet_udp_bind_kerberos_port(krb5kdc_t)
|
|
-corenet_tcp_sendrecv_kerberos_port(krb5kdc_t)
|
|
-corenet_udp_sendrecv_kerberos_port(krb5kdc_t)
|
|
-
|
|
-corenet_sendrecv_ocsp_client_packets(krb5kdc_t)
|
|
corenet_tcp_connect_ocsp_port(krb5kdc_t)
|
|
-corenet_tcp_sendrecv_ocsp_port(krb5kdc_t)
|
|
+corenet_sendrecv_kerberos_server_packets(krb5kdc_t)
|
|
+corenet_sendrecv_ocsp_client_packets(krb5kdc_t)
|
|
|
|
dev_read_sysfs(krb5kdc_t)
|
|
+dev_read_urand(krb5kdc_t)
|
|
|
|
fs_getattr_all_fs(krb5kdc_t)
|
|
fs_search_auto_mountpoints(krb5kdc_t)
|
|
+fs_rw_anon_inodefs_files(krb5kdc_t)
|
|
|
|
domain_use_interactive_fds(krb5kdc_t)
|
|
|
|
-files_read_etc_files(krb5kdc_t)
|
|
files_read_usr_symlinks(krb5kdc_t)
|
|
files_read_var_files(krb5kdc_t)
|
|
|
|
selinux_validate_context(krb5kdc_t)
|
|
|
|
+auth_read_passwd(krb5kdc_t)
|
|
+
|
|
logging_send_syslog_msg(krb5kdc_t)
|
|
|
|
miscfiles_read_generic_certs(krb5kdc_t)
|
|
-miscfiles_read_localization(krb5kdc_t)
|
|
|
|
seutil_read_file_contexts(krb5kdc_t)
|
|
|
|
+sysnet_read_config(krb5kdc_t)
|
|
sysnet_use_ldap(krb5kdc_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
|
|
@@ -261,11 +286,11 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- nis_use_ypbind(krb5kdc_t)
|
|
+ dirsrv_stream_connect(krb5kdc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- sssd_read_public_files(krb5kdc_t)
|
|
+ nis_use_ypbind(krb5kdc_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -273,6 +298,10 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ sssd_read_public_files(krb5kdc_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
udev_read_db(krb5kdc_t)
|
|
')
|
|
|
|
@@ -281,10 +310,12 @@ optional_policy(`
|
|
# kpropd local policy
|
|
#
|
|
|
|
+allow kpropd_t self:capability net_bind_service;
|
|
allow kpropd_t self:process setfscreate;
|
|
-allow kpropd_t self:fifo_file rw_fifo_file_perms;
|
|
-allow kpropd_t self:unix_stream_socket { accept listen };
|
|
-allow kpropd_t self:tcp_socket { accept listen };
|
|
+
|
|
+allow kpropd_t self:fifo_file rw_file_perms;
|
|
+allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow kpropd_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
allow kpropd_t krb5_host_rcache_t:file manage_file_perms;
|
|
|
|
@@ -303,26 +334,20 @@ files_tmp_filetrans(kpropd_t, krb5kdc_tmp_t, { file dir })
|
|
|
|
corecmd_exec_bin(kpropd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(kpropd_t)
|
|
corenet_tcp_sendrecv_generic_if(kpropd_t)
|
|
corenet_tcp_sendrecv_generic_node(kpropd_t)
|
|
+corenet_tcp_sendrecv_all_ports(kpropd_t)
|
|
corenet_tcp_bind_generic_node(kpropd_t)
|
|
-
|
|
-corenet_sendrecv_kprop_server_packets(kpropd_t)
|
|
corenet_tcp_bind_kprop_port(kpropd_t)
|
|
-corenet_tcp_sendrecv_kprop_port(kpropd_t)
|
|
|
|
dev_read_urand(kpropd_t)
|
|
|
|
-files_read_etc_files(kpropd_t)
|
|
files_search_tmp(kpropd_t)
|
|
|
|
selinux_validate_context(kpropd_t)
|
|
|
|
logging_send_syslog_msg(kpropd_t)
|
|
|
|
-miscfiles_read_localization(kpropd_t)
|
|
-
|
|
seutil_read_file_contexts(kpropd_t)
|
|
|
|
sysnet_dns_name_resolve(kpropd_t)
|
|
diff --git a/kerneloops.if b/kerneloops.if
|
|
index 714448f..fa0c994 100644
|
|
--- a/kerneloops.if
|
|
+++ b/kerneloops.if
|
|
@@ -101,13 +101,16 @@ interface(`kerneloops_manage_tmp_files',`
|
|
#
|
|
interface(`kerneloops_admin',`
|
|
gen_require(`
|
|
- type kerneloops_t, kerneloops_initrc_exec_t;
|
|
- type kerneloops_tmp_t;
|
|
+ type kerneloops_t, kerneloops_initrc_exec_t, kerneloops_tmp_t;
|
|
')
|
|
|
|
- allow $1 kerneloops_t:process { ptrace signal_perms };
|
|
+ allow $1 kerneloops_t:process signal_perms;
|
|
ps_process_pattern($1, kerneloops_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 kerneloops_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, kerneloops_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 kerneloops_initrc_exec_t system_r;
|
|
diff --git a/kerneloops.te b/kerneloops.te
|
|
index bcdb295..f6e3736 100644
|
|
--- a/kerneloops.te
|
|
+++ b/kerneloops.te
|
|
@@ -31,7 +31,6 @@ kernel_read_ring_buffer(kerneloops_t)
|
|
|
|
domain_use_interactive_fds(kerneloops_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(kerneloops_t)
|
|
corenet_all_recvfrom_netlabel(kerneloops_t)
|
|
corenet_tcp_sendrecv_generic_if(kerneloops_t)
|
|
corenet_tcp_sendrecv_generic_node(kerneloops_t)
|
|
@@ -45,8 +44,6 @@ auth_use_nsswitch(kerneloops_t)
|
|
logging_send_syslog_msg(kerneloops_t)
|
|
logging_read_generic_logs(kerneloops_t)
|
|
|
|
-miscfiles_read_localization(kerneloops_t)
|
|
-
|
|
optional_policy(`
|
|
dbus_system_domain(kerneloops_t, kerneloops_exec_t)
|
|
')
|
|
diff --git a/keyboardd.if b/keyboardd.if
|
|
index 8982b91..6134ef2 100644
|
|
--- a/keyboardd.if
|
|
+++ b/keyboardd.if
|
|
@@ -1,19 +1,39 @@
|
|
-## <summary>Xorg.conf keyboard layout callout.</summary>
|
|
|
|
-######################################
|
|
+## <summary>policy for system-setup-keyboard daemon</summary>
|
|
+
|
|
+########################################
|
|
## <summary>
|
|
-## Read keyboardd unnamed pipes.
|
|
+## Execute a domain transition to run keyboard setup daemon.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed access.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`keyboardd_read_pipes',`
|
|
+interface(`keyboardd_domtrans',`
|
|
gen_require(`
|
|
- type keyboardd_t;
|
|
+ type keyboardd_t, keyboardd_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, keyboardd_exec_t, keyboardd_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Allow attempts to read to
|
|
+## keyboardd unnamed pipes.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`keyboardd_read_pipes',`
|
|
+ gen_require(`
|
|
+ type keyboardd_t;
|
|
')
|
|
|
|
- allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
|
|
+ allow $1 keyboardd_t:fifo_file read_fifo_file_perms;
|
|
')
|
|
diff --git a/keyboardd.te b/keyboardd.te
|
|
index 628b78b..fe65617 100644
|
|
--- a/keyboardd.te
|
|
+++ b/keyboardd.te
|
|
@@ -19,6 +19,3 @@ allow keyboardd_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
files_manage_etc_runtime_files(keyboardd_t)
|
|
files_etc_filetrans_etc_runtime(keyboardd_t, file)
|
|
-files_read_etc_files(keyboardd_t)
|
|
-
|
|
-miscfiles_read_localization(keyboardd_t)
|
|
diff --git a/keystone.fc b/keystone.fc
|
|
index b273d80..186cd86 100644
|
|
--- a/keystone.fc
|
|
+++ b/keystone.fc
|
|
@@ -1,3 +1,5 @@
|
|
+/usr/lib/systemd/system/openstack-keystone.* -- gen_context(system_u:object_r:keystone_unit_file_t,s0)
|
|
+
|
|
/etc/rc\.d/init\.d/openstack-keystone -- gen_context(system_u:object_r:keystone_initrc_exec_t,s0)
|
|
|
|
/usr/bin/keystone-all -- gen_context(system_u:object_r:keystone_exec_t,s0)
|
|
diff --git a/keystone.if b/keystone.if
|
|
index e88fb16..f20248c 100644
|
|
--- a/keystone.if
|
|
+++ b/keystone.if
|
|
@@ -1,42 +1,218 @@
|
|
-## <summary>Python implementation of the OpenStack identity service API.</summary>
|
|
+
|
|
+## <summary>policy for keystone</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an keystone environment.
|
|
+## Transition to keystone.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`keystone_domtrans',`
|
|
+ gen_require(`
|
|
+ type keystone_t, keystone_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, keystone_exec_t, keystone_t)
|
|
+')
|
|
+########################################
|
|
+## <summary>
|
|
+## Read keystone's log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`keystone_read_log',`
|
|
+ gen_require(`
|
|
+ type keystone_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, keystone_log_t, keystone_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Append to keystone log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`keystone_append_log',`
|
|
+ gen_require(`
|
|
+ type keystone_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, keystone_log_t, keystone_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage keystone log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`keystone_manage_log',`
|
|
+ gen_require(`
|
|
+ type keystone_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ manage_dirs_pattern($1, keystone_log_t, keystone_log_t)
|
|
+ manage_files_pattern($1, keystone_log_t, keystone_log_t)
|
|
+ manage_lnk_files_pattern($1, keystone_log_t, keystone_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search keystone lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`keystone_search_lib',`
|
|
+ gen_require(`
|
|
+ type keystone_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 keystone_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read keystone lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`keystone_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type keystone_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage keystone lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`keystone_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type keystone_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage keystone lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`keystone_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type keystone_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, keystone_var_lib_t, keystone_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute keystone server in the keystone domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`keystone_systemctl',`
|
|
+ gen_require(`
|
|
+ type keystone_t;
|
|
+ type keystone_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ allow $1 keystone_unit_file_t:file read_file_perms;
|
|
+ allow $1 keystone_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, keystone_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an keystone environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
interface(`keystone_admin',`
|
|
gen_require(`
|
|
- type keystone_t, keystone_initrc_exec_t, keystone_log_t;
|
|
- type keystone_var_lib_t, keystone_tmp_t;
|
|
+ type keystone_t;
|
|
+ type keystone_log_t;
|
|
+ type keystone_var_lib_t;
|
|
+ type keystone_unit_file_t;
|
|
')
|
|
|
|
allow $1 keystone_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, keystone_t)
|
|
|
|
- init_labeled_script_domtrans($1, keystone_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 keystone_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
-
|
|
logging_search_logs($1)
|
|
admin_pattern($1, keystone_log_t)
|
|
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, keystone_var_lib_t)
|
|
|
|
- files_search_tmp($1)
|
|
- admin_pattern($1, keystone_tmp_t)
|
|
+ keystone_systemctl($1)
|
|
+ admin_pattern($1, keystone_unit_file_t)
|
|
+ allow $1 keystone_unit_file_t:service all_service_perms;
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
')
|
|
diff --git a/keystone.te b/keystone.te
|
|
index 9929647..b7873e1 100644
|
|
--- a/keystone.te
|
|
+++ b/keystone.te
|
|
@@ -21,10 +21,14 @@ files_type(keystone_var_lib_t)
|
|
type keystone_tmp_t;
|
|
files_tmp_file(keystone_tmp_t)
|
|
|
|
+type keystone_unit_file_t;
|
|
+systemd_unit_file(keystone_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
+allow keystone_t self:process { getsched setsched };
|
|
|
|
allow keystone_t self:fifo_file rw_fifo_file_perms;
|
|
allow keystone_t self:unix_stream_socket { accept listen };
|
|
@@ -57,20 +61,29 @@ corenet_all_recvfrom_netlabel(keystone_t)
|
|
corenet_tcp_sendrecv_generic_if(keystone_t)
|
|
corenet_tcp_sendrecv_generic_node(keystone_t)
|
|
corenet_tcp_bind_generic_node(keystone_t)
|
|
+corenet_tcp_connect_mysqld_port(keystone_t)
|
|
+
|
|
+corenet_tcp_connect_mysqld_port(keystone_t)
|
|
|
|
corenet_sendrecv_commplex_main_server_packets(keystone_t)
|
|
corenet_tcp_bind_commplex_main_port(keystone_t)
|
|
corenet_tcp_sendrecv_commplex_main_port(keystone_t)
|
|
|
|
-files_read_usr_files(keystone_t)
|
|
+corenet_tcp_bind_keystone_port(keystone_t)
|
|
|
|
auth_use_pam(keystone_t)
|
|
|
|
libs_exec_ldconfig(keystone_t)
|
|
|
|
-miscfiles_read_localization(keystone_t)
|
|
-
|
|
optional_policy(`
|
|
mysql_stream_connect(keystone_t)
|
|
mysql_tcp_connect(keystone_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ postgresql_stream_connect(keystone_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rpm_exec(keystone_t)
|
|
+')
|
|
diff --git a/kismet.if b/kismet.if
|
|
index aa2a337..7ff229f 100644
|
|
--- a/kismet.if
|
|
+++ b/kismet.if
|
|
@@ -283,7 +283,7 @@ interface(`kismet_manage_log',`
|
|
interface(`kismet_admin',`
|
|
gen_require(`
|
|
type kismet_t, kismet_var_lib_t, kismet_var_run_t;
|
|
- type kismet_log_t, kismet_tmp_t;
|
|
+ type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
|
|
')
|
|
|
|
init_labeled_script_domtrans($1, kismet_initrc_exec_t)
|
|
@@ -292,7 +292,11 @@ interface(`kismet_admin',`
|
|
allow $2 system_r;
|
|
|
|
ps_process_pattern($1, kismet_t)
|
|
- allow $1 kismet_t:process { ptrace signal_perms };
|
|
+ allow $1 kismet_t:process signal_perms;
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 kismet_t:process ptrace;
|
|
+ ')
|
|
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, kismet_var_lib_t)
|
|
diff --git a/kismet.te b/kismet.te
|
|
index 8ad0d4d..c070420 100644
|
|
--- a/kismet.te
|
|
+++ b/kismet.te
|
|
@@ -81,25 +81,22 @@ kernel_read_network_state(kismet_t)
|
|
|
|
corecmd_exec_bin(kismet_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(kismet_t)
|
|
corenet_all_recvfrom_netlabel(kismet_t)
|
|
corenet_tcp_sendrecv_generic_if(kismet_t)
|
|
corenet_tcp_sendrecv_generic_node(kismet_t)
|
|
corenet_tcp_bind_generic_node(kismet_t)
|
|
|
|
-corenet_sendrecv_kismet_server_packets(kismet_t)
|
|
-corenet_tcp_bind_kismet_port(kismet_t)
|
|
-corenet_sendrecv_kismet_client_packets(kismet_t)
|
|
-corenet_tcp_connect_kismet_port(kismet_t)
|
|
-corenet_tcp_sendrecv_kismet_port(kismet_t)
|
|
+corenet_tcp_connect_pulseaudio_port(kismet_t)
|
|
|
|
-auth_use_nsswitch(kismet_t)
|
|
-
|
|
-files_read_usr_files(kismet_t)
|
|
+corenet_sendrecv_rtsclient_server_packets(kismet_t)
|
|
+corenet_tcp_bind_rtsclient_port(kismet_t)
|
|
+corenet_sendrecv_rtsclient_client_packets(kismet_t)
|
|
+corenet_tcp_connect_rtsclient_port(kismet_t)
|
|
|
|
-miscfiles_read_localization(kismet_t)
|
|
+auth_use_nsswitch(kismet_t)
|
|
|
|
-userdom_use_user_terminals(kismet_t)
|
|
+userdom_use_inherited_user_terminals(kismet_t)
|
|
+userdom_read_user_tmpfs_files(kismet_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(kismet_t)
|
|
diff --git a/ksmtuned.fc b/ksmtuned.fc
|
|
index e736c45..4b1e1e4 100644
|
|
--- a/ksmtuned.fc
|
|
+++ b/ksmtuned.fc
|
|
@@ -1,5 +1,7 @@
|
|
/etc/rc\.d/init\.d/ksmtuned -- gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/ksmtuned.* -- gen_context(system_u:object_r:ksmtuned_unit_file_t,s0)
|
|
+
|
|
/usr/sbin/ksmtuned -- gen_context(system_u:object_r:ksmtuned_exec_t,s0)
|
|
|
|
/var/log/ksmtuned.* gen_context(system_u:object_r:ksmtuned_log_t,s0)
|
|
diff --git a/ksmtuned.if b/ksmtuned.if
|
|
index 93a64bc..3ac0b8b 100644
|
|
--- a/ksmtuned.if
|
|
+++ b/ksmtuned.if
|
|
@@ -38,6 +38,29 @@ interface(`ksmtuned_initrc_domtrans',`
|
|
init_labeled_script_domtrans($1, ksmtuned_initrc_exec_t)
|
|
')
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute ksmtuned server in the ksmtunedd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ksmtuned_systemctl',`
|
|
+ gen_require(`
|
|
+ type ksmtuned_unit_file_t;
|
|
+ type ksmtuned_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 ksmtuned_unit_file_t:file read_file_perms;
|
|
+ allow $1 ksmtuned_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, ksmtuned_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to
|
|
@@ -48,30 +71,28 @@ interface(`ksmtuned_initrc_domtrans',`
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`ksmtuned_admin',`
|
|
gen_require(`
|
|
- type ksmtuned_t, ksmtuned_var_run_t;
|
|
- type ksmtuned_initrc_exec_t, ksmtuned_log_t;
|
|
+ type ksmtuned_t, ksmtuned_var_run_t, ksmtuned_initrc_exec_t, ksmtuned_unit_file_t;
|
|
+ type ksmtuned_log_t;
|
|
')
|
|
|
|
- ksmtuned_initrc_domtrans($1)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 ksmtuned_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
-
|
|
- allow $1 ksmtuned_t:process { ptrace signal_perms };
|
|
+ allow $1 ksmtuned_t:process signal_perms;
|
|
ps_process_pattern($1, ksmtuned_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ksmtuned_t:process ptrace;
|
|
+ ')
|
|
+
|
|
files_list_pids($1)
|
|
admin_pattern($1, ksmtuned_var_run_t)
|
|
|
|
logging_search_logs($1)
|
|
admin_pattern($1, ksmtuned_log_t)
|
|
+
|
|
+ ksmtuned_systemctl($1)
|
|
+ admin_pattern($1, ksmtuned_unit_file_t)
|
|
+ allow $1 ksmtuned_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/ksmtuned.te b/ksmtuned.te
|
|
index 8eef134..a2ca1a0 100644
|
|
--- a/ksmtuned.te
|
|
+++ b/ksmtuned.te
|
|
@@ -5,10 +5,27 @@ policy_module(ksmtuned, 1.1.1)
|
|
# Declarations
|
|
#
|
|
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow ksmtuned to use nfs file systems
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(ksmtuned_use_nfs, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow ksmtuned to use cifs/Samba file systems
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(ksmtuned_use_cifs, false)
|
|
+
|
|
type ksmtuned_t;
|
|
type ksmtuned_exec_t;
|
|
init_daemon_domain(ksmtuned_t, ksmtuned_exec_t)
|
|
|
|
+type ksmtuned_unit_file_t;
|
|
+systemd_unit_file(ksmtuned_unit_file_t)
|
|
+
|
|
type ksmtuned_initrc_exec_t;
|
|
init_script_file(ksmtuned_initrc_exec_t)
|
|
|
|
@@ -43,6 +60,7 @@ corecmd_exec_shell(ksmtuned_t)
|
|
dev_rw_sysfs(ksmtuned_t)
|
|
|
|
domain_read_all_domains_state(ksmtuned_t)
|
|
+domain_dontaudit_read_all_domains_state(ksmtuned_t)
|
|
|
|
mls_file_read_to_clearance(ksmtuned_t)
|
|
|
|
@@ -52,4 +70,11 @@ auth_use_nsswitch(ksmtuned_t)
|
|
|
|
logging_send_syslog_msg(ksmtuned_t)
|
|
|
|
-miscfiles_read_localization(ksmtuned_t)
|
|
+tunable_policy(`ksmtuned_use_nfs',`
|
|
+ fs_read_nfs_files(ksmtuned_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`ksmtuned_use_cifs',`
|
|
+ fs_read_cifs_files(ksmtuned_t)
|
|
+ samba_read_share_files(ksmtuned_t)
|
|
+')
|
|
diff --git a/ktalk.fc b/ktalk.fc
|
|
index 38ecb07..451067e 100644
|
|
--- a/ktalk.fc
|
|
+++ b/ktalk.fc
|
|
@@ -1,3 +1,5 @@
|
|
+/usr/lib/systemd/system/ntalk.* -- gen_context(system_u:object_r:ktalkd_unit_file_t,s0)
|
|
+
|
|
/usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
|
|
|
|
/usr/sbin/in\.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
|
|
diff --git a/ktalk.if b/ktalk.if
|
|
index 19777b8..55d1556 100644
|
|
--- a/ktalk.if
|
|
+++ b/ktalk.if
|
|
@@ -1 +1,76 @@
|
|
-## <summary>KDE Talk daemon.</summary>
|
|
+
|
|
+## <summary>talk-server - daemon programs for the Internet talk </summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute TEMPLATE in the ktalkd domin.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ktalk_domtrans',`
|
|
+ gen_require(`
|
|
+ type ktalkd_t, ktalkd_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, ktalkd_exec_t, ktalkd_t)
|
|
+')
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute ktalkd server in the ktalkd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ktalk_systemctl',`
|
|
+ gen_require(`
|
|
+ type ktalkd_t;
|
|
+ type ktalkd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ allow $1 ktalkd_unit_file_t:file read_file_perms;
|
|
+ allow $1 ktalkd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, ktalkd_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an ktalkd environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`ktalk_admin',`
|
|
+ gen_require(`
|
|
+ type ktalkd_t;
|
|
+ type ktalkd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 ktalkd_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, ktalkd_t)
|
|
+
|
|
+ ktalk_systemctl($1)
|
|
+ admin_pattern($1, ktalkd_unit_file_t)
|
|
+ allow $1 ktalkd_unit_file_t:service all_service_perms;
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+')
|
|
diff --git a/ktalk.te b/ktalk.te
|
|
index c5548c5..bb979b1 100644
|
|
--- a/ktalk.te
|
|
+++ b/ktalk.te
|
|
@@ -13,6 +13,9 @@ inetd_udp_service_domain(ktalkd_t, ktalkd_exec_t)
|
|
type ktalkd_log_t;
|
|
logging_log_file(ktalkd_log_t)
|
|
|
|
+type ktalkd_unit_file_t;
|
|
+systemd_unit_file(ktalkd_unit_file_t)
|
|
+
|
|
type ktalkd_tmp_t;
|
|
files_tmp_file(ktalkd_tmp_t)
|
|
|
|
@@ -50,12 +53,11 @@ dev_read_urand(ktalkd_t)
|
|
|
|
fs_getattr_xattr_fs(ktalkd_t)
|
|
|
|
-term_use_all_terms(ktalkd_t)
|
|
+term_search_ptys(ktalkd_t)
|
|
+term_use_all_inherited_terms(ktalkd_t)
|
|
|
|
auth_use_nsswitch(ktalkd_t)
|
|
|
|
init_read_utmp(ktalkd_t)
|
|
|
|
logging_send_syslog_msg(ktalkd_t)
|
|
-
|
|
-miscfiles_read_localization(ktalkd_t)
|
|
diff --git a/kudzu.if b/kudzu.if
|
|
index 5297064..6ba8108 100644
|
|
--- a/kudzu.if
|
|
+++ b/kudzu.if
|
|
@@ -86,9 +86,13 @@ interface(`kudzu_admin',`
|
|
type kudzu_tmp_t;
|
|
')
|
|
|
|
- allow $1 kudzu_t:process { ptrace signal_perms };
|
|
+ allow $1 kudzu_t:process { signal_perms };
|
|
ps_process_pattern($1, kudzu_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 kudzu_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, kudzu_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 kudzu_initrc_exec_t system_r;
|
|
diff --git a/kudzu.te b/kudzu.te
|
|
index 1664036..214a4fb 100644
|
|
--- a/kudzu.te
|
|
+++ b/kudzu.te
|
|
@@ -63,7 +63,6 @@ dev_rwx_zero(kudzu_t)
|
|
domain_use_interactive_fds(kudzu_t)
|
|
|
|
files_read_kernel_modules(kudzu_t)
|
|
-files_read_usr_files(kudzu_t)
|
|
files_search_locks(kudzu_t)
|
|
files_manage_etc_files(kudzu_t)
|
|
files_manage_etc_runtime_files(kudzu_t)
|
|
@@ -101,11 +100,10 @@ libs_read_lib_files(kudzu_t)
|
|
logging_send_syslog_msg(kudzu_t)
|
|
|
|
miscfiles_read_hwdata(kudzu_t)
|
|
-miscfiles_read_localization(kudzu_t)
|
|
|
|
sysnet_read_config(kudzu_t)
|
|
|
|
-userdom_use_user_terminals(kudzu_t)
|
|
+userdom_use_inherited_user_terminals(kudzu_t)
|
|
userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
|
|
userdom_search_user_home_dirs(kudzu_t)
|
|
|
|
@@ -122,10 +120,6 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- nscd_use(kudzu_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
seutil_sigchld_newrole(kudzu_t)
|
|
')
|
|
|
|
diff --git a/l2tp.fc b/l2tp.fc
|
|
index d5d1572..82267a7 100644
|
|
--- a/l2tp.fc
|
|
+++ b/l2tp.fc
|
|
@@ -5,6 +5,7 @@
|
|
/etc/sysconfig/.*l2tpd -- gen_context(system_u:object_r:l2tp_conf_t,s0)
|
|
|
|
/usr/sbin/.*l2tpd -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
|
|
+/usr/libexec/nm-l2tp-service -- gen_context(system_u:object_r:l2tpd_exec_t,s0)
|
|
|
|
/var/run/.*l2tpd(/.*)? gen_context(system_u:object_r:l2tpd_var_run_t,s0)
|
|
/var/run/prol2tpd\.ctl -s gen_context(system_u:object_r:l2tpd_var_run_t,s0)
|
|
diff --git a/l2tp.if b/l2tp.if
|
|
index 73e2803..2fc7570 100644
|
|
--- a/l2tp.if
|
|
+++ b/l2tp.if
|
|
@@ -1,9 +1,45 @@
|
|
-## <summary>Layer 2 Tunneling Protocol.</summary>
|
|
+## <summary>Layer 2 Tunneling Protocol daemons.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send to l2tpd with a unix
|
|
-## domain dgram socket.
|
|
+## Transition to l2tpd.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`l2tpd_domtrans',`
|
|
+ gen_require(`
|
|
+ type l2tpd_t, l2tpd_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, l2tpd_exec_t, l2tpd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute l2tpd server in the l2tpd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`l2tpd_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type l2tpd_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send to l2tpd via a unix dgram socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -16,7 +52,6 @@ interface(`l2tpd_dgram_send',`
|
|
type l2tpd_t, l2tpd_tmp_t, l2tpd_var_run_t;
|
|
')
|
|
|
|
- files_search_pids($1)
|
|
files_search_tmp($1)
|
|
dgram_send_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
|
|
')
|
|
@@ -39,10 +74,29 @@ interface(`l2tpd_rw_socket',`
|
|
allow $1 l2tpd_t:socket rw_socket_perms;
|
|
')
|
|
|
|
+########################################
|
|
+## <summary>
|
|
+## Read l2tpd PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`l2tpd_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type l2tpd_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ allow $1 l2tpd_var_run_t:file read_file_perms;
|
|
+')
|
|
+
|
|
#####################################
|
|
## <summary>
|
|
-## Connect to l2tpd with a unix
|
|
-## domain stream socket.
|
|
+## Connect to l2tpd over a unix domain
|
|
+## stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -56,14 +110,107 @@ interface(`l2tpd_stream_connect',`
|
|
')
|
|
|
|
files_search_pids($1)
|
|
- files_search_tmp($1)
|
|
- stream_connect_pattern($1, { l2tpd_tmp_t l2tpd_var_run_t }, { l2tpd_tmp_t l2tpd_var_run_t }, l2tpd_t)
|
|
+ stream_connect_pattern($1, l2tpd_tmp_t, l2tpd_tmp_t, l2tpd_t)
|
|
+ stream_connect_pattern($1, l2tpd_var_run_t, l2tpd_var_run_t, l2tpd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an l2tp environment.
|
|
+## Read and write l2tpd unnamed pipes.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`l2tpd_rw_pipes',`
|
|
+ gen_require(`
|
|
+ type l2tpd_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 l2tpd_t:fifo_file rw_fifo_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow send a signal to l2tpd.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`l2tpd_signal',`
|
|
+ gen_require(`
|
|
+ type l2tpd_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 l2tpd_t:process signal;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow send signull to l2tpd.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`l2tpd_signull',`
|
|
+ gen_require(`
|
|
+ type l2tpd_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 l2tpd_t:process signull;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow send sigkill to l2tpd.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`l2tpd_sigkill',`
|
|
+ gen_require(`
|
|
+ type l2tpd_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 l2tpd_t:process sigkill;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send and receive messages from
|
|
+## l2tpd over dbus.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`l2tpd_dbus_chat',`
|
|
+ gen_require(`
|
|
+ type l2tpd_t;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
+
|
|
+ allow $1 l2tpd_t:dbus send_msg;
|
|
+ allow l2tpd_t $1:dbus send_msg;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an l2tpd environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -77,22 +224,26 @@ interface(`l2tpd_stream_connect',`
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
-interface(`l2tp_admin',`
|
|
+interface(`l2tpd_admin',`
|
|
gen_require(`
|
|
type l2tpd_t, l2tpd_initrc_exec_t, l2tpd_var_run_t;
|
|
- type l2tp_conf_t, l2tpd_tmp_t;
|
|
+ type l2tp_etc_t, l2tpd_tmp_t;
|
|
')
|
|
|
|
- allow $1 l2tpd_t:process { ptrace signal_perms };
|
|
+ allow $1 l2tpd_t:process signal_perms;
|
|
ps_process_pattern($1, l2tpd_t)
|
|
|
|
- init_labeled_script_domtrans($1, l2tpd_initrc_exec_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 l2tpd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ l2tpd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 l2tpd_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
files_search_etc($1)
|
|
- admin_pattern($1, l2tp_conf_t)
|
|
+ admin_pattern($1, l2tp_etc_t)
|
|
|
|
files_search_pids($1)
|
|
admin_pattern($1, l2tpd_var_run_t)
|
|
diff --git a/l2tp.te b/l2tp.te
|
|
index bb06a7f..5546de2 100644
|
|
--- a/l2tp.te
|
|
+++ b/l2tp.te
|
|
@@ -27,7 +27,7 @@ files_pid_file(l2tpd_var_run_t)
|
|
#
|
|
|
|
allow l2tpd_t self:capability net_admin;
|
|
-allow l2tpd_t self:process signal;
|
|
+allow l2tpd_t self:process signal_perms;
|
|
allow l2tpd_t self:fifo_file rw_fifo_file_perms;
|
|
allow l2tpd_t self:netlink_socket create_socket_perms;
|
|
allow l2tpd_t self:rawip_socket create_socket_perms;
|
|
@@ -42,11 +42,13 @@ manage_dirs_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
|
|
manage_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
|
|
manage_sock_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
|
|
manage_fifo_files_pattern(l2tpd_t, l2tpd_var_run_t, l2tpd_var_run_t)
|
|
-files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file })
|
|
+files_pid_filetrans(l2tpd_t, l2tpd_var_run_t, { dir file sock_file fifo_file })
|
|
|
|
manage_sock_files_pattern(l2tpd_t, l2tpd_tmp_t, l2tpd_tmp_t)
|
|
files_tmp_filetrans(l2tpd_t, l2tpd_tmp_t, sock_file)
|
|
|
|
+can_exec(l2tpd_t, l2tpd_exec_t)
|
|
+
|
|
corenet_all_recvfrom_unlabeled(l2tpd_t)
|
|
corenet_all_recvfrom_netlabel(l2tpd_t)
|
|
corenet_raw_sendrecv_generic_if(l2tpd_t)
|
|
@@ -75,19 +77,37 @@ corecmd_exec_bin(l2tpd_t)
|
|
|
|
dev_read_urand(l2tpd_t)
|
|
|
|
-files_read_etc_files(l2tpd_t)
|
|
-
|
|
term_setattr_generic_ptys(l2tpd_t)
|
|
term_use_generic_ptys(l2tpd_t)
|
|
term_use_ptmx(l2tpd_t)
|
|
|
|
-logging_send_syslog_msg(l2tpd_t)
|
|
+auth_read_passwd(l2tpd_t)
|
|
|
|
-miscfiles_read_localization(l2tpd_t)
|
|
+logging_send_syslog_msg(l2tpd_t)
|
|
|
|
sysnet_dns_name_resolve(l2tpd_t)
|
|
|
|
optional_policy(`
|
|
+ dbus_system_bus_client(l2tpd_t)
|
|
+ dbus_connect_system_bus(l2tpd_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ networkmanager_dbus_chat(l2tpd_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ipsec_domtrans_mgmt(l2tpd_t)
|
|
+ ipsec_mgmt_read_pid(l2tpd_t)
|
|
+ ipsec_filetrans_key_file(l2tpd_t)
|
|
+ ipsec_manage_key_file(l2tpd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ networkmanager_read_pid_files(l2tpd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
ppp_domtrans(l2tpd_t)
|
|
ppp_signal(l2tpd_t)
|
|
ppp_kill(l2tpd_t)
|
|
diff --git a/ldap.fc b/ldap.fc
|
|
index b7e5679..c93db33 100644
|
|
--- a/ldap.fc
|
|
+++ b/ldap.fc
|
|
@@ -1,8 +1,11 @@
|
|
/etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
|
|
-/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
|
|
+
|
|
+/etc/openldap/certs(/.*)? gen_context(system_u:object_r:slapd_cert_t,s0)
|
|
/etc/openldap/slapd\.d(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
|
|
|
|
-/etc/rc\.d/init\.d/ldap -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/slapd -- gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/slapd.* -- gen_context(system_u:object_r:slapd_unit_file_t,s0)
|
|
|
|
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
|
|
|
|
@@ -22,8 +25,7 @@
|
|
/var/log/ldap.* gen_context(system_u:object_r:slapd_log_t,s0)
|
|
/var/log/slapd.* gen_context(system_u:object_r:slapd_log_t,s0)
|
|
|
|
-/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
|
|
-/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
|
|
-/var/run/slapd.* -s gen_context(system_u:object_r:slapd_var_run_t,s0)
|
|
-/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
|
|
-/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
|
|
+/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
|
|
+/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
|
|
+/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
|
|
+/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
|
|
diff --git a/ldap.if b/ldap.if
|
|
index 3602712..517bfbf 100644
|
|
--- a/ldap.if
|
|
+++ b/ldap.if
|
|
@@ -1,8 +1,68 @@
|
|
-## <summary>OpenLDAP directory server.</summary>
|
|
+## <summary>OpenLDAP directory server</summary>
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute OpenLDAP in the ldap domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ldap_domtrans',`
|
|
+ gen_require(`
|
|
+ type slapd_t, slapd_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, slapd_exec_t, slapd_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute OpenLDAP server in the ldap domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ldap_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type slapd_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, slapd_initrc_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute slapd server in the slapd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ldap_systemctl',`
|
|
+ gen_require(`
|
|
+ type slapd_unit_file_t;
|
|
+ type slapd_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 slapd_unit_file_t:file read_file_perms;
|
|
+ allow $1 slapd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, slapd_t)
|
|
+')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## List ldap database directories.
|
|
+## Read the contents of the OpenLDAP
|
|
+## database directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -15,13 +75,31 @@ interface(`ldap_list_db',`
|
|
type slapd_db_t;
|
|
')
|
|
|
|
- files_search_etc($1)
|
|
allow $1 slapd_db_t:dir list_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read ldap configuration files.
|
|
+## Read the contents of the OpenLDAP
|
|
+## database files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ldap_read_db_files',`
|
|
+ gen_require(`
|
|
+ type slapd_db_t;
|
|
+ ')
|
|
+
|
|
+ read_files_pattern($1, slapd_db_t, slapd_db_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read the OpenLDAP configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -41,22 +119,27 @@ interface(`ldap_read_config',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Use LDAP over TCP connection. (Deprecated)
|
|
+## Read the OpenLDAP cert files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
-interface(`ldap_use',`
|
|
- refpolicywarn(`$0($*) has been deprecated.')
|
|
+interface(`ldap_read_certs',`
|
|
+ gen_require(`
|
|
+ type slapd_cert_t;
|
|
+ ')
|
|
+
|
|
+ files_search_etc($1)
|
|
+ read_files_pattern($1, slapd_cert_t, slapd_cert_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to slapd over an unix
|
|
-## stream socket.
|
|
+## Use LDAP over TCP connection. (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -64,18 +147,13 @@ interface(`ldap_use',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`ldap_stream_connect',`
|
|
- gen_require(`
|
|
- type slapd_t, slapd_var_run_t;
|
|
- ')
|
|
-
|
|
- files_search_pids($1)
|
|
- stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
|
|
+interface(`ldap_use',`
|
|
+ refpolicywarn(`$0($*) has been deprecated.')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to ldap over the network.
|
|
+## Connect to slapd over an unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -83,21 +161,19 @@ interface(`ldap_stream_connect',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`ldap_tcp_connect',`
|
|
+interface(`ldap_stream_connect',`
|
|
gen_require(`
|
|
- type slapd_t;
|
|
+ type slapd_t, slapd_var_run_t;
|
|
')
|
|
|
|
- corenet_sendrecv_ldap_client_packets($1)
|
|
- corenet_tcp_connect_ldap_port($1)
|
|
- corenet_tcp_recvfrom_labeled($1, slapd_t)
|
|
- corenet_tcp_sendrecv_ldap_port($1)
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an ldap environment.
|
|
+## All of the rules required to administrate
|
|
+## an ldap environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -106,7 +182,7 @@ interface(`ldap_tcp_connect',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the ldap domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
@@ -117,11 +193,16 @@ interface(`ldap_admin',`
|
|
type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
|
|
type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
|
|
type slapd_db_t, slapd_keytab_t;
|
|
+ type slapd_unit_file_t;
|
|
')
|
|
|
|
- allow $1 slapd_t:process { ptrace signal_perms };
|
|
+ allow $1 slapd_t:process signal_perms;
|
|
ps_process_pattern($1, slapd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 slapd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, slapd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 slapd_initrc_exec_t system_r;
|
|
@@ -130,13 +211,9 @@ interface(`ldap_admin',`
|
|
files_list_etc($1)
|
|
admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
|
|
|
|
- files_list_locks($1)
|
|
admin_pattern($1, slapd_lock_t)
|
|
|
|
- logging_list_logs($1)
|
|
- admin_pattern($1, slapd_log_t)
|
|
-
|
|
- files_search_var_lib($1)
|
|
+ files_list_var_lib($1)
|
|
admin_pattern($1, slapd_replog_t)
|
|
|
|
files_list_tmp($1)
|
|
@@ -144,4 +221,8 @@ interface(`ldap_admin',`
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, slapd_var_run_t)
|
|
+
|
|
+ ldap_systemctl($1)
|
|
+ admin_pattern($1, slapd_unit_file_t)
|
|
+ allow $1 slapd_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/ldap.te b/ldap.te
|
|
index 4c2b111..8915138 100644
|
|
--- a/ldap.te
|
|
+++ b/ldap.te
|
|
@@ -21,6 +21,9 @@ files_config_file(slapd_etc_t)
|
|
type slapd_initrc_exec_t;
|
|
init_script_file(slapd_initrc_exec_t)
|
|
|
|
+type slapd_unit_file_t;
|
|
+systemd_unit_file(slapd_unit_file_t)
|
|
+
|
|
type slapd_keytab_t;
|
|
files_type(slapd_keytab_t)
|
|
|
|
@@ -93,7 +96,6 @@ files_pid_filetrans(slapd_t, slapd_var_run_t, { dir file sock_file })
|
|
kernel_read_system_state(slapd_t)
|
|
kernel_read_kernel_sysctls(slapd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(slapd_t)
|
|
corenet_all_recvfrom_netlabel(slapd_t)
|
|
corenet_tcp_sendrecv_generic_if(slapd_t)
|
|
corenet_tcp_sendrecv_generic_node(slapd_t)
|
|
@@ -115,15 +117,14 @@ fs_getattr_all_fs(slapd_t)
|
|
fs_search_auto_mountpoints(slapd_t)
|
|
|
|
files_read_etc_runtime_files(slapd_t)
|
|
-files_read_usr_files(slapd_t)
|
|
files_list_var_lib(slapd_t)
|
|
|
|
auth_use_nsswitch(slapd_t)
|
|
+auth_rw_cache(slapd_t)
|
|
|
|
logging_send_syslog_msg(slapd_t)
|
|
|
|
miscfiles_read_generic_certs(slapd_t)
|
|
-miscfiles_read_localization(slapd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(slapd_t)
|
|
userdom_dontaudit_search_user_home_dirs(slapd_t)
|
|
@@ -131,9 +132,9 @@ userdom_dontaudit_search_user_home_dirs(slapd_t)
|
|
optional_policy(`
|
|
kerberos_manage_host_rcache(slapd_t)
|
|
kerberos_read_keytab(slapd_t)
|
|
- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldapmap1_0")
|
|
- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_487")
|
|
- kerberos_tmp_filetrans_host_rcache(slapd_t, file, "ldap_55")
|
|
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldapmap1_0")
|
|
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_487")
|
|
+ kerberos_tmp_filetrans_host_rcache(slapd_t, "ldap_55")
|
|
kerberos_use(slapd_t)
|
|
')
|
|
|
|
diff --git a/lightsquid.if b/lightsquid.if
|
|
index 33a28b9..33ffe24 100644
|
|
--- a/lightsquid.if
|
|
+++ b/lightsquid.if
|
|
@@ -76,5 +76,7 @@ interface(`lightsquid_admin',`
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, lightsquid_rw_content_t)
|
|
|
|
- apache_list_sys_content($1)
|
|
+ optional_policy(`
|
|
+ apache_list_sys_content($1)
|
|
+ ')
|
|
')
|
|
diff --git a/lightsquid.te b/lightsquid.te
|
|
index 09c4f27..75854ed 100644
|
|
--- a/lightsquid.te
|
|
+++ b/lightsquid.te
|
|
@@ -31,11 +31,6 @@ corecmd_exec_shell(lightsquid_t)
|
|
|
|
dev_read_urand(lightsquid_t)
|
|
|
|
-files_read_etc_files(lightsquid_t)
|
|
-files_read_usr_files(lightsquid_t)
|
|
-
|
|
-miscfiles_read_localization(lightsquid_t)
|
|
-
|
|
squid_read_config(lightsquid_t)
|
|
squid_read_log(lightsquid_t)
|
|
|
|
diff --git a/likewise.if b/likewise.if
|
|
index bd20e8c..3393a01 100644
|
|
--- a/likewise.if
|
|
+++ b/likewise.if
|
|
@@ -1,9 +1,22 @@
|
|
## <summary>Likewise Active Directory support for UNIX.</summary>
|
|
+## <desc>
|
|
+## <p>
|
|
+## Likewise Open is a free, open source application that joins Linux, Unix,
|
|
+## and Mac machines to Microsoft Active Directory to securely authenticate
|
|
+## users with their domain credentials.
|
|
+## </p>
|
|
+## </desc>
|
|
|
|
#######################################
|
|
## <summary>
|
|
## The template to define a likewise domain.
|
|
## </summary>
|
|
+## <desc>
|
|
+## <p>
|
|
+## This template creates a domain to be used for
|
|
+## a new likewise daemon.
|
|
+## </p>
|
|
+## </desc>
|
|
## <param name="userdomain_prefix">
|
|
## <summary>
|
|
## The type of daemon to be used.
|
|
@@ -11,6 +24,7 @@
|
|
## </param>
|
|
#
|
|
template(`likewise_domain_template',`
|
|
+
|
|
gen_require(`
|
|
attribute likewise_domains;
|
|
type likewise_var_lib_t;
|
|
@@ -24,6 +38,7 @@ template(`likewise_domain_template',`
|
|
type $1_t;
|
|
type $1_exec_t;
|
|
init_daemon_domain($1_t, $1_exec_t)
|
|
+ domain_use_interactive_fds($1_t)
|
|
|
|
typeattribute $1_t likewise_domains;
|
|
|
|
@@ -38,15 +53,18 @@ template(`likewise_domain_template',`
|
|
|
|
####################################
|
|
#
|
|
- # Policy
|
|
+ # Local Policy
|
|
#
|
|
|
|
allow $1_t self:process { signal_perms getsched setsched };
|
|
allow $1_t self:fifo_file rw_fifo_file_perms;
|
|
- allow $1_t self:unix_stream_socket { accept listen };
|
|
+ allow $1_t self:unix_dgram_socket create_socket_perms;
|
|
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow $1_t self:tcp_socket create_stream_socket_perms;
|
|
allow $1_t self:udp_socket create_socket_perms;
|
|
|
|
+ allow $1_t likewise_var_lib_t:dir setattr_dir_perms;
|
|
+
|
|
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
|
files_pid_filetrans($1_t, $1_var_run_t, file)
|
|
|
|
@@ -55,12 +73,15 @@ template(`likewise_domain_template',`
|
|
|
|
manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t)
|
|
filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file)
|
|
+
|
|
+ kernel_read_system_state($1_t)
|
|
+
|
|
+ logging_send_syslog_msg($1_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to lsassd with a unix domain
|
|
-## stream socket.
|
|
+## Connect to lsassd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -76,59 +97,3 @@ interface(`likewise_stream_connect_lsassd',`
|
|
files_search_pids($1)
|
|
stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
|
|
')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an likewise environment.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <rolecap/>
|
|
-#
|
|
-interface(`likewise_admin',`
|
|
- gen_require(`
|
|
- attribute likewise_domains;
|
|
- type likewise_initrc_exec_t, likewise_etc_t, likewise_pstore_lock_t;
|
|
- type likewise_krb5_ad_t, likewise_var_lib_t, eventlogd_var_socket_t;
|
|
- type lsassd_var_socket_t, lwiod_var_socket_t, lwregd_var_socket_t;
|
|
- type lwsmd_var_socket_t, lwsmd_var_lib_t, netlogond_var_socket_t;
|
|
- type netlogond_var_lib_t, lsassd_var_lib_t, lwregd_var_lib_t;
|
|
- type eventlogd_var_lib_t, dcerpcd_var_lib_t, lsassd_tmp_t;
|
|
- type eventlogd_var_run_t, lsassd_var_run_t, lwiod_var_run_t;
|
|
- type lwregd_var_run_t, netlogond_var_run_t, srvsvcd_var_run_t;
|
|
- ')
|
|
-
|
|
- allow $1 likewise_domains:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, likewise_domains)
|
|
-
|
|
- init_labeled_script_domtrans($1, likewise_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 likewise_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
-
|
|
- files_list_etc($1)
|
|
- admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t })
|
|
-
|
|
- files_search_var_lib($1)
|
|
- admin_pattern($1, { likewise_var_lib_t eventlogd_var_socket_t lsassd_var_socket_t })
|
|
- admin_pattern($1, { lwiod_var_socket_t lwregd_var_socket_t lwsmd_var_socket_t })
|
|
- admin_pattern($1, { lwsmd_var_lib_t netlogond_var_socket_t netlogond_var_lib_t })
|
|
- admin_pattern($1, { lsassd_var_lib_t lwregd_var_lib_t eventlogd_var_lib_t })
|
|
- admin_pattern($1, dcerpcd_var_lib_t)
|
|
-
|
|
- files_list_tmp($1)
|
|
- admin_pattern($1, lsassd_tmp_t)
|
|
-
|
|
- files_list_pids($1)
|
|
- admin_pattern($1, { eventlogd_var_run_t lsassd_var_run_t lwiod_var_run_t })
|
|
- admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t })
|
|
-')
|
|
diff --git a/likewise.te b/likewise.te
|
|
index d8c2442..ef30d42 100644
|
|
--- a/likewise.te
|
|
+++ b/likewise.te
|
|
@@ -26,7 +26,7 @@ type likewise_var_lib_t;
|
|
files_type(likewise_var_lib_t)
|
|
|
|
type likewise_pstore_lock_t;
|
|
-files_type(likewise_pstore_lock_t)
|
|
+files_lock_file(likewise_pstore_lock_t)
|
|
|
|
type likewise_krb5_ad_t;
|
|
files_type(likewise_krb5_ad_t)
|
|
@@ -41,20 +41,13 @@ files_tmp_file(lsassd_tmp_t)
|
|
|
|
allow likewise_domains likewise_var_lib_t:dir setattr_dir_perms;
|
|
|
|
-kernel_read_system_state(likewise_domains)
|
|
-
|
|
dev_read_rand(likewise_domains)
|
|
dev_read_urand(likewise_domains)
|
|
|
|
domain_use_interactive_fds(likewise_domains)
|
|
|
|
-files_read_etc_files(likewise_domains)
|
|
files_search_var_lib(likewise_domains)
|
|
|
|
-logging_send_syslog_msg(likewise_domains)
|
|
-
|
|
-miscfiles_read_localization(likewise_domains)
|
|
-
|
|
#################################
|
|
#
|
|
# dcerpcd local policy
|
|
@@ -126,7 +119,6 @@ corecmd_exec_bin(lsassd_t)
|
|
corecmd_exec_shell(lsassd_t)
|
|
|
|
corenet_all_recvfrom_netlabel(lsassd_t)
|
|
-corenet_all_recvfrom_unlabeled(lsassd_t)
|
|
corenet_tcp_sendrecv_generic_if(lsassd_t)
|
|
corenet_tcp_sendrecv_generic_node(lsassd_t)
|
|
|
|
@@ -242,7 +234,6 @@ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_
|
|
stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
|
|
|
|
corenet_all_recvfrom_netlabel(srvsvcd_t)
|
|
-corenet_all_recvfrom_unlabeled(srvsvcd_t)
|
|
corenet_sendrecv_generic_server_packets(srvsvcd_t)
|
|
corenet_tcp_sendrecv_generic_if(srvsvcd_t)
|
|
corenet_tcp_sendrecv_generic_node(srvsvcd_t)
|
|
diff --git a/lircd.if b/lircd.if
|
|
index dff21a7..b6981c8 100644
|
|
--- a/lircd.if
|
|
+++ b/lircd.if
|
|
@@ -81,8 +81,11 @@ interface(`lircd_admin',`
|
|
type lircd_initrc_exec_t, lircd_etc_t;
|
|
')
|
|
|
|
- allow $1 lircd_t:process { ptrace signal_perms };
|
|
+ allow $1 lircd_t:process signal_perms;
|
|
ps_process_pattern($1, lircd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 lircd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, lircd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff --git a/lircd.te b/lircd.te
|
|
index 483c87b..af0698b 100644
|
|
--- a/lircd.te
|
|
+++ b/lircd.te
|
|
@@ -13,7 +13,7 @@ type lircd_initrc_exec_t;
|
|
init_script_file(lircd_initrc_exec_t)
|
|
|
|
type lircd_etc_t;
|
|
-files_type(lircd_etc_t)
|
|
+files_config_file(lircd_etc_t)
|
|
|
|
type lircd_var_run_t alias lircd_sock_t;
|
|
files_pid_file(lircd_var_run_t)
|
|
@@ -27,6 +27,7 @@ allow lircd_t self:capability { chown kill sys_admin };
|
|
allow lircd_t self:process signal;
|
|
allow lircd_t self:fifo_file rw_fifo_file_perms;
|
|
allow lircd_t self:tcp_socket { accept listen };
|
|
+allow lircd_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t)
|
|
|
|
@@ -64,9 +65,8 @@ files_manage_generic_locks(lircd_t)
|
|
files_read_all_locks(lircd_t)
|
|
|
|
term_use_ptmx(lircd_t)
|
|
+term_use_usb_ttys(lircd_t)
|
|
|
|
logging_send_syslog_msg(lircd_t)
|
|
|
|
-miscfiles_read_localization(lircd_t)
|
|
-
|
|
sysnet_dns_name_resolve(lircd_t)
|
|
diff --git a/livecd.if b/livecd.if
|
|
index e354181..c6b2383 100644
|
|
--- a/livecd.if
|
|
+++ b/livecd.if
|
|
@@ -38,11 +38,32 @@ interface(`livecd_domtrans',`
|
|
#
|
|
interface(`livecd_run',`
|
|
gen_require(`
|
|
+ type livecd_t;
|
|
+ type livecd_exec_t;
|
|
attribute_role livecd_roles;
|
|
')
|
|
|
|
livecd_domtrans($1)
|
|
roleattribute $2 livecd_roles;
|
|
+ role_transition $2 livecd_exec_t system_r;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Dontaudit read/write to a livecd leaks
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`livecd_dontaudit_leaks',`
|
|
+ gen_require(`
|
|
+ type livecd_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 livecd_t:unix_dgram_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
diff --git a/livecd.te b/livecd.te
|
|
index 2f974bf..54f10e4 100644
|
|
--- a/livecd.te
|
|
+++ b/livecd.te
|
|
@@ -21,9 +21,11 @@ files_tmp_file(livecd_tmp_t)
|
|
# Local policy
|
|
#
|
|
|
|
-dontaudit livecd_t self:capability2 mac_admin;
|
|
+allow livecd_t self:capability2 mac_admin;
|
|
|
|
-domain_ptrace_all_domains(livecd_t)
|
|
+tunable_policy(`deny_ptrace',`',`
|
|
+ domain_ptrace_all_domains(livecd_t)
|
|
+')
|
|
|
|
manage_dirs_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
|
|
manage_files_pattern(livecd_t, livecd_tmp_t, livecd_tmp_t)
|
|
@@ -35,12 +37,17 @@ sysnet_etc_filetrans_config(livecd_t)
|
|
optional_policy(`
|
|
hal_dbus_chat(livecd_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ mount_run(livecd_t, livecd_roles)
|
|
+')
|
|
+
|
|
optional_policy(`
|
|
- mount_run(livecd_t, livecd_roles)
|
|
+ rpm_transition_script(livecd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- rpm_domtrans(livecd_t)
|
|
+ seutil_run_setfiles_mac(livecd_t, livecd_roles)
|
|
')
|
|
|
|
optional_policy(`
|
|
diff --git a/lldpad.if b/lldpad.if
|
|
index d18c960..fb5b674 100644
|
|
--- a/lldpad.if
|
|
+++ b/lldpad.if
|
|
@@ -2,6 +2,25 @@
|
|
|
|
#######################################
|
|
## <summary>
|
|
+## Transition to lldpad.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`lldpad_domtrans',`
|
|
+ gen_require(`
|
|
+ type lldpad_t, lldpad_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, lldpad_exec_t, lldpad_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
## Send to lldpad with a unix dgram socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -42,9 +61,13 @@ interface(`lldpad_admin',`
|
|
type lldpad_var_run_t;
|
|
')
|
|
|
|
- allow $1 lldpad_t:process { ptrace signal_perms };
|
|
+ allow $1 lldpad_t:process { signal_perms };
|
|
ps_process_pattern($1, lldpad_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 lldpad_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, lldpad_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 lldpad_initrc_exec_t system_r;
|
|
diff --git a/lldpad.te b/lldpad.te
|
|
index 2a491d9..db979c3 100644
|
|
--- a/lldpad.te
|
|
+++ b/lldpad.te
|
|
@@ -26,7 +26,7 @@ files_pid_file(lldpad_var_run_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow lldpad_t self:capability { net_admin net_raw };
|
|
+allow lldpad_t self:capability { net_admin net_raw sys_resource };
|
|
allow lldpad_t self:shm create_shm_perms;
|
|
allow lldpad_t self:fifo_file rw_fifo_file_perms;
|
|
allow lldpad_t self:unix_stream_socket { accept listen };
|
|
@@ -51,11 +51,9 @@ kernel_request_load_module(lldpad_t)
|
|
|
|
dev_read_sysfs(lldpad_t)
|
|
|
|
-files_read_etc_files(lldpad_t)
|
|
-
|
|
logging_send_syslog_msg(lldpad_t)
|
|
|
|
-miscfiles_read_localization(lldpad_t)
|
|
+userdom_dgram_send(lldpad_t)
|
|
|
|
optional_policy(`
|
|
fcoe_dgram_send_fcoemon(lldpad_t)
|
|
diff --git a/loadkeys.te b/loadkeys.te
|
|
index d2f4643..c8e6b37 100644
|
|
--- a/loadkeys.te
|
|
+++ b/loadkeys.te
|
|
@@ -25,20 +25,19 @@ kernel_read_system_state(loadkeys_t)
|
|
corecmd_exec_bin(loadkeys_t)
|
|
corecmd_exec_shell(loadkeys_t)
|
|
|
|
-files_read_etc_files(loadkeys_t)
|
|
files_read_etc_runtime_files(loadkeys_t)
|
|
|
|
term_dontaudit_use_console(loadkeys_t)
|
|
term_use_unallocated_ttys(loadkeys_t)
|
|
|
|
+auth_read_passwd(loadkeys_t)
|
|
+
|
|
init_dontaudit_use_fds(loadkeys_t)
|
|
init_dontaudit_use_script_ptys(loadkeys_t)
|
|
|
|
locallogin_use_fds(loadkeys_t)
|
|
|
|
-miscfiles_read_localization(loadkeys_t)
|
|
-
|
|
-userdom_use_user_ttys(loadkeys_t)
|
|
+userdom_use_inherited_user_ttys(loadkeys_t)
|
|
userdom_list_user_home_content(loadkeys_t)
|
|
|
|
ifdef(`hide_broken_symptoms',`
|
|
diff --git a/lockdev.if b/lockdev.if
|
|
index 4313b8b..cd1435c 100644
|
|
--- a/lockdev.if
|
|
+++ b/lockdev.if
|
|
@@ -1,5 +1,25 @@
|
|
## <summary>Library for locking devices.</summary>
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## lockdev lock files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`lockdev_manage_files',`
|
|
+ gen_require(`
|
|
+ type lockdev_lock_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, lockdev_lock_t, lockdev_lock_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## Role access for lockdev.
|
|
diff --git a/lockdev.te b/lockdev.te
|
|
index 61db5a0..9d5d255 100644
|
|
--- a/lockdev.te
|
|
+++ b/lockdev.te
|
|
@@ -36,4 +36,5 @@ fs_getattr_xattr_fs(lockdev_t)
|
|
|
|
logging_send_syslog_msg(lockdev_t)
|
|
|
|
-userdom_use_user_terminals(lockdev_t)
|
|
+userdom_use_inherited_user_terminals(lockdev_t)
|
|
+
|
|
diff --git a/logrotate.fc b/logrotate.fc
|
|
index a11d5be..36c8de7 100644
|
|
--- a/logrotate.fc
|
|
+++ b/logrotate.fc
|
|
@@ -1,6 +1,9 @@
|
|
-/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
|
|
+/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
|
|
|
|
/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
|
|
|
|
+ifdef(`distro_debian', `
|
|
/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
|
|
-/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
|
|
+', `
|
|
+/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
|
|
+')
|
|
diff --git a/logrotate.if b/logrotate.if
|
|
index dd8e01a..9cd6b0b 100644
|
|
--- a/logrotate.if
|
|
+++ b/logrotate.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>Rotates, compresses, removes and mails system log files.</summary>
|
|
+## <summary>Rotate and archive system logs</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -21,9 +21,8 @@ interface(`logrotate_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute logrotate in the logrotate
|
|
-## domain, and allow the specified
|
|
-## role the logrotate domain.
|
|
+## Execute logrotate in the logrotate domain, and
|
|
+## allow the specified role the logrotate domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -39,11 +38,11 @@ interface(`logrotate_domtrans',`
|
|
#
|
|
interface(`logrotate_run',`
|
|
gen_require(`
|
|
- attribute_role logrotate_roles;
|
|
+ type logrotate_t;
|
|
')
|
|
|
|
logrotate_domtrans($1)
|
|
- roleattribute $2 logrotate_roles;
|
|
+ role $2 types logrotate_t;
|
|
')
|
|
|
|
########################################
|
|
@@ -85,8 +84,7 @@ interface(`logrotate_use_fds',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to inherit
|
|
-## logrotate file descriptors.
|
|
+## Do not audit attempts to inherit logrotate file descriptors.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -104,7 +102,7 @@ interface(`logrotate_dontaudit_use_fds',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read logrotate temporary files.
|
|
+## Read a logrotate temporary files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
diff --git a/logrotate.te b/logrotate.te
|
|
index be0ab84..4a75f6b 100644
|
|
--- a/logrotate.te
|
|
+++ b/logrotate.te
|
|
@@ -5,16 +5,14 @@ policy_module(logrotate, 1.15.0)
|
|
# Declarations
|
|
#
|
|
|
|
-attribute_role logrotate_roles;
|
|
-roleattribute system_r logrotate_roles;
|
|
-
|
|
type logrotate_t;
|
|
-type logrotate_exec_t;
|
|
domain_type(logrotate_t)
|
|
domain_obj_id_change_exemption(logrotate_t)
|
|
domain_system_change_exemption(logrotate_t)
|
|
+role system_r types logrotate_t;
|
|
+
|
|
+type logrotate_exec_t;
|
|
domain_entry_file(logrotate_t, logrotate_exec_t)
|
|
-role logrotate_roles types logrotate_t;
|
|
|
|
type logrotate_lock_t;
|
|
files_lock_file(logrotate_lock_t)
|
|
@@ -25,21 +23,27 @@ files_tmp_file(logrotate_tmp_t)
|
|
type logrotate_var_lib_t;
|
|
files_type(logrotate_var_lib_t)
|
|
|
|
-mta_base_mail_template(logrotate)
|
|
-role system_r types logrotate_mail_t;
|
|
-
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
-allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice };
|
|
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
|
|
+# Change ownership on log files.
|
|
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner setuid setgid sys_resource sys_nice sys_ptrace };
|
|
+dontaudit logrotate_t self:capability sys_resource;
|
|
+
|
|
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
+
|
|
+# Set a context other than the default one for newly created files.
|
|
+allow logrotate_t self:process setfscreate;
|
|
+
|
|
allow logrotate_t self:fd use;
|
|
allow logrotate_t self:key manage_key_perms;
|
|
allow logrotate_t self:fifo_file rw_fifo_file_perms;
|
|
+allow logrotate_t self:unix_dgram_socket create_socket_perms;
|
|
+allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow logrotate_t self:unix_dgram_socket sendto;
|
|
-allow logrotate_t self:unix_stream_socket { accept connectto listen };
|
|
+allow logrotate_t self:unix_stream_socket connectto;
|
|
allow logrotate_t self:shm create_shm_perms;
|
|
allow logrotate_t self:sem create_sem_perms;
|
|
allow logrotate_t self:msgq create_msgq_perms;
|
|
@@ -48,36 +52,52 @@ allow logrotate_t self:msg { send receive };
|
|
allow logrotate_t logrotate_lock_t:file manage_file_perms;
|
|
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
|
|
|
|
+can_exec(logrotate_t, logrotate_tmp_t)
|
|
+
|
|
manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
|
|
manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
|
|
files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
|
|
|
|
+# for /var/lib/logrotate.status and /var/lib/logcheck
|
|
create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
|
|
manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
|
|
read_lnk_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
|
|
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
|
|
|
|
-can_exec(logrotate_t, logrotate_tmp_t)
|
|
-
|
|
kernel_read_system_state(logrotate_t)
|
|
kernel_read_kernel_sysctls(logrotate_t)
|
|
|
|
+dev_read_urand(logrotate_t)
|
|
+dev_read_sysfs(logrotate_t)
|
|
+
|
|
+fs_search_auto_mountpoints(logrotate_t)
|
|
+fs_getattr_all_fs(logrotate_t)
|
|
+fs_list_inotifyfs(logrotate_t)
|
|
+
|
|
+mls_file_read_all_levels(logrotate_t)
|
|
+mls_file_write_all_levels(logrotate_t)
|
|
+mls_file_upgrade(logrotate_t)
|
|
+mls_process_write_to_clearance(logrotate_t)
|
|
+
|
|
+selinux_get_fs_mount(logrotate_t)
|
|
+selinux_get_enforce_mode(logrotate_t)
|
|
+
|
|
+# Run helper programs.
|
|
corecmd_exec_bin(logrotate_t)
|
|
corecmd_exec_shell(logrotate_t)
|
|
corecmd_getattr_all_executables(logrotate_t)
|
|
|
|
-dev_read_urand(logrotate_t)
|
|
-
|
|
domain_signal_all_domains(logrotate_t)
|
|
domain_use_interactive_fds(logrotate_t)
|
|
domain_getattr_all_entry_files(logrotate_t)
|
|
+# Read /proc/PID directories for all domains.
|
|
domain_read_all_domains_state(logrotate_t)
|
|
|
|
-files_read_usr_files(logrotate_t)
|
|
files_read_etc_runtime_files(logrotate_t)
|
|
files_read_all_pids(logrotate_t)
|
|
files_search_all(logrotate_t)
|
|
files_read_var_lib_files(logrotate_t)
|
|
+# Write to /var/spool/slrnpull - should be moved into its own type.
|
|
files_manage_generic_spool(logrotate_t)
|
|
files_manage_generic_spool_dirs(logrotate_t)
|
|
files_getattr_generic_locks(logrotate_t)
|
|
@@ -103,24 +123,34 @@ init_all_labeled_script_domtrans(logrotate_t)
|
|
logging_manage_all_logs(logrotate_t)
|
|
logging_send_syslog_msg(logrotate_t)
|
|
logging_send_audit_msgs(logrotate_t)
|
|
+# cjp: why is this needed?
|
|
logging_exec_all_logs(logrotate_t)
|
|
|
|
-miscfiles_read_localization(logrotate_t)
|
|
+systemd_exec_systemctl(logrotate_t)
|
|
+systemd_getattr_unit_files(logrotate_t)
|
|
+systemd_start_all_unit_files(logrotate_t)
|
|
+systemd_reload_all_services(logrotate_t)
|
|
+systemd_status_all_unit_files(logrotate_t)
|
|
+init_stream_connect(logrotate_t)
|
|
|
|
-seutil_dontaudit_read_config(logrotate_t)
|
|
+miscfiles_read_hwdata(logrotate_t)
|
|
|
|
-userdom_use_user_terminals(logrotate_t)
|
|
+userdom_use_inherited_user_terminals(logrotate_t)
|
|
userdom_list_user_home_dirs(logrotate_t)
|
|
userdom_use_unpriv_users_fds(logrotate_t)
|
|
+userdom_list_admin_dir(logrotate_t)
|
|
+userdom_dontaudit_getattr_user_home_content(logrotate_t)
|
|
|
|
-mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
|
|
-
|
|
-ifdef(`distro_debian',`
|
|
+ifdef(`distro_debian', `
|
|
allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
|
|
+ # for savelog
|
|
can_exec(logrotate_t, logrotate_exec_t)
|
|
|
|
- logging_check_exec_syslog(logrotate_t)
|
|
+ # for syslogd-listfiles
|
|
logging_read_syslog_config(logrotate_t)
|
|
+
|
|
+ # for "test -x /sbin/syslogd"
|
|
+ logging_check_exec_syslog(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -135,16 +165,17 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
apache_read_config(logrotate_t)
|
|
+ apache_read_sys_content_rw_dirs(logrotate_t)
|
|
apache_domtrans(logrotate_t)
|
|
apache_signull(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- asterisk_domtrans(logrotate_t)
|
|
+ awstats_domtrans(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- awstats_domtrans(logrotate_t)
|
|
+ asterisk_domtrans(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -178,7 +209,7 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- chronyd_read_key_files(logrotate_t)
|
|
+ chronyd_read_keys(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -198,21 +229,26 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ mysql_read_home_content(logrotate_t)
|
|
mysql_read_config(logrotate_t)
|
|
+ mysql_search_db(logrotate_t)
|
|
mysql_stream_connect(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- openvswitch_read_pid_files(logrotate_t)
|
|
- openvswitch_domtrans(logrotate_t)
|
|
+ polipo_named_filetrans_log_files(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- polipo_log_filetrans_log(logrotate_t, file, "polipo")
|
|
+ psad_domtrans(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- psad_domtrans(logrotate_t)
|
|
+ rabbitmq_domtrans_beam(logrotate_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ raid_domtrans_mdadm(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -228,10 +264,20 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ openshift_manage_lib_files(logrotate_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ openvswitch_read_pid_files(logrotate_t)
|
|
+ openvswitch_domtrans(logrotate_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
squid_domtrans(logrotate_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ #Red Hat bug 564565
|
|
su_exec(logrotate_t)
|
|
')
|
|
|
|
@@ -241,13 +287,11 @@ optional_policy(`
|
|
|
|
#######################################
|
|
#
|
|
-# Mail local policy
|
|
+# logrotate_mail local policy
|
|
#
|
|
|
|
-allow logrotate_mail_t logrotate_t:fd use;
|
|
-allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms;
|
|
-allow logrotate_mail_t logrotate_t:process sigchld;
|
|
-
|
|
-manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
|
|
-
|
|
+mta_base_mail_template(logrotate)
|
|
+mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
|
|
+role system_r types logrotate_mail_t;
|
|
logging_read_all_logs(logrotate_mail_t)
|
|
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
|
|
diff --git a/logwatch.te b/logwatch.te
|
|
index ab65034..ca924b3 100644
|
|
--- a/logwatch.te
|
|
+++ b/logwatch.te
|
|
@@ -6,6 +6,13 @@ policy_module(logwatch, 1.12.2)
|
|
#
|
|
|
|
## <desc>
|
|
+## <p>
|
|
+## Allow epylog to send mail
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(logwatch_can_sendmail, false)
|
|
+
|
|
+## <desc>
|
|
## <p>
|
|
## Determine whether logwatch can connect
|
|
## to mail over the network.
|
|
@@ -15,7 +22,8 @@ gen_tunable(logwatch_can_network_connect_mail, false)
|
|
|
|
type logwatch_t;
|
|
type logwatch_exec_t;
|
|
-init_system_domain(logwatch_t, logwatch_exec_t)
|
|
+init_daemon_domain(logwatch_t, logwatch_exec_t)
|
|
+application_domain(logwatch_t, logwatch_exec_t)
|
|
|
|
type logwatch_cache_t;
|
|
files_type(logwatch_cache_t)
|
|
@@ -45,7 +53,8 @@ allow logwatch_t self:unix_stream_socket { accept listen };
|
|
manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
|
|
manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
|
|
|
|
-allow logwatch_t logwatch_lock_t:file manage_file_perms;
|
|
+manage_files_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t)
|
|
+manage_dirs_pattern(logwatch_t, logwatch_lock_t, logwatch_lock_t)
|
|
files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
|
|
|
|
manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
|
|
@@ -61,6 +70,11 @@ kernel_read_system_state(logwatch_t)
|
|
kernel_read_net_sysctls(logwatch_t)
|
|
kernel_read_network_state(logwatch_t)
|
|
|
|
+corenet_all_recvfrom_unlabeled(logwatch_t)
|
|
+corenet_all_recvfrom_netlabel(logwatch_t)
|
|
+corenet_tcp_sendrecv_generic_if(logwatch_t)
|
|
+corenet_tcp_sendrecv_generic_node(logwatch_t)
|
|
+
|
|
corecmd_exec_bin(logwatch_t)
|
|
corecmd_exec_shell(logwatch_t)
|
|
|
|
@@ -75,10 +89,11 @@ files_list_var(logwatch_t)
|
|
files_search_all(logwatch_t)
|
|
files_read_var_symlinks(logwatch_t)
|
|
files_read_etc_runtime_files(logwatch_t)
|
|
-files_read_usr_files(logwatch_t)
|
|
+files_read_system_conf_files(logwatch_t)
|
|
|
|
fs_getattr_all_dirs(logwatch_t)
|
|
fs_getattr_all_fs(logwatch_t)
|
|
+fs_getattr_all_dirs(logwatch_t)
|
|
fs_dontaudit_list_auto_mountpoints(logwatch_t)
|
|
fs_list_inotifyfs(logwatch_t)
|
|
|
|
@@ -100,23 +115,17 @@ libs_read_lib_files(logwatch_t)
|
|
logging_read_all_logs(logwatch_t)
|
|
logging_send_syslog_msg(logwatch_t)
|
|
|
|
-miscfiles_read_localization(logwatch_t)
|
|
-
|
|
selinux_dontaudit_getattr_dir(logwatch_t)
|
|
|
|
sysnet_exec_ifconfig(logwatch_t)
|
|
|
|
userdom_dontaudit_search_user_home_dirs(logwatch_t)
|
|
+userdom_dontaudit_list_admin_dir(logwatch_t)
|
|
|
|
mta_sendmail_domtrans(logwatch_t, logwatch_mail_t)
|
|
mta_getattr_spool(logwatch_t)
|
|
|
|
tunable_policy(`logwatch_can_network_connect_mail',`
|
|
- corenet_all_recvfrom_unlabeled(logwatch_t)
|
|
- corenet_all_recvfrom_netlabel(logwatch_t)
|
|
- corenet_tcp_sendrecv_generic_if(logwatch_t)
|
|
- corenet_tcp_sendrecv_generic_node(logwatch_t)
|
|
-
|
|
corenet_sendrecv_smtp_client_packets(logwatch_t)
|
|
corenet_tcp_connect_smtp_port(logwatch_t)
|
|
corenet_tcp_sendrecv_smtp_port(logwatch_t)
|
|
@@ -160,6 +169,11 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ raid_domtrans_mdadm(logwatch_t)
|
|
+ raid_access_check_mdadm(logwatch_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
rpc_search_nfs_state_data(logwatch_t)
|
|
')
|
|
|
|
@@ -187,6 +201,12 @@ dev_read_sysfs(logwatch_mail_t)
|
|
|
|
logging_read_all_logs(logwatch_mail_t)
|
|
|
|
+mta_read_home(logwatch_mail_t)
|
|
+
|
|
optional_policy(`
|
|
cron_use_system_job_fds(logwatch_mail_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ courier_stream_connect_authdaemon(logwatch_mail_t)
|
|
+')
|
|
diff --git a/lpd.fc b/lpd.fc
|
|
index 2fb9b2e..08974e3 100644
|
|
--- a/lpd.fc
|
|
+++ b/lpd.fc
|
|
@@ -19,6 +19,7 @@
|
|
/usr/sbin/lpinfo -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
|
/usr/sbin/lpmove -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
|
|
|
+/usr/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
|
/usr/local/linuxprinter/bin/l?lpr -- gen_context(system_u:object_r:lpr_exec_t,s0)
|
|
|
|
/usr/share/printconf/.* -- gen_context(system_u:object_r:printconf_t,s0)
|
|
diff --git a/lpd.if b/lpd.if
|
|
index 6256371..7826e38 100644
|
|
--- a/lpd.if
|
|
+++ b/lpd.if
|
|
@@ -1,44 +1,49 @@
|
|
-## <summary>Line printer daemon.</summary>
|
|
+## <summary>Line printer daemon</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Role access for lpd.
|
|
+## Role access for lpd
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## User domain for the role.
|
|
+## User domain for the role
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
interface(`lpd_role',`
|
|
gen_require(`
|
|
attribute_role lpr_roles;
|
|
- type lpr_t, lpr_exec_t;
|
|
+ type lpr_t, lpr_exec_t, print_spool_t;
|
|
')
|
|
|
|
- ########################################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
+ ########################################
|
|
+ #
|
|
+ # Declarations
|
|
+ #
|
|
|
|
roleattribute $1 lpr_roles;
|
|
|
|
- ########################################
|
|
- #
|
|
- # Policy
|
|
- #
|
|
+ ########################################
|
|
+ #
|
|
+ # Policy
|
|
+ #
|
|
|
|
+ # Transition from the user domain to the derived domain.
|
|
domtrans_pattern($2, lpr_exec_t, lpr_t)
|
|
+ dontaudit lpr_t $2:unix_stream_socket { read write };
|
|
|
|
- allow $2 lpr_t:process { ptrace signal_perms };
|
|
ps_process_pattern($2, lpr_t)
|
|
+ allow $2 lpr_t:process signal_perms;
|
|
|
|
- dontaudit lpr_t $2:unix_stream_socket { read write };
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 lpr_t:process ptrace;
|
|
+ ')
|
|
|
|
optional_policy(`
|
|
cups_read_config($2)
|
|
@@ -60,15 +65,13 @@ interface(`lpd_domtrans_checkpc',`
|
|
type checkpc_t, checkpc_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, checkpc_exec_t, checkpc_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute amrecover in the lpd
|
|
-## domain, and allow the specified
|
|
-## role the lpd domain.
|
|
+## Execute amrecover in the lpd domain, and
|
|
+## allow the specified role the lpd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -84,16 +87,16 @@ interface(`lpd_domtrans_checkpc',`
|
|
#
|
|
interface(`lpd_run_checkpc',`
|
|
gen_require(`
|
|
- attribute_role checkpc_roles;
|
|
+ type checkpc_t;
|
|
')
|
|
|
|
lpd_domtrans_checkpc($1)
|
|
- roleattribute $2 checkpc_roles;
|
|
+ role $2 types checkpc_t;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## List printer spool directories.
|
|
+## List the contents of the printer spool directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -112,7 +115,7 @@ interface(`lpd_list_spool',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read printer spool files.
|
|
+## Read the printer spool files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -131,8 +134,7 @@ interface(`lpd_read_spool',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## printer spool content.
|
|
+## Create, read, write, and delete printer spool files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -153,7 +155,7 @@ interface(`lpd_manage_spool',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Relabel spool files.
|
|
+## Relabel from and to the spool files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -172,7 +174,7 @@ interface(`lpd_relabel_spool',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read printer configuration files.
|
|
+## List the contents of the printer spool directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -200,12 +202,11 @@ interface(`lpd_read_config',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-template(`lpd_domtrans_lpr',`
|
|
+interface(`lpd_domtrans_lpr',`
|
|
gen_require(`
|
|
type lpr_t, lpr_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, lpr_exec_t, lpr_t)
|
|
')
|
|
|
|
@@ -237,7 +238,8 @@ interface(`lpd_run_lpr',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute lpr in the caller domain.
|
|
+## Allow the specified domain to execute lpr
|
|
+## in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -250,6 +252,5 @@ interface(`lpd_exec_lpr',`
|
|
type lpr_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, lpr_exec_t)
|
|
')
|
|
diff --git a/lpd.te b/lpd.te
|
|
index 39d3164..4b1b70c 100644
|
|
--- a/lpd.te
|
|
+++ b/lpd.te
|
|
@@ -48,7 +48,7 @@ userdom_user_tmp_file(lpr_tmp_t)
|
|
type print_spool_t;
|
|
typealias print_spool_t alias { user_print_spool_t staff_print_spool_t sysadm_print_spool_t };
|
|
typealias print_spool_t alias { auditadm_print_spool_t secadm_print_spool_t };
|
|
-files_type(print_spool_t)
|
|
+files_spool_file(print_spool_t)
|
|
ubac_constrained(print_spool_t)
|
|
|
|
type printer_t;
|
|
@@ -81,7 +81,6 @@ allow checkpc_t printconf_t:dir list_dir_perms;
|
|
|
|
kernel_read_system_state(checkpc_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(checkpc_t)
|
|
corenet_all_recvfrom_netlabel(checkpc_t)
|
|
corenet_tcp_sendrecv_generic_if(checkpc_t)
|
|
corenet_tcp_sendrecv_generic_node(checkpc_t)
|
|
@@ -97,7 +96,6 @@ dev_append_printer(checkpc_t)
|
|
|
|
domain_use_interactive_fds(checkpc_t)
|
|
|
|
-files_read_etc_files(checkpc_t)
|
|
files_read_etc_runtime_files(checkpc_t)
|
|
files_search_pids(checkpc_t)
|
|
files_search_spool(checkpc_t)
|
|
@@ -107,7 +105,7 @@ init_use_fds(checkpc_t)
|
|
|
|
sysnet_read_config(checkpc_t)
|
|
|
|
-userdom_use_user_terminals(checkpc_t)
|
|
+userdom_use_inherited_user_terminals(checkpc_t)
|
|
|
|
optional_policy(`
|
|
cron_system_entry(checkpc_t, checkpc_exec_t)
|
|
@@ -155,7 +153,6 @@ can_exec(lpd_t, printconf_t)
|
|
kernel_read_kernel_sysctls(lpd_t)
|
|
kernel_read_system_state(lpd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(lpd_t)
|
|
corenet_all_recvfrom_netlabel(lpd_t)
|
|
corenet_tcp_sendrecv_generic_if(lpd_t)
|
|
corenet_tcp_sendrecv_generic_node(lpd_t)
|
|
@@ -174,14 +171,12 @@ dev_rw_printer(lpd_t)
|
|
domain_use_interactive_fds(lpd_t)
|
|
|
|
files_read_etc_runtime_files(lpd_t)
|
|
-files_read_usr_files(lpd_t)
|
|
files_list_world_readable(lpd_t)
|
|
files_read_world_readable_files(lpd_t)
|
|
files_read_world_readable_symlinks(lpd_t)
|
|
files_list_var_lib(lpd_t)
|
|
files_read_var_lib_files(lpd_t)
|
|
files_read_var_lib_symlinks(lpd_t)
|
|
-files_read_etc_files(lpd_t)
|
|
files_search_spool(lpd_t)
|
|
|
|
fs_getattr_all_fs(lpd_t)
|
|
@@ -190,7 +185,6 @@ fs_search_auto_mountpoints(lpd_t)
|
|
logging_send_syslog_msg(lpd_t)
|
|
|
|
miscfiles_read_fonts(lpd_t)
|
|
-miscfiles_read_localization(lpd_t)
|
|
|
|
sysnet_read_config(lpd_t)
|
|
|
|
@@ -224,7 +218,6 @@ can_exec(lpr_t, lpr_exec_t)
|
|
kernel_read_crypto_sysctls(lpr_t)
|
|
kernel_read_kernel_sysctls(lpr_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(lpr_t)
|
|
corenet_all_recvfrom_netlabel(lpr_t)
|
|
corenet_tcp_sendrecv_generic_if(lpr_t)
|
|
corenet_tcp_sendrecv_generic_node(lpr_t)
|
|
@@ -239,7 +232,6 @@ dev_read_urand(lpr_t)
|
|
domain_use_interactive_fds(lpr_t)
|
|
|
|
files_search_spool(lpr_t)
|
|
-files_read_usr_files(lpr_t)
|
|
files_list_home(lpr_t)
|
|
|
|
fs_getattr_all_fs(lpr_t)
|
|
@@ -249,23 +241,27 @@ term_use_generic_ptys(lpr_t)
|
|
|
|
auth_use_nsswitch(lpr_t)
|
|
|
|
-logging_send_syslog_msg(lpr_t)
|
|
-
|
|
miscfiles_read_fonts(lpr_t)
|
|
-miscfiles_read_localization(lpr_t)
|
|
|
|
userdom_read_user_tmp_symlinks(lpr_t)
|
|
-userdom_use_user_terminals(lpr_t)
|
|
+# Write to the user domain tty.
|
|
+userdom_use_inherited_user_terminals(lpr_t)
|
|
userdom_read_user_home_content_files(lpr_t)
|
|
userdom_read_user_tmp_files(lpr_t)
|
|
+userdom_write_user_tmp_sockets(lpr_t)
|
|
+userdom_stream_connect(lpr_t)
|
|
|
|
tunable_policy(`use_lpd_server',`
|
|
- allow lpr_t lpd_t:process signal;
|
|
-
|
|
- write_sock_files_pattern(lpr_t, lpd_var_run_t, lpd_var_run_t)
|
|
+ # lpr can run in lightweight mode, without a local print spooler.
|
|
+ allow lpr_t lpd_var_run_t:dir search_dir_perms;
|
|
+ allow lpr_t lpd_var_run_t:sock_file write_sock_file_perms;
|
|
files_read_var_files(lpr_t)
|
|
|
|
+ # Connect to lpd via a Unix domain socket.
|
|
+ allow lpr_t printer_t:sock_file read_sock_file_perms;
|
|
stream_connect_pattern(lpr_t, printer_t, printer_t, lpd_t)
|
|
+ # Send SIGHUP to lpd.
|
|
+ allow lpr_t lpd_t:process signal;
|
|
|
|
manage_dirs_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
|
|
manage_files_pattern(lpr_t, lpr_tmp_t, lpr_tmp_t)
|
|
@@ -279,17 +275,7 @@ tunable_policy(`use_lpd_server',`
|
|
allow lpr_t printconf_t:lnk_file read_lnk_file_perms;
|
|
')
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_list_auto_mountpoints(lpr_t)
|
|
- fs_read_nfs_files(lpr_t)
|
|
- fs_read_nfs_symlinks(lpr_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_list_auto_mountpoints(lpr_t)
|
|
- fs_read_cifs_files(lpr_t)
|
|
- fs_read_cifs_symlinks(lpr_t)
|
|
-')
|
|
+userdom_home_reader(lpr_t)
|
|
|
|
optional_policy(`
|
|
cups_read_config(lpr_t)
|
|
@@ -298,5 +284,13 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- gnome_stream_connect_all_gkeyringd(lpr_t)
|
|
+ gnome_stream_connect_gkeyringd(lpr_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ logging_send_syslog_msg(lpr_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mozilla_plugin_dontaudit_rw_tmp_files(lpr_t)
|
|
')
|
|
diff --git a/lsm.fc b/lsm.fc
|
|
index c455730..4b40274 100644
|
|
--- a/lsm.fc
|
|
+++ b/lsm.fc
|
|
@@ -1,3 +1,5 @@
|
|
/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
|
|
+
|
|
/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)
|
|
diff --git a/lsm.if b/lsm.if
|
|
index d314333..da30c5d 100644
|
|
--- a/lsm.if
|
|
+++ b/lsm.if
|
|
@@ -1,25 +1,85 @@
|
|
-## <summary>Storage array management library.</summary>
|
|
+
|
|
+## <summary>libStorageMgmt plug-in daemon </summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to administrate
|
|
-## an lsmd environment.
|
|
+## Execute TEMPLATE in the lsmd domin.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`lsmd_domtrans',`
|
|
+ gen_require(`
|
|
+ type lsmd_t, lsmd_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, lsmd_exec_t, lsmd_t)
|
|
+')
|
|
+########################################
|
|
+## <summary>
|
|
+## Read lsmd PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+#
|
|
+interface(`lsmd_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type lsmd_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute lsmd server in the lsmd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`lsmd_systemctl',`
|
|
+ gen_require(`
|
|
+ type lsmd_t;
|
|
+ type lsmd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ allow $1 lsmd_unit_file_t:file read_file_perms;
|
|
+ allow $1 lsmd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, lsmd_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an lsmd environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`lsmd_admin',`
|
|
gen_require(`
|
|
- type lsmd_t, type lsmd_var_run_t;
|
|
+ type lsmd_t;
|
|
+ type lsmd_var_run_t;
|
|
+ type lsmd_unit_file_t;
|
|
')
|
|
|
|
allow $1 lsmd_t:process { ptrace signal_perms };
|
|
@@ -27,4 +87,13 @@ interface(`lsmd_admin',`
|
|
|
|
files_search_pids($1)
|
|
admin_pattern($1, lsmd_var_run_t)
|
|
+
|
|
+ lsmd_systemctl($1)
|
|
+ admin_pattern($1, lsmd_unit_file_t)
|
|
+ allow $1 lsmd_unit_file_t:service all_service_perms;
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
')
|
|
diff --git a/lsm.te b/lsm.te
|
|
index 4ec0eea..bc7d239 100644
|
|
--- a/lsm.te
|
|
+++ b/lsm.te
|
|
@@ -12,6 +12,9 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
|
|
type lsmd_var_run_t;
|
|
files_pid_file(lsmd_var_run_t)
|
|
|
|
+type lsmd_unit_file_t;
|
|
+systemd_unit_file(lsmd_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -26,4 +29,6 @@ manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
|
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
|
|
files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
|
|
|
|
+corecmd_exec_bin(lsmd_t)
|
|
+
|
|
logging_send_syslog_msg(lsmd_t)
|
|
diff --git a/mailman.fc b/mailman.fc
|
|
index 995d0a5..3d40d59 100644
|
|
--- a/mailman.fc
|
|
+++ b/mailman.fc
|
|
@@ -2,10 +2,12 @@
|
|
|
|
/etc/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
|
|
|
|
+/usr/lib/mailman/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
|
|
/usr/lib/mailman.*/bin/mailmanctl -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
|
|
+/usr/lib/mailman/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
|
|
/usr/lib/mailman.*/bin/mm-handler.* -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
|
|
/usr/lib/mailman.*/cron/.* -- gen_context(system_u:object_r:mailman_queue_exec_t,s0)
|
|
-/var/lib/mailman.* gen_context(system_u:object_r:mailman_data_t,s0)
|
|
+/var/lib/mailman(/.*)? gen_context(system_u:object_r:mailman_data_t,s0)
|
|
/var/lib/mailman.*/archives(/.*)? gen_context(system_u:object_r:mailman_archive_t,s0)
|
|
|
|
/var/lock/mailman.* gen_context(system_u:object_r:mailman_lock_t,s0)
|
|
diff --git a/mailman.if b/mailman.if
|
|
index 108c0f1..a248501 100644
|
|
--- a/mailman.if
|
|
+++ b/mailman.if
|
|
@@ -1,44 +1,70 @@
|
|
-## <summary>Manage electronic mail discussion and e-newsletter lists.</summary>
|
|
+## <summary>Mailman is for managing electronic mail discussion and e-newsletter lists</summary>
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## The template to define a mailman domain.
|
|
+## The template to define a mailmain domain.
|
|
## </summary>
|
|
-## <param name="domain_prefix">
|
|
+## <desc>
|
|
+## <p>
|
|
+## This template creates a domain to be used for
|
|
+## a new mailman daemon.
|
|
+## </p>
|
|
+## </desc>
|
|
+## <param name="userdomain_prefix">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## The type of daemon to be used eg, cgi would give mailman_cgi_
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-template(`mailman_domain_template',`
|
|
- gen_require(`
|
|
- attribute mailman_domain;
|
|
- ')
|
|
+template(`mailman_domain_template', `
|
|
|
|
- ########################################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
+ ########################################
|
|
+ #
|
|
+ # Declarations
|
|
+ #
|
|
|
|
- type mailman_$1_t;
|
|
- type mailman_$1_exec_t;
|
|
+ gen_require(`
|
|
+ attribute mailman_domain;
|
|
+ ')
|
|
+
|
|
+ type mailman_$1_t, mailman_domain;
|
|
domain_type(mailman_$1_t)
|
|
+ type mailman_$1_exec_t;
|
|
domain_entry_file(mailman_$1_t, mailman_$1_exec_t)
|
|
role system_r types mailman_$1_t;
|
|
|
|
type mailman_$1_tmp_t;
|
|
files_tmp_file(mailman_$1_tmp_t)
|
|
|
|
- ####################################
|
|
- #
|
|
- # Policy
|
|
- #
|
|
+ ####################################
|
|
+ #
|
|
+ # Policy
|
|
+ #
|
|
|
|
manage_dirs_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
|
|
manage_files_pattern(mailman_$1_t, mailman_$1_tmp_t, mailman_$1_tmp_t)
|
|
files_tmp_filetrans(mailman_$1_t, mailman_$1_tmp_t, { file dir })
|
|
|
|
+ kernel_read_system_state(mailman_$1_t)
|
|
+
|
|
+ corenet_all_recvfrom_unlabeled(mailman_$1_t)
|
|
+ corenet_all_recvfrom_netlabel(mailman_$1_t)
|
|
+ corenet_tcp_sendrecv_generic_if(mailman_$1_t)
|
|
+ corenet_udp_sendrecv_generic_if(mailman_$1_t)
|
|
+ corenet_raw_sendrecv_generic_if(mailman_$1_t)
|
|
+ corenet_tcp_sendrecv_generic_node(mailman_$1_t)
|
|
+ corenet_udp_sendrecv_generic_node(mailman_$1_t)
|
|
+ corenet_raw_sendrecv_generic_node(mailman_$1_t)
|
|
+ corenet_tcp_sendrecv_all_ports(mailman_$1_t)
|
|
+ corenet_udp_sendrecv_all_ports(mailman_$1_t)
|
|
+ corenet_tcp_bind_generic_node(mailman_$1_t)
|
|
+ corenet_udp_bind_generic_node(mailman_$1_t)
|
|
+ corenet_tcp_connect_smtp_port(mailman_$1_t)
|
|
+ corenet_sendrecv_smtp_client_packets(mailman_$1_t)
|
|
+
|
|
auth_use_nsswitch(mailman_$1_t)
|
|
+
|
|
+ logging_send_syslog_msg(mailman_$1_t)
|
|
')
|
|
|
|
#######################################
|
|
@@ -56,15 +82,12 @@ interface(`mailman_domtrans',`
|
|
type mailman_mail_exec_t, mailman_mail_t;
|
|
')
|
|
|
|
- libs_search_lib($1)
|
|
domtrans_pattern($1, mailman_mail_exec_t, mailman_mail_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute the mailman program in the
|
|
-## mailman domain and allow the
|
|
-## specified role the mailman domain.
|
|
+## Execute the mailman program in the mailman domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -73,18 +96,18 @@ interface(`mailman_domtrans',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to allow the mailman domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mailman_run',`
|
|
gen_require(`
|
|
- attribute_role mailman_roles;
|
|
+ type mailman_mail_t;
|
|
')
|
|
|
|
mailman_domtrans($1)
|
|
- roleattribute $2 mailman_roles;
|
|
+ role $2 types mailman_mail_t;
|
|
')
|
|
|
|
#######################################
|
|
@@ -103,7 +126,6 @@ interface(`mailman_domtrans_cgi',`
|
|
type mailman_cgi_exec_t, mailman_cgi_t;
|
|
')
|
|
|
|
- libs_search_lib($1)
|
|
domtrans_pattern($1, mailman_cgi_exec_t, mailman_cgi_t)
|
|
')
|
|
|
|
@@ -122,13 +144,12 @@ interface(`mailman_exec',`
|
|
type mailman_mail_exec_t;
|
|
')
|
|
|
|
- libs_search_lib($1)
|
|
can_exec($1, mailman_mail_exec_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Send generic signals to mailman cgi.
|
|
+## Send generic signals to the mailman cgi domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -146,7 +167,7 @@ interface(`mailman_signal_cgi',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Search mailman data directories.
|
|
+## Allow domain to search data directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -159,13 +180,12 @@ interface(`mailman_search_data',`
|
|
type mailman_data_t;
|
|
')
|
|
|
|
- files_search_spool($1)
|
|
allow $1 mailman_data_t:dir search_dir_perms;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Read mailman data content.
|
|
+## Allow domain to to read mailman data files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -178,7 +198,6 @@ interface(`mailman_read_data_files',`
|
|
type mailman_data_t;
|
|
')
|
|
|
|
- files_search_spool($1)
|
|
list_dirs_pattern($1, mailman_data_t, mailman_data_t)
|
|
read_files_pattern($1, mailman_data_t, mailman_data_t)
|
|
read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
|
|
@@ -186,8 +205,8 @@ interface(`mailman_read_data_files',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## mailman data files.
|
|
+## Allow domain to to create mailman data files
|
|
+## and write the directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -200,14 +219,13 @@ interface(`mailman_manage_data_files',`
|
|
type mailman_data_t;
|
|
')
|
|
|
|
- files_search_spool($1)
|
|
manage_dirs_pattern($1, mailman_data_t, mailman_data_t)
|
|
manage_files_pattern($1, mailman_data_t, mailman_data_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## List mailman data directories.
|
|
+## List the contents of mailman data directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -220,13 +238,12 @@ interface(`mailman_list_data',`
|
|
type mailman_data_t;
|
|
')
|
|
|
|
- files_search_spool($1)
|
|
allow $1 mailman_data_t:dir list_dir_perms;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Read mailman data symbolic links.
|
|
+## Allow read acces to mailman data symbolic links.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -244,7 +261,7 @@ interface(`mailman_read_data_symlinks',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Read mailman log files.
|
|
+## Read mailman logs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -257,13 +274,12 @@ interface(`mailman_read_log',`
|
|
type mailman_log_t;
|
|
')
|
|
|
|
- logging_search_logs($1)
|
|
read_files_pattern($1, mailman_log_t, mailman_log_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Append mailman log files.
|
|
+## Append to mailman logs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -276,14 +292,13 @@ interface(`mailman_append_log',`
|
|
type mailman_log_t;
|
|
')
|
|
|
|
- logging_search_logs($1)
|
|
append_files_pattern($1, mailman_log_t, mailman_log_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
-## mailman log content.
|
|
+## mailman logs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -296,14 +311,13 @@ interface(`mailman_manage_log',`
|
|
type mailman_log_t;
|
|
')
|
|
|
|
- logging_search_logs($1)
|
|
manage_files_pattern($1, mailman_log_t, mailman_log_t)
|
|
manage_lnk_files_pattern($1, mailman_log_t, mailman_log_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Read mailman archive content.
|
|
+## Allow domain to read mailman archive files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -316,7 +330,6 @@ interface(`mailman_read_archive',`
|
|
type mailman_archive_t;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
allow $1 mailman_archive_t:dir list_dir_perms;
|
|
read_files_pattern($1, mailman_archive_t, mailman_archive_t)
|
|
read_lnk_files_pattern($1, mailman_archive_t, mailman_archive_t)
|
|
@@ -324,8 +337,7 @@ interface(`mailman_read_archive',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Execute mailman_queue in the
|
|
-## mailman_queue domain.
|
|
+## Execute mailman_queue in the mailman_queue domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -338,6 +350,5 @@ interface(`mailman_domtrans_queue',`
|
|
type mailman_queue_exec_t, mailman_queue_t;
|
|
')
|
|
|
|
- libs_search_lib($1)
|
|
domtrans_pattern($1, mailman_queue_exec_t, mailman_queue_t)
|
|
')
|
|
diff --git a/mailman.te b/mailman.te
|
|
index ac81c7f..7041046 100644
|
|
--- a/mailman.te
|
|
+++ b/mailman.te
|
|
@@ -4,6 +4,12 @@ policy_module(mailman, 1.10.0)
|
|
#
|
|
# Declarations
|
|
#
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow mailman to access FUSE file systems
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(mailman_use_fusefs, false)
|
|
|
|
attribute mailman_domain;
|
|
|
|
@@ -50,16 +56,11 @@ manage_lnk_files_pattern(mailman_domain, mailman_data_t, mailman_data_t)
|
|
manage_files_pattern(mailman_domain, mailman_lock_t, mailman_lock_t)
|
|
files_lock_filetrans(mailman_domain, mailman_lock_t, file)
|
|
|
|
-append_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
|
|
-create_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
|
|
-setattr_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
|
|
+manage_files_pattern(mailman_domain, mailman_log_t, mailman_log_t)
|
|
logging_log_filetrans(mailman_domain, mailman_log_t, file)
|
|
|
|
kernel_read_kernel_sysctls(mailman_domain)
|
|
-kernel_read_system_state(mailman_domain)
|
|
|
|
-corenet_all_recvfrom_unlabeled(mailman_domain)
|
|
-corenet_all_recvfrom_netlabel(mailman_domain)
|
|
corenet_tcp_sendrecv_generic_if(mailman_domain)
|
|
corenet_tcp_sendrecv_generic_node(mailman_domain)
|
|
|
|
@@ -82,10 +83,6 @@ fs_getattr_all_fs(mailman_domain)
|
|
libs_exec_ld_so(mailman_domain)
|
|
libs_exec_lib_files(mailman_domain)
|
|
|
|
-logging_send_syslog_msg(mailman_domain)
|
|
-
|
|
-miscfiles_read_localization(mailman_domain)
|
|
-
|
|
########################################
|
|
#
|
|
# CGI local policy
|
|
@@ -115,20 +112,23 @@ optional_policy(`
|
|
# Mail local policy
|
|
#
|
|
|
|
-allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_tty_config };
|
|
-allow mailman_mail_t self:process { signal signull };
|
|
+allow mailman_mail_t self:capability { kill dac_override setuid setgid sys_nice sys_tty_config };
|
|
+allow mailman_mail_t self:process { setsched signal signull };
|
|
+allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
manage_files_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
|
|
manage_dirs_pattern(mailman_mail_t, mailman_var_run_t, mailman_var_run_t)
|
|
files_pid_filetrans(mailman_mail_t, mailman_var_run_t, { file dir })
|
|
|
|
+can_exec(mailman_mail_t, mailman_mail_exec_t)
|
|
+
|
|
corenet_sendrecv_innd_client_packets(mailman_mail_t)
|
|
corenet_tcp_connect_innd_port(mailman_mail_t)
|
|
corenet_tcp_sendrecv_innd_port(mailman_mail_t)
|
|
|
|
corenet_sendrecv_spamd_client_packets(mailman_mail_t)
|
|
-corenet_tcp_connect_spamd_port(mailman_mail_t)
|
|
corenet_tcp_sendrecv_spamd_port(mailman_mail_t)
|
|
+corenet_tcp_connect_spamd_port(mailman_mail_t)
|
|
|
|
dev_read_urand(mailman_mail_t)
|
|
|
|
@@ -142,6 +142,10 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ gnome_dontaudit_search_config(mailman_mail_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
cron_read_pipes(mailman_mail_t)
|
|
')
|
|
|
|
@@ -182,3 +186,9 @@ optional_policy(`
|
|
optional_policy(`
|
|
su_exec(mailman_queue_t)
|
|
')
|
|
+
|
|
+tunable_policy(`mailman_use_fusefs',`
|
|
+ fs_manage_fusefs_dirs(mailman_domain)
|
|
+ fs_manage_fusefs_files(mailman_domain)
|
|
+ fs_manage_fusefs_symlinks(mailman_domain)
|
|
+')
|
|
diff --git a/mailscanner.if b/mailscanner.if
|
|
index 214cb44..bd1d48e 100644
|
|
--- a/mailscanner.if
|
|
+++ b/mailscanner.if
|
|
@@ -2,29 +2,27 @@
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## mscan spool content.
|
|
+## Execute a domain transition to run
|
|
+## MailScanner.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mscan_manage_spool_content',`
|
|
+interface(`mailscanner_initrc_domtrans',`
|
|
gen_require(`
|
|
- type mscan_spool_t;
|
|
+ type mscan_initrc_exec_t;
|
|
')
|
|
|
|
- files_search_spool($1)
|
|
- manage_dirs_pattern($1, mscan_spool_t, mscan_spool_t)
|
|
- manage_files_pattern($1, mscan_spool_t, mscan_spool_t)
|
|
+ init_labeled_script_domtrans($1, mscan_initrc_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an mscan environment
|
|
+## All of the rules required to administrate
|
|
+## an mailscanner environment.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -38,26 +36,26 @@ interface(`mscan_manage_spool_content',`
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
-interface(`mscan_admin',`
|
|
+interface(`mailscanner_admin',`
|
|
gen_require(`
|
|
- type mscan_t, mscan_etc_t, mscan_initrc_exec_t;
|
|
- type mscan_var_run_t, mscan_spool_t;
|
|
+ type mscan_t, mscan_var_run_t, mscan_etc_t;
|
|
+ type mscan_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 mscan_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, mscan_t)
|
|
-
|
|
- init_labeled_script_domtrans($1, mscan_initrc_exec_t)
|
|
+ mailscanner_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 mscan_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_search_etc($1)
|
|
+ allow $1 mscan_t:process signal_perms;
|
|
+ ps_process_pattern($1, mscan_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 mscan_t:process ptrace;
|
|
+ ')
|
|
+
|
|
admin_pattern($1, mscan_etc_t)
|
|
+ files_list_etc($1)
|
|
|
|
- files_search_pids($1)
|
|
admin_pattern($1, mscan_var_run_t)
|
|
-
|
|
- files_search_spool($1)
|
|
- admin_pattern($1, mscan_spool_t)
|
|
+ files_list_pids($1)
|
|
')
|
|
diff --git a/mailscanner.te b/mailscanner.te
|
|
index 6b6e2e1..9889cef 100644
|
|
--- a/mailscanner.te
|
|
+++ b/mailscanner.te
|
|
@@ -34,6 +34,7 @@ allow mscan_t self:process signal;
|
|
allow mscan_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
read_files_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
|
|
+list_dirs_pattern(mscan_t, mscan_etc_t, mscan_etc_t)
|
|
|
|
manage_files_pattern(mscan_t, mscan_var_run_t, mscan_var_run_t)
|
|
files_pid_filetrans(mscan_t, mscan_var_run_t, file)
|
|
@@ -72,7 +73,6 @@ corenet_udp_sendrecv_all_ports(mscan_t)
|
|
|
|
dev_read_urand(mscan_t)
|
|
|
|
-files_read_usr_files(mscan_t)
|
|
|
|
fs_getattr_xattr_fs(mscan_t)
|
|
|
|
@@ -81,10 +81,9 @@ auth_use_nsswitch(mscan_t)
|
|
|
|
logging_send_syslog_msg(mscan_t)
|
|
|
|
-miscfiles_read_localization(mscan_t)
|
|
-
|
|
optional_policy(`
|
|
- clamav_domtrans_clamscan(mscan_t)
|
|
+ antivirus_domtrans(mscan_t)
|
|
+ antivirus_manage_pid(mscan_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -97,5 +96,6 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ spamassassin_read_home_client(mscan_t)
|
|
spamassassin_read_lib_files(mscan_t)
|
|
')
|
|
diff --git a/man2html.if b/man2html.if
|
|
index 54ec04d..fe43dea 100644
|
|
--- a/man2html.if
|
|
+++ b/man2html.if
|
|
@@ -1 +1,127 @@
|
|
## <summary>A Unix manpage-to-HTML converter.</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to httpd_man2html_script.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`httpd_man2html_script_domtrans',`
|
|
+ gen_require(`
|
|
+ type httpd_man2html_script_t, httpd_man2html_script_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, httpd_man2html_script_exec_t, httpd_man2html_script_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search httpd_man2html_script cache directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`httpd_man2html_script_search_cache',`
|
|
+ gen_require(`
|
|
+ type httpd_man2html_script_cache_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 httpd_man2html_script_cache_t:dir search_dir_perms;
|
|
+ files_search_var($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read httpd_man2html_script cache files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`httpd_man2html_script_read_cache_files',`
|
|
+ gen_require(`
|
|
+ type httpd_man2html_script_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ read_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## httpd_man2html_script cache files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`httpd_man2html_script_manage_cache_files',`
|
|
+ gen_require(`
|
|
+ type httpd_man2html_script_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ manage_files_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage httpd_man2html_script cache dirs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`httpd_man2html_script_manage_cache_dirs',`
|
|
+ gen_require(`
|
|
+ type httpd_man2html_script_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ manage_dirs_pattern($1, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an httpd_man2html_script environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`httpd_man2html_script_admin',`
|
|
+ gen_require(`
|
|
+ type httpd_man2html_script_t;
|
|
+ type httpd_man2html_script_cache_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 httpd_man2html_script_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, httpd_man2html_script_t)
|
|
+
|
|
+ files_search_var($1)
|
|
+ admin_pattern($1, httpd_man2html_script_cache_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+')
|
|
diff --git a/man2html.te b/man2html.te
|
|
index e08c55d..9e634bd 100644
|
|
--- a/man2html.te
|
|
+++ b/man2html.te
|
|
@@ -5,22 +5,24 @@ policy_module(man2html, 1.0.0)
|
|
# Declarations
|
|
#
|
|
|
|
-apache_content_template(man2html)
|
|
|
|
type httpd_man2html_script_cache_t;
|
|
files_type(httpd_man2html_script_cache_t)
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# httpd_man2html_script local policy
|
|
#
|
|
|
|
-manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
|
|
-manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
|
|
-manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
|
|
-files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, dir)
|
|
+optional_policy(`
|
|
|
|
-files_read_etc_files(httpd_man2html_script_t)
|
|
+ apache_content_template(man2html)
|
|
|
|
-miscfiles_read_localization(httpd_man2html_script_t)
|
|
-miscfiles_read_man_pages(httpd_man2html_script_t)
|
|
+ allow httpd_man2html_script_t self:process { fork };
|
|
+
|
|
+ manage_dirs_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
|
|
+ manage_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
|
|
+ manage_lnk_files_pattern(httpd_man2html_script_t, httpd_man2html_script_cache_t, httpd_man2html_script_cache_t)
|
|
+ files_var_filetrans(httpd_man2html_script_t, httpd_man2html_script_cache_t, { dir file })
|
|
+
|
|
+')
|
|
diff --git a/mandb.fc b/mandb.fc
|
|
index 8ae78b5..16e55cd 100644
|
|
--- a/mandb.fc
|
|
+++ b/mandb.fc
|
|
@@ -1 +1,11 @@
|
|
+HOME_DIR/\.manpath -- gen_context(system_u:object_r:mandb_home_t,s0)
|
|
+
|
|
/etc/cron\.(daily|weekly)/man-db.* -- gen_context(system_u:object_r:mandb_exec_t,s0)
|
|
+
|
|
+/usr/bin/mandb -- gen_context(system_u:object_r:mandb_exec_t,s0)
|
|
+
|
|
+/var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0)
|
|
+/opt/local/share/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0)
|
|
+
|
|
+/var/lock/man-db\.lock -- gen_context(system_u:object_r:mandb_lock_t,s0)
|
|
+
|
|
diff --git a/mandb.if b/mandb.if
|
|
index 327f3f7..4f61561 100644
|
|
--- a/mandb.if
|
|
+++ b/mandb.if
|
|
@@ -1,14 +1,14 @@
|
|
-## <summary>On-line manual database.</summary>
|
|
+
|
|
+## <summary>policy for mandb</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute the mandb program in
|
|
-## the mandb domain.
|
|
+## Transition to mandb.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed to transition.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mandb_domtrans',`
|
|
@@ -22,33 +22,45 @@ interface(`mandb_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute mandb in the mandb
|
|
-## domain, and allow the specified
|
|
-## role the mandb domain.
|
|
+## Search mandb cache directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+#
|
|
+interface(`mandb_search_cache',`
|
|
+ gen_require(`
|
|
+ type mandb_cache_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 mandb_cache_t:dir search_dir_perms;
|
|
+ files_search_var($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read mandb cache files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mandb_run',`
|
|
+interface(`mandb_read_cache_files',`
|
|
gen_require(`
|
|
- attribute_role mandb_roles;
|
|
+ type mandb_cache_t;
|
|
')
|
|
|
|
- lightsquid_domtrans($1)
|
|
- roleattribute $2 mandb_roles;
|
|
+ files_search_var($1)
|
|
+ read_files_pattern($1, mandb_cache_t, mandb_cache_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Search mandb cache directories.
|
|
+## Relabel mandb cache files/directories
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -56,13 +68,18 @@ interface(`mandb_run',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mandb_search_cache',`
|
|
- refpolicywarn(`$0($*) has been deprecated')
|
|
+interface(`mandb_relabel_cache',`
|
|
+ gen_require(`
|
|
+ type mandb_cache_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 mandb_cache_t:dir relabel_dir_perms;
|
|
+ allow $1 mandb_cache_t:file relabel_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Delete mandb cache content.
|
|
+## Set attributes on mandb cache files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -70,13 +87,18 @@ interface(`mandb_search_cache',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mandb_delete_cache_content',`
|
|
- refpolicywarn(`$0($*) has been deprecated')
|
|
+interface(`mandb_setattr_cache_dirs',`
|
|
+ gen_require(`
|
|
+ type mandb_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ allow $1 mandb_cache_t:dir setattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read mandb cache content.
|
|
+## Delete mandb cache files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -84,8 +106,16 @@ interface(`mandb_delete_cache_content',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mandb_read_cache_content',`
|
|
- refpolicywarn(`$0($*) has been deprecated')
|
|
+interface(`mandb_delete_cache',`
|
|
+ gen_require(`
|
|
+ type mandb_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ allow $1 mandb_cache_t:dir list_dir_perms;
|
|
+ delete_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
|
|
+ delete_files_pattern($1, mandb_cache_t, mandb_cache_t)
|
|
+ delete_lnk_files_pattern($1, mandb_cache_t, mandb_cache_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -99,37 +129,82 @@ interface(`mandb_read_cache_content',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mandb_manage_cache_content',`
|
|
- refpolicywarn(`$0($*) has been deprecated')
|
|
+interface(`mandb_manage_cache_files',`
|
|
+ gen_require(`
|
|
+ type mandb_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ manage_files_pattern($1, mandb_cache_t, mandb_cache_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage mandb cache dirs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mandb_manage_cache_dirs',`
|
|
+ gen_require(`
|
|
+ type mandb_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ manage_dirs_pattern($1, mandb_cache_t, mandb_cache_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an mandb environment.
|
|
+## Create configuration files in user
|
|
+## home directories with a named file
|
|
+## type transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+#
|
|
+interface(`mandb_filetrans_named_home_content',`
|
|
+ gen_require(`
|
|
+ type mandb_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_user_home_dir_filetrans($1, mandb_home_t, file, ".manpath")
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an mandb environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
interface(`mandb_admin',`
|
|
gen_require(`
|
|
- type mandb_t, mandb_cache_t;
|
|
+ type mandb_t;
|
|
+ type mandb_cache_t, mandb_lock_t;
|
|
')
|
|
|
|
allow $1 mandb_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, mandb_t)
|
|
|
|
- mandb_run($1, $2)
|
|
+ files_search_var($1)
|
|
+ admin_pattern($1, mandb_cache_t)
|
|
+
|
|
+ files_search_locks($1)
|
|
+ admin_pattern($1, mandb_lock_t)
|
|
|
|
- # pending
|
|
- # miscfiles_manage_man_cache_content(mandb_t)
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
')
|
|
diff --git a/mandb.te b/mandb.te
|
|
index e6136fd..f5203f5 100644
|
|
--- a/mandb.te
|
|
+++ b/mandb.te
|
|
@@ -10,9 +10,18 @@ roleattribute system_r mandb_roles;
|
|
|
|
type mandb_t;
|
|
type mandb_exec_t;
|
|
-application_domain(mandb_t, mandb_exec_t)
|
|
+init_daemon_domain(mandb_t, mandb_exec_t)
|
|
role mandb_roles types mandb_t;
|
|
|
|
+type mandb_cache_t;
|
|
+files_type(mandb_cache_t)
|
|
+
|
|
+type mandb_home_t;
|
|
+userdom_user_home_content(mandb_home_t)
|
|
+
|
|
+type mandb_lock_t;
|
|
+files_lock_file(mandb_lock_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -23,6 +32,18 @@ allow mandb_t self:process { setsched signal };
|
|
allow mandb_t self:fifo_file rw_fifo_file_perms;
|
|
allow mandb_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
+manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
|
|
+manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
|
|
+manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t)
|
|
+files_var_filetrans(mandb_t, mandb_cache_t, { dir file lnk_file })
|
|
+can_exec(mandb_t, mandb_exec_t)
|
|
+
|
|
+userdom_search_user_home_dirs(mandb_t)
|
|
+allow mandb_t mandb_home_t:file read_file_perms;
|
|
+
|
|
+allow mandb_t mandb_lock_t:file manage_file_perms;
|
|
+files_lock_filetrans(mandb_t, mandb_lock_t, file)
|
|
+
|
|
kernel_read_kernel_sysctls(mandb_t)
|
|
kernel_read_system_state(mandb_t)
|
|
|
|
@@ -33,11 +54,11 @@ dev_search_sysfs(mandb_t)
|
|
|
|
domain_use_interactive_fds(mandb_t)
|
|
|
|
-files_read_etc_files(mandb_t)
|
|
+files_search_locks(mandb_t)
|
|
|
|
miscfiles_manage_man_cache(mandb_t)
|
|
+miscfiles_setattr_man_pages(mandb_t)
|
|
miscfiles_read_man_pages(mandb_t)
|
|
-miscfiles_read_localization(mandb_t)
|
|
|
|
ifdef(`distro_debian',`
|
|
optional_policy(`
|
|
diff --git a/mcelog.te b/mcelog.te
|
|
index 59b3b3d..064c4fd 100644
|
|
--- a/mcelog.te
|
|
+++ b/mcelog.te
|
|
@@ -36,13 +36,6 @@ gen_tunable(mcelog_foreground, false)
|
|
## </desc>
|
|
gen_tunable(mcelog_server, false)
|
|
|
|
-## <desc>
|
|
-## <p>
|
|
-## Determine whether mcelog can use syslog.
|
|
-## </p>
|
|
-## </desc>
|
|
-gen_tunable(mcelog_syslog, false)
|
|
-
|
|
type mcelog_t;
|
|
type mcelog_exec_t;
|
|
init_daemon_domain(mcelog_t, mcelog_exec_t)
|
|
@@ -84,17 +77,20 @@ files_pid_filetrans(mcelog_t, mcelog_var_run_t, { dir file sock_file })
|
|
|
|
kernel_read_system_state(mcelog_t)
|
|
|
|
+corecmd_exec_shell(mcelog_t)
|
|
+corecmd_exec_bin(mcelog_t)
|
|
+
|
|
dev_read_raw_memory(mcelog_t)
|
|
dev_read_kmsg(mcelog_t)
|
|
dev_rw_sysfs(mcelog_t)
|
|
|
|
-files_read_etc_files(mcelog_t)
|
|
-
|
|
mls_file_read_all_levels(mcelog_t)
|
|
|
|
+auth_use_nsswitch(mcelog_t)
|
|
+
|
|
locallogin_use_fds(mcelog_t)
|
|
|
|
-miscfiles_read_localization(mcelog_t)
|
|
+logging_send_syslog_msg(mcelog_t)
|
|
|
|
tunable_policy(`mcelog_client',`
|
|
allow mcelog_t self:unix_stream_socket connectto;
|
|
@@ -114,9 +110,6 @@ tunable_policy(`mcelog_server',`
|
|
allow mcelog_t self:unix_stream_socket { listen accept };
|
|
')
|
|
|
|
-tunable_policy(`mcelog_syslog',`
|
|
- logging_send_syslog_msg(mcelog_t)
|
|
-')
|
|
|
|
optional_policy(`
|
|
cron_system_entry(mcelog_t, mcelog_exec_t)
|
|
diff --git a/mcollective.fc b/mcollective.fc
|
|
new file mode 100644
|
|
index 0000000..821bf88
|
|
--- /dev/null
|
|
+++ b/mcollective.fc
|
|
@@ -0,0 +1,3 @@
|
|
+/etc/mcollective/facts\.yaml -- gen_context(system_u:object_r:mcollective_etc_rw_t,s0)
|
|
+
|
|
+/usr/libexec/mcollective/update_yaml\.rb -- gen_context(system_u:object_r:mcollective_exec_t,s0)
|
|
diff --git a/mcollective.if b/mcollective.if
|
|
new file mode 100644
|
|
index 0000000..3f433f1
|
|
--- /dev/null
|
|
+++ b/mcollective.if
|
|
@@ -0,0 +1,109 @@
|
|
+
|
|
+## <summary>policy for mcollective</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute TEMPLATE in the mcollective domin.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mcollective_domtrans',`
|
|
+ gen_require(`
|
|
+ type mcollective_t, mcollective_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, mcollective_exec_t, mcollective_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search mcollective conf directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mcollective_search_conf',`
|
|
+ gen_require(`
|
|
+ type mcollective_etc_rw_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 mcollective_etc_rw_t:dir search_dir_perms;
|
|
+ files_search_etc($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read mcollective conf files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mcollective_read_conf_files',`
|
|
+ gen_require(`
|
|
+ type mcollective_etc_rw_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 mcollective_etc_rw_t:dir list_dir_perms;
|
|
+ read_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t)
|
|
+ files_search_etc($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage mcollective conf files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mcollective_manage_conf_files',`
|
|
+ gen_require(`
|
|
+ type mcollective_etc_rw_t;
|
|
+ ')
|
|
+
|
|
+ manage_files_pattern($1, mcollective_etc_rw_t, mcollective_etc_rw_t)
|
|
+ files_search_etc($1)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an mcollective environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mcollective_admin',`
|
|
+ gen_require(`
|
|
+ type mcollective_t;
|
|
+ type mcollective_etc_rw_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 mcollective_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, mcollective_t)
|
|
+
|
|
+ files_search_etc($1)
|
|
+ admin_pattern($1, mcollective_etc_rw_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+')
|
|
diff --git a/mcollective.te b/mcollective.te
|
|
new file mode 100644
|
|
index 0000000..a04dd6b
|
|
--- /dev/null
|
|
+++ b/mcollective.te
|
|
@@ -0,0 +1,29 @@
|
|
+policy_module(mcollective, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type mcollective_t;
|
|
+type mcollective_exec_t;
|
|
+init_daemon_domain(mcollective_t, mcollective_exec_t)
|
|
+cron_system_entry(mcollective_t, mcollective_exec_t)
|
|
+
|
|
+permissive mcollective_t;
|
|
+
|
|
+type mcollective_etc_rw_t;
|
|
+files_type(mcollective_etc_rw_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# mcollective local policy
|
|
+#
|
|
+allow mcollective_t self:fifo_file rw_fifo_file_perms;
|
|
+allow mcollective_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+manage_files_pattern(mcollective_t, mcollective_etc_rw_t, mcollective_etc_rw_t)
|
|
+files_etc_filetrans(mcollective_t, mcollective_etc_rw_t, file, "facts.yaml")
|
|
+
|
|
+domain_use_interactive_fds(mcollective_t)
|
|
+
|
|
diff --git a/mediawiki.if b/mediawiki.if
|
|
index 9771b4b..1c1d012 100644
|
|
--- a/mediawiki.if
|
|
+++ b/mediawiki.if
|
|
@@ -1 +1,40 @@
|
|
-## <summary>Open source wiki package written in PHP.</summary>
|
|
+## <summary>Mediawiki policy</summary>
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow the specified domain to read
|
|
+## mediawiki tmp files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mediawiki_read_tmp_files',`
|
|
+ gen_require(`
|
|
+ type httpd_mediawiki_tmp_t;
|
|
+ ')
|
|
+
|
|
+ files_search_tmp($1)
|
|
+ read_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
|
|
+ read_lnk_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Delete mediawiki tmp files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mediawiki_delete_tmp_files',`
|
|
+ gen_require(`
|
|
+ type httpd_mediawiki_tmp_t;
|
|
+ ')
|
|
+
|
|
+ delete_files_pattern($1, httpd_mediawiki_tmp_t, httpd_mediawiki_tmp_t)
|
|
+')
|
|
diff --git a/mediawiki.te b/mediawiki.te
|
|
index c528b9f..212712c 100644
|
|
--- a/mediawiki.te
|
|
+++ b/mediawiki.te
|
|
@@ -5,13 +5,16 @@ policy_module(mediawiki, 1.0.0)
|
|
# Declarations
|
|
#
|
|
|
|
-apache_content_template(mediawiki)
|
|
+optional_policy(`
|
|
+
|
|
+ apache_content_template(mediawiki)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
-files_search_var_lib(httpd_mediawiki_script_t)
|
|
+ files_search_var_lib(httpd_mediawiki_script_t)
|
|
|
|
-miscfiles_read_tetex_data(httpd_mediawiki_script_t)
|
|
+ miscfiles_read_tetex_data(httpd_mediawiki_script_t)
|
|
+')
|
|
diff --git a/memcached.if b/memcached.if
|
|
index 1d4eb19..650014e 100644
|
|
--- a/memcached.if
|
|
+++ b/memcached.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>High-performance memory object caching system.</summary>
|
|
+## <summary>high-performance memory object caching system</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -12,17 +12,16 @@
|
|
#
|
|
interface(`memcached_domtrans',`
|
|
gen_require(`
|
|
- type memcached_t,memcached_exec_t;
|
|
+ type memcached_t;
|
|
+ type memcached_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, memcached_exec_t, memcached_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## memcached pid files.
|
|
+## Read memcached PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -30,18 +29,18 @@ interface(`memcached_domtrans',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`memcached_manage_pid_files',`
|
|
+interface(`memcached_read_pid_files',`
|
|
gen_require(`
|
|
type memcached_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
- manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
|
|
+ allow $1 memcached_var_run_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read memcached pid files.
|
|
+## Manage memcached PID files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -49,19 +48,18 @@ interface(`memcached_manage_pid_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`memcached_read_pid_files',`
|
|
+interface(`memcached_manage_pid_files',`
|
|
gen_require(`
|
|
type memcached_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
- allow $1 memcached_var_run_t:file read_file_perms;
|
|
+ manage_files_pattern($1, memcached_var_run_t, memcached_var_run_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to memcached using a unix
|
|
-## domain stream socket.
|
|
+## Connect to memcached over a unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -80,29 +78,8 @@ interface(`memcached_stream_connect',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to memcache over the network.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`memcached_tcp_connect',`
|
|
- gen_require(`
|
|
- type memcached_t;
|
|
- ')
|
|
-
|
|
- corenet_sendrecv_memcache_client_packets($1)
|
|
- corenet_tcp_connect_memcache_port($1)
|
|
- corenet_tcp_recvfrom_labeled($1, memcached_t)
|
|
- corenet_tcp_sendrecv_memcache_port($1)
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an memcached environment.
|
|
+## All of the rules required to administrate
|
|
+## an memcached environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -111,7 +88,7 @@ interface(`memcached_tcp_connect',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the memcached domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
@@ -121,14 +98,17 @@ interface(`memcached_admin',`
|
|
type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;
|
|
')
|
|
|
|
- allow $1 memcached_t:process { ptrace signal_perms };
|
|
+ allow $1 memcached_t:process signal_perms;
|
|
ps_process_pattern($1, memcached_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 memcached_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, memcached_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 memcached_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_search_pids($1)
|
|
+ files_list_pids($1)
|
|
admin_pattern($1, memcached_var_run_t)
|
|
')
|
|
diff --git a/memcached.te b/memcached.te
|
|
index 29b7521..68ec663 100644
|
|
--- a/memcached.te
|
|
+++ b/memcached.te
|
|
@@ -20,7 +20,7 @@ files_pid_file(memcached_var_run_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow memcached_t self:capability { setuid setgid };
|
|
+allow memcached_t self:capability { setuid setgid sys_resource };
|
|
dontaudit memcached_t self:capability sys_tty_config;
|
|
allow memcached_t self:process { setrlimit signal_perms };
|
|
allow memcached_t self:tcp_socket { accept listen };
|
|
@@ -59,4 +59,3 @@ term_dontaudit_use_console(memcached_t)
|
|
|
|
auth_use_nsswitch(memcached_t)
|
|
|
|
-miscfiles_read_localization(memcached_t)
|
|
diff --git a/milter.fc b/milter.fc
|
|
index 89409eb..67e42f6 100644
|
|
--- a/milter.fc
|
|
+++ b/milter.fc
|
|
@@ -1,18 +1,29 @@
|
|
+/etc/mail/dkim-milter/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
|
|
+
|
|
+/usr/sbin/dkim-filter -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
|
|
+/usr/sbin/opendkim -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
|
|
+/usr/sbin/opendmarc -- gen_context(system_u:object_r:dkim_milter_exec_t,s0)
|
|
/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
|
|
-/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
|
|
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
|
|
+/usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
|
|
+/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
|
|
/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
|
|
|
|
-/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
|
|
-/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
|
|
-/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
|
|
+/var/lib/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
|
|
+/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
|
|
+/var/lib/sqlgrey(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
|
|
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
|
|
|
|
-/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
|
|
+/var/run/dkim-milter(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
|
|
+/var/run/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
|
|
+/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
|
|
/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
|
|
-/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
|
-/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
|
|
-/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
|
+/var/run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
|
+/var/run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
|
|
+/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
|
/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
|
+/var/run/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
|
|
|
|
-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
|
|
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
|
|
/var/spool/postfix/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
|
|
+/var/spool/opendkim(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
|
|
+/var/spool/opendmarc(/.*)? gen_context(system_u:object_r:dkim_milter_data_t,s0)
|
|
diff --git a/milter.if b/milter.if
|
|
index cba62db..562833a 100644
|
|
--- a/milter.if
|
|
+++ b/milter.if
|
|
@@ -1,47 +1,43 @@
|
|
-## <summary>Milter mail filters.</summary>
|
|
+## <summary>Milter mail filters</summary>
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## The template to define a milter domain.
|
|
+## Create a set of derived types for various
|
|
+## mail filter applications using the milter interface.
|
|
## </summary>
|
|
-## <param name="domain_prefix">
|
|
+## <param name="milter_name">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## The name to be used for deriving type names.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`milter_template',`
|
|
+ # attributes common to all milters
|
|
gen_require(`
|
|
attribute milter_data_type, milter_domains;
|
|
')
|
|
|
|
- ########################################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
-
|
|
type $1_milter_t, milter_domains;
|
|
type $1_milter_exec_t;
|
|
init_daemon_domain($1_milter_t, $1_milter_exec_t)
|
|
+ role system_r types $1_milter_t;
|
|
|
|
+ # Type for the milter data (e.g. the socket used to communicate with the MTA)
|
|
type $1_milter_data_t, milter_data_type;
|
|
files_pid_file($1_milter_data_t)
|
|
|
|
- ########################################
|
|
- #
|
|
- # Policy
|
|
- #
|
|
+ # Allow communication with MTA over a unix-domain socket
|
|
+ manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
|
|
|
|
+ # Create other data files and directories in the data directory
|
|
manage_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
|
|
- manage_sock_files_pattern($1_milter_t, $1_milter_data_t, $1_milter_data_t)
|
|
|
|
- auth_use_nsswitch($1_milter_t)
|
|
+ logging_send_syslog_msg($1_milter_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## connect to all milter domains using
|
|
-## a unix domain stream socket.
|
|
+## MTA communication with milter sockets
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -55,12 +51,13 @@ interface(`milter_stream_connect_all',`
|
|
')
|
|
|
|
files_search_pids($1)
|
|
+ getattr_dirs_pattern($1, milter_data_type, milter_data_type)
|
|
stream_connect_pattern($1, milter_data_type, milter_data_type, milter_domains)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Get attributes of all milter sock files.
|
|
+## Allow getattr of milter sockets
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -73,13 +70,31 @@ interface(`milter_getattr_all_sockets',`
|
|
attribute milter_data_type;
|
|
')
|
|
|
|
+ getattr_dirs_pattern($1, milter_data_type, milter_data_type)
|
|
getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## spamassissin milter data content.
|
|
+## Allow setattr of milter dirs
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`milter_setattr_all_dirs',`
|
|
+ gen_require(`
|
|
+ attribute milter_data_type;
|
|
+ ')
|
|
+
|
|
+ setattr_dirs_pattern($1, milter_data_type, milter_data_type)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage spamassassin milter state
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -97,3 +112,22 @@ interface(`milter_manage_spamass_state',`
|
|
manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
|
|
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
|
|
')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Delete dkim-milter PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`milter_delete_dkim_pid_files',`
|
|
+ gen_require(`
|
|
+ type dkim_milter_data_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ delete_files_pattern($1, dkim_milter_data_t, dkim_milter_data_t)
|
|
+')
|
|
diff --git a/milter.te b/milter.te
|
|
index 4dc99f4..4385417 100644
|
|
--- a/milter.te
|
|
+++ b/milter.te
|
|
@@ -5,73 +5,106 @@ policy_module(milter, 1.5.0)
|
|
# Declarations
|
|
#
|
|
|
|
+# attributes common to all milters
|
|
attribute milter_domains;
|
|
attribute milter_data_type;
|
|
|
|
+# support for dkim-milter - domainKeys Identified Mail sender authentication sendmail milter
|
|
+milter_template(dkim)
|
|
+
|
|
+# type for the private key of dkim-milter
|
|
+type dkim_milter_private_key_t;
|
|
+files_type(dkim_milter_private_key_t)
|
|
+
|
|
+# currently-supported milters are milter-greylist, milter-regex and spamass-milter
|
|
milter_template(greylist)
|
|
milter_template(regex)
|
|
milter_template(spamass)
|
|
|
|
+# Type for the spamass-milter home directory, under which spamassassin will
|
|
+# store system-wide preferences, bayes databases etc. if not configured to
|
|
+# use per-user configuration
|
|
type spamass_milter_state_t;
|
|
files_type(spamass_milter_state_t)
|
|
|
|
+
|
|
#######################################
|
|
#
|
|
-# Common local policy
|
|
+# milter domains local policy
|
|
#
|
|
|
|
+# Allow communication with MTA over a unix-domain socket
|
|
+# Note: usage with TCP sockets requires additional policy
|
|
+
|
|
allow milter_domains self:fifo_file rw_fifo_file_perms;
|
|
-allow milter_domains self:tcp_socket { accept listen };
|
|
+
|
|
+# Allow communication with MTA over a TCP socket
|
|
+allow milter_domains self:tcp_socket create_stream_socket_perms;
|
|
|
|
kernel_dontaudit_read_system_state(milter_domains)
|
|
|
|
-corenet_all_recvfrom_unlabeled(milter_domains)
|
|
-corenet_all_recvfrom_netlabel(milter_domains)
|
|
-corenet_tcp_sendrecv_generic_if(milter_domains)
|
|
-corenet_tcp_sendrecv_generic_node(milter_domains)
|
|
corenet_tcp_bind_generic_node(milter_domains)
|
|
-
|
|
corenet_tcp_bind_milter_port(milter_domains)
|
|
-corenet_tcp_sendrecv_all_ports(milter_domains)
|
|
|
|
-miscfiles_read_localization(milter_domains)
|
|
+dev_read_rand(milter_domains)
|
|
+dev_read_urand(milter_domains)
|
|
+
|
|
+mta_read_config(milter_domains)
|
|
+
|
|
+sysnet_read_config(greylist_milter_t)
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# dkim-milter local policy
|
|
+#
|
|
+
|
|
+allow dkim_milter_t self:capability { kill setgid setuid };
|
|
+allow dkim_milter_t self:process signal;
|
|
+allow dkim_milter_t self:tcp_socket create_stream_socket_perms;
|
|
+allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
-logging_send_syslog_msg(milter_domains)
|
|
+read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
|
|
+
|
|
+kernel_read_kernel_sysctls(dkim_milter_t)
|
|
+
|
|
+auth_use_nsswitch(dkim_milter_t)
|
|
+
|
|
+sysnet_dns_name_resolve(dkim_milter_t)
|
|
|
|
########################################
|
|
#
|
|
-# greylist local policy
|
|
+# milter-greylist local policy
|
|
+# ensure smtp clients retry mail like real MTAs and not spamware
|
|
+# http://hcpnet.free.fr/milter-greylist/
|
|
#
|
|
|
|
+# It removes any existing socket (not owned by root) whilst running as root,
|
|
+# fixes permissions, renices itself and then calls setgid() and setuid() to
|
|
+# drop privileges
|
|
allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
|
|
allow greylist_milter_t self:process { setsched getsched };
|
|
|
|
+allow greylist_milter_t self:tcp_socket create_stream_socket_perms;
|
|
+
|
|
+# It creates a pid file /var/run/milter-greylist.pid
|
|
files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
|
|
|
|
kernel_read_kernel_sysctls(greylist_milter_t)
|
|
|
|
-corenet_sendrecv_movaz_ssc_server_packets(greylist_milter_t)
|
|
-corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
|
|
-corenet_sendrecv_movaz_ssc_client_packets(greylist_milter_t)
|
|
-corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
|
|
-corenet_tcp_sendrecv_movaz_ssc_port(greylist_milter_t)
|
|
-
|
|
-corenet_sendrecv_kismet_server_packets(greylist_milter_t)
|
|
-corenet_tcp_bind_kismet_port(greylist_milter_t)
|
|
-corenet_tcp_sendrecv_kismet_port(greylist_milter_t)
|
|
-
|
|
corecmd_exec_bin(greylist_milter_t)
|
|
corecmd_exec_shell(greylist_milter_t)
|
|
|
|
-dev_read_rand(greylist_milter_t)
|
|
-dev_read_urand(greylist_milter_t)
|
|
+corenet_tcp_bind_movaz_ssc_port(greylist_milter_t)
|
|
+corenet_tcp_connect_movaz_ssc_port(greylist_milter_t)
|
|
+corenet_tcp_bind_rtsclient_port(greylist_milter_t)
|
|
|
|
-files_read_usr_files(greylist_milter_t)
|
|
+# perl getgroups() reads a bunch of files in /etc
|
|
+# Allow the milter to read a GeoIP database in /usr/share
|
|
+# The milter runs from /var/lib/milter-greylist and maintains files there
|
|
files_search_var_lib(greylist_milter_t)
|
|
|
|
-mta_read_config(greylist_milter_t)
|
|
-
|
|
-miscfiles_read_localization(greylist_milter_t)
|
|
+# Look up username for dropping privs
|
|
+auth_use_nsswitch(greylist_milter_t)
|
|
|
|
optional_policy(`
|
|
mysql_stream_connect(greylist_milter_t)
|
|
@@ -79,30 +112,45 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# regex local policy
|
|
+# milter-regex local policy
|
|
+# filter emails using regular expressions
|
|
+# http://www.benzedrine.cx/milter-regex.html
|
|
#
|
|
|
|
+# It removes any existing socket (not owned by root) whilst running as root
|
|
+# and then calls setgid() and setuid() to drop privileges
|
|
allow regex_milter_t self:capability { setuid setgid dac_override };
|
|
|
|
+# The milter's socket directory lives under /var/spool
|
|
files_search_spool(regex_milter_t)
|
|
|
|
-mta_read_config(regex_milter_t)
|
|
+# Look up username for dropping privs
|
|
+auth_use_nsswitch(regex_milter_t)
|
|
|
|
########################################
|
|
#
|
|
-# spamass local policy
|
|
+# spamass-milter local policy
|
|
+# pipe emails through SpamAssassin
|
|
+# http://savannah.nongnu.org/projects/spamass-milt/
|
|
#
|
|
|
|
+# The milter runs from /var/lib/spamass-milter
|
|
allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
|
|
+files_search_var_lib(spamass_milter_t)
|
|
|
|
kernel_read_system_state(spamass_milter_t)
|
|
|
|
+# When used with -b or -B options, the milter invokes sendmail to send mail
|
|
+# to a spamtrap address, using popen()
|
|
corecmd_exec_shell(spamass_milter_t)
|
|
+corecmd_read_bin_symlinks(spamass_milter_t)
|
|
+corecmd_search_bin(spamass_milter_t)
|
|
|
|
-files_search_var_lib(spamass_milter_t)
|
|
+auth_use_nsswitch(spamass_milter_t)
|
|
|
|
mta_send_mail(spamass_milter_t)
|
|
|
|
+# The main job of the milter is to pipe spam through spamc and act on the result
|
|
optional_policy(`
|
|
spamassassin_domtrans_client(spamass_milter_t)
|
|
')
|
|
diff --git a/minissdpd.if b/minissdpd.if
|
|
index b330161..5450937 100644
|
|
--- a/minissdpd.if
|
|
+++ b/minissdpd.if
|
|
@@ -39,10 +39,10 @@ interface(`minissdpd_read_config',`
|
|
interface(`minissdpd_admin',`
|
|
gen_require(`
|
|
type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t;
|
|
- type minissdpd_var_run_t
|
|
+ type minissdpd_var_run_t;
|
|
')
|
|
|
|
- allow $1 minissdpd_t:process { ptrace signal_perms };
|
|
+ allow $1 minissdpd_t:process { signal_perms };
|
|
ps_process_pattern($1, minissdpd_t)
|
|
|
|
init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
|
|
diff --git a/mock.fc b/mock.fc
|
|
new file mode 100644
|
|
index 0000000..8d0e473
|
|
--- /dev/null
|
|
+++ b/mock.fc
|
|
@@ -0,0 +1,5 @@
|
|
+
|
|
+/usr/sbin/mock -- gen_context(system_u:object_r:mock_exec_t,s0)
|
|
+
|
|
+/var/lib/mock(/.*)? gen_context(system_u:object_r:mock_var_lib_t,s0)
|
|
+/var/cache/mock(/.*)? gen_context(system_u:object_r:mock_cache_t,s0)
|
|
diff --git a/mock.if b/mock.if
|
|
new file mode 100644
|
|
index 0000000..6568bfe
|
|
--- /dev/null
|
|
+++ b/mock.if
|
|
@@ -0,0 +1,310 @@
|
|
+## <summary>policy for mock</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute a domain transition to run mock.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mock_domtrans',`
|
|
+ gen_require(`
|
|
+ type mock_t, mock_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, mock_exec_t, mock_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search mock lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mock_search_lib',`
|
|
+ gen_require(`
|
|
+ type mock_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 mock_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read mock lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mock_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type mock_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Getattr on mock lib file,dir,sock_file ...
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mock_getattr_lib',`
|
|
+ gen_require(`
|
|
+ type mock_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 mock_var_lib_t:dir_file_class_set getattr;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## mock lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mock_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type mock_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage mock lib dirs files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mock_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type mock_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, mock_var_lib_t, mock_var_lib_t)
|
|
+')
|
|
+
|
|
+#########################################
|
|
+## <summary>
|
|
+## Manage mock lib symlinks.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mock_manage_lib_symlinks',`
|
|
+ gen_require(`
|
|
+ type mock_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_lnk_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage mock lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mock_manage_lib_chr_files',`
|
|
+ gen_require(`
|
|
+ type mock_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_chr_files_pattern($1, mock_var_lib_t, mock_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage mock lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mock_dontaudit_write_lib_chr_files',`
|
|
+ gen_require(`
|
|
+ type mock_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 mock_var_lib_t:chr_file write;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Dontaudit read and write an leaked file descriptors
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mock_dontaudit_leaks',`
|
|
+ gen_require(`
|
|
+ type mock_tmp_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 mock_tmp_t:file rw_inherited_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute mock in the mock domain, and
|
|
+## allow the specified role the mock domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed the mock domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`mock_run',`
|
|
+ gen_require(`
|
|
+ type mock_t;
|
|
+ type mock_build_t;
|
|
+ ')
|
|
+
|
|
+ mock_domtrans($1)
|
|
+ role $2 types mock_t;
|
|
+ role $2 types mock_build_t;
|
|
+
|
|
+ mount_run(mock_t, $2)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Role access for mock
|
|
+## </summary>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## User domain for the role
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`mock_role',`
|
|
+ gen_require(`
|
|
+ type mock_t;
|
|
+ ')
|
|
+
|
|
+ role $1 types mock_t;
|
|
+
|
|
+ mock_run($2, $1)
|
|
+
|
|
+ ps_process_pattern($2, mock_t)
|
|
+ allow $2 mock_t:process signal_perms;
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 mock_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ optional_policy(`
|
|
+ mock_read_lib_files($2)
|
|
+ ')
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Send a generic signal to mock.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mock_signal',`
|
|
+ gen_require(`
|
|
+ type mock_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 mock_t:process signal;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an mock environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mock_admin',`
|
|
+ gen_require(`
|
|
+ type mock_t, mock_var_lib_t;
|
|
+ type mock_build_t, mock_etc_t, mock_tmp_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 mock_t:process signal_perms;
|
|
+ ps_process_pattern($1, mock_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 mock_t:process ptrace;
|
|
+ allow $1 mock_build_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ allow $1 mock_build_t:process signal_perms;
|
|
+ ps_process_pattern($1, mock_build_t)
|
|
+
|
|
+ files_list_var_lib($1)
|
|
+ admin_pattern($1, mock_var_lib_t)
|
|
+
|
|
+ files_list_tmp($1)
|
|
+ admin_pattern($1, mock_tmp_t)
|
|
+
|
|
+ files_search_etc($1)
|
|
+ admin_pattern($1, mock_etc_t)
|
|
+')
|
|
diff --git a/mock.te b/mock.te
|
|
new file mode 100644
|
|
index 0000000..7245033
|
|
--- /dev/null
|
|
+++ b/mock.te
|
|
@@ -0,0 +1,273 @@
|
|
+policy_module(mock,1.0.0)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow mock to read files in home directories.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(mock_enable_homedirs, false)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type mock_t;
|
|
+type mock_exec_t;
|
|
+application_domain(mock_t, mock_exec_t)
|
|
+domain_role_change_exemption(mock_t)
|
|
+domain_system_change_exemption(mock_t)
|
|
+role system_r types mock_t;
|
|
+
|
|
+type mock_build_t;
|
|
+type mock_build_exec_t;
|
|
+application_domain(mock_build_t, mock_build_exec_t)
|
|
+role system_r types mock_build_t;
|
|
+
|
|
+type mock_cache_t;
|
|
+files_type(mock_cache_t)
|
|
+
|
|
+type mock_tmp_t;
|
|
+files_tmp_file(mock_tmp_t)
|
|
+
|
|
+type mock_var_lib_t;
|
|
+files_type(mock_var_lib_t)
|
|
+
|
|
+type mock_var_run_t;
|
|
+files_pid_file(mock_var_run_t)
|
|
+
|
|
+type mock_etc_t;
|
|
+files_config_file(mock_etc_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# mock local policy
|
|
+#
|
|
+
|
|
+allow mock_t self:capability { sys_admin sys_ptrace setfcap setuid sys_chroot chown audit_write dac_override sys_nice mknod fsetid setgid fowner };
|
|
+allow mock_t self:process { siginh noatsecure signal_perms transition rlimitinh setsched setpgid };
|
|
+# Needed because mock can run java and mono withing build environment
|
|
+allow mock_t self:process { execmem execstack };
|
|
+dontaudit mock_t self:process { siginh noatsecure rlimitinh };
|
|
+allow mock_t self:fifo_file manage_fifo_file_perms;
|
|
+allow mock_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow mock_t self:unix_dgram_socket create_socket_perms;
|
|
+
|
|
+allow mock_t mock_build_t:process { siginh noatsecure rlimitinh };
|
|
+
|
|
+manage_dirs_pattern(mock_t, mock_cache_t, mock_cache_t)
|
|
+manage_files_pattern(mock_t, mock_cache_t, mock_cache_t)
|
|
+manage_lnk_files_pattern(mock_t, mock_cache_t, mock_cache_t)
|
|
+files_var_filetrans(mock_t, mock_cache_t, { dir file } )
|
|
+
|
|
+read_files_pattern(mock_t, mock_etc_t, mock_etc_t)
|
|
+read_lnk_files_pattern(mock_t, mock_etc_t, mock_etc_t)
|
|
+
|
|
+manage_dirs_pattern(mock_t, mock_tmp_t, mock_tmp_t)
|
|
+manage_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
|
|
+manage_lnk_files_pattern(mock_t, mock_tmp_t, mock_tmp_t)
|
|
+files_tmp_filetrans(mock_t, mock_tmp_t, { dir file lnk_file })
|
|
+
|
|
+manage_dirs_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
|
|
+manage_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
|
|
+manage_lnk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
|
|
+manage_blk_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
|
|
+manage_chr_files_pattern(mock_t, mock_var_lib_t, mock_var_lib_t)
|
|
+files_var_lib_filetrans(mock_t, mock_var_lib_t, { dir file })
|
|
+allow mock_t mock_var_lib_t:dir mounton;
|
|
+allow mock_t mock_var_lib_t:dir relabel_dir_perms;
|
|
+allow mock_t mock_var_lib_t:file relabel_file_perms;
|
|
+
|
|
+manage_files_pattern(mock_t, mock_var_run_t, mock_var_run_t)
|
|
+manage_dirs_pattern(mock_t, mock_var_run_t, mock_var_run_t)
|
|
+manage_sock_files_pattern(mock_t, mock_var_run_t, mock_var_run_t)
|
|
+manage_lnk_files_pattern(mock_t, mock_var_run_t, mock_var_run_t)
|
|
+files_pid_filetrans(mock_t, mock_var_run_t, { file dir sock_file })
|
|
+
|
|
+kernel_read_irq_sysctls(mock_t)
|
|
+kernel_read_system_state(mock_t)
|
|
+kernel_read_network_state(mock_t)
|
|
+kernel_read_kernel_sysctls(mock_t)
|
|
+kernel_request_load_module(mock_t)
|
|
+kernel_dontaudit_setattr_proc_dirs(mock_t)
|
|
+kernel_read_fs_sysctls(mock_t)
|
|
+# we run mount in mock_t
|
|
+kernel_mount_proc(mock_t)
|
|
+kernel_unmount_proc(mock_t)
|
|
+
|
|
+fs_mount_tmpfs(mock_t)
|
|
+fs_unmount_tmpfs(mock_t)
|
|
+fs_unmount_xattr_fs(mock_t)
|
|
+
|
|
+corecmd_exec_bin(mock_t)
|
|
+corecmd_exec_shell(mock_t)
|
|
+corecmd_dontaudit_exec_all_executables(mock_t)
|
|
+
|
|
+corenet_tcp_connect_git_port(mock_t)
|
|
+corenet_tcp_connect_http_port(mock_t)
|
|
+corenet_tcp_connect_ftp_port(mock_t)
|
|
+corenet_tcp_connect_all_ephemeral_ports(mock_t)
|
|
+
|
|
+dev_read_urand(mock_t)
|
|
+dev_rw_sysfs(mock_t)
|
|
+dev_setattr_sysfs_dirs(mock_t)
|
|
+dev_mount_sysfs_fs(mock_t)
|
|
+dev_unmount_sysfs_fs(mock_t)
|
|
+
|
|
+domain_read_all_domains_state(mock_t)
|
|
+domain_use_interactive_fds(mock_t)
|
|
+
|
|
+files_read_etc_runtime_files(mock_t)
|
|
+files_dontaudit_list_boot(mock_t)
|
|
+files_list_isid_type_dirs(mock_t)
|
|
+
|
|
+fs_getattr_all_fs(mock_t)
|
|
+fs_manage_cgroup_dirs(mock_t)
|
|
+fs_search_all(mock_t)
|
|
+fs_setattr_tmpfs_dirs(mock_t)
|
|
+
|
|
+selinux_get_enforce_mode(mock_t)
|
|
+
|
|
+term_search_ptys(mock_t)
|
|
+term_mount_pty_fs(mock_t)
|
|
+term_unmount_pty_fs(mock_t)
|
|
+
|
|
+auth_use_nsswitch(mock_t)
|
|
+
|
|
+init_exec(mock_t)
|
|
+init_dontaudit_stream_connect(mock_t)
|
|
+
|
|
+libs_exec_ldconfig(mock_t)
|
|
+
|
|
+logging_send_audit_msgs(mock_t)
|
|
+logging_send_syslog_msg(mock_t)
|
|
+
|
|
+userdom_use_user_ptys(mock_t)
|
|
+
|
|
+files_search_home(mock_t)
|
|
+
|
|
+tunable_policy(`mock_enable_homedirs',`
|
|
+ userdom_manage_user_home_content_dirs(mock_t)
|
|
+ userdom_manage_user_home_content_files(mock_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`mock_enable_homedirs && use_nfs_home_dirs',`
|
|
+ rpc_search_nfs_state_data(mock_t)
|
|
+ fs_list_auto_mountpoints(mock_t)
|
|
+ fs_manage_nfs_files(mock_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`mock_enable_homedirs && use_samba_home_dirs',`
|
|
+ fs_list_auto_mountpoints(mock_t)
|
|
+ fs_read_cifs_files(mock_t)
|
|
+ fs_manage_cifs_files(mock_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ abrt_read_spool_retrace(mock_t)
|
|
+ abrt_read_cache_retrace(mock_t)
|
|
+ abrt_stream_connect(mock_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ apache_read_sys_content_rw_files(mock_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rpm_exec(mock_t)
|
|
+ rpm_manage_cache(mock_t)
|
|
+ rpm_manage_db(mock_t)
|
|
+ rpm_manage_tmp_files(mock_t)
|
|
+ rpm_read_log(mock_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mount_exec(mock_t)
|
|
+ mount_rw_pid_files(mock_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+#
|
|
+# mock_build local policy
|
|
+#
|
|
+allow mock_build_t self:capability { sys_admin setfcap setuid sys_chroot chown dac_override sys_nice mknod fsetid setgid fowner };
|
|
+dontaudit mock_build_t self:capability audit_write;
|
|
+allow mock_build_t self:process { fork setsched setpgid signal_perms };
|
|
+allow mock_build_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
|
|
+# Needed because mock can run java and mono withing build environment
|
|
+allow mock_build_t self:process { execmem execstack };
|
|
+dontaudit mock_build_t self:process { siginh noatsecure rlimitinh };
|
|
+allow mock_build_t self:fifo_file manage_fifo_file_perms;
|
|
+allow mock_build_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow mock_build_t self:unix_dgram_socket create_socket_perms;
|
|
+allow mock_build_t self:dir list_dir_perms;
|
|
+allow mock_build_t self:dir read_file_perms;
|
|
+
|
|
+ps_process_pattern(mock_t, mock_build_t)
|
|
+allow mock_t mock_build_t:process signal_perms;
|
|
+domtrans_pattern(mock_t, mock_build_exec_t, mock_build_t)
|
|
+domtrans_pattern(mock_t, mock_tmp_t, mock_build_t)
|
|
+domain_entry_file(mock_build_t, mock_tmp_t)
|
|
+domtrans_pattern(mock_t, mock_var_lib_t, mock_build_t)
|
|
+domain_entry_file(mock_build_t, mock_var_lib_t)
|
|
+
|
|
+manage_dirs_pattern(mock_build_t, mock_cache_t, mock_cache_t)
|
|
+manage_files_pattern(mock_build_t, mock_cache_t, mock_cache_t)
|
|
+manage_lnk_files_pattern(mock_build_t, mock_cache_t, mock_cache_t)
|
|
+files_var_filetrans(mock_build_t, mock_cache_t, { dir file } )
|
|
+
|
|
+manage_dirs_pattern(mock_build_t, mock_tmp_t, mock_tmp_t)
|
|
+manage_files_pattern(mock_build_t, mock_tmp_t, mock_tmp_t)
|
|
+files_tmp_filetrans(mock_build_t, mock_tmp_t, { dir file })
|
|
+can_exec(mock_build_t, mock_tmp_t)
|
|
+
|
|
+manage_dirs_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
|
|
+manage_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
|
|
+manage_lnk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
|
|
+manage_blk_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
|
|
+manage_chr_files_pattern(mock_build_t, mock_var_lib_t, mock_var_lib_t)
|
|
+files_var_lib_filetrans(mock_build_t, mock_var_lib_t, { dir file })
|
|
+can_exec(mock_build_t, mock_var_lib_t)
|
|
+allow mock_build_t mock_var_lib_t:dir mounton;
|
|
+allow mock_build_t mock_var_lib_t:dir relabel_dir_perms;
|
|
+allow mock_build_t mock_var_lib_t:file relabel_file_perms;
|
|
+
|
|
+kernel_list_proc(mock_build_t)
|
|
+kernel_read_irq_sysctls(mock_build_t)
|
|
+kernel_read_system_state(mock_build_t)
|
|
+kernel_read_network_state(mock_build_t)
|
|
+kernel_read_kernel_sysctls(mock_build_t)
|
|
+kernel_request_load_module(mock_build_t)
|
|
+kernel_dontaudit_setattr_proc_dirs(mock_build_t)
|
|
+
|
|
+corecmd_exec_bin(mock_build_t)
|
|
+corecmd_exec_shell(mock_build_t)
|
|
+corecmd_dontaudit_exec_all_executables(mock_build_t)
|
|
+
|
|
+dev_getattr_all_chr_files(mock_build_t)
|
|
+dev_dontaudit_list_all_dev_nodes(mock_build_t)
|
|
+dev_dontaudit_getattr_all(mock_build_t)
|
|
+fs_getattr_all_dirs(mock_build_t)
|
|
+dev_read_sysfs(mock_build_t)
|
|
+
|
|
+domain_dontaudit_read_all_domains_state(mock_build_t)
|
|
+domain_use_interactive_fds(mock_build_t)
|
|
+
|
|
+files_dontaudit_list_boot(mock_build_t)
|
|
+
|
|
+fs_getattr_all_fs(mock_build_t)
|
|
+fs_manage_cgroup_dirs(mock_build_t)
|
|
+
|
|
+selinux_get_enforce_mode(mock_build_t)
|
|
+
|
|
+auth_use_nsswitch(mock_build_t)
|
|
+
|
|
+init_exec(mock_build_t)
|
|
+init_dontaudit_stream_connect(mock_build_t)
|
|
+
|
|
+libs_exec_ldconfig(mock_build_t)
|
|
+
|
|
+tunable_policy(`mock_enable_homedirs',`
|
|
+ userdom_read_user_home_content_files(mock_build_t)
|
|
+')
|
|
diff --git a/modemmanager.fc b/modemmanager.fc
|
|
index a83894c..481dca3 100644
|
|
--- a/modemmanager.fc
|
|
+++ b/modemmanager.fc
|
|
@@ -1 +1,4 @@
|
|
/usr/sbin/modem-manager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
|
|
+/usr/sbin/ModemManager -- gen_context(system_u:object_r:modemmanager_exec_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/ModemManager.service -- gen_context(system_u:object_r:modemmanager_unit_file_t,s0)
|
|
diff --git a/modemmanager.if b/modemmanager.if
|
|
index b1ac8b5..9b22bea 100644
|
|
--- a/modemmanager.if
|
|
+++ b/modemmanager.if
|
|
@@ -21,6 +21,30 @@ interface(`modemmanager_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Execute modemmanager server in the modemmanager domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`modemmanager_systemctl',`
|
|
+ gen_require(`
|
|
+ type modemmanager_t;
|
|
+ type modemmanager_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ allow $1 modemmanager_unit_file_t:file read_file_perms;
|
|
+ allow $1 modemmanager_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, modemmanager_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Send and receive messages from
|
|
## modemmanager over dbus.
|
|
## </summary>
|
|
@@ -39,3 +63,33 @@ interface(`modemmanager_dbus_chat',`
|
|
allow $1 modemmanager_t:dbus send_msg;
|
|
allow modemmanager_t $1:dbus send_msg;
|
|
')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an modemmanager environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`modemmanager_admin',`
|
|
+ gen_require(`
|
|
+ type modemmanager_t;
|
|
+ type modemmanager_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 modemmanager_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, modemmanager_t)
|
|
+
|
|
+ modemmanager_systemctl($1)
|
|
+ admin_pattern($1, modemmanager_unit_file_t)
|
|
+ allow $1 modemmanager_unit_file_t:service all_service_perms;
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+')
|
|
diff --git a/modemmanager.te b/modemmanager.te
|
|
index d15eb5b..a0dae5e 100644
|
|
--- a/modemmanager.te
|
|
+++ b/modemmanager.te
|
|
@@ -11,6 +11,9 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
|
|
typealias modemmanager_t alias ModemManager_t;
|
|
typealias modemmanager_exec_t alias ModemManager_exec_t;
|
|
|
|
+type modemmanager_unit_file_t;
|
|
+systemd_unit_file(modemmanager_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -27,12 +30,12 @@ kernel_read_system_state(modemmanager_t)
|
|
dev_read_sysfs(modemmanager_t)
|
|
dev_rw_modem(modemmanager_t)
|
|
|
|
-files_read_etc_files(modemmanager_t)
|
|
|
|
term_use_generic_ptys(modemmanager_t)
|
|
term_use_unallocated_ttys(modemmanager_t)
|
|
+term_use_usb_ttys(modemmanager_t)
|
|
|
|
-miscfiles_read_localization(modemmanager_t)
|
|
+xserver_read_state_xdm(modemmanager_t)
|
|
|
|
logging_send_syslog_msg(modemmanager_t)
|
|
|
|
diff --git a/mojomojo.if b/mojomojo.if
|
|
index 73952f4..b19a6ee 100644
|
|
--- a/mojomojo.if
|
|
+++ b/mojomojo.if
|
|
@@ -15,7 +15,6 @@
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
interface(`mojomojo_admin',`
|
|
refpolicywarn(`$0($*) has been deprecated, use apache_admin() instead.')
|
|
diff --git a/mojomojo.te b/mojomojo.te
|
|
index b94102e..9556487 100644
|
|
--- a/mojomojo.te
|
|
+++ b/mojomojo.te
|
|
@@ -5,21 +5,41 @@ policy_module(mojomojo, 1.1.0)
|
|
# Declarations
|
|
#
|
|
|
|
-apache_content_template(mojomojo)
|
|
+type httpd_mojomojo_tmp_t;
|
|
+files_tmp_file(httpd_mojomojo_tmp_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
-allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
|
|
+optional_policy(`
|
|
+ apache_content_template(mojomojo)
|
|
|
|
-corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
|
|
-corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
|
|
-corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
|
|
+ allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
|
|
|
|
-files_search_var_lib(httpd_mojomojo_script_t)
|
|
+ manage_dirs_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
|
|
+ manage_files_pattern(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, httpd_mojomojo_tmp_t)
|
|
+ files_tmp_filetrans(httpd_mojomojo_script_t, httpd_mojomojo_tmp_t, { file dir })
|
|
|
|
-sysnet_dns_name_resolve(httpd_mojomojo_script_t)
|
|
+ corenet_tcp_connect_postgresql_port(httpd_mojomojo_script_t)
|
|
+ corenet_tcp_connect_mysqld_port(httpd_mojomojo_script_t)
|
|
+ corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
|
|
+ corenet_sendrecv_postgresql_client_packets(httpd_mojomojo_script_t)
|
|
+ corenet_sendrecv_mysqld_client_packets(httpd_mojomojo_script_t)
|
|
+ corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
|
|
|
|
-mta_send_mail(httpd_mojomojo_script_t)
|
|
+ files_search_var_lib(httpd_mojomojo_script_t)
|
|
+
|
|
+ sysnet_dns_name_resolve(httpd_mojomojo_script_t)
|
|
+
|
|
+ mta_send_mail(httpd_mojomojo_script_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ mysql_stream_connect(httpd_mojomojo_script_t)
|
|
+ ')
|
|
+
|
|
+ optional_policy(`
|
|
+ postgresql_stream_connect(httpd_mojomojo_script_t)
|
|
+ ')
|
|
+')
|
|
diff --git a/mongodb.te b/mongodb.te
|
|
index 169f236..9faddc2 100644
|
|
--- a/mongodb.te
|
|
+++ b/mongodb.te
|
|
@@ -49,13 +49,11 @@ corenet_all_recvfrom_unlabeled(mongod_t)
|
|
corenet_all_recvfrom_netlabel(mongod_t)
|
|
corenet_tcp_sendrecv_generic_if(mongod_t)
|
|
corenet_tcp_sendrecv_generic_node(mongod_t)
|
|
+corenet_tcp_connect_mongod_port(mongod_t)
|
|
corenet_tcp_bind_generic_node(mongod_t)
|
|
|
|
dev_read_sysfs(mongod_t)
|
|
dev_read_urand(mongod_t)
|
|
|
|
-files_read_etc_files(mongod_t)
|
|
-
|
|
fs_getattr_all_fs(mongod_t)
|
|
|
|
-miscfiles_read_localization(mongod_t)
|
|
diff --git a/mono.te b/mono.te
|
|
index a6a8643..c0f6cf5 100644
|
|
--- a/mono.te
|
|
+++ b/mono.te
|
|
@@ -28,7 +28,7 @@ allow mono_domain self:process { signal getsched execheap execmem execstack };
|
|
# local policy
|
|
#
|
|
|
|
-userdom_user_home_dir_filetrans_user_home_content(mono_t, { dir file lnk_file fifo_file sock_file })
|
|
+userdom_filetrans_home_content(mono_t)
|
|
|
|
init_dbus_chat_script(mono_t)
|
|
|
|
diff --git a/monop.if b/monop.if
|
|
index 8fdaece..5440757 100644
|
|
--- a/monop.if
|
|
+++ b/monop.if
|
|
@@ -31,7 +31,7 @@ interface(`monop_admin',`
|
|
role_transition $2 monopd_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- logging_search_etc($1)
|
|
+ logging_search_logs($1)
|
|
admin_pattern($1, monopd_etc_t)
|
|
|
|
files_search_pids($1)
|
|
diff --git a/monop.te b/monop.te
|
|
index 5f93763..8596763 100644
|
|
--- a/monop.te
|
|
+++ b/monop.te
|
|
@@ -43,7 +43,6 @@ kernel_read_kernel_sysctls(monopd_t)
|
|
kernel_list_proc(monopd_t)
|
|
kernel_read_proc_symlinks(monopd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(monopd_t)
|
|
corenet_all_recvfrom_netlabel(monopd_t)
|
|
corenet_tcp_sendrecv_generic_if(monopd_t)
|
|
corenet_tcp_sendrecv_generic_node(monopd_t)
|
|
@@ -57,15 +56,11 @@ dev_read_sysfs(monopd_t)
|
|
|
|
domain_use_interactive_fds(monopd_t)
|
|
|
|
-files_read_etc_files(monopd_t)
|
|
-
|
|
fs_getattr_all_fs(monopd_t)
|
|
fs_search_auto_mountpoints(monopd_t)
|
|
|
|
logging_send_syslog_msg(monopd_t)
|
|
|
|
-miscfiles_read_localization(monopd_t)
|
|
-
|
|
sysnet_dns_name_resolve(monopd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(monopd_t)
|
|
diff --git a/motion.fc b/motion.fc
|
|
new file mode 100644
|
|
index 0000000..7415106
|
|
--- /dev/null
|
|
+++ b/motion.fc
|
|
@@ -0,0 +1,9 @@
|
|
+/usr/bin/motion -- gen_context(system_u:object_r:motion_exec_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/motion.* -- gen_context(system_u:object_r:motion_unit_file_t,s0)
|
|
+
|
|
+/var/log/motion\.log.* -- gen_context(system_u:object_r:motion_log_t,s0)
|
|
+
|
|
+/var/run/motion\.pid -- gen_context(system_u:object_r:motion_var_run_t,s0)
|
|
+
|
|
+/var/motion(/.*)? gen_context(system_u:object_r:motion_data_t,s0)
|
|
diff --git a/motion.if b/motion.if
|
|
new file mode 100644
|
|
index 0000000..1b1b04c
|
|
--- /dev/null
|
|
+++ b/motion.if
|
|
@@ -0,0 +1,193 @@
|
|
+
|
|
+## <summary>Detect motion using a video4linux device</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute TEMPLATE in the motion domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`motion_domtrans',`
|
|
+ gen_require(`
|
|
+ type motion_t, motion_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, motion_exec_t, motion_t)
|
|
+')
|
|
+########################################
|
|
+## <summary>
|
|
+## Read motion's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`motion_read_log',`
|
|
+ gen_require(`
|
|
+ type motion_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, motion_log_t, motion_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Append to motion log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`motion_append_log',`
|
|
+ gen_require(`
|
|
+ type motion_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, motion_log_t, motion_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage motion log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`motion_manage_log',`
|
|
+ gen_require(`
|
|
+ type motion_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ manage_dirs_pattern($1, motion_log_t, motion_log_t)
|
|
+ manage_files_pattern($1, motion_log_t, motion_log_t)
|
|
+ manage_lnk_files_pattern($1, motion_log_t, motion_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage motion pid files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`motion_manage_pid',`
|
|
+ gen_require(`
|
|
+ type motion_var_run_t;
|
|
+ ')
|
|
+
|
|
+ manage_dirs_pattern($1, motion_var_run_t, motion_var_run_t)
|
|
+ manage_files_pattern($1, motion_var_run_t, motion_var_run_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage motion data files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`motion_manage_data',`
|
|
+ gen_require(`
|
|
+ type motion_data_t;
|
|
+ ')
|
|
+
|
|
+ manage_dirs_pattern($1, motion_data_t, motion_data_t)
|
|
+ manage_files_pattern($1, motion_data_t, motion_data_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute motion server in the motion domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`motion_systemctl',`
|
|
+ gen_require(`
|
|
+ type motion_t;
|
|
+ type motion_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_password_run($1)
|
|
+ allow $1 motion_unit_file_t:file read_file_perms;
|
|
+ allow $1 motion_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, motion_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage all motion files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`motion_manage_all_files',`
|
|
+
|
|
+ motion_manage_log($1)
|
|
+ motion_manage_pid($1)
|
|
+ motion_manage_data($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an motion environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`motion_admin',`
|
|
+ gen_require(`
|
|
+ type motion_t;
|
|
+ type motion_log_t;
|
|
+ type motion_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 motion_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, motion_t)
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ admin_pattern($1, motion_log_t)
|
|
+
|
|
+ motion_systemctl($1)
|
|
+ admin_pattern($1, motion_unit_file_t)
|
|
+ allow $1 motion_unit_file_t:service all_service_perms;
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+')
|
|
diff --git a/motion.te b/motion.te
|
|
new file mode 100644
|
|
index 0000000..b694afc
|
|
--- /dev/null
|
|
+++ b/motion.te
|
|
@@ -0,0 +1,64 @@
|
|
+policy_module(motion, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type motion_t;
|
|
+type motion_exec_t;
|
|
+init_daemon_domain(motion_t, motion_exec_t)
|
|
+
|
|
+type motion_log_t;
|
|
+logging_log_file(motion_log_t)
|
|
+
|
|
+type motion_unit_file_t;
|
|
+systemd_unit_file(motion_unit_file_t)
|
|
+
|
|
+type motion_var_run_t;
|
|
+files_pid_file(motion_var_run_t)
|
|
+
|
|
+type motion_data_t;
|
|
+files_type(motion_data_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# motion local policy
|
|
+#
|
|
+allow motion_t self:udp_socket { create connect getattr };
|
|
+allow motion_t self:tcp_socket { bind create setopt listen };
|
|
+allow motion_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(motion_t, motion_log_t, motion_log_t)
|
|
+manage_files_pattern(motion_t, motion_log_t, motion_log_t)
|
|
+logging_log_filetrans(motion_t, motion_log_t, { dir file })
|
|
+
|
|
+manage_dirs_pattern(motion_t, motion_var_run_t, motion_var_run_t)
|
|
+manage_files_pattern(motion_t, motion_var_run_t, motion_var_run_t)
|
|
+files_pid_filetrans(motion_t, motion_var_run_t, { dir file })
|
|
+
|
|
+manage_dirs_pattern(motion_t, motion_data_t, motion_data_t)
|
|
+manage_files_pattern(motion_t, motion_data_t, motion_data_t)
|
|
+files_var_filetrans(motion_t, motion_data_t, { dir file })
|
|
+
|
|
+corenet_tcp_bind_http_cache_port(motion_t)
|
|
+corenet_tcp_bind_transproxy_port(motion_t)
|
|
+corenet_tcp_connect_http_port(motion_t)
|
|
+corenet_tcp_bind_generic_node(motion_t)
|
|
+
|
|
+dev_read_video_dev(motion_t)
|
|
+dev_write_video_dev(motion_t)
|
|
+
|
|
+domain_use_interactive_fds(motion_t)
|
|
+
|
|
+logging_send_syslog_msg(motion_t)
|
|
+
|
|
+sysnet_read_config(motion_t)
|
|
+
|
|
+userdom_home_manager(motion_t)
|
|
+
|
|
+optional_policy(`
|
|
+ zoneminder_domtrans(motion_t)
|
|
+ zoneminder_manage_lib_files(motion_t)
|
|
+')
|
|
+
|
|
diff --git a/mozilla.fc b/mozilla.fc
|
|
index 6ffaba2..a4d75bf 100644
|
|
--- a/mozilla.fc
|
|
+++ b/mozilla.fc
|
|
@@ -1,38 +1,69 @@
|
|
-HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
-HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
-HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
|
|
-HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
-HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
-
|
|
-HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
|
|
-HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
|
|
-HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
|
|
-HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
|
|
-HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
|
|
-HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
|
|
-HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
|
|
-HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0)
|
|
-
|
|
-/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
-/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
-/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
+HOME_DIR/\.config/chromium(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.cache/mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.thunderbird(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/POkemon.*(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.netscape(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.phoenix(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.webex(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.gnashpluginrc gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/abc -- gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.grl-podcasts(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.icedtea(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.juniper_networks(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.lyx(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/\.IBMERS(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)
|
|
+#
|
|
+# /bin
|
|
+#
|
|
+/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
+/usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
/usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
+/usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
+/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
/usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
/usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
-/usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
-/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
|
|
-/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
|
|
|
|
-/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
-/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
-/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
-/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
-/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
-/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
-/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
-/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
|
|
-/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
-/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
+ifdef(`distro_redhat',`
|
|
+/usr/bin/nspluginscan -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
|
|
+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
|
|
/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
|
|
-/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
|
|
-/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
|
|
+')
|
|
+
|
|
+ifdef(`distro_debian',`
|
|
+/usr/lib/iceweasel/iceweasel -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
+')
|
|
+
|
|
+#
|
|
+# /lib
|
|
+#
|
|
+
|
|
+/usr/lib/galeon/galeon -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
+/usr/lib/netscape/.+/communicator/communicator-smotif\.real -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
+/usr/lib/netscape/base-4/wrapper -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
+/usr/lib/mozilla[^/]*/reg.+ -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
+/usr/lib/mozilla[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
+/usr/lib/firefox[^/]*/mozilla-.* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
+/usr/lib/[^/]*firefox[^/]*/firefox-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
+/usr/lib/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
|
|
+
|
|
+/usr/lib/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0)
|
|
+
|
|
+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:mozilla_plugin_rw_t,s0)
|
|
+
|
|
+ifdef(`distro_redhat',`
|
|
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0)
|
|
+')
|
|
diff --git a/mozilla.if b/mozilla.if
|
|
index 6194b80..ada96f0 100644
|
|
--- a/mozilla.if
|
|
+++ b/mozilla.if
|
|
@@ -1,146 +1,75 @@
|
|
-## <summary>Policy for Mozilla and related web browsers.</summary>
|
|
+## <summary>Policy for Mozilla and related web browsers</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Role access for mozilla.
|
|
+## Role access for mozilla
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## User domain for the role.
|
|
+## User domain for the role
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mozilla_role',`
|
|
gen_require(`
|
|
type mozilla_t, mozilla_exec_t, mozilla_home_t;
|
|
- type mozilla_tmp_t, mozilla_tmpfs_t, mozilla_plugin_tmp_t;
|
|
- type mozilla_plugin_tmpfs_t, mozilla_plugin_home_t;
|
|
attribute_role mozilla_roles;
|
|
')
|
|
|
|
- ########################################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
-
|
|
roleattribute $1 mozilla_roles;
|
|
|
|
- ########################################
|
|
- #
|
|
- # Policy
|
|
- #
|
|
-
|
|
- domtrans_pattern($2, mozilla_exec_t, mozilla_t)
|
|
+ domain_auto_trans($2, mozilla_exec_t, mozilla_t)
|
|
+ # Unrestricted inheritance from the caller.
|
|
+ allow $2 mozilla_t:process { noatsecure siginh rlimitinh };
|
|
+ allow mozilla_t $2:fd use;
|
|
+ allow mozilla_t $2:process { sigchld signull };
|
|
+ allow mozilla_t $2:unix_stream_socket connectto;
|
|
|
|
- allow $2 mozilla_t:process { noatsecure siginh rlimitinh ptrace signal_perms };
|
|
+ # Allow the user domain to signal/ps.
|
|
ps_process_pattern($2, mozilla_t)
|
|
-
|
|
- allow mozilla_t $2:process signull;
|
|
- allow mozilla_t $2:unix_stream_socket connectto;
|
|
+ allow $2 mozilla_t:process signal_perms;
|
|
|
|
allow $2 mozilla_t:fd use;
|
|
- allow $2 mozilla_t:shm rw_shm_perms;
|
|
-
|
|
- stream_connect_pattern($2, mozilla_tmpfs_t, mozilla_tmpfs_t, mozilla_t)
|
|
+ allow $2 mozilla_t:shm { associate getattr };
|
|
+ allow $2 mozilla_t:shm { unix_read unix_write };
|
|
+ allow $2 mozilla_t:unix_stream_socket connectto;
|
|
|
|
- allow $2 { mozilla_home_t mozilla_plugin_home_t }:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon")
|
|
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
|
|
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
|
|
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
|
|
+ # X access, Home files
|
|
+ manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
|
|
+ manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
|
+ manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
|
+ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
|
|
+ relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
|
+ relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
|
|
|
|
- filetrans_pattern($2, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
|
|
+ #should be remove then with adding of roleattribute
|
|
+ mozilla_run_plugin(mozilla_t, $1)
|
|
+ mozilla_dbus_chat($2)
|
|
|
|
- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 { mozilla_tmp_t mozilla_plugin_tmp_t }:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
|
|
-
|
|
- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
|
|
- allow $2 { mozilla_tmpfs_t mozilla_plugin_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
|
+ userdom_manage_tmp_role($1, mozilla_t)
|
|
|
|
optional_policy(`
|
|
- mozilla_dbus_chat($2)
|
|
+ nsplugin_role($1, mozilla_t)
|
|
')
|
|
-')
|
|
|
|
-########################################
|
|
-## <summary>
|
|
-## Role access for mozilla plugin.
|
|
-## </summary>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## User domain for the role.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`mozilla_role_plugin',`
|
|
- gen_require(`
|
|
- type mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_plugin_rw_t;
|
|
- type mozilla_home_t;
|
|
+ optional_policy(`
|
|
+ pulseaudio_role($1, mozilla_t)
|
|
+ pulseaudio_filetrans_admin_home_content(mozilla_t)
|
|
+ pulseaudio_filetrans_home_content(mozilla_t)
|
|
')
|
|
|
|
- mozilla_run_plugin($2, $1)
|
|
- mozilla_run_plugin_config($2, $1)
|
|
-
|
|
- allow $2 { mozilla_plugin_t mozilla_plugin_config_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($2, { mozilla_plugin_t mozilla_plugin_config_t })
|
|
-
|
|
- allow $2 mozilla_plugin_t:unix_stream_socket rw_socket_perms;
|
|
- allow $2 mozilla_plugin_t:fd use;
|
|
-
|
|
- stream_connect_pattern($2, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
|
|
-
|
|
- allow mozilla_plugin_t $2:process signull;
|
|
- allow mozilla_plugin_t $2:unix_stream_socket { connectto rw_socket_perms };
|
|
- allow mozilla_plugin_t $2:unix_dgram_socket { sendto rw_socket_perms };
|
|
- allow mozilla_plugin_t $2:shm { rw_shm_perms destroy };
|
|
- allow mozilla_plugin_t $2:sem create_sem_perms;
|
|
-
|
|
- allow $2 mozilla_home_t:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 mozilla_home_t:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 mozilla_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".galeon")
|
|
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".mozilla")
|
|
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".netscape")
|
|
- userdom_user_home_dir_filetrans($2, mozilla_home_t, dir, ".phoenix")
|
|
+ mozilla_filetrans_home_content($2)
|
|
|
|
- allow $2 mozilla_plugin_tmp_t:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 mozilla_plugin_tmp_t:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 mozilla_plugin_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
|
|
-
|
|
- allow $2 mozilla_plugin_tmpfs_t:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 mozilla_plugin_tmpfs_t:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 mozilla_plugin_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
|
|
- allow $2 mozilla_plugin_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
|
-
|
|
- allow $2 mozilla_plugin_rw_t:dir list_dir_perms;
|
|
- allow $2 mozilla_plugin_rw_t:file read_file_perms;
|
|
- allow $2 mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
|
|
-
|
|
- can_exec($2, mozilla_plugin_rw_t)
|
|
-
|
|
- optional_policy(`
|
|
- mozilla_dbus_chat_plugin($2)
|
|
- ')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read mozilla home directory content.
|
|
+## Read mozilla home directory content
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -153,15 +82,15 @@ interface(`mozilla_read_user_home_files',`
|
|
type mozilla_home_t;
|
|
')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
allow $1 mozilla_home_t:dir list_dir_perms;
|
|
allow $1 mozilla_home_t:file read_file_perms;
|
|
allow $1 mozilla_home_t:lnk_file read_lnk_file_perms;
|
|
+ userdom_search_user_home_dirs($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Write mozilla home directory files.
|
|
+## Write mozilla home directory content
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -174,14 +103,13 @@ interface(`mozilla_write_user_home_files',`
|
|
type mozilla_home_t;
|
|
')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
write_files_pattern($1, mozilla_home_t, mozilla_home_t)
|
|
+ userdom_search_user_home_dirs($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to read and
|
|
-## write mozilla home directory files.
|
|
+## Dontaudit attempts to read/write mozilla home directory content
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -194,14 +122,12 @@ interface(`mozilla_dontaudit_rw_user_home_files',`
|
|
type mozilla_home_t;
|
|
')
|
|
|
|
- dontaudit $1 mozilla_home_t:file rw_file_perms;
|
|
+ dontaudit $1 mozilla_home_t:file rw_inherited_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempt to Create,
|
|
-## read, write, and delete mozilla
|
|
-## home directory content.
|
|
+## Dontaudit attempts to write mozilla home directory content
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -216,12 +142,11 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
|
|
|
|
dontaudit $1 mozilla_home_t:dir manage_dir_perms;
|
|
dontaudit $1 mozilla_home_t:file manage_file_perms;
|
|
- dontaudit $1 mozilla_home_t:lnk_file manage_lnk_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute mozilla home directory files. (Deprecated)
|
|
+## Execute mozilla home directory content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -230,33 +155,16 @@ interface(`mozilla_dontaudit_manage_user_home_files',`
|
|
## </param>
|
|
#
|
|
interface(`mozilla_exec_user_home_files',`
|
|
- refpolicywarn(`$0($*) has been deprecated, use mozilla_exec_user_plugin_home_files() instead.')
|
|
- mozilla_exec_user_plugin_home_files($1)
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Execute mozilla plugin home directory files.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`mozilla_exec_user_plugin_home_files',`
|
|
gen_require(`
|
|
- type mozilla_home_t, mozilla_plugin_home_t;
|
|
+ type mozilla_home_t;
|
|
')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
- exec_files_pattern($1, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
|
|
+ can_exec($1, mozilla_home_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Mozilla home directory file
|
|
-## text relocation. (Deprecated)
|
|
+## Execmod mozilla home directory content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -265,140 +173,153 @@ interface(`mozilla_exec_user_plugin_home_files',`
|
|
## </param>
|
|
#
|
|
interface(`mozilla_execmod_user_home_files',`
|
|
- refpolicywarn(`$0($*) has been deprecated, use mozilla_execmod_user_plugin_home_files() instead.')
|
|
- mozilla_execmod_user_plugin_home_files($1)
|
|
+ gen_require(`
|
|
+ type mozilla_home_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 mozilla_home_t:file execmod;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Mozilla plugin home directory file
|
|
-## text relocation.
|
|
+## Run mozilla in the mozilla domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mozilla_execmod_user_plugin_home_files',`
|
|
+interface(`mozilla_domtrans',`
|
|
gen_require(`
|
|
- type mozilla_plugin_home_t;
|
|
+ type mozilla_t, mozilla_exec_t;
|
|
')
|
|
|
|
- allow $1 mozilla_plugin_home_t:file execmod;
|
|
+ domtrans_pattern($1, mozilla_exec_t, mozilla_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Run mozilla in the mozilla domain.
|
|
+## Execute a mozilla_exec_t in the specified domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
+## <param name="target_domain">
|
|
+## <summary>
|
|
+## The type of the new process.
|
|
+## </summary>
|
|
+## </param>
|
|
#
|
|
-interface(`mozilla_domtrans',`
|
|
+interface(`mozilla_domtrans_spec',`
|
|
gen_require(`
|
|
- type mozilla_t, mozilla_exec_t;
|
|
+ type mozilla_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
- domtrans_pattern($1, mozilla_exec_t, mozilla_t)
|
|
+ domain_entry_file($2, mozilla_exec_t)
|
|
+ domtrans_pattern($1, mozilla_exec_t, $2)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a domain transition to
|
|
-## run mozilla plugin.
|
|
+## Execute a domain transition to run mozilla_plugin.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mozilla_domtrans_plugin',`
|
|
gen_require(`
|
|
type mozilla_plugin_t, mozilla_plugin_exec_t;
|
|
+ type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
|
|
+ type mozilla_plugin_rw_t;
|
|
+ class dbus send_msg;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, mozilla_plugin_exec_t, mozilla_plugin_t)
|
|
+ domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
|
|
+ allow mozilla_plugin_t $1:process signull;
|
|
+ dontaudit mozilla_plugin_config_t $1:file read_inherited_file_perms;
|
|
+ dontaudit mozilla_plugin_t $1:process signal;
|
|
+ allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };
|
|
+ allow $1 mozilla_plugin_t:fd use;
|
|
+
|
|
+ allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;
|
|
+ allow mozilla_plugin_t $1:unix_dgram_socket { sendto rw_socket_perms };
|
|
+ allow mozilla_plugin_t $1:shm { rw_shm_perms destroy };
|
|
+ allow mozilla_plugin_t $1:sem create_sem_perms;
|
|
+
|
|
+ ps_process_pattern($1, mozilla_plugin_t)
|
|
+ allow $1 mozilla_plugin_t:process signal_perms;
|
|
+
|
|
+ list_dirs_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
|
+ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
|
+ read_lnk_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
|
+ can_exec($1, mozilla_plugin_rw_t)
|
|
+
|
|
+ allow $1 mozilla_plugin_t:dbus send_msg;
|
|
+ allow mozilla_plugin_t $1:dbus send_msg;
|
|
+
|
|
+ allow mozilla_plugin_t $1:process signull;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute mozilla plugin in the
|
|
-## mozilla plugin domain, and allow
|
|
-## the specified role the mozilla
|
|
-## plugin domain.
|
|
+## Execute mozilla_plugin in the mozilla_plugin domain, and
|
|
+## allow the specified role the mozilla_plugin domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed the mozilla_plugin domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mozilla_run_plugin',`
|
|
gen_require(`
|
|
- attribute_role mozilla_plugin_roles;
|
|
+ type mozilla_plugin_t;
|
|
+ attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles;
|
|
')
|
|
|
|
mozilla_domtrans_plugin($1)
|
|
roleattribute $2 mozilla_plugin_roles;
|
|
-')
|
|
+ roleattribute $2 mozilla_plugin_config_roles;
|
|
|
|
-########################################
|
|
-## <summary>
|
|
-## Execute a domain transition to
|
|
-## run mozilla plugin config.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`mozilla_domtrans_plugin_config',`
|
|
- gen_require(`
|
|
- type mozilla_plugin_config_t, mozilla_plugin_config_exec_t;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 mozilla_plugin_t:process ptrace;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
- domtrans_pattern($1, mozilla_plugin_config_exec_t, mozilla_plugin_config_t)
|
|
+ optional_policy(`
|
|
+ lpd_run_lpr(mozilla_plugin_t, $2)
|
|
+ ')
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Execute mozilla plugin config in
|
|
-## the mozilla plugin config domain,
|
|
-## and allow the specified role the
|
|
-## mozilla plugin config domain.
|
|
+## Execute qemu unconfined programs in the role.
|
|
## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
-## </param>
|
|
## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## The role to allow the mozilla_plugin domain.
|
|
+## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
-interface(`mozilla_run_plugin_config',`
|
|
- gen_require(`
|
|
- attribute_role mozilla_plugin_config_roles;
|
|
- ')
|
|
+interface(`mozilla_role_plugin',`
|
|
+ gen_require(`
|
|
+ attribute_role mozilla_plugin_roles, mozilla_plugin_config_roles;
|
|
+ ')
|
|
|
|
- mozilla_domtrans_plugin_config($1)
|
|
- roleattribute $2 mozilla_plugin_config_roles;
|
|
+ roleattribute $1 mozilla_plugin_roles;
|
|
+ roleattribute $1 mozilla_plugin_config_roles;
|
|
')
|
|
|
|
########################################
|
|
@@ -424,8 +345,7 @@ interface(`mozilla_dbus_chat',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send and receive messages from
|
|
-## mozilla plugin over dbus.
|
|
+## read/write mozilla per user tcp_socket
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -433,76 +353,126 @@ interface(`mozilla_dbus_chat',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mozilla_dbus_chat_plugin',`
|
|
+interface(`mozilla_rw_tcp_sockets',`
|
|
gen_require(`
|
|
- type mozilla_plugin_t;
|
|
- class dbus send_msg;
|
|
+ type mozilla_t;
|
|
')
|
|
|
|
- allow $1 mozilla_plugin_t:dbus send_msg;
|
|
- allow mozilla_plugin_t $1:dbus send_msg;
|
|
+ allow $1 mozilla_t:tcp_socket rw_socket_perms;
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Read and write mozilla TCP sockets.
|
|
+## Read mozilla_plugin tmpfs files
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mozilla_rw_tcp_sockets',`
|
|
- gen_require(`
|
|
- type mozilla_t;
|
|
- ')
|
|
+interface(`mozilla_plugin_read_tmpfs_files',`
|
|
+ gen_require(`
|
|
+ type mozilla_plugin_tmpfs_t;
|
|
+ ')
|
|
|
|
- allow $1 mozilla_t:tcp_socket rw_socket_perms;
|
|
+ allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Read/Write mozilla_plugin tmpfs files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mozilla_plugin_rw_tmpfs_files',`
|
|
+ gen_require(`
|
|
+ type mozilla_plugin_tmpfs_t;
|
|
+ ')
|
|
+
|
|
+ rw_files_pattern($1, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## mozilla plugin rw files.
|
|
+## Delete mozilla_plugin tmpfs files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mozilla_manage_plugin_rw_files',`
|
|
+interface(`mozilla_plugin_delete_tmpfs_files',`
|
|
gen_require(`
|
|
- type mozilla_plugin_rw_t;
|
|
+ type mozilla_plugin_tmpfs_t;
|
|
')
|
|
|
|
- libs_search_lib($1)
|
|
- manage_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
|
+ allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Dontaudit generict ipc read/write to a mozilla_plugin
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mozilla_plugin_dontaudit_rw_sem',`
|
|
+ gen_require(`
|
|
+ type mozilla_plugin_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 mozilla_plugin_t:sem { unix_read unix_write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read mozilla_plugin tmpfs files.
|
|
+## Dontaudit read/write to a mozilla_plugin leaks
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mozilla_plugin_read_tmpfs_files',`
|
|
+interface(`mozilla_plugin_dontaudit_leaks',`
|
|
gen_require(`
|
|
- type mozilla_plugin_tmpfs_t;
|
|
+ type mozilla_plugin_t;
|
|
')
|
|
|
|
- fs_search_tmpfs($1)
|
|
- allow $1 mozilla_plugin_tmpfs_t:file read_file_perms;
|
|
+ dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write };
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Dontaudit read/write to a mozilla_plugin tmp files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mozilla_plugin_dontaudit_rw_tmp_files',`
|
|
+ gen_require(`
|
|
+ type mozilla_plugin_tmp_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 mozilla_plugin_tmp_t:file { read write };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Delete mozilla_plugin tmpfs files.
|
|
+## Create, read, write, and delete
|
|
+## mozilla_plugin rw files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -510,19 +480,18 @@ interface(`mozilla_plugin_read_tmpfs_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mozilla_plugin_delete_tmpfs_files',`
|
|
+interface(`mozilla_plugin_manage_rw_files',`
|
|
gen_require(`
|
|
- type mozilla_plugin_tmpfs_t;
|
|
+ type mozilla_plugin_rw_t;
|
|
')
|
|
|
|
- fs_search_tmpfs($1)
|
|
- allow $1 mozilla_plugin_tmpfs_t:file delete_file_perms;
|
|
+ allow $1 mozilla_plugin_rw_t:file manage_file_perms;
|
|
+ allow $1 mozilla_plugin_rw_t:dir rw_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## generic mozilla plugin home content.
|
|
+## read mozilla_plugin rw files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -530,45 +499,58 @@ interface(`mozilla_plugin_delete_tmpfs_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mozilla_manage_generic_plugin_home_content',`
|
|
+interface(`mozilla_plugin_read_rw_files',`
|
|
gen_require(`
|
|
- type mozilla_plugin_home_t;
|
|
+ type mozilla_plugin_rw_t;
|
|
')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 mozilla_plugin_home_t:dir manage_dir_perms;
|
|
- allow $1 mozilla_plugin_home_t:file manage_file_perms;
|
|
- allow $1 mozilla_plugin_home_t:fifo_file manage_fifo_file_perms;
|
|
- allow $1 mozilla_plugin_home_t:lnk_file manage_lnk_file_perms;
|
|
- allow $1 mozilla_plugin_home_t:sock_file manage_sock_file_perms;
|
|
+ read_files_pattern($1, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create objects in user home
|
|
-## directories with the generic mozilla
|
|
-## plugin home type.
|
|
+## Create mozilla content in the user home directory
|
|
+## with an correct label.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
#
|
|
-interface(`mozilla_home_filetrans_plugin_home',`
|
|
+interface(`mozilla_filetrans_home_content',`
|
|
+
|
|
gen_require(`
|
|
- type mozilla_plugin_home_t;
|
|
+ type mozilla_home_t;
|
|
')
|
|
|
|
- userdom_user_home_dir_filetrans($1, mozilla_plugin_home_t, $2, $3)
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".galeon")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".java")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".mozilla")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".thunderbird")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".netscape")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".phoenix")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".adobe")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".macromedia")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gnash")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".grl-podcasts")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".gcjwebplugin")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedteaplugin")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".icedtea")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, "abc")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2013")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".lyx")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".IBMERS")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, file, ".gnashpluginrc")
|
|
+ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".webex")
|
|
+ optional_policy(`
|
|
+ gnome_cache_filetrans($1, mozilla_home_t, dir, "mozilla")
|
|
+ ')
|
|
')
|
|
+
|
|
diff --git a/mozilla.te b/mozilla.te
|
|
index 11ac8e4..7655da0 100644
|
|
--- a/mozilla.te
|
|
+++ b/mozilla.te
|
|
@@ -6,17 +6,41 @@ policy_module(mozilla, 2.8.0)
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether mozilla can
|
|
-## make its stack executable.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow mozilla plugin domain to connect to the network using TCP.
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(mozilla_execstack, false)
|
|
+gen_tunable(mozilla_plugin_can_network_connect, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow mozilla plugin to support spice protocols.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(mozilla_plugin_use_spice, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow mozilla plugin to support GPS.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(mozilla_plugin_use_gps, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow confined web browsers to read home directory content
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(mozilla_read_content, false)
|
|
|
|
attribute_role mozilla_roles;
|
|
attribute_role mozilla_plugin_roles;
|
|
attribute_role mozilla_plugin_config_roles;
|
|
|
|
+roleattribute system_r mozilla_roles;
|
|
+roleattribute system_r mozilla_plugin_roles;
|
|
+roleattribute system_r mozilla_plugin_config_roles;
|
|
+
|
|
type mozilla_t;
|
|
type mozilla_exec_t;
|
|
typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t };
|
|
@@ -24,6 +48,9 @@ typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t };
|
|
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
|
|
role mozilla_roles types mozilla_t;
|
|
|
|
+type mozilla_conf_t;
|
|
+files_config_file(mozilla_conf_t)
|
|
+
|
|
type mozilla_home_t;
|
|
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
|
|
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
|
|
@@ -31,28 +58,24 @@ userdom_user_home_content(mozilla_home_t)
|
|
|
|
type mozilla_plugin_t;
|
|
type mozilla_plugin_exec_t;
|
|
-userdom_user_application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
|
|
+application_domain(mozilla_plugin_t, mozilla_plugin_exec_t)
|
|
role mozilla_plugin_roles types mozilla_plugin_t;
|
|
|
|
-type mozilla_plugin_home_t;
|
|
-userdom_user_home_content(mozilla_plugin_home_t)
|
|
-
|
|
type mozilla_plugin_tmp_t;
|
|
+userdom_user_tmp_content(mozilla_plugin_tmp_t)
|
|
userdom_user_tmp_file(mozilla_plugin_tmp_t)
|
|
|
|
type mozilla_plugin_tmpfs_t;
|
|
+userdom_user_tmpfs_content(mozilla_plugin_tmpfs_t)
|
|
userdom_user_tmpfs_file(mozilla_plugin_tmpfs_t)
|
|
|
|
-optional_policy(`
|
|
- pulseaudio_tmpfs_content(mozilla_plugin_tmpfs_t)
|
|
-')
|
|
-
|
|
type mozilla_plugin_rw_t;
|
|
files_type(mozilla_plugin_rw_t)
|
|
|
|
type mozilla_plugin_config_t;
|
|
type mozilla_plugin_config_exec_t;
|
|
-userdom_user_application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
|
|
+application_domain(mozilla_plugin_config_t, mozilla_plugin_config_exec_t)
|
|
+role mozilla_roles types mozilla_plugin_config_t;
|
|
role mozilla_plugin_config_roles types mozilla_plugin_config_t;
|
|
|
|
type mozilla_tmp_t;
|
|
@@ -63,10 +86,6 @@ typealias mozilla_tmpfs_t alias { user_mozilla_tmpfs_t staff_mozilla_tmpfs_t sys
|
|
typealias mozilla_tmpfs_t alias { auditadm_mozilla_tmpfs_t secadm_mozilla_tmpfs_t };
|
|
userdom_user_tmpfs_file(mozilla_tmpfs_t)
|
|
|
|
-optional_policy(`
|
|
- pulseaudio_tmpfs_content(mozilla_tmpfs_t)
|
|
-')
|
|
-
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -75,27 +94,30 @@ optional_policy(`
|
|
allow mozilla_t self:capability { sys_nice setgid setuid };
|
|
allow mozilla_t self:process { sigkill signal setsched getsched setrlimit };
|
|
allow mozilla_t self:fifo_file rw_fifo_file_perms;
|
|
-allow mozilla_t self:shm create_shm_perms;
|
|
+allow mozilla_t self:shm { unix_read unix_write read write destroy create };
|
|
allow mozilla_t self:sem create_sem_perms;
|
|
allow mozilla_t self:socket create_socket_perms;
|
|
-allow mozilla_t self:unix_stream_socket { accept listen };
|
|
+allow mozilla_t self:unix_stream_socket { listen accept };
|
|
+# Browse the web, connect to printer
|
|
+allow mozilla_t self:tcp_socket create_socket_perms;
|
|
+allow mozilla_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
-allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms;
|
|
-allow mozilla_t mozilla_plugin_t:fd use;
|
|
+# for bash - old mozilla binary
|
|
+can_exec(mozilla_t, mozilla_exec_t)
|
|
|
|
-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
|
|
-allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file manage_file_perms;
|
|
-allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
|
|
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
|
|
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
|
|
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".netscape")
|
|
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".phoenix")
|
|
+# X access, Home files
|
|
+manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
|
|
+manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
|
|
+manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
|
|
+userdom_search_user_home_dirs(mozilla_t)
|
|
|
|
-filetrans_pattern(mozilla_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
|
|
+# Mozpluggerrc
|
|
+allow mozilla_t mozilla_conf_t:file read_file_perms;
|
|
|
|
manage_files_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
|
|
manage_dirs_pattern(mozilla_t, mozilla_tmp_t, mozilla_tmp_t)
|
|
-files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
|
|
+# mozilla will manage user_tmp_t, so it will transition to it.
|
|
+#files_tmp_filetrans(mozilla_t, mozilla_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
|
|
manage_lnk_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
|
|
@@ -103,76 +125,69 @@ manage_fifo_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
|
|
manage_sock_files_pattern(mozilla_t, mozilla_tmpfs_t, mozilla_tmpfs_t)
|
|
fs_tmpfs_filetrans(mozilla_t, mozilla_tmpfs_t, { file lnk_file sock_file fifo_file })
|
|
|
|
-allow mozilla_t mozilla_plugin_rw_t:dir list_dir_perms;
|
|
-allow mozilla_t mozilla_plugin_rw_t:file read_file_perms;
|
|
-allow mozilla_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
|
|
-
|
|
-stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_plugin_t)
|
|
-
|
|
-can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t })
|
|
-
|
|
kernel_read_kernel_sysctls(mozilla_t)
|
|
kernel_read_network_state(mozilla_t)
|
|
+# Access /proc, sysctl
|
|
kernel_read_system_state(mozilla_t)
|
|
kernel_read_net_sysctls(mozilla_t)
|
|
|
|
+# Look for plugins
|
|
corecmd_list_bin(mozilla_t)
|
|
+# for bash - old mozilla binary
|
|
corecmd_exec_shell(mozilla_t)
|
|
corecmd_exec_bin(mozilla_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(mozilla_t)
|
|
+# Browse the web, connect to printer
|
|
corenet_all_recvfrom_netlabel(mozilla_t)
|
|
corenet_tcp_sendrecv_generic_if(mozilla_t)
|
|
+corenet_raw_sendrecv_generic_if(mozilla_t)
|
|
corenet_tcp_sendrecv_generic_node(mozilla_t)
|
|
-
|
|
-corenet_sendrecv_http_client_packets(mozilla_t)
|
|
-corenet_tcp_connect_http_port(mozilla_t)
|
|
+corenet_raw_sendrecv_generic_node(mozilla_t)
|
|
corenet_tcp_sendrecv_http_port(mozilla_t)
|
|
-
|
|
-corenet_sendrecv_http_cache_client_packets(mozilla_t)
|
|
-corenet_tcp_connect_http_cache_port(mozilla_t)
|
|
corenet_tcp_sendrecv_http_cache_port(mozilla_t)
|
|
-
|
|
-corenet_sendrecv_squid_client_packets(mozilla_t)
|
|
-corenet_tcp_connect_squid_port(mozilla_t)
|
|
corenet_tcp_sendrecv_squid_port(mozilla_t)
|
|
-
|
|
-corenet_sendrecv_ftp_client_packets(mozilla_t)
|
|
-corenet_tcp_connect_ftp_port(mozilla_t)
|
|
corenet_tcp_sendrecv_ftp_port(mozilla_t)
|
|
-
|
|
-corenet_sendrecv_ipp_client_packets(mozilla_t)
|
|
-corenet_tcp_connect_ipp_port(mozilla_t)
|
|
+corenet_tcp_connect_all_ephemeral_ports(mozilla_t)
|
|
corenet_tcp_sendrecv_ipp_port(mozilla_t)
|
|
-
|
|
-corenet_sendrecv_soundd_client_packets(mozilla_t)
|
|
+corenet_tcp_connect_http_port(mozilla_t)
|
|
+corenet_tcp_connect_http_cache_port(mozilla_t)
|
|
+corenet_tcp_connect_squid_port(mozilla_t)
|
|
+corenet_tcp_connect_ftp_port(mozilla_t)
|
|
+corenet_tcp_connect_ipp_port(mozilla_t)
|
|
+corenet_tcp_connect_generic_port(mozilla_t)
|
|
corenet_tcp_connect_soundd_port(mozilla_t)
|
|
-corenet_tcp_sendrecv_soundd_port(mozilla_t)
|
|
-
|
|
-corenet_sendrecv_speech_client_packets(mozilla_t)
|
|
+corenet_sendrecv_http_client_packets(mozilla_t)
|
|
+corenet_sendrecv_http_cache_client_packets(mozilla_t)
|
|
+corenet_sendrecv_squid_client_packets(mozilla_t)
|
|
+corenet_sendrecv_ftp_client_packets(mozilla_t)
|
|
+corenet_sendrecv_ipp_client_packets(mozilla_t)
|
|
+corenet_sendrecv_generic_client_packets(mozilla_t)
|
|
+# Should not need other ports
|
|
+corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
|
|
+corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
|
|
corenet_tcp_connect_speech_port(mozilla_t)
|
|
-corenet_tcp_sendrecv_speech_port(mozilla_t)
|
|
|
|
-dev_getattr_sysfs_dirs(mozilla_t)
|
|
-dev_read_sound(mozilla_t)
|
|
-dev_read_rand(mozilla_t)
|
|
dev_read_urand(mozilla_t)
|
|
-dev_rw_dri(mozilla_t)
|
|
+dev_read_rand(mozilla_t)
|
|
dev_write_sound(mozilla_t)
|
|
+dev_read_sound(mozilla_t)
|
|
+dev_dontaudit_rw_dri(mozilla_t)
|
|
+dev_getattr_sysfs_dirs(mozilla_t)
|
|
|
|
domain_dontaudit_read_all_domains_state(mozilla_t)
|
|
|
|
files_read_etc_runtime_files(mozilla_t)
|
|
-files_read_usr_files(mozilla_t)
|
|
-files_read_var_files(mozilla_t)
|
|
+# /var/lib
|
|
files_read_var_lib_files(mozilla_t)
|
|
+# interacting with gstreamer
|
|
+files_read_var_files(mozilla_t)
|
|
files_read_var_symlinks(mozilla_t)
|
|
files_dontaudit_getattr_boot_dirs(mozilla_t)
|
|
|
|
-fs_getattr_all_fs(mozilla_t)
|
|
+fs_dontaudit_getattr_all_fs(mozilla_t)
|
|
fs_search_auto_mountpoints(mozilla_t)
|
|
fs_list_inotifyfs(mozilla_t)
|
|
-fs_rw_tmpfs_files(mozilla_t)
|
|
+fs_rw_inherited_tmpfs_files(mozilla_t)
|
|
|
|
term_dontaudit_getattr_pty_dirs(mozilla_t)
|
|
|
|
@@ -181,56 +196,73 @@ auth_use_nsswitch(mozilla_t)
|
|
logging_send_syslog_msg(mozilla_t)
|
|
|
|
miscfiles_read_fonts(mozilla_t)
|
|
-miscfiles_read_localization(mozilla_t)
|
|
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
|
|
|
|
-userdom_use_user_ptys(mozilla_t)
|
|
-
|
|
-userdom_manage_user_tmp_dirs(mozilla_t)
|
|
-userdom_manage_user_tmp_files(mozilla_t)
|
|
-
|
|
-userdom_manage_user_home_content_dirs(mozilla_t)
|
|
-userdom_manage_user_home_content_files(mozilla_t)
|
|
-userdom_user_home_dir_filetrans_user_home_content(mozilla_t, { dir file })
|
|
+userdom_use_inherited_user_ptys(mozilla_t)
|
|
|
|
-userdom_write_user_tmp_sockets(mozilla_t)
|
|
-
|
|
-mozilla_run_plugin(mozilla_t, mozilla_roles)
|
|
-mozilla_run_plugin_config(mozilla_t, mozilla_roles)
|
|
+#mozilla_run_plugin(mozilla_t, mozilla_roles)
|
|
|
|
xserver_user_x_domain_template(mozilla, mozilla_t, mozilla_tmpfs_t)
|
|
xserver_dontaudit_read_xdm_tmp_files(mozilla_t)
|
|
xserver_dontaudit_getattr_xdm_tmp_sockets(mozilla_t)
|
|
|
|
-ifndef(`enable_mls',`
|
|
- fs_list_dos(mozilla_t)
|
|
- fs_read_dos_files(mozilla_t)
|
|
-
|
|
- fs_search_removable(mozilla_t)
|
|
- fs_read_removable_files(mozilla_t)
|
|
- fs_read_removable_symlinks(mozilla_t)
|
|
-
|
|
- fs_read_iso9660_files(mozilla_t)
|
|
+tunable_policy(`selinuxuser_execstack',`
|
|
+ allow mozilla_t self:process execstack;
|
|
')
|
|
|
|
-tunable_policy(`allow_execmem',`
|
|
+tunable_policy(`deny_execmem',`',`
|
|
allow mozilla_t self:process execmem;
|
|
')
|
|
|
|
-tunable_policy(`mozilla_execstack',`
|
|
- allow mozilla_t self:process { execmem execstack };
|
|
-')
|
|
-
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(mozilla_t)
|
|
- fs_manage_nfs_files(mozilla_t)
|
|
- fs_manage_nfs_symlinks(mozilla_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(mozilla_t)
|
|
- fs_manage_cifs_files(mozilla_t)
|
|
- fs_manage_cifs_symlinks(mozilla_t)
|
|
+userdom_home_manager(mozilla_t)
|
|
+
|
|
+# Uploads, local html
|
|
+tunable_policy(`mozilla_read_content && use_nfs_home_dirs',`
|
|
+ fs_list_auto_mountpoints(mozilla_t)
|
|
+ files_list_home(mozilla_t)
|
|
+ fs_read_nfs_files(mozilla_t)
|
|
+ fs_read_nfs_symlinks(mozilla_t)
|
|
+
|
|
+',`
|
|
+ files_dontaudit_list_home(mozilla_t)
|
|
+ fs_dontaudit_list_auto_mountpoints(mozilla_t)
|
|
+ fs_dontaudit_read_nfs_files(mozilla_t)
|
|
+ fs_dontaudit_list_nfs(mozilla_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`mozilla_read_content && use_samba_home_dirs',`
|
|
+ fs_list_auto_mountpoints(mozilla_t)
|
|
+ files_list_home(mozilla_t)
|
|
+ fs_read_cifs_files(mozilla_t)
|
|
+ fs_read_cifs_symlinks(mozilla_t)
|
|
+',`
|
|
+ files_dontaudit_list_home(mozilla_t)
|
|
+ fs_dontaudit_list_auto_mountpoints(mozilla_t)
|
|
+ fs_dontaudit_read_cifs_files(mozilla_t)
|
|
+ fs_dontaudit_list_cifs(mozilla_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`mozilla_read_content',`
|
|
+ userdom_list_user_tmp(mozilla_t)
|
|
+ userdom_read_user_tmp_files(mozilla_t)
|
|
+ userdom_read_user_tmp_symlinks(mozilla_t)
|
|
+ userdom_read_user_home_content_files(mozilla_t)
|
|
+ userdom_read_user_home_content_symlinks(mozilla_t)
|
|
+
|
|
+ ifndef(`enable_mls',`
|
|
+ fs_search_removable(mozilla_t)
|
|
+ fs_read_removable_files(mozilla_t)
|
|
+ fs_read_removable_symlinks(mozilla_t)
|
|
+ ')
|
|
+',`
|
|
+ files_dontaudit_list_tmp(mozilla_t)
|
|
+ files_dontaudit_list_home(mozilla_t)
|
|
+ fs_dontaudit_list_removable(mozilla_t)
|
|
+ fs_dontaudit_read_removable_files(mozilla_t)
|
|
+ userdom_dontaudit_list_user_tmp(mozilla_t)
|
|
+ userdom_dontaudit_read_user_tmp_files(mozilla_t)
|
|
+ userdom_dontaudit_list_user_home_dirs(mozilla_t)
|
|
+ userdom_dontaudit_read_user_home_content_files(mozilla_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -244,19 +276,12 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
cups_read_rw_config(mozilla_t)
|
|
+ cups_dbus_chat(mozilla_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- dbus_all_session_bus_client(mozilla_t)
|
|
dbus_system_bus_client(mozilla_t)
|
|
-
|
|
- optional_policy(`
|
|
- cups_dbus_chat(mozilla_t)
|
|
- ')
|
|
-
|
|
- optional_policy(`
|
|
- mozilla_dbus_chat_plugin(mozilla_t)
|
|
- ')
|
|
+ dbus_session_bus_client(mozilla_t)
|
|
|
|
optional_policy(`
|
|
networkmanager_dbus_chat(mozilla_t)
|
|
@@ -265,33 +290,32 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
gnome_stream_connect_gconf(mozilla_t)
|
|
- gnome_manage_generic_gconf_home_content(mozilla_t)
|
|
- gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconf")
|
|
- gnome_home_filetrans_gconf_home(mozilla_t, dir, ".gconfd")
|
|
- gnome_manage_generic_home_content(mozilla_t)
|
|
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome")
|
|
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2")
|
|
- gnome_home_filetrans_gnome_home(mozilla_t, dir, ".gnome2_private")
|
|
+ gnome_manage_config(mozilla_t)
|
|
+ gnome_manage_gconf_home_files(mozilla_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ java_domtrans(mozilla_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- java_exec(mozilla_t)
|
|
- java_manage_generic_home_content(mozilla_t)
|
|
- java_home_filetrans_java_home(mozilla_t, dir, ".java")
|
|
+ lpd_domtrans_lpr(mozilla_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- lpd_run_lpr(mozilla_t, mozilla_roles)
|
|
+ mplayer_domtrans(mozilla_t)
|
|
+ mplayer_read_user_home_files(mozilla_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- mplayer_exec(mozilla_t)
|
|
- mplayer_manage_generic_home_content(mozilla_t)
|
|
- mplayer_home_filetrans_mplayer_home(mozilla_t, dir, ".mplayer")
|
|
+ nscd_socket_use(mozilla_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- pulseaudio_run(mozilla_t, mozilla_roles)
|
|
+ #pulseaudio_role(mozilla_roles, mozilla_t)
|
|
+ pulseaudio_exec(mozilla_t)
|
|
+ pulseaudio_stream_connect(mozilla_t)
|
|
+ pulseaudio_manage_home_files(mozilla_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -300,259 +324,236 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Plugin local policy
|
|
+# mozilla_plugin local policy
|
|
#
|
|
|
|
-dontaudit mozilla_plugin_t self:capability { ipc_lock sys_nice sys_ptrace sys_tty_config };
|
|
-allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms setrlimit };
|
|
-allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
|
|
+dontaudit mozilla_plugin_t self:capability { sys_admin ipc_lock sys_nice sys_tty_config };
|
|
+dontaudit mozilla_plugin_t self:capability2 block_suspend;
|
|
+
|
|
+allow mozilla_plugin_t self:process { setpgid getsched setsched signal_perms execmem execstack setrlimit transition };
|
|
+allow mozilla_plugin_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+allow mozilla_plugin_t self:netlink_socket create_socket_perms;
|
|
+allow mozilla_plugin_t self:tcp_socket create_stream_socket_perms;
|
|
+allow mozilla_plugin_t self:udp_socket create_socket_perms;
|
|
allow mozilla_plugin_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
+
|
|
allow mozilla_plugin_t self:sem create_sem_perms;
|
|
allow mozilla_plugin_t self:shm create_shm_perms;
|
|
-allow mozilla_plugin_t self:tcp_socket { accept listen };
|
|
-allow mozilla_plugin_t self:unix_stream_socket { accept connectto listen };
|
|
-
|
|
-allow mozilla_plugin_t mozilla_t:unix_stream_socket rw_socket_perms;
|
|
-allow mozilla_plugin_t mozilla_t:unix_dgram_socket rw_socket_perms;
|
|
-allow mozilla_plugin_t mozilla_t:shm { rw_shm_perms destroy };
|
|
-allow mozilla_plugin_t mozilla_t:sem create_sem_perms;
|
|
-
|
|
-manage_dirs_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
|
|
-manage_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
|
|
-manage_lnk_files_pattern(mozilla_plugin_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
|
|
-
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".galeon")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".mozilla")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".netscape")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, dir, ".phoenix")
|
|
-
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".adobe")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".macromedia")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gnash")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".gcjwebplugin")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".icedteaplugin")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".spicec")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, ".ICAClient")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
|
|
-
|
|
-filetrans_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
|
|
+allow mozilla_plugin_t self:msgq create_msgq_perms;
|
|
+allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms;
|
|
+allow mozilla_plugin_t self:unix_dgram_socket sendto;
|
|
+allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
|
+
|
|
+can_exec(mozilla_plugin_t, mozilla_home_t)
|
|
+manage_dirs_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
|
|
+manage_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
|
|
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
|
|
+manage_fifo_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t)
|
|
|
|
manage_dirs_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
|
|
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
|
|
+manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
|
|
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
|
|
-files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
|
|
-userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file })
|
|
+manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
|
|
+files_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
|
|
+userdom_user_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
|
|
+xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
|
|
+can_exec(mozilla_plugin_t, mozilla_plugin_tmp_t)
|
|
|
|
manage_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
|
|
manage_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
|
|
manage_fifo_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
|
|
manage_sock_files_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t)
|
|
fs_tmpfs_filetrans(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
|
|
+userdom_tmpfs_filetrans_to(mozilla_plugin_t, mozilla_plugin_tmpfs_t, { file lnk_file sock_file fifo_file })
|
|
|
|
allow mozilla_plugin_t mozilla_plugin_rw_t:dir list_dir_perms;
|
|
-allow mozilla_plugin_t mozilla_plugin_rw_t:file read_file_perms;
|
|
-allow mozilla_plugin_t mozilla_plugin_rw_t:lnk_file read_lnk_file_perms;
|
|
-
|
|
-dgram_send_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
|
|
-stream_connect_pattern(mozilla_plugin_t, mozilla_plugin_tmpfs_t, mozilla_plugin_tmpfs_t, mozilla_t)
|
|
+read_lnk_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
|
+read_files_pattern(mozilla_plugin_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
|
|
|
-can_exec(mozilla_plugin_t, { mozilla_exec_t mozilla_plugin_home_t mozilla_plugin_tmp_t })
|
|
+can_exec(mozilla_plugin_t, mozilla_exec_t)
|
|
|
|
kernel_read_all_sysctls(mozilla_plugin_t)
|
|
kernel_read_system_state(mozilla_plugin_t)
|
|
kernel_read_network_state(mozilla_plugin_t)
|
|
kernel_request_load_module(mozilla_plugin_t)
|
|
kernel_dontaudit_getattr_core_if(mozilla_plugin_t)
|
|
+files_dontaudit_read_root_files(mozilla_plugin_t)
|
|
|
|
corecmd_exec_bin(mozilla_plugin_t)
|
|
corecmd_exec_shell(mozilla_plugin_t)
|
|
+corecmd_dontaudit_access_all_executables(mozilla_plugin_t)
|
|
+corecmd_getattr_all_executables(mozilla_plugin_t)
|
|
|
|
-corenet_all_recvfrom_netlabel(mozilla_plugin_t)
|
|
-corenet_all_recvfrom_unlabeled(mozilla_plugin_t)
|
|
-corenet_tcp_sendrecv_generic_if(mozilla_plugin_t)
|
|
-corenet_tcp_sendrecv_generic_node(mozilla_plugin_t)
|
|
-
|
|
-corenet_sendrecv_asterisk_client_packets(mozilla_plugin_t)
|
|
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
|
|
+corenet_tcp_connect_all_ephemeral_ports(mozilla_plugin_t)
|
|
+corenet_tcp_connect_aol_port(mozilla_plugin_t)
|
|
corenet_tcp_connect_asterisk_port(mozilla_plugin_t)
|
|
-corenet_tcp_sendrecv_asterisk_port(mozilla_plugin_t)
|
|
-
|
|
-corenet_sendrecv_ftp_client_packets(mozilla_plugin_t)
|
|
+corenet_tcp_connect_commplex_link_port(mozilla_plugin_t)
|
|
+corenet_tcp_connect_couchdb_port(mozilla_plugin_t)
|
|
+corenet_tcp_connect_flash_port(mozilla_plugin_t)
|
|
corenet_tcp_connect_ftp_port(mozilla_plugin_t)
|
|
-corenet_tcp_sendrecv_ftp_port(mozilla_plugin_t)
|
|
-
|
|
-corenet_sendrecv_gatekeeper_client_packets(mozilla_plugin_t)
|
|
corenet_tcp_connect_gatekeeper_port(mozilla_plugin_t)
|
|
-corenet_tcp_sendrecv_gatekeeper_port(mozilla_plugin_t)
|
|
-
|
|
-corenet_sendrecv_http_client_packets(mozilla_plugin_t)
|
|
-corenet_tcp_connect_http_port(mozilla_plugin_t)
|
|
-corenet_tcp_sendrecv_http_port(mozilla_plugin_t)
|
|
-
|
|
-corenet_sendrecv_http_cache_client_packets(mozilla_plugin_t)
|
|
+corenet_tcp_connect_generic_port(mozilla_plugin_t)
|
|
corenet_tcp_connect_http_cache_port(mozilla_plugin_t)
|
|
-corenet_tcp_sendrecv_http_cache_port(mozilla_plugin_t)
|
|
-
|
|
-corenet_sendrecv_ipp_client_packets(mozilla_plugin_t)
|
|
+corenet_tcp_connect_http_port(mozilla_plugin_t)
|
|
corenet_tcp_connect_ipp_port(mozilla_plugin_t)
|
|
-corenet_tcp_sendrecv_ipp_port(mozilla_plugin_t)
|
|
-
|
|
-corenet_sendrecv_ircd_client_packets(mozilla_plugin_t)
|
|
+corenet_tcp_connect_ipsecnat_port(mozilla_plugin_t)
|
|
corenet_tcp_connect_ircd_port(mozilla_plugin_t)
|
|
-corenet_tcp_sendrecv_ircd_port(mozilla_plugin_t)
|
|
-
|
|
-corenet_sendrecv_jabber_client_client_packets(mozilla_plugin_t)
|
|
corenet_tcp_connect_jabber_client_port(mozilla_plugin_t)
|
|
-corenet_tcp_sendrecv_jabber_client_port(mozilla_plugin_t)
|
|
-
|
|
-corenet_sendrecv_mmcc_client_packets(mozilla_plugin_t)
|
|
+corenet_tcp_connect_jboss_management_port(mozilla_plugin_t)
|
|
corenet_tcp_connect_mmcc_port(mozilla_plugin_t)
|
|
-corenet_tcp_sendrecv_mmcc_port(mozilla_plugin_t)
|
|
-
|
|
-corenet_sendrecv_monopd_client_packets(mozilla_plugin_t)
|
|
corenet_tcp_connect_monopd_port(mozilla_plugin_t)
|
|
-corenet_tcp_sendrecv_monopd_port(mozilla_plugin_t)
|
|
-
|
|
-corenet_sendrecv_soundd_client_packets(mozilla_plugin_t)
|
|
+corenet_tcp_connect_msnp_port(mozilla_plugin_t)
|
|
+corenet_tcp_connect_ms_streaming_port(mozilla_plugin_t)
|
|
+corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
|
|
+corenet_tcp_connect_rtsp_port(mozilla_plugin_t)
|
|
corenet_tcp_connect_soundd_port(mozilla_plugin_t)
|
|
-corenet_tcp_sendrecv_soundd_port(mozilla_plugin_t)
|
|
-
|
|
-corenet_sendrecv_speech_client_packets(mozilla_plugin_t)
|
|
corenet_tcp_connect_speech_port(mozilla_plugin_t)
|
|
-corenet_tcp_sendrecv_speech_port(mozilla_plugin_t)
|
|
-
|
|
-corenet_sendrecv_squid_client_packets(mozilla_plugin_t)
|
|
corenet_tcp_connect_squid_port(mozilla_plugin_t)
|
|
-corenet_tcp_sendrecv_squid_port(mozilla_plugin_t)
|
|
-
|
|
-corenet_sendrecv_vnc_client_packets(mozilla_plugin_t)
|
|
+corenet_tcp_connect_tor_port(mozilla_plugin_t)
|
|
+corenet_tcp_connect_transproxy_port(mozilla_plugin_t)
|
|
corenet_tcp_connect_vnc_port(mozilla_plugin_t)
|
|
-corenet_tcp_sendrecv_vnc_port(mozilla_plugin_t)
|
|
+corenet_tcp_connect_whois_port(mozilla_plugin_t)
|
|
+corenet_tcp_bind_generic_node(mozilla_plugin_t)
|
|
+corenet_udp_bind_generic_node(mozilla_plugin_t)
|
|
+corenet_tcp_bind_jboss_debug_port(mozilla_plugin_t)
|
|
+corenet_dontaudit_udp_bind_ssdp_port(mozilla_plugin_t)
|
|
|
|
-dev_read_generic_usb_dev(mozilla_plugin_t)
|
|
+dev_dontaudit_append_rand(mozilla_plugin_t)
|
|
dev_read_rand(mozilla_plugin_t)
|
|
-dev_read_realtime_clock(mozilla_plugin_t)
|
|
-dev_read_sound(mozilla_plugin_t)
|
|
-dev_read_sysfs(mozilla_plugin_t)
|
|
dev_read_urand(mozilla_plugin_t)
|
|
+dev_read_generic_usb_dev(mozilla_plugin_t)
|
|
dev_read_video_dev(mozilla_plugin_t)
|
|
-dev_write_sound(mozilla_plugin_t)
|
|
dev_write_video_dev(mozilla_plugin_t)
|
|
-dev_rw_dri(mozilla_plugin_t)
|
|
+dev_read_realtime_clock(mozilla_plugin_t)
|
|
+dev_read_sysfs(mozilla_plugin_t)
|
|
+dev_read_sound(mozilla_plugin_t)
|
|
+dev_write_sound(mozilla_plugin_t)
|
|
+# for nvidia driver
|
|
dev_rw_xserver_misc(mozilla_plugin_t)
|
|
+dev_rwx_zero(mozilla_plugin_t)
|
|
+dev_dontaudit_read_mtrr(mozilla_plugin_t)
|
|
+xserver_dri_domain(mozilla_plugin_t)
|
|
|
|
-dev_dontaudit_getattr_generic_files(mozilla_plugin_t)
|
|
-dev_dontaudit_getattr_generic_pipes(mozilla_plugin_t)
|
|
-dev_dontaudit_getattr_all_blk_files(mozilla_plugin_t)
|
|
-dev_dontaudit_getattr_all_chr_files(mozilla_plugin_t)
|
|
+dev_dontaudit_getattr_all(mozilla_plugin_t)
|
|
|
|
domain_use_interactive_fds(mozilla_plugin_t)
|
|
domain_dontaudit_read_all_domains_state(mozilla_plugin_t)
|
|
|
|
-files_exec_usr_files(mozilla_plugin_t)
|
|
-files_list_mnt(mozilla_plugin_t)
|
|
files_read_config_files(mozilla_plugin_t)
|
|
-files_read_usr_files(mozilla_plugin_t)
|
|
+files_list_mnt(mozilla_plugin_t)
|
|
+files_exec_usr_files(mozilla_plugin_t)
|
|
+fs_rw_inherited_tmpfs_files(mozilla_plugin_t)
|
|
+files_dontaudit_all_access_check(mozilla_plugin_t)
|
|
|
|
fs_getattr_all_fs(mozilla_plugin_t)
|
|
-# fs_read_hugetlbfs_files(mozilla_plugin_t)
|
|
-fs_search_auto_mountpoints(mozilla_plugin_t)
|
|
-
|
|
-term_getattr_all_ttys(mozilla_plugin_t)
|
|
-term_getattr_all_ptys(mozilla_plugin_t)
|
|
+fs_list_dos(mozilla_plugin_t)
|
|
+fs_read_noxattr_fs_files(mozilla_plugin_t)
|
|
+fs_read_hugetlbfs_files(mozilla_plugin_t)
|
|
+fs_exec_hugetlbfs_files(mozilla_plugin_t)
|
|
|
|
application_exec(mozilla_plugin_t)
|
|
+application_dontaudit_signull(mozilla_plugin_t)
|
|
|
|
auth_use_nsswitch(mozilla_plugin_t)
|
|
|
|
+init_dontaudit_getattr_initctl(mozilla_plugin_t)
|
|
+init_read_all_script_files(mozilla_plugin_t)
|
|
+
|
|
libs_exec_ld_so(mozilla_plugin_t)
|
|
libs_exec_lib_files(mozilla_plugin_t)
|
|
+libs_legacy_use_shared_libs(mozilla_plugin_t)
|
|
|
|
logging_send_syslog_msg(mozilla_plugin_t)
|
|
|
|
-miscfiles_read_localization(mozilla_plugin_t)
|
|
miscfiles_read_fonts(mozilla_plugin_t)
|
|
miscfiles_read_generic_certs(mozilla_plugin_t)
|
|
+miscfiles_dontaudit_write_generic_cert_files(mozilla_plugin_t)
|
|
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
|
|
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)
|
|
|
|
-userdom_manage_user_tmp_dirs(mozilla_plugin_t)
|
|
-userdom_manage_user_tmp_files(mozilla_plugin_t)
|
|
-
|
|
-userdom_manage_user_home_content_dirs(mozilla_plugin_t)
|
|
-userdom_manage_user_home_content_files(mozilla_plugin_t)
|
|
-userdom_user_home_dir_filetrans_user_home_content(mozilla_plugin_t, { dir file })
|
|
+systemd_read_logind_sessions_files(mozilla_plugin_t)
|
|
|
|
-userdom_write_user_tmp_sockets(mozilla_plugin_t)
|
|
+term_getattr_all_ttys(mozilla_plugin_t)
|
|
+term_getattr_all_ptys(mozilla_plugin_t)
|
|
+term_getattr_ptmx(mozilla_plugin_t)
|
|
+term_dontaudit_use_ptmx(mozilla_plugin_t)
|
|
|
|
+userdom_dontaudit_setattr_user_tmpfs(mozilla_plugin_t)
|
|
+userdom_rw_user_tmpfs_files(mozilla_plugin_t)
|
|
+userdom_delete_user_tmpfs_files(mozilla_plugin_t)
|
|
userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
|
|
+userdom_manage_user_tmp_sockets(mozilla_plugin_t)
|
|
+userdom_manage_user_tmp_dirs(mozilla_plugin_t)
|
|
+userdom_rw_inherited_user_tmp_files(mozilla_plugin_t)
|
|
+userdom_delete_user_tmp_files(mozilla_plugin_t)
|
|
+userdom_rw_inherited_user_home_sock_files(mozilla_plugin_t)
|
|
+userdom_manage_home_certs(mozilla_plugin_t)
|
|
+userdom_read_user_tmp_symlinks(mozilla_plugin_t)
|
|
+userdom_stream_connect(mozilla_plugin_t)
|
|
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_t)
|
|
|
|
-ifndef(`enable_mls',`
|
|
- fs_list_dos(mozilla_plugin_t)
|
|
- fs_read_dos_files(mozilla_plugin_t)
|
|
-
|
|
- fs_search_removable(mozilla_plugin_t)
|
|
- fs_read_removable_files(mozilla_plugin_t)
|
|
- fs_read_removable_symlinks(mozilla_plugin_t)
|
|
+userdom_read_user_home_content_files(mozilla_plugin_t)
|
|
+userdom_read_user_home_content_symlinks(mozilla_plugin_t)
|
|
+userdom_read_home_certs(mozilla_plugin_t)
|
|
+userdom_read_home_audio_files(mozilla_plugin_t)
|
|
+userdom_exec_user_tmp_files(mozilla_plugin_t)
|
|
|
|
- fs_read_iso9660_files(mozilla_plugin_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`allow_execmem',`
|
|
- allow mozilla_plugin_t self:process execmem;
|
|
-')
|
|
+userdom_home_manager(mozilla_plugin_t)
|
|
|
|
-tunable_policy(`mozilla_execstack',`
|
|
- allow mozilla_plugin_t self:process { execmem execstack };
|
|
+tunable_policy(`mozilla_plugin_can_network_connect',`
|
|
+ corenet_tcp_connect_all_ports(mozilla_plugin_t)
|
|
')
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(mozilla_plugin_t)
|
|
- fs_manage_nfs_files(mozilla_plugin_t)
|
|
- fs_manage_nfs_symlinks(mozilla_plugin_t)
|
|
+optional_policy(`
|
|
+ alsa_read_rw_config(mozilla_plugin_t)
|
|
+ alsa_read_home_files(mozilla_plugin_t)
|
|
')
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(mozilla_plugin_t)
|
|
- fs_manage_cifs_files(mozilla_plugin_t)
|
|
- fs_manage_cifs_symlinks(mozilla_plugin_t)
|
|
+optional_policy(`
|
|
+ apache_list_modules(mozilla_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- alsa_read_rw_config(mozilla_plugin_t)
|
|
- alsa_read_home_files(mozilla_plugin_t)
|
|
+ cups_stream_connect(mozilla_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t)
|
|
+ dbus_system_bus_client(mozilla_plugin_t)
|
|
+ dbus_session_bus_client(mozilla_plugin_t)
|
|
+ dbus_connect_session_bus(mozilla_plugin_t)
|
|
+ dbus_read_lib_files(mozilla_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- dbus_all_session_bus_client(mozilla_plugin_t)
|
|
- dbus_connect_all_session_bus(mozilla_plugin_t)
|
|
- dbus_system_bus_client(mozilla_plugin_t)
|
|
+ gnome_manage_config(mozilla_plugin_t)
|
|
+ gnome_read_usr_config(mozilla_plugin_t)
|
|
+ gnome_filetrans_home_content(mozilla_plugin_t)
|
|
+ gnome_exec_gstreamer_home_files(mozilla_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- gnome_manage_generic_home_content(mozilla_plugin_t)
|
|
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome")
|
|
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2")
|
|
- gnome_home_filetrans_gnome_home(mozilla_plugin_t, dir, ".gnome2_private")
|
|
+ gpm_dontaudit_getattr_gpmctl(mozilla_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
java_exec(mozilla_plugin_t)
|
|
- java_manage_generic_home_content(mozilla_plugin_t)
|
|
- java_home_filetrans_java_home(mozilla_plugin_t, dir, ".java")
|
|
')
|
|
|
|
optional_policy(`
|
|
- lpd_run_lpr(mozilla_plugin_t, mozilla_plugin_roles)
|
|
+ mplayer_exec(mozilla_plugin_t)
|
|
+ mplayer_manage_generic_home_content(mozilla_plugin_t)
|
|
+ mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
|
|
')
|
|
|
|
optional_policy(`
|
|
- mplayer_exec(mozilla_plugin_t)
|
|
- mplayer_manage_generic_home_content(mozilla_plugin_t)
|
|
- mplayer_home_filetrans_mplayer_home(mozilla_plugin_t, dir, ".mplayer")
|
|
+ pulseaudio_exec(mozilla_plugin_t)
|
|
+ pulseaudio_stream_connect(mozilla_plugin_t)
|
|
+ pulseaudio_setattr_home_dir(mozilla_plugin_t)
|
|
+ pulseaudio_manage_home_dirs(mozilla_plugin_t)
|
|
+ pulseaudio_manage_home_files(mozilla_plugin_t)
|
|
+ pulseaudio_manage_home_symlinks(mozilla_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -560,7 +561,7 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles)
|
|
+ rtkit_scheduled(mozilla_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -568,108 +569,130 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- xserver_read_user_xauth(mozilla_plugin_t)
|
|
+ xserver_xdm_tmp_filetrans(mozilla_plugin_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file })
|
|
+ xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
|
|
xserver_read_xdm_pid(mozilla_plugin_t)
|
|
xserver_stream_connect(mozilla_plugin_t)
|
|
xserver_use_user_fonts(mozilla_plugin_t)
|
|
- xserver_dontaudit_read_xdm_tmp_files(mozilla_plugin_t)
|
|
+ xserver_read_user_iceauth(mozilla_plugin_t)
|
|
+ xserver_read_user_xauth(mozilla_plugin_t)
|
|
+ xserver_append_xdm_home_files(mozilla_plugin_t)
|
|
+ xserver_dontaudit_xdm_tmp_dirs(mozilla_plugin_t)
|
|
+ xserver_dontaudit_xdm_rw_stream_sockets(mozilla_plugin_t)
|
|
+ xserver_filetrans_fonts_cache_home_content(mozilla_plugin_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Plugin config local policy
|
|
+# mozilla_plugin_config local policy
|
|
#
|
|
|
|
allow mozilla_plugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
|
|
-allow mozilla_plugin_config_t self:process { setsched signal_perms getsched };
|
|
-allow mozilla_plugin_config_t self:fifo_file rw_fifo_file_perms;
|
|
-allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
|
|
-
|
|
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:dir manage_dir_perms;
|
|
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:file manage_file_perms;
|
|
-allow mozilla_plugin_config_t mozilla_plugin_rw_t:lnk_file manage_lnk_file_perms;
|
|
+allow mozilla_plugin_config_t self:process { setsched signal_perms getsched execmem execstack };
|
|
|
|
-manage_dirs_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, { mozilla_home_t mozilla_plugin_home_t })
|
|
-manage_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
|
|
-manage_lnk_files_pattern(mozilla_plugin_config_t, { mozilla_home_t mozilla_plugin_home_t }, mozilla_plugin_home_t)
|
|
-
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".galeon")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".mozilla")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".netscape")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_home_t, dir, ".phoenix")
|
|
+allow mozilla_plugin_config_t self:fifo_file rw_file_perms;
|
|
+allow mozilla_plugin_config_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".adobe")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".macromedia")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gnash")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".gcjwebplugin")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".icedteaplugin")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".spicec")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, ".ICAClient")
|
|
-userdom_user_home_dir_filetrans(mozilla_plugin_config_t, mozilla_plugin_home_t, dir, "zimbrauserdata")
|
|
+ps_process_pattern(mozilla_plugin_config_t,mozilla_plugin_t)
|
|
|
|
-filetrans_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_plugin_home_t, dir, "plugins")
|
|
+dev_read_sysfs(mozilla_plugin_config_t)
|
|
+dev_read_urand(mozilla_plugin_config_t)
|
|
+dev_dontaudit_read_rand(mozilla_plugin_config_t)
|
|
+dev_dontaudit_rw_dri(mozilla_plugin_config_t)
|
|
|
|
-can_exec(mozilla_plugin_config_t, { mozilla_plugin_rw_t mozilla_plugin_home_t })
|
|
+fs_search_auto_mountpoints(mozilla_plugin_config_t)
|
|
+fs_list_inotifyfs(mozilla_plugin_config_t)
|
|
|
|
-ps_process_pattern(mozilla_plugin_config_t, mozilla_plugin_t)
|
|
-
|
|
-kernel_read_system_state(mozilla_plugin_config_t)
|
|
-kernel_request_load_module(mozilla_plugin_config_t)
|
|
+can_exec(mozilla_plugin_config_t, mozilla_plugin_rw_t)
|
|
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
|
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
|
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_rw_t, mozilla_plugin_rw_t)
|
|
+
|
|
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
|
|
+manage_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
|
|
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
|
|
+manage_fifo_files_pattern(mozilla_plugin_config_t, mozilla_home_t, mozilla_home_t)
|
|
+mozilla_filetrans_home_content(mozilla_plugin_t)
|
|
+
|
|
+manage_dirs_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
|
|
+manage_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
|
|
+manage_lnk_files_pattern(mozilla_plugin_config_t, mozilla_plugin_tmp_t, mozilla_plugin_tmp_t)
|
|
+files_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file fifo_file sock_file lnk_file })
|
|
+userdom_user_tmp_filetrans(mozilla_plugin_config_t, mozilla_plugin_tmp_t, { dir file })
|
|
+mozilla_filetrans_home_content(mozilla_plugin_config_t)
|
|
+dontaudit mozilla_plugin_t mozilla_plugin_tmp_t:file relabelfrom;
|
|
|
|
corecmd_exec_bin(mozilla_plugin_config_t)
|
|
corecmd_exec_shell(mozilla_plugin_config_t)
|
|
|
|
-dev_read_urand(mozilla_plugin_config_t)
|
|
-dev_rw_dri(mozilla_plugin_config_t)
|
|
-dev_search_sysfs(mozilla_plugin_config_t)
|
|
-dev_dontaudit_read_rand(mozilla_plugin_config_t)
|
|
+kernel_read_system_state(mozilla_plugin_config_t)
|
|
+kernel_request_load_module(mozilla_plugin_config_t)
|
|
|
|
domain_use_interactive_fds(mozilla_plugin_config_t)
|
|
|
|
-files_list_tmp(mozilla_plugin_config_t)
|
|
-files_read_usr_files(mozilla_plugin_config_t)
|
|
files_dontaudit_search_home(mozilla_plugin_config_t)
|
|
+files_list_tmp(mozilla_plugin_config_t)
|
|
|
|
fs_getattr_all_fs(mozilla_plugin_config_t)
|
|
-fs_search_auto_mountpoints(mozilla_plugin_config_t)
|
|
-fs_list_inotifyfs(mozilla_plugin_config_t)
|
|
+
|
|
+term_dontaudit_use_ptmx(mozilla_plugin_config_t)
|
|
|
|
auth_use_nsswitch(mozilla_plugin_config_t)
|
|
|
|
-miscfiles_read_localization(mozilla_plugin_config_t)
|
|
miscfiles_read_fonts(mozilla_plugin_config_t)
|
|
|
|
+userdom_search_user_home_content(mozilla_plugin_config_t)
|
|
userdom_read_user_home_content_symlinks(mozilla_plugin_config_t)
|
|
userdom_read_user_home_content_files(mozilla_plugin_config_t)
|
|
+userdom_dontaudit_search_admin_dir(mozilla_plugin_config_t)
|
|
+userdom_use_inherited_user_ptys(mozilla_plugin_config_t)
|
|
+userdom_dontaudit_use_user_terminals(mozilla_plugin_config_t)
|
|
+userdom_dontaudit_rw_user_tmp_pipes(mozilla_plugin_config_t)
|
|
+userdom_dontaudit_write_all_user_home_content_files(mozilla_plugin_config_t)
|
|
+userdom_dontaudit_write_all_user_tmp_content_files(mozilla_plugin_config_t)
|
|
|
|
-userdom_use_user_ptys(mozilla_plugin_config_t)
|
|
+domtrans_pattern(mozilla_plugin_config_t, mozilla_plugin_exec_t, mozilla_plugin_t)
|
|
|
|
-mozilla_run_plugin(mozilla_plugin_config_t, mozilla_plugin_config_roles)
|
|
+tunable_policy(`use_ecryptfs_home_dirs',`
|
|
+ fs_read_ecryptfs_files(mozilla_plugin_config_t)
|
|
+')
|
|
|
|
-tunable_policy(`allow_execmem',`
|
|
- allow mozilla_plugin_config_t self:process execmem;
|
|
+optional_policy(`
|
|
+ gnome_dontaudit_rw_inherited_config(mozilla_plugin_config_t)
|
|
')
|
|
|
|
-tunable_policy(`mozilla_execstack',`
|
|
- allow mozilla_plugin_config_t self:process { execmem execstack };
|
|
+optional_policy(`
|
|
+ xserver_use_user_fonts(mozilla_plugin_config_t)
|
|
')
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(mozilla_plugin_config_t)
|
|
- fs_manage_nfs_files(mozilla_plugin_config_t)
|
|
- fs_manage_nfs_symlinks(mozilla_plugin_config_t)
|
|
+ifdef(`distro_redhat',`
|
|
+ typealias mozilla_plugin_t alias nsplugin_t;
|
|
+ typealias mozilla_plugin_exec_t alias nsplugin_exec_t;
|
|
+ typealias mozilla_plugin_rw_t alias nsplugin_rw_t;
|
|
+ typealias mozilla_plugin_tmp_t alias nsplugin_tmp_t;
|
|
+ typealias mozilla_home_t alias nsplugin_home_t;
|
|
+ typealias mozilla_plugin_config_t alias nsplugin_config_t;
|
|
+ typealias mozilla_plugin_config_exec_t alias nsplugin_config_exec_t;
|
|
')
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(mozilla_plugin_config_t)
|
|
- fs_manage_cifs_files(mozilla_plugin_config_t)
|
|
- fs_manage_cifs_symlinks(mozilla_plugin_config_t)
|
|
+#tunable_policy(`mozilla_plugin_enable_homedirs',`
|
|
+# userdom_user_home_dir_filetrans(mozilla_plugin_t, mozilla_home_t, { dir file })
|
|
+#', `
|
|
+
|
|
+ #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, file)
|
|
+ #userdom_user_home_dir_filetrans_pattern(mozilla_plugin_t, dir)
|
|
+#')
|
|
+
|
|
+tunable_policy(`selinuxuser_execmod',`
|
|
+ userdom_execmod_user_home_files(mozilla_plugin_t)
|
|
')
|
|
|
|
-optional_policy(`
|
|
- automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_config_t)
|
|
+tunable_policy(`mozilla_plugin_use_spice',`
|
|
+ dev_rw_generic_usb_dev(mozilla_plugin_t)
|
|
+ corenet_tcp_bind_vnc_port(mozilla_plugin_t)
|
|
')
|
|
|
|
-optional_policy(`
|
|
- xserver_use_user_fonts(mozilla_plugin_config_t)
|
|
+tunable_policy(`mozilla_plugin_use_gps',`
|
|
+ fs_manage_dos_dirs(mozilla_plugin_t)
|
|
+ fs_manage_dos_files(mozilla_plugin_t)
|
|
')
|
|
diff --git a/mpd.fc b/mpd.fc
|
|
index 313ce52..ae93e07 100644
|
|
--- a/mpd.fc
|
|
+++ b/mpd.fc
|
|
@@ -1,3 +1,5 @@
|
|
+HOME_DIR/\.mpd(/.*)? gen_context(system_u:object_r:mpd_home_t,s0)
|
|
+
|
|
/etc/mpd\.conf -- gen_context(system_u:object_r:mpd_etc_t,s0)
|
|
|
|
/etc/rc\.d/init\.d/mpd -- gen_context(system_u:object_r:mpd_initrc_exec_t,s0)
|
|
@@ -9,3 +11,5 @@
|
|
/var/lib/mpd/playlists(/.*)? gen_context(system_u:object_r:mpd_data_t,s0)
|
|
|
|
/var/log/mpd(/.*)? gen_context(system_u:object_r:mpd_log_t,s0)
|
|
+
|
|
+/var/run/mpd(/.*)? gen_context(system_u:object_r:mpd_var_run_t,s0)
|
|
diff --git a/mpd.if b/mpd.if
|
|
index 5fa77c7..2e01c7d 100644
|
|
--- a/mpd.if
|
|
+++ b/mpd.if
|
|
@@ -322,6 +322,25 @@ interface(`mpd_manage_lib_dirs',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Connect to mpd over a unix stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mpd_stream_connect',`
|
|
+ gen_require(`
|
|
+ type mpd_t, mpd_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, mpd_var_run_t, mpd_var_run_t, mpd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## All of the rules required to
|
|
## administrate an mpd environment.
|
|
## </summary>
|
|
@@ -344,9 +363,13 @@ interface(`mpd_admin',`
|
|
type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t;
|
|
')
|
|
|
|
- allow $1 mpd_t:process { ptrace signal_perms };
|
|
+ allow $1 mpd_t:process signal_perms;
|
|
ps_process_pattern($1, mpd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 mpd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
mpd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 mpd_initrc_exec_t system_r;
|
|
diff --git a/mpd.te b/mpd.te
|
|
index fe72523..92632e8 100644
|
|
--- a/mpd.te
|
|
+++ b/mpd.te
|
|
@@ -62,6 +62,12 @@ files_type(mpd_var_lib_t)
|
|
type mpd_user_data_t;
|
|
userdom_user_home_content(mpd_user_data_t) # customizable
|
|
|
|
+type mpd_home_t;
|
|
+userdom_user_home_content(mpd_home_t)
|
|
+
|
|
+type mpd_var_run_t;
|
|
+files_pid_file(mpd_var_run_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -74,6 +80,7 @@ allow mpd_t self:unix_stream_socket { accept connectto listen };
|
|
allow mpd_t self:unix_dgram_socket sendto;
|
|
allow mpd_t self:tcp_socket { accept listen };
|
|
allow mpd_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
+allow mpd_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
|
|
allow mpd_t mpd_data_t:dir manage_dir_perms;
|
|
allow mpd_t mpd_data_t:file manage_file_perms;
|
|
@@ -104,13 +111,22 @@ manage_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
|
|
manage_lnk_files_pattern(mpd_t, mpd_var_lib_t, mpd_var_lib_t)
|
|
files_var_lib_filetrans(mpd_t, mpd_var_lib_t, dir)
|
|
|
|
+manage_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
|
|
+manage_dirs_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
|
|
+manage_sock_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
|
|
+manage_lnk_files_pattern(mpd_t, mpd_var_run_t, mpd_var_run_t)
|
|
+files_pid_filetrans(mpd_t, mpd_var_run_t, { file dir sock_file })
|
|
+
|
|
+manage_files_pattern(mpd_t, mpd_home_t, mpd_home_t)
|
|
+manage_dirs_pattern(mpd_t, mpd_home_t, mpd_home_t)
|
|
+manage_lnk_files_pattern(mpd_t, mpd_home_t, mpd_home_t)
|
|
+
|
|
kernel_getattr_proc(mpd_t)
|
|
kernel_read_system_state(mpd_t)
|
|
kernel_read_kernel_sysctls(mpd_t)
|
|
|
|
corecmd_exec_bin(mpd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(mpd_t)
|
|
corenet_all_recvfrom_netlabel(mpd_t)
|
|
corenet_tcp_sendrecv_generic_if(mpd_t)
|
|
corenet_tcp_sendrecv_generic_node(mpd_t)
|
|
@@ -139,9 +155,9 @@ dev_read_sound(mpd_t)
|
|
dev_write_sound(mpd_t)
|
|
dev_read_sysfs(mpd_t)
|
|
|
|
-files_read_usr_files(mpd_t)
|
|
|
|
fs_getattr_all_fs(mpd_t)
|
|
+fs_getattr_all_dirs(mpd_t)
|
|
fs_list_inotifyfs(mpd_t)
|
|
fs_rw_anon_inodefs_files(mpd_t)
|
|
fs_search_auto_mountpoints(mpd_t)
|
|
@@ -150,15 +166,26 @@ auth_use_nsswitch(mpd_t)
|
|
|
|
logging_send_syslog_msg(mpd_t)
|
|
|
|
-miscfiles_read_localization(mpd_t)
|
|
+userdom_home_reader(mpd_t)
|
|
|
|
tunable_policy(`mpd_enable_homedirs',`
|
|
- userdom_search_user_home_dirs(mpd_t)
|
|
+ userdom_stream_connect(mpd_t)
|
|
+ userdom_read_home_audio_files(mpd_t)
|
|
+ userdom_list_user_tmp(mpd_t)
|
|
+ userdom_read_user_tmpfs_files(mpd_t)
|
|
+ userdom_dontaudit_setattr_user_tmp(mpd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ tunable_policy(`mpd_enable_homedirs',`
|
|
+ pulseaudio_read_home_files(mpd_t)
|
|
+ ')
|
|
')
|
|
|
|
tunable_policy(`mpd_enable_homedirs && use_nfs_home_dirs',`
|
|
fs_read_nfs_files(mpd_t)
|
|
fs_read_nfs_symlinks(mpd_t)
|
|
+
|
|
')
|
|
|
|
tunable_policy(`mpd_enable_homedirs && use_samba_home_dirs',`
|
|
@@ -191,7 +218,7 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- pulseaudio_domtrans(mpd_t)
|
|
+ pulseaudio_exec(mpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -199,6 +226,16 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ #needed by pulseaudio
|
|
+ systemd_read_logind_sessions_files(mpd_t)
|
|
+ systemd_login_read_pid_files(mpd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rtkit_daemon_dontaudit_dbus_chat(mpd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
udev_read_db(mpd_t)
|
|
')
|
|
|
|
diff --git a/mplayer.if b/mplayer.if
|
|
index 861d5e9..1c3d5a5 100644
|
|
--- a/mplayer.if
|
|
+++ b/mplayer.if
|
|
@@ -161,3 +161,23 @@ interface(`mplayer_home_filetrans_mplayer_home',`
|
|
|
|
userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3)
|
|
')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create specified objects in user home
|
|
+## directories with the generic mplayer
|
|
+## home type.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mplayer_filetrans_home_content',`
|
|
+ gen_require(`
|
|
+ type mplayer_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_user_home_dir_filetrans($1, mplayer_home_t, dir, ".mplayer")
|
|
+')
|
|
diff --git a/mplayer.te b/mplayer.te
|
|
index 0f03cd9..e3ed393 100644
|
|
--- a/mplayer.te
|
|
+++ b/mplayer.te
|
|
@@ -11,7 +11,7 @@ policy_module(mplayer, 2.5.0)
|
|
## its stack executable.
|
|
## </p>
|
|
## </desc>
|
|
-gen_tunable(allow_mplayer_execstack, false)
|
|
+gen_tunable(mplayer_execstack, false)
|
|
|
|
attribute_role mencoder_roles;
|
|
attribute_role mplayer_roles;
|
|
@@ -67,7 +67,6 @@ kernel_read_kernel_sysctls(mencoder_t)
|
|
dev_rwx_zero(mencoder_t)
|
|
dev_read_video_dev(mencoder_t)
|
|
|
|
-files_read_usr_files(mencoder_t)
|
|
|
|
fs_search_auto_mountpoints(mencoder_t)
|
|
|
|
@@ -82,7 +81,7 @@ userdom_manage_user_tmp_files(mencoder_t)
|
|
|
|
userdom_manage_user_home_content_dirs(mencoder_t)
|
|
userdom_manage_user_home_content_files(mencoder_t)
|
|
-userdom_user_home_dir_filetrans_user_home_content(mencoder_t, { dir file })
|
|
+userdom_filetrans_home_content(mencoder_t)
|
|
|
|
ifndef(`enable_mls',`
|
|
fs_list_dos(mencoder_t)
|
|
@@ -95,15 +94,15 @@ ifndef(`enable_mls',`
|
|
fs_read_iso9660_files(mencoder_t)
|
|
')
|
|
|
|
-tunable_policy(`allow_execmem',`
|
|
- allow mencoder_t self:process execmem;
|
|
+tunable_policy(`deny_execmem',`',`
|
|
+ allow mencoder_t self:process execmem;
|
|
')
|
|
|
|
-tunable_policy(`allow_execmod',`
|
|
+tunable_policy(`selinuxuser_execmod',`
|
|
dev_execmod_zero(mencoder_t)
|
|
')
|
|
|
|
-tunable_policy(`allow_mplayer_execstack',`
|
|
+tunable_policy(`mplayer_execstack',`
|
|
allow mencoder_t self:process { execmem execstack };
|
|
')
|
|
|
|
@@ -183,7 +182,6 @@ files_dontaudit_getattr_non_security_files(mplayer_t)
|
|
files_read_non_security_files(mplayer_t)
|
|
files_list_home(mplayer_t)
|
|
files_read_etc_runtime_files(mplayer_t)
|
|
-files_read_usr_files(mplayer_t)
|
|
|
|
fs_getattr_all_fs(mplayer_t)
|
|
fs_search_auto_mountpoints(mplayer_t)
|
|
@@ -204,7 +202,7 @@ userdom_tmp_filetrans_user_tmp(mplayer_t, { dir file })
|
|
|
|
userdom_manage_user_home_content_dirs(mplayer_t)
|
|
userdom_manage_user_home_content_files(mplayer_t)
|
|
-userdom_user_home_dir_filetrans_user_home_content(mplayer_t, { dir file })
|
|
+userdom_filetrans_home_content(mplayer_t)
|
|
|
|
userdom_write_user_tmp_sockets(mplayer_t)
|
|
|
|
@@ -221,15 +219,15 @@ ifndef(`enable_mls',`
|
|
fs_read_iso9660_files(mplayer_t)
|
|
')
|
|
|
|
-tunable_policy(`allow_execmem',`
|
|
- allow mplayer_t self:process execmem;
|
|
+tunable_policy(`deny_execmem',`',`
|
|
+ allow mplayer_t self:process execmem;
|
|
')
|
|
|
|
-tunable_policy(`allow_execmod',`
|
|
+tunable_policy(`selinuxuser_execmod',`
|
|
dev_execmod_zero(mplayer_t)
|
|
')
|
|
|
|
-tunable_policy(`allow_mplayer_execstack',`
|
|
+tunable_policy(`mplayer_execstack',`
|
|
allow mplayer_t self:process { execmem execstack };
|
|
')
|
|
|
|
@@ -245,7 +243,7 @@ tunable_policy(`use_samba_home_dirs',`
|
|
fs_manage_cifs_symlinks(mplayer_t)
|
|
')
|
|
|
|
-tunable_policy(`allow_mplayer_execstack',`
|
|
+tunable_policy(`mplayer_execstack',`
|
|
allow mplayer_t mplayer_tmpfs_t:file execute;
|
|
')
|
|
|
|
diff --git a/mrtg.te b/mrtg.te
|
|
index 65a246a..fa86320 100644
|
|
--- a/mrtg.te
|
|
+++ b/mrtg.te
|
|
@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(mrtg_t)
|
|
corecmd_exec_bin(mrtg_t)
|
|
corecmd_exec_shell(mrtg_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(mrtg_t)
|
|
corenet_all_recvfrom_netlabel(mrtg_t)
|
|
corenet_tcp_sendrecv_generic_if(mrtg_t)
|
|
corenet_tcp_sendrecv_generic_node(mrtg_t)
|
|
@@ -82,7 +81,6 @@ domain_dontaudit_search_all_domains_state(mrtg_t)
|
|
|
|
files_getattr_tmp_dirs(mrtg_t)
|
|
files_read_etc_runtime_files(mrtg_t)
|
|
-files_read_usr_files(mrtg_t)
|
|
files_search_var(mrtg_t)
|
|
files_search_locks(mrtg_t)
|
|
files_search_var_lib(mrtg_t)
|
|
@@ -105,13 +103,12 @@ libs_read_lib_files(mrtg_t)
|
|
|
|
logging_send_syslog_msg(mrtg_t)
|
|
|
|
-miscfiles_read_localization(mrtg_t)
|
|
-
|
|
selinux_dontaudit_getattr_dir(mrtg_t)
|
|
|
|
-userdom_use_user_terminals(mrtg_t)
|
|
+userdom_use_inherited_user_terminals(mrtg_t)
|
|
userdom_dontaudit_read_user_home_content_files(mrtg_t)
|
|
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
|
|
+userdom_dontaudit_list_admin_dir(mrtg_t)
|
|
|
|
netutils_domtrans_ping(mrtg_t)
|
|
|
|
diff --git a/mta.fc b/mta.fc
|
|
index f42896c..cb2791a 100644
|
|
--- a/mta.fc
|
|
+++ b/mta.fc
|
|
@@ -2,33 +2,43 @@ HOME_DIR/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
|
|
HOME_DIR/\.forward[^/]* -- gen_context(system_u:object_r:mail_home_t,s0)
|
|
HOME_DIR/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
|
|
HOME_DIR/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
|
|
-HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
|
|
-HOME_DIR/\.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
|
|
+HOME_DIR/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
|
|
+HOME_DIR/.maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
|
|
|
|
-/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
|
|
|
-/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
|
+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
|
+
|
|
+/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
|
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
|
-/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
|
|
+/etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
|
|
/etc/mail/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
|
-/etc/postfix/aliases.* -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
|
-
|
|
-/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
|
+/etc/mail/.*\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
|
|
+ifdef(`distro_redhat',`
|
|
+/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
|
|
+')
|
|
+
|
|
+/root/\.esmtp_queue -- gen_context(system_u:object_r:mail_home_t,s0)
|
|
+/root/\.forward -- gen_context(system_u:object_r:mail_home_t,s0)
|
|
+/root/dead\.letter -- gen_context(system_u:object_r:mail_home_t,s0)
|
|
+/root/\.mailrc -- gen_context(system_u:object_r:mail_home_t,s0)
|
|
+/root/Maildir(/.*)? gen_context(system_u:object_r:mail_home_rw_t,s0)
|
|
+
|
|
+/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
|
/usr/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
|
|
|
/usr/lib/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
|
/usr/lib/courier/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
|
|
|
-/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
|
+/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
|
/usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
|
/usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
|
-/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
|
+/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
|
|
|
-/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
|
+/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
|
|
|
/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
|
|
|
|
-/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
|
+/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
|
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
|
|
/var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
|
|
-/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
|
+/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
|
|
diff --git a/mta.if b/mta.if
|
|
index ed81cac..e3840c1 100644
|
|
--- a/mta.if
|
|
+++ b/mta.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>Common e-mail transfer agent policy.</summary>
|
|
+## <summary>Policy common to all email tranfer agents.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -18,23 +18,37 @@ interface(`mta_stub',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## The template to define a mail domain.
|
|
+## Basic mail transfer agent domain template.
|
|
## </summary>
|
|
+## <desc>
|
|
+## <p>
|
|
+## This template creates a derived domain which is
|
|
+## a email transfer agent, which sends mail on
|
|
+## behalf of the user.
|
|
+## </p>
|
|
+## <p>
|
|
+## This is the basic types and rules, common
|
|
+## to the system agent and user agents.
|
|
+## </p>
|
|
+## </desc>
|
|
## <param name="domain_prefix">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## The prefix of the domain (e.g., user
|
|
+## is the prefix for user_t).
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
template(`mta_base_mail_template',`
|
|
+
|
|
gen_require(`
|
|
attribute user_mail_domain;
|
|
type sendmail_exec_t;
|
|
')
|
|
|
|
- ########################################
|
|
+ ##############################
|
|
#
|
|
- # Declarations
|
|
+ # $1_mail_t declarations
|
|
#
|
|
|
|
type $1_mail_t, user_mail_domain;
|
|
@@ -43,17 +57,18 @@ template(`mta_base_mail_template',`
|
|
type $1_mail_tmp_t;
|
|
files_tmp_file($1_mail_tmp_t)
|
|
|
|
- ########################################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
-
|
|
manage_dirs_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
|
|
manage_files_pattern($1_mail_t, $1_mail_tmp_t, $1_mail_tmp_t)
|
|
files_tmp_filetrans($1_mail_t, $1_mail_tmp_t, { file dir })
|
|
|
|
+ kernel_read_system_state($1_mail_t)
|
|
+
|
|
+ corenet_all_recvfrom_netlabel($1_mail_t)
|
|
+
|
|
auth_use_nsswitch($1_mail_t)
|
|
|
|
+ logging_send_syslog_msg($1_mail_t)
|
|
+
|
|
optional_policy(`
|
|
postfix_domtrans_user_mail_handler($1_mail_t)
|
|
')
|
|
@@ -61,61 +76,41 @@ template(`mta_base_mail_template',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Role access for mta.
|
|
+## Role access for mta
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## User domain for the role.
|
|
+## User domain for the role
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`mta_role',`
|
|
gen_require(`
|
|
attribute mta_user_agent;
|
|
- attribute_role user_mail_roles;
|
|
- type user_mail_t, sendmail_exec_t, mail_home_t;
|
|
- type user_mail_tmp_t, mail_home_rw_t;
|
|
+ type user_mail_t, sendmail_exec_t;
|
|
')
|
|
|
|
- roleattribute $1 user_mail_roles;
|
|
-
|
|
- # this is something i need to fix
|
|
- # i dont know if and why it is needed
|
|
- # will role attribute work?
|
|
- role $1 types mta_user_agent;
|
|
+ role $1 types { user_mail_t mta_user_agent };
|
|
|
|
+ # Transition from the user domain to the derived domain.
|
|
domtrans_pattern($2, sendmail_exec_t, user_mail_t)
|
|
allow $2 sendmail_exec_t:lnk_file read_lnk_file_perms;
|
|
|
|
- allow $2 { user_mail_t mta_user_agent }:process { ptrace signal_perms };
|
|
- ps_process_pattern($2, { user_mail_t mta_user_agent })
|
|
-
|
|
- allow $2 mail_home_t:file { manage_file_perms relabel_file_perms };
|
|
- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".esmtp_queue")
|
|
- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".forward")
|
|
- userdom_user_home_dir_filetrans($2, mail_home_t, file, ".mailrc")
|
|
- userdom_user_home_dir_filetrans($2, mail_home_t, file, "dead.letter")
|
|
-
|
|
- allow $2 mail_home_rw_t:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
|
|
- userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
|
|
-
|
|
- allow $2 user_mail_tmp_t:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 user_mail_tmp_t:file { manage_file_perms relabel_file_perms };
|
|
+ allow mta_user_agent $2:fd use;
|
|
+ allow mta_user_agent $2:process sigchld;
|
|
+ allow mta_user_agent $2:fifo_file rw_inherited_fifo_file_perms;
|
|
|
|
optional_policy(`
|
|
exim_run($2, $1)
|
|
')
|
|
|
|
optional_policy(`
|
|
- mailman_run($2, $1)
|
|
+ mailman_run(mta_user_agent, $1)
|
|
')
|
|
')
|
|
|
|
@@ -163,125 +158,23 @@ interface(`mta_agent_executable',`
|
|
application_executable_file($1)
|
|
')
|
|
|
|
-#######################################
|
|
-## <summary>
|
|
-## Read mta mail home files.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`mta_read_mail_home_files',`
|
|
- gen_require(`
|
|
- type mail_home_t;
|
|
- ')
|
|
-
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 mail_home_t:file read_file_perms;
|
|
-')
|
|
-
|
|
-#######################################
|
|
-## <summary>
|
|
-## Create, read, write, and delete
|
|
-## mta mail home files.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`mta_manage_mail_home_files',`
|
|
- gen_require(`
|
|
- type mail_home_t;
|
|
- ')
|
|
-
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 mail_home_t:file manage_file_perms;
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Create specified objects in user home
|
|
-## directories with the generic mail
|
|
-## home type.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`mta_home_filetrans_mail_home',`
|
|
- gen_require(`
|
|
- type mail_home_t;
|
|
- ')
|
|
-
|
|
- userdom_user_home_dir_filetrans($1, mail_home_t, $2, $3)
|
|
-')
|
|
-
|
|
-#######################################
|
|
-## <summary>
|
|
-## Create, read, write, and delete
|
|
-## mta mail home rw content.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`mta_manage_mail_home_rw_content',`
|
|
- gen_require(`
|
|
- type mail_home_rw_t;
|
|
- ')
|
|
-
|
|
- userdom_search_user_home_dirs($1)
|
|
- manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
|
|
- manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
|
|
- manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
|
|
-')
|
|
-
|
|
-########################################
|
|
+######################################
|
|
## <summary>
|
|
-## Create specified objects in user home
|
|
-## directories with the generic mail
|
|
-## home rw type.
|
|
+## Dontaudit read and write an leaked file descriptors
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mta_home_filetrans_mail_home_rw',`
|
|
+interface(`mta_dontaudit_leaks_system_mail',`
|
|
gen_require(`
|
|
- type mail_home_rw_t;
|
|
+ type system_mail_t;
|
|
')
|
|
|
|
- userdom_user_home_dir_filetrans($1, mail_home_rw_t, $2, $3)
|
|
+ dontaudit $1 system_mail_t:fifo_file write;
|
|
+ dontaudit $1 system_mail_t:tcp_socket { read write };
|
|
')
|
|
|
|
########################################
|
|
@@ -334,7 +227,6 @@ interface(`mta_sendmail_mailserver',`
|
|
')
|
|
|
|
init_system_domain($1, sendmail_exec_t)
|
|
-
|
|
typeattribute $1 mailserver_domain;
|
|
')
|
|
|
|
@@ -374,6 +266,15 @@ interface(`mta_mailserver_delivery',`
|
|
')
|
|
|
|
typeattribute $1 mailserver_delivery;
|
|
+
|
|
+ userdom_home_manager($1)
|
|
+
|
|
+ optional_policy(`
|
|
+ mta_rw_delivery_tcp_sockets($1)
|
|
+ ')
|
|
+
|
|
+ userdom_filetrans_home_content($1)
|
|
+
|
|
')
|
|
|
|
#######################################
|
|
@@ -394,6 +295,12 @@ interface(`mta_mailserver_user_agent',`
|
|
')
|
|
|
|
typeattribute $1 mta_user_agent;
|
|
+
|
|
+ optional_policy(`
|
|
+ # apache should set close-on-exec
|
|
+ apache_dontaudit_rw_stream_sockets($1)
|
|
+ apache_dontaudit_rw_sys_script_stream_sockets($1)
|
|
+ ')
|
|
')
|
|
|
|
########################################
|
|
@@ -408,14 +315,19 @@ interface(`mta_mailserver_user_agent',`
|
|
#
|
|
interface(`mta_send_mail',`
|
|
gen_require(`
|
|
+ attribute mta_user_agent;
|
|
type system_mail_t;
|
|
attribute mta_exec_type;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
|
|
+ corecmd_read_bin_symlinks($1)
|
|
domtrans_pattern($1, mta_exec_type, system_mail_t)
|
|
|
|
- allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
|
|
+ allow mta_user_agent $1:fd use;
|
|
+ allow mta_user_agent $1:process sigchld;
|
|
+ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
|
|
+ dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
|
|
')
|
|
|
|
########################################
|
|
@@ -445,18 +357,24 @@ interface(`mta_send_mail',`
|
|
#
|
|
interface(`mta_sendmail_domtrans',`
|
|
gen_require(`
|
|
- type sendmail_exec_t;
|
|
+ attribute mta_exec_type;
|
|
+ attribute mta_user_agent;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
- domain_auto_trans($1, sendmail_exec_t, $2)
|
|
+ files_search_usr($1)
|
|
+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
|
|
+ corecmd_read_bin_symlinks($1)
|
|
|
|
- allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
|
|
+ allow $2 mta_exec_type:file entrypoint;
|
|
+ domtrans_pattern($1, mta_exec_type, $2)
|
|
+ allow mta_user_agent $1:fd use;
|
|
+ allow mta_user_agent $1:process sigchld;
|
|
+ allow mta_user_agent $1:fifo_file rw_inherited_fifo_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send signals to system mail.
|
|
+## Send system mail client a signal
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -464,7 +382,6 @@ interface(`mta_sendmail_domtrans',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-#
|
|
interface(`mta_signal_system_mail',`
|
|
gen_require(`
|
|
type system_mail_t;
|
|
@@ -475,7 +392,43 @@ interface(`mta_signal_system_mail',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send kill signals to system mail.
|
|
+## Send all user mail client a signal
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mta_signal_user_agent',`
|
|
+ gen_require(`
|
|
+ attribute mta_user_agent;
|
|
+ ')
|
|
+
|
|
+ allow $1 mta_user_agent:process signal;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send all user mail client a kill signal
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mta_kill_user_agent',`
|
|
+ gen_require(`
|
|
+ attribute mta_user_agent;
|
|
+ ')
|
|
+
|
|
+ allow $1 mta_user_agent:process sigkill;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send system mail client a kill signal
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -506,13 +459,32 @@ interface(`mta_sendmail_exec',`
|
|
type sendmail_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, sendmail_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read mail server configuration content.
|
|
+## Check whether sendmail executable
|
|
+## files are executable.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mta_sendmail_access_check',`
|
|
+ gen_require(`
|
|
+ type sendmail_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ allow $1 sendmail_exec_t:file { getattr_file_perms execute };
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read mail server configuration.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -528,13 +500,13 @@ interface(`mta_read_config',`
|
|
|
|
files_search_etc($1)
|
|
allow $1 etc_mail_t:dir list_dir_perms;
|
|
- allow $1 etc_mail_t:file read_file_perms;
|
|
- allow $1 etc_mail_t:lnk_file read_lnk_file_perms;
|
|
+ read_files_pattern($1, etc_mail_t, etc_mail_t)
|
|
+ read_lnk_files_pattern($1, etc_mail_t, etc_mail_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Write mail server configuration files.
|
|
+## write mail server configuration.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -548,33 +520,31 @@ interface(`mta_write_config',`
|
|
type etc_mail_t;
|
|
')
|
|
|
|
- files_search_etc($1)
|
|
write_files_pattern($1, etc_mail_t, etc_mail_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read mail address alias files.
|
|
+## Manage mail server configuration.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
-interface(`mta_read_aliases',`
|
|
+interface(`mta_manage_config',`
|
|
gen_require(`
|
|
- type etc_aliases_t;
|
|
+ type etc_mail_t;
|
|
')
|
|
|
|
- files_search_etc($1)
|
|
- allow $1 etc_aliases_t:file read_file_perms;
|
|
+ manage_files_pattern($1, etc_mail_t, etc_mail_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## mail address alias content.
|
|
+## Read mail address aliases.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -582,84 +552,66 @@ interface(`mta_read_aliases',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mta_manage_aliases',`
|
|
+interface(`mta_read_aliases',`
|
|
gen_require(`
|
|
type etc_aliases_t;
|
|
')
|
|
|
|
files_search_etc($1)
|
|
- manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
|
|
- manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
|
|
+ allow $1 etc_aliases_t:file read_file_perms;
|
|
+ allow $1 etc_aliases_t:lnk_file read_lnk_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create specified object in generic
|
|
-## etc directories with the mail address
|
|
-## alias type.
|
|
+## Create, read, write, and delete mail address aliases.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="object">
|
|
-## <summary>
|
|
-## The object class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
#
|
|
-interface(`mta_etc_filetrans_aliases',`
|
|
+interface(`mta_manage_aliases',`
|
|
gen_require(`
|
|
type etc_aliases_t;
|
|
')
|
|
|
|
- files_etc_filetrans($1, etc_aliases_t, $2, $3)
|
|
+ files_search_etc($1)
|
|
+ manage_files_pattern($1, etc_aliases_t, etc_aliases_t)
|
|
+ manage_lnk_files_pattern($1, etc_aliases_t, etc_aliases_t)
|
|
+ mta_etc_filetrans_aliases($1, "aliases")
|
|
+ mta_etc_filetrans_aliases($1, "aliases.db")
|
|
+ mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create specified objects in specified
|
|
-## directories with a type transition to
|
|
-## the mail address alias type.
|
|
+## Type transition files created in /etc
|
|
+## to the mail address aliases type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="file_type">
|
|
-## <summary>
|
|
-## Directory to transition on.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="object">
|
|
-## <summary>
|
|
-## The object class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
## <param name="name" optional="true">
|
|
## <summary>
|
|
## The name of the object being created.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mta_spec_filetrans_aliases',`
|
|
+interface(`mta_etc_filetrans_aliases',`
|
|
gen_require(`
|
|
type etc_aliases_t;
|
|
')
|
|
|
|
- filetrans_pattern($1, $2, etc_aliases_t, $3, $4)
|
|
+ files_etc_filetrans($1, etc_aliases_t, file, $2)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write mail alias files.
|
|
+## Read and write mail aliases.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -674,14 +626,13 @@ interface(`mta_rw_aliases',`
|
|
')
|
|
|
|
files_search_etc($1)
|
|
- allow $1 etc_aliases_t:file rw_file_perms;
|
|
+ allow $1 etc_aliases_t:file { rw_file_perms setattr_file_perms };
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Do not audit attempts to read
|
|
-## and write TCP sockets of mail
|
|
-## delivery domains.
|
|
+## Do not audit attempts to read and write TCP
|
|
+## sockets of mail delivery domains.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -697,6 +648,25 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
|
|
dontaudit $1 mailserver_delivery:tcp_socket { read write };
|
|
')
|
|
|
|
+######################################
|
|
+## <summary>
|
|
+## Allow attempts to read and write TCP
|
|
+## sockets of mail delivery domains.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mta_rw_delivery_tcp_sockets',`
|
|
+ gen_require(`
|
|
+ attribute mailserver_delivery;
|
|
+ ')
|
|
+
|
|
+ allow $1 mailserver_delivery:tcp_socket { read write };
|
|
+')
|
|
+
|
|
#######################################
|
|
## <summary>
|
|
## Connect to all mail servers over TCP. (Deprecated)
|
|
@@ -713,8 +683,8 @@ interface(`mta_tcp_connect_all_mailservers',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Do not audit attempts to read
|
|
-## mail spool symlinks.
|
|
+## Do not audit attempts to read a symlink
|
|
+## in the mail spool.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -732,7 +702,7 @@ interface(`mta_dontaudit_read_spool_symlinks',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Get attributes of mail spool content.
|
|
+## Get the attributes of mail spool files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -753,8 +723,8 @@ interface(`mta_getattr_spool',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to get
|
|
-## attributes of mail spool files.
|
|
+## Do not audit attempts to get the attributes
|
|
+## of mail spool files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -775,9 +745,8 @@ interface(`mta_dontaudit_getattr_spool_files',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Create specified objects in the
|
|
-## mail spool directory with a
|
|
-## private type.
|
|
+## Create private objects in the
|
|
+## mail spool directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -811,7 +780,7 @@ interface(`mta_spool_filetrans',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Read mail spool files.
|
|
+## Read the mail spool.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -819,10 +788,10 @@ interface(`mta_spool_filetrans',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mta_read_spool_files',`
|
|
- gen_require(`
|
|
- type mail_spool_t;
|
|
- ')
|
|
+interface(`mta_read_spool',`
|
|
+ gen_require(`
|
|
+ type mail_spool_t;
|
|
+ ')
|
|
|
|
files_search_spool($1)
|
|
read_files_pattern($1, mail_spool_t, mail_spool_t)
|
|
@@ -830,7 +799,7 @@ interface(`mta_read_spool_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write mail spool files.
|
|
+## Read and write the mail spool.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -845,13 +814,14 @@ interface(`mta_rw_spool',`
|
|
|
|
files_search_spool($1)
|
|
allow $1 mail_spool_t:dir list_dir_perms;
|
|
- allow $1 mail_spool_t:file rw_file_perms;
|
|
- allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
|
|
+ allow $1 mail_spool_t:file setattr_file_perms;
|
|
+ manage_files_pattern($1, mail_spool_t, mail_spool_t)
|
|
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Create, read, and write mail spool files.
|
|
+## Create, read, and write the mail spool.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -866,13 +836,14 @@ interface(`mta_append_spool',`
|
|
|
|
files_search_spool($1)
|
|
allow $1 mail_spool_t:dir list_dir_perms;
|
|
- manage_files_pattern($1, mail_spool_t, mail_spool_t)
|
|
- allow $1 mail_spool_t:lnk_file read_lnk_file_perms;
|
|
+ create_files_pattern($1, mail_spool_t, mail_spool_t)
|
|
+ write_files_pattern($1, mail_spool_t, mail_spool_t)
|
|
+ read_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Delete mail spool files.
|
|
+## Delete from the mail spool.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -891,8 +862,7 @@ interface(`mta_delete_spool',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## mail spool content.
|
|
+## Create, read, write, and delete mail spool files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -911,45 +881,9 @@ interface(`mta_manage_spool',`
|
|
manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
|
|
')
|
|
|
|
-#######################################
|
|
-## <summary>
|
|
-## Create specified objects in the
|
|
-## mail queue spool directory with a
|
|
-## private type.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="private type">
|
|
-## <summary>
|
|
-## The type of the object to be created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="object">
|
|
-## <summary>
|
|
-## The object class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`mta_queue_filetrans',`
|
|
- gen_require(`
|
|
- type mqueue_spool_t;
|
|
- ')
|
|
-
|
|
- files_search_spool($1)
|
|
- filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
|
|
-')
|
|
-
|
|
########################################
|
|
## <summary>
|
|
-## Search mail queue directories.
|
|
+## Search mail queue dirs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -968,7 +902,7 @@ interface(`mta_search_queue',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## List mail queue directories.
|
|
+## List the mail queue.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -981,13 +915,13 @@ interface(`mta_list_queue',`
|
|
type mqueue_spool_t;
|
|
')
|
|
|
|
- files_search_spool($1)
|
|
allow $1 mqueue_spool_t:dir list_dir_perms;
|
|
+ files_search_spool($1)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Read mail queue files.
|
|
+## Read the mail queue.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -1000,14 +934,14 @@ interface(`mta_read_queue',`
|
|
type mqueue_spool_t;
|
|
')
|
|
|
|
- files_search_spool($1)
|
|
read_files_pattern($1, mqueue_spool_t, mqueue_spool_t)
|
|
+ files_search_spool($1)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Do not audit attempts to read and
|
|
-## write mail queue content.
|
|
+## write the mail queue.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -1027,7 +961,7 @@ interface(`mta_dontaudit_rw_queue',`
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
-## mail queue content.
|
|
+## mail queue files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -1047,6 +981,41 @@ interface(`mta_manage_queue',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
+## Create private objects in the
|
|
+## mqueue spool directory.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="private type">
|
|
+## <summary>
|
|
+## The type of the object to be created.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="object">
|
|
+## <summary>
|
|
+## The object class of the object being created.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="name" optional="true">
|
|
+## <summary>
|
|
+## The name of the object being created.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mta_spool_filetrans_queue',`
|
|
+ gen_require(`
|
|
+ type mqueue_spool_t;
|
|
+ ')
|
|
+
|
|
+ files_search_spool($1)
|
|
+ filetrans_pattern($1, mqueue_spool_t, $2, $3, $4)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
## Read sendmail binary.
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -1055,6 +1024,7 @@ interface(`mta_manage_queue',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
+# cjp: added for postfix
|
|
interface(`mta_read_sendmail_bin',`
|
|
gen_require(`
|
|
type sendmail_exec_t;
|
|
@@ -1065,8 +1035,8 @@ interface(`mta_read_sendmail_bin',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Read and write unix domain stream
|
|
-## sockets of all base mail domains.
|
|
+## Read and write unix domain stream sockets
|
|
+## of user mail domains.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -1081,3 +1051,175 @@ interface(`mta_rw_user_mail_stream_sockets',`
|
|
|
|
allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
|
|
')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Type transition files created in calling dir
|
|
+## to the mail address aliases type.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Directory to transition on.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mta_filetrans_aliases',`
|
|
+ gen_require(`
|
|
+ type etc_aliases_t;
|
|
+ ')
|
|
+
|
|
+ filetrans_pattern($1, $2, etc_aliases_t, file)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## ALlow domain to read mail content in the homedir
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mta_read_home',`
|
|
+ gen_require(`
|
|
+ type mail_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_search_user_home_dirs($1)
|
|
+ read_files_pattern($1, mail_home_t, mail_home_t)
|
|
+
|
|
+ ifdef(`distro_redhat',`
|
|
+ userdom_search_admin_dir($1)
|
|
+ ')
|
|
+')
|
|
+
|
|
+####################################
|
|
+## <summary>
|
|
+## ALlow domain to read mail content in the homedir
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mta_read_home_rw',`
|
|
+ gen_require(`
|
|
+ type mail_home_rw_t;
|
|
+ ')
|
|
+
|
|
+ userdom_search_user_home_dirs($1)
|
|
+ read_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
|
|
+ read_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
|
|
+
|
|
+ ifdef(`distro_redhat',`
|
|
+ userdom_search_admin_dir($1)
|
|
+ ')
|
|
+')
|
|
+
|
|
+####################################
|
|
+## <summary>
|
|
+## Allow domain to manage mail content in the homedir
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mta_manage_home_rw',`
|
|
+ gen_require(`
|
|
+ type mail_home_rw_t;
|
|
+ ')
|
|
+
|
|
+ userdom_search_user_home_dirs($1)
|
|
+ userdom_search_admin_dir($1)
|
|
+ manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
|
|
+ manage_dirs_pattern($1, mail_home_rw_t, mail_home_rw_t)
|
|
+ manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
|
|
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
|
|
+
|
|
+ ifdef(`distro_redhat',`
|
|
+ userdom_search_admin_dir($1)
|
|
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
|
|
+ ')
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## create mail content in the in the /root directory
|
|
+## with an correct label.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mta_filetrans_admin_home_content',`
|
|
+ gen_require(`
|
|
+ type mail_home_t;
|
|
+ type mail_home_rw_t;
|
|
+ ')
|
|
+
|
|
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
|
|
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
|
|
+ userdom_admin_home_dir_filetrans($1, mail_home_t, file, ".forward")
|
|
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
|
|
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
|
|
+ userdom_admin_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to mta named home content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mta_filetrans_home_content',`
|
|
+ gen_require(`
|
|
+ type mail_home_t;
|
|
+ type mail_home_rw_t;
|
|
+ ')
|
|
+
|
|
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".mailrc")
|
|
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, "dead.letter")
|
|
+ userdom_user_home_dir_filetrans($1, mail_home_t, file, ".forward")
|
|
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, "Maildir")
|
|
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, dir, ".maildir")
|
|
+ userdom_user_home_dir_filetrans($1, mail_home_rw_t, file, ".esmtp_queue")
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to mta named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mta_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type etc_aliases_t;
|
|
+ type etc_mail_t;
|
|
+ ')
|
|
+
|
|
+ filetrans_pattern($1, etc_mail_t, etc_aliases_t, { dir file })
|
|
+ mta_etc_filetrans_aliases($1, "aliases")
|
|
+ mta_etc_filetrans_aliases($1, "aliases.db")
|
|
+ mta_etc_filetrans_aliases($1, "aliasesdb-stamp")
|
|
+ mta_filetrans_home_content($1)
|
|
+ mta_filetrans_admin_home_content($1)
|
|
+')
|
|
diff --git a/mta.te b/mta.te
|
|
index ff1d68c..e61560a 100644
|
|
--- a/mta.te
|
|
+++ b/mta.te
|
|
@@ -14,8 +14,6 @@ attribute mailserver_sender;
|
|
|
|
attribute user_mail_domain;
|
|
|
|
-attribute_role user_mail_roles;
|
|
-
|
|
type etc_aliases_t;
|
|
files_type(etc_aliases_t)
|
|
|
|
@@ -30,9 +28,11 @@ userdom_user_home_content(mail_home_rw_t)
|
|
|
|
type mqueue_spool_t;
|
|
files_mountpoint(mqueue_spool_t)
|
|
+files_spool_file(mqueue_spool_t)
|
|
|
|
type mail_spool_t;
|
|
files_mountpoint(mail_spool_t)
|
|
+files_spool_file(mail_spool_t)
|
|
|
|
type sendmail_exec_t;
|
|
mta_agent_executable(sendmail_exec_t)
|
|
@@ -43,11 +43,9 @@ role system_r types system_mail_t;
|
|
mta_base_mail_template(user)
|
|
typealias user_mail_t alias { staff_mail_t sysadm_mail_t };
|
|
typealias user_mail_t alias { auditadm_mail_t secadm_mail_t };
|
|
-userdom_user_application_type(user_mail_t)
|
|
-role user_mail_roles types user_mail_t;
|
|
-
|
|
typealias user_mail_tmp_t alias { staff_mail_tmp_t sysadm_mail_tmp_t };
|
|
typealias user_mail_tmp_t alias { auditadm_mail_tmp_t secadm_mail_tmp_t };
|
|
+userdom_user_application_type(user_mail_t)
|
|
userdom_user_tmp_file(user_mail_tmp_t)
|
|
|
|
########################################
|
|
@@ -79,12 +77,10 @@ allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
|
|
can_exec(user_mail_domain, { mta_exec_type sendmail_exec_t })
|
|
|
|
kernel_read_crypto_sysctls(user_mail_domain)
|
|
-kernel_read_system_state(user_mail_domain)
|
|
kernel_read_kernel_sysctls(user_mail_domain)
|
|
kernel_read_network_state(user_mail_domain)
|
|
kernel_request_load_module(user_mail_domain)
|
|
|
|
-corenet_all_recvfrom_netlabel(user_mail_domain)
|
|
corenet_tcp_sendrecv_generic_if(user_mail_domain)
|
|
corenet_tcp_sendrecv_generic_node(user_mail_domain)
|
|
|
|
@@ -107,10 +103,6 @@ fs_getattr_all_fs(user_mail_domain)
|
|
|
|
init_dontaudit_rw_utmp(user_mail_domain)
|
|
|
|
-logging_send_syslog_msg(user_mail_domain)
|
|
-
|
|
-miscfiles_read_localization(user_mail_domain)
|
|
-
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
fs_manage_cifs_dirs(user_mail_domain)
|
|
fs_manage_cifs_files(user_mail_domain)
|
|
@@ -124,6 +116,11 @@ tunable_policy(`use_nfs_home_dirs',`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ antivirus_stream_connect(user_mail_domain)
|
|
+ antivirus_stream_connect(mta_user_agent)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
courier_manage_spool_dirs(user_mail_domain)
|
|
courier_manage_spool_files(user_mail_domain)
|
|
courier_rw_spool_pipes(user_mail_domain)
|
|
@@ -150,6 +147,10 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ openshift_rw_inherited_content(mta_user_agent)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
procmail_exec(user_mail_domain)
|
|
')
|
|
|
|
@@ -171,52 +172,69 @@ optional_policy(`
|
|
# System local policy
|
|
#
|
|
|
|
+# newalias required this, not sure if it is needed in 'if' file
|
|
allow system_mail_t self:capability { dac_override fowner };
|
|
-
|
|
-read_files_pattern(system_mail_t, etc_mail_t, etc_mail_t)
|
|
-
|
|
-read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
|
|
+dontaudit system_mail_t self:capability net_admin;
|
|
|
|
allow system_mail_t mail_home_t:file manage_file_perms;
|
|
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".esmtp_queue")
|
|
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".forward")
|
|
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, ".mailrc")
|
|
-userdom_user_home_dir_filetrans(system_mail_t, mail_home_t, file, "dead.letter")
|
|
|
|
-allow system_mail_t user_mail_domain:dir list_dir_perms;
|
|
-allow system_mail_t user_mail_domain:file read_file_perms;
|
|
-allow system_mail_t user_mail_domain:lnk_file read_lnk_file_perms;
|
|
+read_files_pattern(system_mail_t, mailcontent_type, mailcontent_type)
|
|
|
|
corecmd_exec_shell(system_mail_t)
|
|
|
|
-dev_read_rand(system_mail_t)
|
|
dev_read_sysfs(system_mail_t)
|
|
+dev_read_rand(system_mail_t)
|
|
+dev_read_urand(system_mail_t)
|
|
|
|
-fs_rw_anon_inodefs_files(system_mail_t)
|
|
|
|
-selinux_getattr_fs(system_mail_t)
|
|
+fs_rw_anon_inodefs_files(system_mail_t)
|
|
|
|
term_dontaudit_use_unallocated_ttys(system_mail_t)
|
|
|
|
init_use_script_ptys(system_mail_t)
|
|
+init_dontaudit_rw_stream_socket(system_mail_t)
|
|
+
|
|
+userdom_use_inherited_user_terminals(system_mail_t)
|
|
+userdom_dontaudit_list_user_home_dirs(system_mail_t)
|
|
+userdom_dontaudit_list_admin_dir(system_mail_t)
|
|
|
|
-userdom_use_user_terminals(system_mail_t)
|
|
+manage_dirs_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
|
|
+manage_files_pattern(system_mail_t, mail_home_rw_t, mail_home_rw_t)
|
|
+
|
|
+allow system_mail_t mail_home_t:file manage_file_perms;
|
|
+userdom_admin_home_dir_filetrans(system_mail_t, mail_home_t, file)
|
|
+
|
|
+
|
|
+logging_append_all_logs(system_mail_t)
|
|
+
|
|
+logging_send_syslog_msg(system_mail_t)
|
|
|
|
optional_policy(`
|
|
apache_read_squirrelmail_data(system_mail_t)
|
|
apache_append_squirrelmail_data(system_mail_t)
|
|
+
|
|
+ # apache should set close-on-exec
|
|
apache_dontaudit_append_log(system_mail_t)
|
|
apache_dontaudit_rw_stream_sockets(system_mail_t)
|
|
apache_dontaudit_rw_tcp_sockets(system_mail_t)
|
|
apache_dontaudit_rw_sys_script_stream_sockets(system_mail_t)
|
|
+ apache_dontaudit_rw_tmp_files(system_mail_t)
|
|
+
|
|
+ apache_dontaudit_rw_fifo_file(user_mail_domain)
|
|
+ apache_dontaudit_rw_fifo_file(mta_user_agent)
|
|
+ # apache should set close-on-exec
|
|
+ apache_dontaudit_rw_stream_sockets(mta_user_agent)
|
|
+ apache_dontaudit_rw_sys_script_stream_sockets(mta_user_agent)
|
|
+ apache_append_log(mta_user_agent)
|
|
')
|
|
|
|
optional_policy(`
|
|
arpwatch_manage_tmp_files(system_mail_t)
|
|
|
|
- ifdef(`hide_broken_symptoms',`
|
|
- arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
|
|
- ')
|
|
+ ifdef(`hide_broken_symptoms', `
|
|
+ arpwatch_dontaudit_rw_packet_sockets(system_mail_t)
|
|
+ ')
|
|
+
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -225,17 +243,21 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- clamav_stream_connect(system_mail_t)
|
|
- clamav_append_log(system_mail_t)
|
|
+ courier_stream_connect_authdaemon(system_mail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cron_read_system_job_tmp_files(system_mail_t)
|
|
cron_dontaudit_write_pipes(system_mail_t)
|
|
cron_rw_system_job_stream_sockets(system_mail_t)
|
|
+ cron_rw_inherited_spool_files(system_mail_t)
|
|
+ cron_rw_inherited_user_spool_files(system_mail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ courier_manage_spool_dirs(system_mail_t)
|
|
+ courier_manage_spool_files(system_mail_t)
|
|
+ courier_rw_spool_pipes(system_mail_t)
|
|
courier_stream_connect_authdaemon(system_mail_t)
|
|
')
|
|
|
|
@@ -246,6 +268,7 @@ optional_policy(`
|
|
optional_policy(`
|
|
fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
|
|
fail2ban_append_log(system_mail_t)
|
|
+ fail2ban_dontaudit_leaks(system_mail_t)
|
|
fail2ban_rw_inherited_tmp_files(system_mail_t)
|
|
')
|
|
|
|
@@ -258,10 +281,15 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ # newaliases runs as system_mail_t when the sendmail initscript does a restart
|
|
milter_getattr_all_sockets(system_mail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ munin_dontaudit_leaks(system_mail_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
nagios_read_tmp_files(system_mail_t)
|
|
')
|
|
|
|
@@ -272,6 +300,15 @@ optional_policy(`
|
|
manage_fifo_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
|
|
manage_sock_files_pattern(system_mail_t, etc_aliases_t, etc_aliases_t)
|
|
files_etc_filetrans(system_mail_t, etc_aliases_t, { file lnk_file sock_file fifo_file })
|
|
+
|
|
+ domain_use_interactive_fds(system_mail_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ qmail_domtrans_inject(system_mail_t)
|
|
+ qmail_manage_spool_dirs(system_mail_t)
|
|
+ qmail_manage_spool_files(system_mail_t)
|
|
+ qmail_rw_spool_pipes(system_mail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -287,42 +324,36 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- spamassassin_stream_connect_spamd(system_mail_t)
|
|
+ spamd_stream_connect(system_mail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
smartmon_read_tmp_files(system_mail_t)
|
|
')
|
|
|
|
-########################################
|
|
-#
|
|
-# MTA user agent local policy
|
|
-#
|
|
-
|
|
-userdom_use_user_terminals(mta_user_agent)
|
|
-
|
|
-optional_policy(`
|
|
- apache_append_log(mta_user_agent)
|
|
-')
|
|
+# should break this up among sections:
|
|
|
|
optional_policy(`
|
|
+ # why is mail delivered to a directory of type arpwatch_data_t?
|
|
+ arpwatch_search_data(mailserver_delivery)
|
|
arpwatch_manage_tmp_files(mta_user_agent)
|
|
|
|
- ifdef(`hide_broken_symptoms',`
|
|
- arpwatch_dontaudit_rw_packet_sockets(mta_user_agent)
|
|
- ')
|
|
-
|
|
optional_policy(`
|
|
cron_read_system_job_tmp_files(mta_user_agent)
|
|
')
|
|
')
|
|
|
|
+ifdef(`hide_broken_symptoms',`
|
|
+ domain_dontaudit_leaks(user_mail_domain)
|
|
+ domain_dontaudit_leaks(mta_user_agent)
|
|
+')
|
|
+
|
|
########################################
|
|
#
|
|
# Mailserver delivery local policy
|
|
#
|
|
|
|
-allow mailserver_delivery self:fifo_file rw_fifo_file_perms;
|
|
+allow mailserver_delivery self:fifo_file rw_inherited_fifo_file_perms;
|
|
|
|
allow mailserver_delivery mail_spool_t:dir list_dir_perms;
|
|
create_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
|
@@ -331,40 +362,26 @@ append_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
|
create_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
|
read_lnk_files_pattern(mailserver_delivery, mail_spool_t, mail_spool_t)
|
|
|
|
+userdom_search_admin_dir(mailserver_delivery)
|
|
+read_files_pattern(mailserver_delivery, mail_home_t, mail_home_t)
|
|
+
|
|
manage_dirs_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
|
|
-manage_files_pattern(mailserver_delivery, { mail_home_t mail_home_rw_t }, { mail_home_t mail_home_rw_t })
|
|
+manage_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
|
|
manage_lnk_files_pattern(mailserver_delivery, mail_home_rw_t, mail_home_rw_t)
|
|
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".esmtp_queue")
|
|
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".forward")
|
|
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".mailrc")
|
|
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, "dead.letter")
|
|
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, "Maildir")
|
|
-userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, ".maildir")
|
|
|
|
read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(mailserver_delivery)
|
|
- fs_manage_cifs_files(mailserver_delivery)
|
|
- fs_read_cifs_symlinks(mailserver_delivery)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(mailserver_delivery)
|
|
- fs_manage_nfs_files(mailserver_delivery)
|
|
- fs_read_nfs_symlinks(mailserver_delivery)
|
|
-')
|
|
-
|
|
optional_policy(`
|
|
- arpwatch_search_data(mailserver_delivery)
|
|
+ dovecot_manage_spool(mailserver_delivery)
|
|
+ dovecot_domtrans_deliver(mailserver_delivery)
|
|
')
|
|
|
|
optional_policy(`
|
|
- dovecot_manage_spool(mailserver_delivery)
|
|
- dovecot_domtrans_deliver(mailserver_delivery)
|
|
+ logwatch_search_cache_dir(mailserver_delivery)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ # so MTA can access /var/lib/mailman/mail/wrapper
|
|
files_search_var_lib(mailserver_delivery)
|
|
|
|
mailman_domtrans(mailserver_delivery)
|
|
@@ -372,6 +389,13 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ mailman_manage_data_files(mailserver_domain)
|
|
+ mailman_domtrans(mailserver_domain)
|
|
+ mailman_append_log(mailserver_domain)
|
|
+ mailman_read_log(mailserver_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
postfix_rw_inherited_master_pipes(mailserver_delivery)
|
|
')
|
|
|
|
@@ -381,24 +405,49 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# User local policy
|
|
+# User send mail local policy
|
|
#
|
|
|
|
-manage_files_pattern(user_mail_t, mail_home_t, mail_home_t)
|
|
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".esmtp_queue")
|
|
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".forward")
|
|
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, ".mailrc")
|
|
-userdom_user_home_dir_filetrans(user_mail_t, mail_home_t, file, "dead.letter")
|
|
+domain_use_interactive_fds(user_mail_t)
|
|
+
|
|
+userdom_use_inherited_user_terminals(user_mail_t)
|
|
+# Write to the user domain tty. cjp: why?
|
|
+userdom_use_inherited_user_terminals(mta_user_agent)
|
|
+# Create dead.letter in user home directories.
|
|
+userdom_manage_user_home_content_files(user_mail_t)
|
|
+userdom_filetrans_home_content(user_mail_t)
|
|
+# for reading .forward - maybe we need a new type for it?
|
|
+# also for delivering mail to maildir
|
|
+userdom_manage_user_home_content_dirs(mailserver_delivery)
|
|
+userdom_manage_user_home_content_files(mailserver_delivery)
|
|
+userdom_manage_user_home_content_symlinks(mailserver_delivery)
|
|
+userdom_manage_user_home_content_pipes(mailserver_delivery)
|
|
+userdom_manage_user_home_content_sockets(mailserver_delivery)
|
|
+allow mailserver_delivery mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;
|
|
+
|
|
+# Read user temporary files.
|
|
+userdom_read_user_tmp_files(user_mail_t)
|
|
+userdom_dontaudit_append_user_tmp_files(user_mail_t)
|
|
+# cjp: this should probably be read all user tmp
|
|
+# files in an appropriate place for mta_user_agent
|
|
+userdom_read_user_tmp_files(mta_user_agent)
|
|
|
|
dev_read_sysfs(user_mail_t)
|
|
|
|
-userdom_use_user_terminals(user_mail_t)
|
|
+tunable_policy(`use_samba_home_dirs',`
|
|
+ fs_manage_cifs_files(user_mail_t)
|
|
+ fs_manage_cifs_symlinks(user_mail_t)
|
|
+')
|
|
|
|
optional_policy(`
|
|
allow user_mail_t self:capability dac_override;
|
|
|
|
+ # Read user temporary files.
|
|
+ # postfix seems to need write access if the file handle is opened read/write
|
|
userdom_rw_user_tmp_files(user_mail_t)
|
|
|
|
postfix_read_config(user_mail_t)
|
|
postfix_list_spool(user_mail_t)
|
|
')
|
|
+
|
|
+
|
|
diff --git a/munin.fc b/munin.fc
|
|
index eb4b72a..4968324 100644
|
|
--- a/munin.fc
|
|
+++ b/munin.fc
|
|
@@ -1,77 +1,79 @@
|
|
-/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
|
|
-
|
|
+/etc/munin(/.*)? gen_context(system_u:object_r:munin_etc_t,s0)
|
|
/etc/rc\.d/init\.d/munin-node -- gen_context(system_u:object_r:munin_initrc_exec_t,s0)
|
|
|
|
-/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
|
|
-
|
|
-/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
|
|
-
|
|
+/usr/bin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
|
|
+/usr/sbin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
|
|
/usr/share/munin/munin-.* -- gen_context(system_u:object_r:munin_exec_t,s0)
|
|
|
|
+# label all plugins as unconfined_munin_plugin_exec_t
|
|
/usr/share/munin/plugins/.* -- gen_context(system_u:object_r:unconfined_munin_plugin_exec_t,s0)
|
|
|
|
-/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
|
|
+# disk plugins
|
|
+/usr/share/munin/plugins/diskstat.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
|
|
/usr/share/munin/plugins/df.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/hddtemp.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/smart_.* -- gen_context(system_u:object_r:disk_munin_plugin_exec_t,s0)
|
|
|
|
-/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
|
+# mail plugins
|
|
+/usr/share/munin/plugins/courier_mta_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/exim_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/mailman -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/mailscanner -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/postfix_mail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/sendmail_.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/qmail.* -- gen_context(system_u:object_r:mail_munin_plugin_exec_t,s0)
|
|
|
|
-/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
+# services plugins
|
|
+/usr/share/munin/plugins/apache_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/asterisk_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/http_loadtime -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/fail2ban -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
/usr/share/munin/plugins/lpstat -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/mysql_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
/usr/share/munin/plugins/named -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
/usr/share/munin/plugins/ntp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
/usr/share/munin/plugins/nut.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/openvpn -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/ping_ -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/postgres_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
/usr/share/munin/plugins/samba -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/slapd_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/snmp_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/squid_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/tomcat_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/varnish_.* -- gen_context(system_u:object_r:services_munin_plugin_exec_t,s0)
|
|
|
|
+# selinux plugins
|
|
/usr/share/munin/plugins/selinux_avcstat -- gen_context(system_u:object_r:selinux_munin_plugin_exec_t,s0)
|
|
|
|
+# system plugins
|
|
/usr/share/munin/plugins/acpi -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
/usr/share/munin/plugins/cpu.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
/usr/share/munin/plugins/forks -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
/usr/share/munin/plugins/if_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/iostat.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/interrupts -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/proc_pri -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/processes -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
/usr/share/munin/plugins/swap -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
-/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
+/usr/share/munin/plugins/threads -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
/usr/share/munin/plugins/unbound -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
/usr/share/munin/plugins/uptime -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
/usr/share/munin/plugins/users -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
|
|
|
|
-/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
|
|
+/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
|
|
/var/lib/munin/plugin-state(/.*)? gen_context(system_u:object_r:munin_plugin_state_t,s0)
|
|
-
|
|
-/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
|
|
-
|
|
-/var/run/munin.* gen_context(system_u:object_r:munin_var_run_t,s0)
|
|
-
|
|
-/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
|
|
+/var/log/munin.* gen_context(system_u:object_r:munin_log_t,s0)
|
|
+/var/run/munin(/.*)? gen_context(system_u:object_r:munin_var_run_t,s0)
|
|
+/var/www/html/munin(/.*)? gen_context(system_u:object_r:httpd_munin_content_t,s0)
|
|
/var/www/html/munin/cgi(/.*)? gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
|
|
+/var/www/html/cgi/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
|
|
+/var/www/cgi-bin/munin.* gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
|
|
diff --git a/munin.if b/munin.if
|
|
index b744fe3..4c1b6a8 100644
|
|
--- a/munin.if
|
|
+++ b/munin.if
|
|
@@ -1,12 +1,13 @@
|
|
-## <summary>Munin network-wide load graphing.</summary>
|
|
+## <summary>Munin network-wide load graphing (formerly LRRD)</summary>
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## The template to define a munin plugin domain.
|
|
+## Create a set of derived types for various
|
|
+## munin plugins,
|
|
## </summary>
|
|
-## <param name="domain_prefix">
|
|
+## <param name="prefix">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## The name to be used for deriving type names.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
@@ -14,12 +15,8 @@ template(`munin_plugin_template',`
|
|
gen_require(`
|
|
attribute munin_plugin_domain, munin_plugin_tmp_content;
|
|
type munin_t;
|
|
- ')
|
|
|
|
- ########################################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
+ ')
|
|
|
|
type $1_munin_plugin_t, munin_plugin_domain;
|
|
type $1_munin_plugin_exec_t;
|
|
@@ -33,15 +30,22 @@ template(`munin_plugin_template',`
|
|
files_tmp_file($1_munin_plugin_tmp_t)
|
|
|
|
########################################
|
|
- #
|
|
- # Policy
|
|
- #
|
|
+ #
|
|
+ # Policy
|
|
+ #
|
|
|
|
+ # automatic transition rules from munin domain
|
|
+ # to specific munin plugin domain
|
|
domtrans_pattern(munin_t, $1_munin_plugin_exec_t, $1_munin_plugin_t)
|
|
|
|
manage_files_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
|
|
manage_dirs_pattern($1_munin_plugin_t, $1_munin_plugin_tmp_t, $1_munin_plugin_tmp_t)
|
|
files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file })
|
|
+
|
|
+ kernel_read_system_state($1_munin_plugin_t)
|
|
+
|
|
+ corenet_all_recvfrom_unlabeled($1_munin_plugin_t)
|
|
+ corenet_all_recvfrom_netlabel($1_munin_plugin_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -66,7 +70,7 @@ interface(`munin_stream_connect',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Read munin configuration content.
|
|
+## Read munin configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -80,15 +84,53 @@ interface(`munin_read_config',`
|
|
type munin_etc_t;
|
|
')
|
|
|
|
- files_search_etc($1)
|
|
allow $1 munin_etc_t:dir list_dir_perms;
|
|
allow $1 munin_etc_t:file read_file_perms;
|
|
allow $1 munin_etc_t:lnk_file read_lnk_file_perms;
|
|
+ files_search_etc($1)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Append munin log files.
|
|
+## Read munin library files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`munin_read_var_lib_files',`
|
|
+ gen_require(`
|
|
+ type munin_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, munin_var_lib_t, munin_var_lib_t)
|
|
+
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## dontaudit read and write an leaked file descriptors
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`munin_dontaudit_leaks',`
|
|
+ gen_require(`
|
|
+ type munin_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 munin_t:tcp_socket { read write };
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Append to the munin log.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -147,8 +189,8 @@ interface(`munin_dontaudit_search_lib',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an munin environment.
|
|
+## All of the rules required to administrate
|
|
+## an munin environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -157,7 +199,7 @@ interface(`munin_dontaudit_search_lib',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the munin domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
@@ -170,8 +212,12 @@ interface(`munin_admin',`
|
|
type httpd_munin_content_t, munin_plugin_state_t, munin_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 { munin_plugin_domain munin_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { munin_plugin_domain munin_t })
|
|
+ allow $1 munin_t:process signal_perms;
|
|
+ ps_process_pattern($1, munin_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 munin_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, munin_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff --git a/munin.te b/munin.te
|
|
index b708708..cead88c 100644
|
|
--- a/munin.te
|
|
+++ b/munin.te
|
|
@@ -44,12 +44,15 @@ files_tmpfs_file(services_munin_plugin_tmpfs_t)
|
|
munin_plugin_template(system)
|
|
munin_plugin_template(unconfined)
|
|
|
|
+type httpd_munin_script_tmp_t;
|
|
+files_tmp_file(httpd_munin_script_tmp_t)
|
|
+
|
|
################################
|
|
#
|
|
# Common munin plugin local policy
|
|
#
|
|
|
|
-allow munin_plugin_domain self:process signal;
|
|
+allow munin_plugin_domain self:process signal_perms;
|
|
allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
|
|
|
|
allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
|
|
@@ -62,23 +65,17 @@ allow munin_plugin_domain munin_var_lib_t:dir search_dir_perms;
|
|
|
|
manage_files_pattern(munin_plugin_domain, munin_plugin_state_t, munin_plugin_state_t)
|
|
|
|
-kernel_read_system_state(munin_plugin_domain)
|
|
-
|
|
-corenet_all_recvfrom_unlabeled(munin_plugin_domain)
|
|
-corenet_all_recvfrom_netlabel(munin_plugin_domain)
|
|
corenet_tcp_sendrecv_generic_if(munin_plugin_domain)
|
|
corenet_tcp_sendrecv_generic_node(munin_plugin_domain)
|
|
|
|
corecmd_exec_bin(munin_plugin_domain)
|
|
corecmd_exec_shell(munin_plugin_domain)
|
|
|
|
-files_read_etc_files(munin_plugin_domain)
|
|
-files_read_usr_files(munin_plugin_domain)
|
|
files_search_var_lib(munin_plugin_domain)
|
|
|
|
fs_getattr_all_fs(munin_plugin_domain)
|
|
|
|
-miscfiles_read_localization(munin_plugin_domain)
|
|
+auth_read_passwd(munin_plugin_domain)
|
|
|
|
optional_policy(`
|
|
nscd_use(munin_plugin_domain)
|
|
@@ -118,7 +115,7 @@ manage_dirs_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
|
|
manage_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
|
|
manage_lnk_files_pattern(munin_t, munin_var_lib_t, munin_var_lib_t)
|
|
|
|
-read_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
|
|
+rw_files_pattern(munin_t, munin_plugin_state_t, munin_plugin_state_t)
|
|
|
|
manage_dirs_pattern(munin_t, munin_var_run_t, munin_var_run_t)
|
|
manage_files_pattern(munin_t, munin_var_run_t, munin_var_run_t)
|
|
@@ -134,7 +131,6 @@ kernel_read_all_sysctls(munin_t)
|
|
corecmd_exec_bin(munin_t)
|
|
corecmd_exec_shell(munin_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(munin_t)
|
|
corenet_all_recvfrom_netlabel(munin_t)
|
|
corenet_tcp_sendrecv_generic_if(munin_t)
|
|
corenet_tcp_sendrecv_generic_node(munin_t)
|
|
@@ -157,7 +153,6 @@ domain_use_interactive_fds(munin_t)
|
|
domain_read_all_domains_state(munin_t)
|
|
|
|
files_read_etc_runtime_files(munin_t)
|
|
-files_read_usr_files(munin_t)
|
|
files_list_spool(munin_t)
|
|
|
|
fs_getattr_all_fs(munin_t)
|
|
@@ -169,7 +164,6 @@ logging_send_syslog_msg(munin_t)
|
|
logging_read_all_logs(munin_t)
|
|
|
|
miscfiles_read_fonts(munin_t)
|
|
-miscfiles_read_localization(munin_t)
|
|
miscfiles_setattr_fonts_cache_dirs(munin_t)
|
|
|
|
sysnet_exec_ifconfig(munin_t)
|
|
@@ -177,13 +171,6 @@ sysnet_exec_ifconfig(munin_t)
|
|
userdom_dontaudit_use_unpriv_user_fds(munin_t)
|
|
userdom_dontaudit_search_user_home_dirs(munin_t)
|
|
|
|
-optional_policy(`
|
|
- apache_content_template(munin)
|
|
-
|
|
- manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
|
|
- manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
|
|
- apache_search_sys_content(munin_t)
|
|
-')
|
|
|
|
optional_policy(`
|
|
cron_system_entry(munin_t, munin_exec_t)
|
|
@@ -217,7 +204,6 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
postfix_list_spool(munin_t)
|
|
- postfix_getattr_all_spool_files(munin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -246,21 +232,23 @@ allow disk_munin_plugin_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
rw_files_pattern(disk_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
|
|
|
|
+kernel_read_fs_sysctls(disk_munin_plugin_t)
|
|
+
|
|
corenet_sendrecv_hddtemp_client_packets(disk_munin_plugin_t)
|
|
corenet_tcp_connect_hddtemp_port(disk_munin_plugin_t)
|
|
corenet_tcp_sendrecv_hddtemp_port(disk_munin_plugin_t)
|
|
|
|
-dev_getattr_all_blk_files(disk_munin_plugin_t)
|
|
+files_read_etc_runtime_files(disk_munin_plugin_t)
|
|
+
|
|
dev_getattr_lvm_control(disk_munin_plugin_t)
|
|
dev_read_sysfs(disk_munin_plugin_t)
|
|
dev_read_urand(disk_munin_plugin_t)
|
|
-
|
|
-files_read_etc_runtime_files(disk_munin_plugin_t)
|
|
+dev_read_all_blk_files(disk_munin_plugin_t)
|
|
|
|
fs_getattr_all_fs(disk_munin_plugin_t)
|
|
fs_getattr_all_dirs(disk_munin_plugin_t)
|
|
|
|
-storage_getattr_fixed_disk_dev(disk_munin_plugin_t)
|
|
+storage_raw_read_fixed_disk(disk_munin_plugin_t)
|
|
|
|
sysnet_read_config(disk_munin_plugin_t)
|
|
|
|
@@ -272,6 +260,10 @@ optional_policy(`
|
|
fstools_exec(disk_munin_plugin_t)
|
|
')
|
|
|
|
+optional_policy(`
|
|
+ rpc_search_nfs_state_data(disk_munin_plugin_t)
|
|
+')
|
|
+
|
|
####################################
|
|
#
|
|
# Mail local policy
|
|
@@ -279,27 +271,36 @@ optional_policy(`
|
|
|
|
allow mail_munin_plugin_t self:capability dac_override;
|
|
|
|
+allow mail_munin_plugin_t self:tcp_socket create_stream_socket_perms;
|
|
+allow mail_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+
|
|
rw_files_pattern(mail_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
|
|
|
|
dev_read_urand(mail_munin_plugin_t)
|
|
|
|
logging_read_generic_logs(mail_munin_plugin_t)
|
|
|
|
+sysnet_read_config(mail_munin_plugin_t)
|
|
+
|
|
+optional_policy(`
|
|
+ exim_read_log(mail_munin_plugin_t)
|
|
+')
|
|
+
|
|
optional_policy(`
|
|
- mta_list_queue(mail_munin_plugin_t)
|
|
mta_read_config(mail_munin_plugin_t)
|
|
- mta_read_queue(mail_munin_plugin_t)
|
|
mta_send_mail(mail_munin_plugin_t)
|
|
+ mta_list_queue(mail_munin_plugin_t)
|
|
+ mta_read_queue(mail_munin_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- nscd_use(mail_munin_plugin_t)
|
|
+ nscd_socket_use(mail_munin_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- postfix_getattr_all_spool_files(mail_munin_plugin_t)
|
|
postfix_read_config(mail_munin_plugin_t)
|
|
postfix_list_spool(mail_munin_plugin_t)
|
|
+ postfix_getattr_spool_files(mail_munin_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -339,7 +340,7 @@ dev_read_rand(services_munin_plugin_t)
|
|
sysnet_read_config(services_munin_plugin_t)
|
|
|
|
optional_policy(`
|
|
- bind_read_config(munin_services_plugin_t)
|
|
+ bind_read_config(services_munin_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -361,7 +362,11 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- nscd_use(services_munin_plugin_t)
|
|
+ nscd_socket_use(services_munin_plugin_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ntp_exec(services_munin_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -393,6 +398,7 @@ read_files_pattern(system_munin_plugin_t, munin_log_t, munin_log_t)
|
|
|
|
kernel_read_network_state(system_munin_plugin_t)
|
|
kernel_read_all_sysctls(system_munin_plugin_t)
|
|
+kernel_read_fs_sysctls(system_munin_plugin_t)
|
|
|
|
dev_read_sysfs(system_munin_plugin_t)
|
|
dev_read_urand(system_munin_plugin_t)
|
|
@@ -421,3 +427,31 @@ optional_policy(`
|
|
optional_policy(`
|
|
unconfined_domain(unconfined_munin_plugin_t)
|
|
')
|
|
+
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# Munin CGI script local policy
|
|
+#
|
|
+
|
|
+apache_content_template(munin)
|
|
+
|
|
+manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
|
|
+manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
|
|
+
|
|
+manage_dirs_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t, httpd_munin_script_tmp_t)
|
|
+manage_files_pattern(httpd_munin_script_t, httpd_munin_script_tmp_t,httpd_munin_script_tmp_t)
|
|
+
|
|
+read_files_pattern(httpd_munin_script_t, munin_var_lib_t, munin_var_lib_t)
|
|
+read_files_pattern(httpd_munin_script_t, munin_etc_t, munin_etc_t)
|
|
+
|
|
+read_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
|
|
+append_files_pattern(httpd_munin_script_t, munin_log_t, munin_log_t)
|
|
+
|
|
+files_search_var_lib(httpd_munin_script_t)
|
|
+
|
|
+auth_read_passwd(httpd_munin_script_t)
|
|
+
|
|
+optional_policy(`
|
|
+ apache_search_sys_content(munin_t)
|
|
+')
|
|
diff --git a/mysql.fc b/mysql.fc
|
|
index 06f8666..7ef9c78 100644
|
|
--- a/mysql.fc
|
|
+++ b/mysql.fc
|
|
@@ -1,12 +1,24 @@
|
|
-HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
|
|
-
|
|
-/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
|
|
-/etc/my\.cnf\.d(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
|
|
-/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
|
|
-
|
|
-/etc/rc\.d/init\.d/mysqld? -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
|
|
-/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
|
|
-
|
|
+# mysql database server
|
|
+
|
|
+#
|
|
+# /HOME
|
|
+#
|
|
+HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
|
|
+/root/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t, s0)
|
|
+
|
|
+/usr/lib/systemd/system/mysqld.* -- gen_context(system_u:object_r:mysqld_unit_file_t,s0)
|
|
+
|
|
+#
|
|
+# /etc
|
|
+#
|
|
+/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
|
|
+/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
|
|
+/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
|
|
+
|
|
+#
|
|
+# /usr
|
|
+#
|
|
/usr/bin/mysqld_safe -- gen_context(system_u:object_r:mysqld_safe_exec_t,s0)
|
|
/usr/bin/mysql_upgrade -- gen_context(system_u:object_r:mysqld_exec_t,s0)
|
|
|
|
@@ -14,14 +26,17 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
|
|
|
|
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
|
|
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
|
|
-/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
|
|
+/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
|
|
|
|
-/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
|
|
-/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
|
|
+#
|
|
+# /var
|
|
+#
|
|
+/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
|
|
+/var/lib/mysql/mysql\.sock -s gen_context(system_u:object_r:mysqld_var_run_t,s0)
|
|
|
|
/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
|
|
/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
|
|
|
|
-/var/run/mysqld.* gen_context(system_u:object_r:mysqld_var_run_t,s0)
|
|
-/var/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
|
|
-/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
|
|
+/var/run/mariadb(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
|
|
+/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
|
|
+/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
|
|
diff --git a/mysql.if b/mysql.if
|
|
index 687af38..404ed6d 100644
|
|
--- a/mysql.if
|
|
+++ b/mysql.if
|
|
@@ -1,23 +1,4 @@
|
|
-## <summary>Open source database.</summary>
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Role access for mysql.
|
|
-## </summary>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## User domain for the role.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`mysql_role',`
|
|
- refpolicywarn(`$0($*) has been deprecated')
|
|
-')
|
|
+## <summary>Policy for MySQL</summary>
|
|
|
|
######################################
|
|
## <summary>
|
|
@@ -34,38 +15,30 @@ interface(`mysql_domtrans',`
|
|
type mysqld_t, mysqld_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, mysqld_exec_t, mysqld_t)
|
|
')
|
|
|
|
-########################################
|
|
+######################################
|
|
## <summary>
|
|
-## Execute mysqld in the mysqld domain, and
|
|
-## allow the specified role the mysqld domain.
|
|
+## Execute MySQL in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mysql_run_mysqld',`
|
|
+interface(`mysql_exec',`
|
|
gen_require(`
|
|
- attribute_role mysqld_roles;
|
|
+ type mysqld_exec_t;
|
|
')
|
|
|
|
- mysql_domtrans($1)
|
|
- roleattribute $2 mysqld_roles;
|
|
+ can_exec($1, mysqld_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send generic signals to mysqld.
|
|
+## Send a generic signal to MySQL.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -81,9 +54,27 @@ interface(`mysql_signal',`
|
|
allow $1 mysqld_t:process signal;
|
|
')
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Send a null signal to mysql.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mysql_signull',`
|
|
+ gen_require(`
|
|
+ type mysqld_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 mysqld_t:process signull;
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
-## Connect to mysqld with a tcp socket.
|
|
+## Allow the specified domain to connect to postgresql with a tcp socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -104,8 +95,7 @@ interface(`mysql_tcp_connect',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to mysqld with a unix
|
|
-# domain stream socket.
|
|
+## Connect to MySQL using a unix domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -120,12 +110,13 @@ interface(`mysql_stream_connect',`
|
|
')
|
|
|
|
files_search_pids($1)
|
|
- stream_connect_pattern($1, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
|
|
+ stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
|
|
+ stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read mysqld configuration content.
|
|
+## Read MySQL configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -139,7 +130,6 @@ interface(`mysql_read_config',`
|
|
type mysqld_etc_t;
|
|
')
|
|
|
|
- files_search_etc($1)
|
|
allow $1 mysqld_etc_t:dir list_dir_perms;
|
|
allow $1 mysqld_etc_t:file read_file_perms;
|
|
allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
|
|
@@ -147,7 +137,8 @@ interface(`mysql_read_config',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Search mysqld db directories.
|
|
+## Search the directories that contain MySQL
|
|
+## database storage.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -155,6 +146,8 @@ interface(`mysql_read_config',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
+# cjp: "_dir" in the name is added to clarify that this
|
|
+# is not searching the database itself.
|
|
interface(`mysql_search_db',`
|
|
gen_require(`
|
|
type mysqld_db_t;
|
|
@@ -166,7 +159,27 @@ interface(`mysql_search_db',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write mysqld database directories.
|
|
+## List the directories that contain MySQL
|
|
+## database storage.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mysql_list_db',`
|
|
+ gen_require(`
|
|
+ type mysqld_db_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ allow $1 mysqld_db_t:dir list_dir_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read and write to the MySQL database directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -185,8 +198,7 @@ interface(`mysql_rw_db_dirs',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## mysqld database directories.
|
|
+## Create, read, write, and delete MySQL database directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -205,7 +217,7 @@ interface(`mysql_manage_db_dirs',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Append mysqld database files.
|
|
+## Append to the MySQL database directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -224,7 +236,7 @@ interface(`mysql_append_db_files',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Read and write mysqld database files.
|
|
+## Read and write to the MySQL database directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -243,8 +255,7 @@ interface(`mysql_rw_db_files',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## mysqld database files.
|
|
+## Create, read, write, and delete MySQL database files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -263,7 +274,7 @@ interface(`mysql_manage_db_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write mysqld database sockets.
|
|
+## Read and write to the MySQL database
|
|
## named socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -273,13 +284,18 @@ interface(`mysql_manage_db_files',`
|
|
## </param>
|
|
#
|
|
interface(`mysql_rw_db_sockets',`
|
|
- refpolicywarn(`$0($*) has been deprecated.')
|
|
+ gen_require(`
|
|
+ type mysqld_db_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ allow $1 mysqld_db_t:dir search_dir_perms;
|
|
+ allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## mysqld home files.
|
|
+## Write to the MySQL log.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -287,86 +303,92 @@ interface(`mysql_rw_db_sockets',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mysql_manage_mysqld_home_files',`
|
|
+interface(`mysql_write_log',`
|
|
gen_require(`
|
|
- type mysqld_home_t;
|
|
+ type mysqld_log_t;
|
|
')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 mysqld_home_t:file manage_file_perms;
|
|
+ logging_search_logs($1)
|
|
+ allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
|
|
')
|
|
|
|
-########################################
|
|
+######################################
|
|
## <summary>
|
|
-## Relabel mysqld home files.
|
|
+## Execute MySQL safe script in the mysql safe domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mysql_relabel_mysqld_home_files',`
|
|
+interface(`mysql_domtrans_mysql_safe',`
|
|
gen_require(`
|
|
- type mysqld_home_t;
|
|
+ type mysqld_safe_t, mysqld_safe_exec_t;
|
|
')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 mysqld_home_t:file relabel_file_perms;
|
|
+ domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
|
|
')
|
|
|
|
-########################################
|
|
+######################################
|
|
## <summary>
|
|
-## Create objects in user home
|
|
-## directories with the mysqld home type.
|
|
+## Execute MySQL_safe in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
+#
|
|
+interface(`mysql_safe_exec',`
|
|
+ gen_require(`
|
|
+ type mysqld_safe_exec_t;
|
|
+ ')
|
|
+
|
|
+ can_exec($1, mysqld_safe_exec_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Read MySQL PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## The name of the object being created.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mysql_home_filetrans_mysqld_home',`
|
|
+interface(`mysql_read_pid_files',`
|
|
gen_require(`
|
|
- type mysqld_home_t;
|
|
+ type mysqld_var_run_t;
|
|
')
|
|
|
|
- userdom_user_home_dir_filetrans($1, mysqld_home_t, $2, $3)
|
|
+ mysql_search_pid_files($1)
|
|
+ read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
|
|
')
|
|
|
|
-########################################
|
|
+#####################################
|
|
## <summary>
|
|
-## Write mysqld log files.
|
|
+## Search MySQL PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+##
|
|
#
|
|
-interface(`mysql_write_log',`
|
|
+interface(`mysql_search_pid_files',`
|
|
gen_require(`
|
|
- type mysqld_log_t;
|
|
+ type mysqld_var_run_t;
|
|
')
|
|
|
|
- logging_search_logs($1)
|
|
- allow $1 mysqld_log_t:file write_file_perms;
|
|
+ search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
|
|
')
|
|
|
|
-######################################
|
|
+########################################
|
|
## <summary>
|
|
-## Execute mysqld safe in the
|
|
-## mysqld safe domain.
|
|
+## Execute mysqld server in the mysqld domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -374,18 +396,22 @@ interface(`mysql_write_log',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mysql_domtrans_mysql_safe',`
|
|
+interface(`mysql_systemctl',`
|
|
gen_require(`
|
|
- type mysqld_safe_t, mysqld_safe_exec_t;
|
|
+ type mysqld_unit_file_t;
|
|
+ type mysqld_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
- domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 mysqld_unit_file_t:file read_file_perms;
|
|
+ allow $1 mysqld_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, mysqld_t)
|
|
')
|
|
|
|
-#####################################
|
|
+########################################
|
|
## <summary>
|
|
-## Read mysqld pid files.
|
|
+## read mysqld homedir content (.k5login)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -393,39 +419,37 @@ interface(`mysql_domtrans_mysql_safe',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`mysql_read_pid_files',`
|
|
+interface(`mysql_read_home_content',`
|
|
gen_require(`
|
|
- type mysqld_var_run_t;
|
|
+ type mysqld_home_t;
|
|
')
|
|
|
|
- files_search_pids($1)
|
|
- read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
|
|
+ userdom_search_user_home_dirs($1)
|
|
+ read_files_pattern($1, mysqld_home_t, mysqld_home_t)
|
|
')
|
|
|
|
-#####################################
|
|
+########################################
|
|
## <summary>
|
|
-## Search mysqld pid files.
|
|
+## Transition to mysqld named content
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-##
|
|
#
|
|
-interface(`mysql_search_pid_files',`
|
|
+interface(`mysql_filetrans_named_content',`
|
|
gen_require(`
|
|
- type mysqld_var_run_t;
|
|
+ type mysqld_home_t;
|
|
')
|
|
|
|
- files_search_pids($1)
|
|
- search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
|
|
+ userdom_admin_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
|
|
+ userdom_user_home_dir_filetrans($1, mysqld_home_t, file, ".my.cnf")
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an mysqld environment.
|
|
+## All of the rules required to administrate an mysql environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -434,41 +458,52 @@ interface(`mysql_search_pid_files',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the mysql domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`mysql_admin',`
|
|
gen_require(`
|
|
- type mysqld_t, mysqld_var_run_t, mysqld_etc_t;
|
|
+ type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t;
|
|
type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
|
|
- type mysqld_safe_t, mysqlmanagerd_t, mysqlmanagerd_var_run_t;
|
|
- type mysqld_initrc_exec_t, mysqlmanagerd_initrc_exec_t, mysqld_home_t;
|
|
+ type mysqld_etc_t;
|
|
+ type mysqld_home_t;
|
|
+ type mysqld_unit_file_t;
|
|
')
|
|
|
|
- allow $1 { mysqld_safe_t mysqld_t mysqlmanagerd_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { mysqld_safe_t mysqld_t mysqlmanagerd_t })
|
|
+ allow $1 mysqld_t:process signal_perms;
|
|
+ ps_process_pattern($1, mysqld_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 mysqld_t:process ptrace;
|
|
+ ')
|
|
|
|
- init_labeled_script_domtrans($1, { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t })
|
|
+ init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
- role_transition $2 { mysqlmanagerd_initrc_exec_t mysqld_initrc_exec_t } system_r;
|
|
+ role_transition $2 mysqld_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, { mysqlmanagerd_var_run_t mysqld_var_run_t })
|
|
+ files_list_pids($1)
|
|
+ admin_pattern($1, mysqld_var_run_t)
|
|
|
|
- files_search_var_lib($1)
|
|
admin_pattern($1, mysqld_db_t)
|
|
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, { mysqld_etc_t mysqld_home_t })
|
|
+ files_list_etc($1)
|
|
+ admin_pattern($1, mysqld_etc_t)
|
|
|
|
- logging_search_logs($1)
|
|
+ logging_list_logs($1)
|
|
admin_pattern($1, mysqld_log_t)
|
|
|
|
- files_search_tmp($1)
|
|
+ files_list_tmp($1)
|
|
admin_pattern($1, mysqld_tmp_t)
|
|
|
|
- mysql_run_mysqld($1, $2)
|
|
+ userdom_search_user_home_dirs($1)
|
|
+ files_list_root($1)
|
|
+ admin_pattern($1, mysqld_home_t)
|
|
+
|
|
+ mysql_systemctl($1)
|
|
+ admin_pattern($1, mysqld_unit_file_t)
|
|
+ allow $1 mysqld_unit_file_t:service all_service_perms;
|
|
+
|
|
+ mysql_stream_connect($1)
|
|
')
|
|
diff --git a/mysql.te b/mysql.te
|
|
index 7584bbe..3d9035c 100644
|
|
--- a/mysql.te
|
|
+++ b/mysql.te
|
|
@@ -6,20 +6,15 @@ policy_module(mysql, 1.14.1)
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether mysqld can
|
|
-## connect to all TCP ports.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow mysqld to connect to all ports
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(mysql_connect_any, false)
|
|
|
|
-attribute_role mysqld_roles;
|
|
-
|
|
type mysqld_t;
|
|
type mysqld_exec_t;
|
|
init_daemon_domain(mysqld_t, mysqld_exec_t)
|
|
-application_domain(mysqld_t, mysqld_exec_t)
|
|
-role mysqld_roles types mysqld_t;
|
|
|
|
type mysqld_safe_t;
|
|
type mysqld_safe_exec_t;
|
|
@@ -27,7 +22,6 @@ init_daemon_domain(mysqld_safe_t, mysqld_safe_exec_t)
|
|
|
|
type mysqld_var_run_t;
|
|
files_pid_file(mysqld_var_run_t)
|
|
-init_daemon_run_dir(mysqld_var_run_t, "mysqld")
|
|
|
|
type mysqld_db_t;
|
|
files_type(mysqld_db_t)
|
|
@@ -38,6 +32,9 @@ files_config_file(mysqld_etc_t)
|
|
type mysqld_home_t;
|
|
userdom_user_home_content(mysqld_home_t)
|
|
|
|
+type mysqld_unit_file_t;
|
|
+systemd_unit_file(mysqld_unit_file_t)
|
|
+
|
|
type mysqld_initrc_exec_t;
|
|
init_script_file(mysqld_initrc_exec_t)
|
|
|
|
@@ -62,24 +59,24 @@ files_pid_file(mysqlmanagerd_var_run_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
|
|
+allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource net_bind_service };
|
|
dontaudit mysqld_t self:capability sys_tty_config;
|
|
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
|
|
allow mysqld_t self:fifo_file rw_fifo_file_perms;
|
|
allow mysqld_t self:shm create_shm_perms;
|
|
-allow mysqld_t self:unix_stream_socket { accept listen };
|
|
-allow mysqld_t self:tcp_socket { accept listen };
|
|
+allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow mysqld_t self:tcp_socket create_stream_socket_perms;
|
|
+allow mysqld_t self:udp_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
|
|
manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
|
|
+manage_sock_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
|
|
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
|
|
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
|
|
|
|
-filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
|
|
-
|
|
-allow mysqld_t mysqld_etc_t:dir list_dir_perms;
|
|
-allow mysqld_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
|
|
+allow mysqld_t mysqld_etc_t:file read_file_perms;
|
|
allow mysqld_t mysqld_etc_t:lnk_file read_lnk_file_perms;
|
|
+allow mysqld_t mysqld_etc_t:dir list_dir_perms;
|
|
|
|
manage_dirs_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
|
|
manage_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
|
|
@@ -95,50 +92,54 @@ manage_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
|
|
manage_sock_files_pattern(mysqld_t, mysqld_var_run_t, mysqld_var_run_t)
|
|
files_pid_filetrans(mysqld_t, mysqld_var_run_t, { dir file sock_file })
|
|
|
|
-kernel_read_kernel_sysctls(mysqld_t)
|
|
+userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
|
|
+
|
|
kernel_read_network_state(mysqld_t)
|
|
kernel_read_system_state(mysqld_t)
|
|
+kernel_read_kernel_sysctls(mysqld_t)
|
|
+
|
|
+corecmd_exec_bin(mysqld_t)
|
|
+corecmd_exec_shell(mysqld_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(mysqld_t)
|
|
corenet_all_recvfrom_netlabel(mysqld_t)
|
|
corenet_tcp_sendrecv_generic_if(mysqld_t)
|
|
+corenet_udp_sendrecv_generic_if(mysqld_t)
|
|
corenet_tcp_sendrecv_generic_node(mysqld_t)
|
|
+corenet_udp_sendrecv_generic_node(mysqld_t)
|
|
+corenet_tcp_sendrecv_all_ports(mysqld_t)
|
|
+corenet_udp_sendrecv_all_ports(mysqld_t)
|
|
corenet_tcp_bind_generic_node(mysqld_t)
|
|
-
|
|
-corenet_sendrecv_mysqld_server_packets(mysqld_t)
|
|
corenet_tcp_bind_mysqld_port(mysqld_t)
|
|
-corenet_sendrecv_mysqld_client_packets(mysqld_t)
|
|
corenet_tcp_connect_mysqld_port(mysqld_t)
|
|
-corenet_tcp_sendrecv_mysqld_port(mysqld_t)
|
|
-
|
|
-corecmd_exec_bin(mysqld_t)
|
|
-corecmd_exec_shell(mysqld_t)
|
|
+corenet_sendrecv_mysqld_client_packets(mysqld_t)
|
|
+corenet_sendrecv_mysqld_server_packets(mysqld_t)
|
|
|
|
dev_read_sysfs(mysqld_t)
|
|
dev_read_urand(mysqld_t)
|
|
|
|
-domain_use_interactive_fds(mysqld_t)
|
|
-
|
|
fs_getattr_all_fs(mysqld_t)
|
|
fs_search_auto_mountpoints(mysqld_t)
|
|
fs_rw_hugetlbfs_files(mysqld_t)
|
|
|
|
+domain_use_interactive_fds(mysqld_t)
|
|
+
|
|
+files_getattr_var_lib_dirs(mysqld_t)
|
|
files_read_etc_runtime_files(mysqld_t)
|
|
-files_read_usr_files(mysqld_t)
|
|
+files_search_var_lib(mysqld_t)
|
|
|
|
auth_use_nsswitch(mysqld_t)
|
|
|
|
logging_send_syslog_msg(mysqld_t)
|
|
|
|
-miscfiles_read_localization(mysqld_t)
|
|
+sysnet_read_config(mysqld_t)
|
|
|
|
-userdom_search_user_home_dirs(mysqld_t)
|
|
-userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
|
|
+ifdef(`distro_redhat',`
|
|
+ filetrans_pattern(mysqld_t, mysqld_db_t, mysqld_var_run_t, sock_file)
|
|
+')
|
|
|
|
tunable_policy(`mysql_connect_any',`
|
|
- corenet_sendrecv_all_client_packets(mysqld_t)
|
|
corenet_tcp_connect_all_ports(mysqld_t)
|
|
- corenet_tcp_sendrecv_all_ports(mysqld_t)
|
|
+ corenet_sendrecv_all_client_packets(mysqld_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -146,6 +147,10 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ openshift_search_lib(mysqld_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
seutil_sigchld_newrole(mysqld_t)
|
|
')
|
|
|
|
@@ -155,21 +160,17 @@ optional_policy(`
|
|
|
|
#######################################
|
|
#
|
|
-# Safe local policy
|
|
+# Local mysqld_safe policy
|
|
#
|
|
|
|
-allow mysqld_safe_t self:capability { chown dac_override fowner kill };
|
|
+allow mysqld_safe_t self:capability { chown dac_override fowner kill sys_nice sys_resource };
|
|
allow mysqld_safe_t self:process { setsched getsched setrlimit };
|
|
allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
-allow mysqld_safe_t mysqld_t:process signull;
|
|
-
|
|
read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
|
|
-manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
|
|
+delete_sock_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
|
|
|
|
-allow mysqld_safe_t mysqld_etc_t:dir list_dir_perms;
|
|
-allow mysqld_safe_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
|
|
-allow mysqld_safe_t mysqld_etc_t:lnk_file read_lnk_file_perms;
|
|
+domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
|
|
|
|
list_dirs_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
|
|
manage_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
|
|
@@ -177,9 +178,7 @@ manage_lnk_files_pattern(mysqld_safe_t, mysqld_log_t, mysqld_log_t)
|
|
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
|
|
|
|
manage_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
|
|
-delete_sock_files_pattern(mysqld_safe_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t)
|
|
-
|
|
-domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
|
|
+delete_sock_files_pattern(mysqld_safe_t, mysqld_var_run_t, mysqld_var_run_t)
|
|
|
|
kernel_read_system_state(mysqld_safe_t)
|
|
kernel_read_kernel_sysctls(mysqld_safe_t)
|
|
@@ -187,21 +186,27 @@ kernel_read_kernel_sysctls(mysqld_safe_t)
|
|
corecmd_exec_bin(mysqld_safe_t)
|
|
corecmd_exec_shell(mysqld_safe_t)
|
|
|
|
+dev_read_urand(mysqld_safe_t)
|
|
dev_list_sysfs(mysqld_safe_t)
|
|
|
|
domain_read_all_domains_state(mysqld_safe_t)
|
|
|
|
-files_read_etc_files(mysqld_safe_t)
|
|
-files_read_usr_files(mysqld_safe_t)
|
|
-files_search_pids(mysqld_safe_t)
|
|
-files_dontaudit_getattr_all_dirs(mysqld_safe_t)
|
|
files_dontaudit_search_all_mountpoints(mysqld_safe_t)
|
|
+files_dontaudit_getattr_all_dirs(mysqld_safe_t)
|
|
+files_dontaudit_write_root_dirs(mysqld_safe_t)
|
|
|
|
+logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
|
|
logging_send_syslog_msg(mysqld_safe_t)
|
|
|
|
-miscfiles_read_localization(mysqld_safe_t)
|
|
+auth_read_passwd(mysqld_safe_t)
|
|
+
|
|
+domain_dontaudit_signull_all_domains(mysqld_safe_t)
|
|
|
|
-userdom_search_user_home_dirs(mysqld_safe_t)
|
|
+mysql_manage_db_files(mysqld_safe_t)
|
|
+mysql_read_config(mysqld_safe_t)
|
|
+mysql_search_pid_files(mysqld_safe_t)
|
|
+mysql_signull(mysqld_safe_t)
|
|
+mysql_write_log(mysqld_safe_t)
|
|
|
|
optional_policy(`
|
|
hostname_exec(mysqld_safe_t)
|
|
@@ -209,7 +214,7 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Manager local policy
|
|
+# MySQL Manager Policy
|
|
#
|
|
|
|
allow mysqlmanagerd_t self:capability { dac_override kill };
|
|
@@ -218,11 +223,12 @@ allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
|
|
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
|
|
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
-allow mysqlmanagerd_t mysqld_t:process signal;
|
|
-
|
|
-allow mysqlmanagerd_t mysqld_etc_t:dir list_dir_perms;
|
|
-allow mysqlmanagerd_t { mysqld_etc_t mysqld_home_t }:file read_file_perms;
|
|
-allow mysqlmanagerd_t mysqld_etc_t:lnk_file read_lnk_file_perms;
|
|
+mysql_read_config(initrc_t)
|
|
+mysql_read_config(mysqlmanagerd_t)
|
|
+mysql_read_pid_files(mysqlmanagerd_t)
|
|
+mysql_search_db(mysqlmanagerd_t)
|
|
+mysql_signal(mysqlmanagerd_t)
|
|
+mysql_stream_connect(mysqlmanagerd_t)
|
|
|
|
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
|
|
|
|
@@ -230,31 +236,20 @@ manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
|
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
|
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
|
|
|
|
-stream_connect_pattern(mysqlmanagerd_t, { mysqld_db_t mysqld_var_run_t }, mysqld_var_run_t, mysqld_t)
|
|
-
|
|
kernel_read_system_state(mysqlmanagerd_t)
|
|
|
|
corecmd_exec_shell(mysqlmanagerd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(mysqlmanagerd_t)
|
|
corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
|
|
corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
|
|
corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
|
|
+corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)
|
|
corenet_tcp_bind_generic_node(mysqlmanagerd_t)
|
|
-
|
|
-corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)
|
|
corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t)
|
|
-corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
|
|
corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t)
|
|
-corenet_tcp_sendrecv_mysqlmanagerd_port(mysqlmanagerd_t)
|
|
+corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)
|
|
+corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)
|
|
|
|
dev_read_urand(mysqlmanagerd_t)
|
|
|
|
-files_read_etc_files(mysqlmanagerd_t)
|
|
-files_read_usr_files(mysqlmanagerd_t)
|
|
-files_search_pids(mysqlmanagerd_t)
|
|
-files_search_var_lib(mysqlmanagerd_t)
|
|
-
|
|
-miscfiles_read_localization(mysqlmanagerd_t)
|
|
-
|
|
-userdom_search_user_home_dirs(mysqlmanagerd_t)
|
|
+userdom_getattr_user_home_dirs(mysqlmanagerd_t)
|
|
diff --git a/mythtv.fc b/mythtv.fc
|
|
new file mode 100644
|
|
index 0000000..3a1c423
|
|
--- /dev/null
|
|
+++ b/mythtv.fc
|
|
@@ -0,0 +1,9 @@
|
|
+/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
|
|
+
|
|
+/var/lib/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_lib_t,s0)
|
|
+
|
|
+/var/log/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_log_t,s0)
|
|
+
|
|
+/usr/share/mythtv(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
|
|
+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
|
|
+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
|
|
diff --git a/mythtv.if b/mythtv.if
|
|
new file mode 100644
|
|
index 0000000..171f666
|
|
--- /dev/null
|
|
+++ b/mythtv.if
|
|
@@ -0,0 +1,152 @@
|
|
+
|
|
+## <summary>policy for httpd_mythtv_script</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute TEMPLATE in the httpd_mythtv_script domin.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`httpd_mythtv_script_domtrans',`
|
|
+ gen_require(`
|
|
+ type httpd_mythtv_script_t, httpd_mythtv_script_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, httpd_mythtv_script_exec_t, httpd_mythtv_script_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## read mythtv libs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mythtv_read_lib',`
|
|
+ gen_require(`
|
|
+ type mythtv_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ read_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
|
|
+ files_list_var_lib($1)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## mythtv lib content.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mythtv_manage_lib',`
|
|
+ gen_require(`
|
|
+ type mythtv_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ manage_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
|
|
+ manage_lnk_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
|
|
+ files_list_var_lib($1)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## read mythtv logs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mythtv_read_log',`
|
|
+ gen_require(`
|
|
+ type mythtv_var_log_t;
|
|
+ ')
|
|
+
|
|
+ read_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
|
|
+ logging_search_logs($1)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Append mythtv log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mythtv_append_log',`
|
|
+ gen_require(`
|
|
+ type mythtv_var_log_t;
|
|
+ ')
|
|
+
|
|
+ append_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
|
|
+ logging_search_logs($1)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## mythtv log content.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mythtv_manage_log',`
|
|
+ gen_require(`
|
|
+ type mythtv_var_log_t;
|
|
+ ')
|
|
+
|
|
+ manage_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
|
|
+ manage_lnk_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
|
|
+ logging_search_logs($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to
|
|
+## administrate an mythtv environment.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`mythtv_admin',`
|
|
+ gen_require(`
|
|
+ type httpd_mythtv_script_t, mythtv_var_lib_t;
|
|
+ type mythtv_var_log_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 httpd_mythtv_script_t:process signal_perms;
|
|
+ ps_process_pattern($1, httpd_mythtv_script_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 httpd_mythtv_script_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ logging_list_logs($1)
|
|
+ admin_pattern($1, mythtv_var_log_t)
|
|
+
|
|
+ files_list_var_lib($1)
|
|
+ admin_pattern($1, mythtv_var_lib_t)
|
|
+')
|
|
diff --git a/mythtv.te b/mythtv.te
|
|
new file mode 100644
|
|
index 0000000..90129ac
|
|
--- /dev/null
|
|
+++ b/mythtv.te
|
|
@@ -0,0 +1,41 @@
|
|
+policy_module(mythtv, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+apache_content_template(mythtv)
|
|
+
|
|
+type mythtv_var_lib_t;
|
|
+files_type(mythtv_var_lib_t)
|
|
+
|
|
+type mythtv_var_log_t;
|
|
+logging_log_file(mythtv_var_log_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# httpd_mythtv_script local policy
|
|
+#
|
|
+
|
|
+manage_files_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
|
|
+manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
|
|
+files_var_lib_filetrans(httpd_mythtv_script_t, mythtv_var_lib_t, { dir file })
|
|
+
|
|
+manage_files_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
|
|
+manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
|
|
+logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, file )
|
|
+
|
|
+domain_use_interactive_fds(httpd_mythtv_script_t)
|
|
+
|
|
+files_read_etc_files(httpd_mythtv_script_t)
|
|
+
|
|
+fs_read_nfs_files(httpd_mythtv_script_t)
|
|
+
|
|
+miscfiles_read_localization(httpd_mythtv_script_t)
|
|
+
|
|
+optional_policy(`
|
|
+ mysql_read_config(httpd_mythtv_script_t)
|
|
+ mysql_stream_connect(httpd_mythtv_script_t)
|
|
+ mysql_tcp_connect(httpd_mythtv_script_t)
|
|
+')
|
|
diff --git a/nagios.fc b/nagios.fc
|
|
index d78dfc3..a00cc2d 100644
|
|
--- a/nagios.fc
|
|
+++ b/nagios.fc
|
|
@@ -1,88 +1,97 @@
|
|
-/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
|
|
-/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
|
|
+/etc/nagios(/.*)? gen_context(system_u:object_r:nagios_etc_t,s0)
|
|
+/etc/nagios/nrpe\.cfg -- gen_context(system_u:object_r:nrpe_etc_t,s0)
|
|
+/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
|
|
|
|
-/etc/rc\.d/init\.d/nagios -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
|
|
-/etc/rc\.d/init\.d/nrpe -- gen_context(system_u:object_r:nagios_initrc_exec_t,s0)
|
|
+/usr/s?bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
|
|
+/usr/s?bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
|
|
|
|
-/usr/bin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
|
|
-/usr/bin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
|
|
+/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
|
|
+/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
|
|
|
|
-/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
|
|
-/usr/sbin/nrpe -- gen_context(system_u:object_r:nrpe_exec_t,s0)
|
|
+/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
|
|
+/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
|
|
|
|
-/usr/lib/cgi-bin/nagios(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
|
|
-/usr/lib/cgi-bin/netsaint(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
|
|
+/var/run/nagios.* gen_context(system_u:object_r:nagios_var_run_t,s0)
|
|
|
|
-/usr/lib/nagios/cgi(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
|
|
-/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
|
|
+/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
|
|
|
|
-/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
|
|
+ifdef(`distro_debian',`
|
|
+/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
|
|
+')
|
|
+/usr/lib/cgi-bin/nagios(/.+)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
|
|
+/usr/lib/nagios/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
|
|
|
|
+# admin plugins
|
|
/usr/lib/nagios/plugins/check_file_age -- gen_context(system_u:object_r:nagios_admin_plugin_exec_t,s0)
|
|
|
|
-/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
|
|
+# check disk plugins
|
|
+/usr/lib/nagios/plugins/check_disk -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_disk_smb -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_ide_smart -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_linux_raid -- gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
|
|
|
|
-/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
|
|
+# mail plugins
|
|
+/usr/lib/nagios/plugins/check_mailq -- gen_context(system_u:object_r:nagios_mail_plugin_exec_t,s0)
|
|
+
|
|
+/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
|
|
|
|
+# system plugins
|
|
/usr/lib/nagios/plugins/check_breeze -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_dummy -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_flexlm -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_ifoperstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_ifstatus -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_load -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_log -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_mrtg -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_mrtgtraf -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_nagios -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_nwstat -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_overcr -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_procs -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_sensors -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_swap -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_users -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_wave -- gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
|
|
|
|
+# services plugins
|
|
/usr/lib/nagios/plugins/check_cluster -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_dhcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_dig -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_dns -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_game -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_fping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_hpjd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_http -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_icmp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_ircd -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_ldap -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_mysql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_mysql_query -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_nrpe -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_nt -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_ntp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_oracle -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_pgsql -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_ping -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_radius -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_real -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_rpc -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_tcp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_time -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_sip -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_smtp -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
/usr/lib/nagios/plugins/check_snmp.* -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
-
|
|
-/usr/lib/nagios/plugins/check_by_ssh -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_ssh -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
+/usr/lib/nagios/plugins/check_ups -- gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
|
|
|
|
-/usr/lib/pnp4nagios(/.*)? gen_context(system_u:object_r:nagios_var_lib_t,s0)
|
|
+# openshift plugins
|
|
+/usr/lib64/nagios/plugins/check_node_accept_status -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
|
|
+/usr/lib64/nagios/plugins/check_number_openshift_apps -- gen_context(system_u:object_r:nagios_openshift_plugin_exec_t,s0)
|
|
|
|
-/var/log/nagios(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
|
|
-/var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
|
|
+# label all nagios plugin as unconfined by default
|
|
+/usr/lib/nagios/plugins/.* -- gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)
|
|
|
|
-/var/run/nagios.* -- gen_context(system_u:object_r:nagios_var_run_t,s0)
|
|
-/var/run/nrpe.* -- gen_context(system_u:object_r:nrpe_var_run_t,s0)
|
|
-
|
|
-/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0)
|
|
+# eventhandlers
|
|
+/usr/lib/nagios/plugins/eventhandlers(/.*) gen_context(system_u:object_r:nagios_eventhandler_plugin_exec_t,s0)
|
|
diff --git a/nagios.if b/nagios.if
|
|
index 0641e97..d7d9a79 100644
|
|
--- a/nagios.if
|
|
+++ b/nagios.if
|
|
@@ -1,12 +1,13 @@
|
|
-## <summary>Network monitoring server.</summary>
|
|
+## <summary>Net Saint / NAGIOS - network monitoring server</summary>
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## The template to define a nagios plugin domain.
|
|
+## Create a set of derived types for various
|
|
+## nagios plugins,
|
|
## </summary>
|
|
-## <param name="domain_prefix">
|
|
+## <param name="plugins_group_name">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## The name to be used for deriving type names.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
@@ -16,38 +17,31 @@ template(`nagios_plugin_template',`
|
|
type nagios_t, nrpe_t;
|
|
')
|
|
|
|
- ########################################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
-
|
|
type nagios_$1_plugin_t, nagios_plugin_domain;
|
|
type nagios_$1_plugin_exec_t;
|
|
application_domain(nagios_$1_plugin_t, nagios_$1_plugin_exec_t)
|
|
role system_r types nagios_$1_plugin_t;
|
|
|
|
- ########################################
|
|
- #
|
|
- # Policy
|
|
- #
|
|
-
|
|
domtrans_pattern(nrpe_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
|
|
allow nagios_t nagios_$1_plugin_exec_t:file ioctl;
|
|
|
|
+ # needed by command.cfg
|
|
domtrans_pattern(nagios_t, nagios_$1_plugin_exec_t, nagios_$1_plugin_t)
|
|
+
|
|
+ kernel_read_system_state(nagios_$1_plugin_t)
|
|
+
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to read or
|
|
-## write nagios unnamed pipes.
|
|
+## Do not audit attempts to read or write nagios
|
|
+## unnamed pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
interface(`nagios_dontaudit_rw_pipes',`
|
|
gen_require(`
|
|
@@ -59,7 +53,8 @@ interface(`nagios_dontaudit_rw_pipes',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read nagios configuration content.
|
|
+## Allow the specified domain to read
|
|
+## nagios configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -73,15 +68,14 @@ interface(`nagios_read_config',`
|
|
type nagios_etc_t;
|
|
')
|
|
|
|
- files_search_etc($1)
|
|
allow $1 nagios_etc_t:dir list_dir_perms;
|
|
allow $1 nagios_etc_t:file read_file_perms;
|
|
- allow $1 nagios_etc_t:lnk_file read_lnk_file_perms;
|
|
+ files_search_etc($1)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
-## Read nagios log files.
|
|
+## Read nagios logs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -100,8 +94,7 @@ interface(`nagios_read_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to read or
|
|
-## write nagios log files.
|
|
+## Do not audit attempts to read or write nagios logs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -132,13 +125,14 @@ interface(`nagios_search_spool',`
|
|
type nagios_spool_t;
|
|
')
|
|
|
|
- files_search_spool($1)
|
|
allow $1 nagios_spool_t:dir search_dir_perms;
|
|
+ files_search_spool($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read nagios temporary files.
|
|
+## Allow the specified domain to read
|
|
+## nagios temporary files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -151,13 +145,34 @@ interface(`nagios_read_tmp_files',`
|
|
type nagios_tmp_t;
|
|
')
|
|
|
|
- files_search_tmp($1)
|
|
allow $1 nagios_tmp_t:file read_file_perms;
|
|
+ files_search_tmp($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow the specified domain to read
|
|
+## nagios temporary files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nagios_rw_inerited_tmp_files',`
|
|
+ gen_require(`
|
|
+ type nagios_tmp_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 nagios_tmp_t:file rw_inherited_file_perms;
|
|
+ files_search_tmp($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute nrpe with a domain transition.
|
|
+## Execute the nagios NRPE with
|
|
+## a domain transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -170,14 +185,13 @@ interface(`nagios_domtrans_nrpe',`
|
|
type nrpe_t, nrpe_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, nrpe_exec_t, nrpe_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an nagios environment.
|
|
+## All of the rules required to administrate
|
|
+## an nagios environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -186,44 +200,43 @@ interface(`nagios_domtrans_nrpe',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the nagios domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`nagios_admin',`
|
|
gen_require(`
|
|
- attribute nagios_plugin_domain;
|
|
type nagios_t, nrpe_t, nagios_initrc_exec_t;
|
|
- type nagios_tmp_t, nagios_log_t, nagios_var_lib_t;
|
|
- type nagios_etc_t, nrpe_etc_t, nrpe_var_run_t;
|
|
- type nagios_spool_t, nagios_var_run_t, nagios_system_plugin_tmp_t;
|
|
- type nagios_eventhandler_plugin_tmp_t;
|
|
+ type nagios_tmp_t, nagios_log_t, nagios_var_run_t;
|
|
+ type nagios_etc_t, nrpe_etc_t, nagios_spool_t;
|
|
')
|
|
|
|
- allow $1 { nagios_t nrpe_t nagios_plugin_domain }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { nagios_t nrpe_t nagios_plugin_domain })
|
|
+ allow $1 nagios_t:process signal_perms;
|
|
+ ps_process_pattern($1, nagios_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 nagios_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, nagios_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 nagios_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_search_tmp($1)
|
|
- admin_pattern($1, { nagios_eventhandler_plugin_tmp_t nagios_tmp_t nagios_system_plugin_tmp_t })
|
|
+ files_list_tmp($1)
|
|
+ admin_pattern($1, nagios_tmp_t)
|
|
|
|
- logging_search_logs($1)
|
|
+ logging_list_logs($1)
|
|
admin_pattern($1, nagios_log_t)
|
|
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, { nrpe_etc_t nagios_etc_t })
|
|
+ files_list_etc($1)
|
|
+ admin_pattern($1, nagios_etc_t)
|
|
|
|
- files_search_spool($1)
|
|
+ files_list_spool($1)
|
|
admin_pattern($1, nagios_spool_t)
|
|
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, { nrpe_var_run_t nagios_var_run_t })
|
|
+ files_list_pids($1)
|
|
+ admin_pattern($1, nagios_var_run_t)
|
|
|
|
- files_search_var_lib($1)
|
|
- admin_pattern($1, nagios_var_lib_t)
|
|
+ admin_pattern($1, nrpe_etc_t)
|
|
')
|
|
diff --git a/nagios.te b/nagios.te
|
|
index 7b3e682..f565a0e 100644
|
|
--- a/nagios.te
|
|
+++ b/nagios.te
|
|
@@ -27,7 +27,7 @@ type nagios_var_run_t;
|
|
files_pid_file(nagios_var_run_t)
|
|
|
|
type nagios_spool_t;
|
|
-files_type(nagios_spool_t)
|
|
+files_spool_file(nagios_spool_t)
|
|
|
|
type nagios_var_lib_t;
|
|
files_type(nagios_var_lib_t)
|
|
@@ -39,6 +39,7 @@ nagios_plugin_template(services)
|
|
nagios_plugin_template(system)
|
|
nagios_plugin_template(unconfined)
|
|
nagios_plugin_template(eventhandler)
|
|
+nagios_plugin_template(openshift)
|
|
|
|
type nagios_eventhandler_plugin_tmp_t;
|
|
files_tmp_file(nagios_eventhandler_plugin_tmp_t)
|
|
@@ -46,6 +47,9 @@ files_tmp_file(nagios_eventhandler_plugin_tmp_t)
|
|
type nagios_system_plugin_tmp_t;
|
|
files_tmp_file(nagios_system_plugin_tmp_t)
|
|
|
|
+type nagios_openshift_plugin_tmp_t;
|
|
+files_tmp_file(nagios_openshift_plugin_tmp_t)
|
|
+
|
|
type nrpe_t;
|
|
type nrpe_exec_t;
|
|
init_daemon_domain(nrpe_t, nrpe_exec_t)
|
|
@@ -63,19 +67,21 @@ files_pid_file(nrpe_var_run_t)
|
|
|
|
allow nagios_plugin_domain self:fifo_file rw_fifo_file_perms;
|
|
|
|
+allow nrpe_t nagios_plugin_domain:process { signal sigkill };
|
|
+
|
|
+allow nagios_t nagios_plugin_domain:process signal_perms;
|
|
+allow nagios_plugin_domain nagios_t:process signal_perms;
|
|
+
|
|
+# cjp: leaked file descriptor
|
|
dontaudit nagios_plugin_domain nrpe_t:tcp_socket { read write };
|
|
dontaudit nagios_plugin_domain nagios_log_t:file { read write };
|
|
|
|
-kernel_read_system_state(nagios_plugin_domain)
|
|
-
|
|
dev_read_urand(nagios_plugin_domain)
|
|
dev_read_rand(nagios_plugin_domain)
|
|
+dev_read_sysfs(nagios_plugin_domain)
|
|
|
|
-files_read_usr_files(nagios_plugin_domain)
|
|
-
|
|
-miscfiles_read_localization(nagios_plugin_domain)
|
|
-
|
|
-userdom_use_user_terminals(nagios_plugin_domain)
|
|
+userdom_use_inherited_user_ptys(nagios_plugin_domain)
|
|
+userdom_use_inherited_user_ttys(nagios_plugin_domain)
|
|
|
|
########################################
|
|
#
|
|
@@ -96,11 +102,13 @@ allow nagios_t nagios_etc_t:dir list_dir_perms;
|
|
allow nagios_t nagios_etc_t:file read_file_perms;
|
|
allow nagios_t nagios_etc_t:lnk_file read_lnk_file_perms;
|
|
|
|
-allow nagios_t nagios_log_t:dir setattr_dir_perms;
|
|
-append_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
|
|
-create_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
|
|
-setattr_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
|
|
-logging_log_filetrans(nagios_t, nagios_log_t, file)
|
|
+#allow nagios_t nagios_log_t:dir setattr_dir_perms;
|
|
+#append_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
|
|
+#create_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
|
|
+#setattr_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
|
|
+manage_files_pattern(nagios_t, nagios_log_t, nagios_log_t)
|
|
+manage_dirs_pattern(nagios_t, nagios_log_t, nagios_log_t)
|
|
+logging_log_filetrans(nagios_t, nagios_log_t, { dir file })
|
|
|
|
manage_dirs_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
|
|
manage_files_pattern(nagios_t, nagios_tmp_t, nagios_tmp_t)
|
|
@@ -110,7 +118,8 @@ manage_files_pattern(nagios_t, nagios_var_run_t, nagios_var_run_t)
|
|
files_pid_filetrans(nagios_t, nagios_var_run_t, file)
|
|
|
|
manage_fifo_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
|
|
-files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
|
|
+manage_files_pattern(nagios_t, nagios_spool_t, nagios_spool_t)
|
|
+files_spool_filetrans(nagios_t, nagios_spool_t, { file fifo_file})
|
|
|
|
manage_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
|
|
manage_fifo_files_pattern(nagios_t, nagios_var_lib_t, nagios_var_lib_t)
|
|
@@ -123,7 +132,6 @@ kernel_read_software_raid_state(nagios_t)
|
|
corecmd_exec_bin(nagios_t)
|
|
corecmd_exec_shell(nagios_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(nagios_t)
|
|
corenet_all_recvfrom_netlabel(nagios_t)
|
|
corenet_tcp_sendrecv_generic_if(nagios_t)
|
|
corenet_tcp_sendrecv_generic_node(nagios_t)
|
|
@@ -143,7 +151,6 @@ domain_read_all_domains_state(nagios_t)
|
|
|
|
files_read_etc_runtime_files(nagios_t)
|
|
files_read_kernel_symbol_table(nagios_t)
|
|
-files_read_usr_files(nagios_t)
|
|
files_search_spool(nagios_t)
|
|
|
|
fs_getattr_all_fs(nagios_t)
|
|
@@ -153,8 +160,6 @@ auth_use_nsswitch(nagios_t)
|
|
|
|
logging_send_syslog_msg(nagios_t)
|
|
|
|
-miscfiles_read_localization(nagios_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(nagios_t)
|
|
userdom_dontaudit_search_user_home_dirs(nagios_t)
|
|
|
|
@@ -178,6 +183,7 @@ optional_policy(`
|
|
#
|
|
# CGI local policy
|
|
#
|
|
+
|
|
optional_policy(`
|
|
apache_content_template(nagios)
|
|
typealias httpd_nagios_script_t alias nagios_cgi_t;
|
|
@@ -229,9 +235,9 @@ files_pid_filetrans(nrpe_t, nrpe_var_run_t, file)
|
|
|
|
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
|
|
|
|
+kernel_read_system_state(nrpe_t)
|
|
kernel_read_kernel_sysctls(nrpe_t)
|
|
kernel_read_software_raid_state(nrpe_t)
|
|
-kernel_read_system_state(nrpe_t)
|
|
|
|
corecmd_exec_bin(nrpe_t)
|
|
corecmd_exec_shell(nrpe_t)
|
|
@@ -252,8 +258,8 @@ dev_read_urand(nrpe_t)
|
|
domain_use_interactive_fds(nrpe_t)
|
|
domain_read_all_domains_state(nrpe_t)
|
|
|
|
+files_list_var(nrpe_t)
|
|
files_read_etc_runtime_files(nrpe_t)
|
|
-files_read_usr_files(nrpe_t)
|
|
|
|
fs_getattr_all_fs(nrpe_t)
|
|
fs_search_auto_mountpoints(nrpe_t)
|
|
@@ -262,8 +268,6 @@ auth_use_nsswitch(nrpe_t)
|
|
|
|
logging_send_syslog_msg(nrpe_t)
|
|
|
|
-miscfiles_read_localization(nrpe_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(nrpe_t)
|
|
|
|
optional_policy(`
|
|
@@ -310,15 +314,15 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
|
|
#
|
|
|
|
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
|
|
-allow nagios_mail_plugin_t self:tcp_socket { accept listen };
|
|
+allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
|
|
+allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
|
|
|
|
kernel_read_kernel_sysctls(nagios_mail_plugin_t)
|
|
|
|
corecmd_read_bin_files(nagios_mail_plugin_t)
|
|
corecmd_read_bin_symlinks(nagios_mail_plugin_t)
|
|
|
|
-files_read_etc_files(nagios_mail_plugin_t)
|
|
-
|
|
logging_send_syslog_msg(nagios_mail_plugin_t)
|
|
|
|
sysnet_dns_name_resolve(nagios_mail_plugin_t)
|
|
@@ -345,6 +349,9 @@ allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
|
|
|
|
kernel_read_software_raid_state(nagios_checkdisk_plugin_t)
|
|
|
|
+corecmd_exec_bin(nagios_checkdisk_plugin_t)
|
|
+
|
|
+files_getattr_all_dirs(nagios_checkdisk_plugin_t)
|
|
files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
|
|
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
|
|
|
|
@@ -357,9 +364,11 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
|
|
# Services local policy
|
|
#
|
|
|
|
-allow nagios_services_plugin_t self:capability net_raw;
|
|
+allow nagios_services_plugin_t self:capability { setuid net_bind_service net_raw };
|
|
allow nagios_services_plugin_t self:process { signal sigkill };
|
|
-allow nagios_services_plugin_t self:tcp_socket { accept listen };
|
|
+allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
|
|
+allow nagios_services_plugin_t self:udp_socket create_socket_perms;
|
|
+allow nagios_services_plugin_t self:rawip_socket create_socket_perms;
|
|
|
|
corecmd_exec_bin(nagios_services_plugin_t)
|
|
|
|
@@ -391,6 +400,11 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
mysql_stream_connect(nagios_services_plugin_t)
|
|
+ mysql_read_config(nagios_services_plugin_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ postgresql_stream_connect(nagios_services_plugin_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -411,6 +425,7 @@ manage_files_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_
|
|
manage_dirs_pattern(nagios_system_plugin_t, nagios_system_plugin_tmp_t, nagios_system_plugin_tmp_t)
|
|
files_tmp_filetrans(nagios_system_plugin_t, nagios_system_plugin_tmp_t, { dir file })
|
|
|
|
+kernel_read_system_state(nagios_system_plugin_t)
|
|
kernel_read_kernel_sysctls(nagios_system_plugin_t)
|
|
|
|
corecmd_exec_bin(nagios_system_plugin_t)
|
|
@@ -420,10 +435,10 @@ dev_read_sysfs(nagios_system_plugin_t)
|
|
|
|
domain_read_all_domains_state(nagios_system_plugin_t)
|
|
|
|
-files_read_etc_files(nagios_system_plugin_t)
|
|
-
|
|
fs_getattr_all_fs(nagios_system_plugin_t)
|
|
|
|
+auth_read_passwd(nagios_system_plugin_t)
|
|
+
|
|
optional_policy(`
|
|
init_read_utmp(nagios_system_plugin_t)
|
|
')
|
|
@@ -442,11 +457,44 @@ corecmd_exec_shell(nagios_eventhandler_plugin_t)
|
|
|
|
init_domtrans_script(nagios_eventhandler_plugin_t)
|
|
|
|
+systemd_exec_systemctl(nagios_eventhandler_plugin_t)
|
|
+
|
|
+allow nagios_t nagios_eventhandler_plugin_exec_t:dir list_dir_perms;
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_domain(nagios_eventhandler_plugin_t)
|
|
+')
|
|
+
|
|
########################################
|
|
#
|
|
-# Unconfined plugin policy
|
|
+# nagios openshift plugin policy
|
|
+#
|
|
+
|
|
+allow nagios_openshift_plugin_t self:capability sys_ptrace;
|
|
+
|
|
+manage_dirs_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t)
|
|
+manage_files_pattern(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, nagios_openshift_plugin_tmp_t)
|
|
+files_tmp_filetrans(nagios_openshift_plugin_t, nagios_openshift_plugin_tmp_t, { file dir })
|
|
+
|
|
+corecmd_exec_bin(nagios_openshift_plugin_t)
|
|
+corecmd_exec_shell(nagios_openshift_plugin_t)
|
|
+
|
|
+domain_read_all_domains_state(nagios_openshift_plugin_t)
|
|
+
|
|
+fs_getattr_all_fs(nagios_openshift_plugin_t)
|
|
+
|
|
+optional_policy(`
|
|
+ apache_read_config(nagios_openshift_plugin_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+#
|
|
+# nagios plugin domain policy
|
|
#
|
|
|
|
optional_policy(`
|
|
unconfined_domain(nagios_unconfined_plugin_t)
|
|
')
|
|
+
|
|
+
|
|
+
|
|
diff --git a/namespace.fc b/namespace.fc
|
|
new file mode 100644
|
|
index 0000000..ce51c8d
|
|
--- /dev/null
|
|
+++ b/namespace.fc
|
|
@@ -0,0 +1,3 @@
|
|
+
|
|
+/etc/security/namespace.init -- gen_context(system_u:object_r:namespace_init_exec_t,s0)
|
|
+
|
|
diff --git a/namespace.if b/namespace.if
|
|
new file mode 100644
|
|
index 0000000..8d7c751
|
|
--- /dev/null
|
|
+++ b/namespace.if
|
|
@@ -0,0 +1,48 @@
|
|
+
|
|
+## <summary>policy for namespace</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute a domain transition to run namespace_init.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`namespace_init_domtrans',`
|
|
+ gen_require(`
|
|
+ type namespace_init_t, namespace_init_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, namespace_init_exec_t, namespace_init_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute namespace_init in the namespace_init domain, and
|
|
+## allow the specified role the namespace_init domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed the namespace_init domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`namespace_init_run',`
|
|
+ gen_require(`
|
|
+ type namespace_init_t;
|
|
+ ')
|
|
+
|
|
+ namespace_init_domtrans($1)
|
|
+ role $2 types namespace_init_t;
|
|
+
|
|
+ seutil_run_setfiles(namespace_init_t, $2)
|
|
+')
|
|
diff --git a/namespace.te b/namespace.te
|
|
new file mode 100644
|
|
index 0000000..c674894
|
|
--- /dev/null
|
|
+++ b/namespace.te
|
|
@@ -0,0 +1,39 @@
|
|
+policy_module(namespace,1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type namespace_init_t;
|
|
+type namespace_init_exec_t;
|
|
+init_system_domain(namespace_init_t, namespace_init_exec_t)
|
|
+role system_r types namespace_init_t;
|
|
+
|
|
+########################################
|
|
+#
|
|
+# namespace_init local policy
|
|
+#
|
|
+
|
|
+allow namespace_init_t self:capability dac_override;
|
|
+
|
|
+allow namespace_init_t self:fifo_file manage_fifo_file_perms;
|
|
+allow namespace_init_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+kernel_read_system_state(namespace_init_t)
|
|
+
|
|
+corecmd_exec_shell(namespace_init_t)
|
|
+
|
|
+domain_use_interactive_fds(namespace_init_t)
|
|
+domain_obj_id_change_exemption(namespace_init_t)
|
|
+
|
|
+files_polyinstantiate_all(namespace_init_t)
|
|
+
|
|
+auth_use_nsswitch(namespace_init_t)
|
|
+
|
|
+term_use_console(namespace_init_t)
|
|
+
|
|
+userdom_manage_user_home_content(namespace_init_t)
|
|
+userdom_relabelto_user_home_dirs(namespace_init_t)
|
|
+userdom_relabelto_user_home_files(namespace_init_t)
|
|
+userdom_filetrans_home_content(namespace_init_t)
|
|
diff --git a/ncftool.if b/ncftool.if
|
|
index db9578f..4309e3d 100644
|
|
--- a/ncftool.if
|
|
+++ b/ncftool.if
|
|
@@ -38,9 +38,11 @@ interface(`ncftool_domtrans',`
|
|
#
|
|
interface(`ncftool_run',`
|
|
gen_require(`
|
|
+ type ncftool_t;
|
|
attribute_role ncftool_roles;
|
|
')
|
|
|
|
ncftool_domtrans($1)
|
|
roleattribute $2 ncftool_roles;
|
|
')
|
|
+
|
|
diff --git a/ncftool.te b/ncftool.te
|
|
index 71f30ba..d20f048 100644
|
|
--- a/ncftool.te
|
|
+++ b/ncftool.te
|
|
@@ -22,6 +22,7 @@ role ncftool_roles types ncftool_t;
|
|
|
|
allow ncftool_t self:capability net_admin;
|
|
allow ncftool_t self:process signal;
|
|
+
|
|
allow ncftool_t self:fifo_file manage_fifo_file_perms;
|
|
allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
|
|
@@ -41,11 +42,11 @@ domain_read_all_domains_state(ncftool_t)
|
|
|
|
dev_read_sysfs(ncftool_t)
|
|
|
|
-files_read_etc_files(ncftool_t)
|
|
+files_manage_system_conf_files(ncftool_t)
|
|
+files_relabelto_system_conf_files(ncftool_t)
|
|
files_read_etc_runtime_files(ncftool_t)
|
|
-files_read_usr_files(ncftool_t)
|
|
|
|
-miscfiles_read_localization(ncftool_t)
|
|
+term_use_all_inherited_terms(ncftool_t)
|
|
|
|
sysnet_delete_dhcpc_pid(ncftool_t)
|
|
sysnet_run_dhcpc(ncftool_t, ncftool_roles)
|
|
@@ -53,6 +54,8 @@ sysnet_run_ifconfig(ncftool_t, ncftool_roles)
|
|
sysnet_etc_filetrans_config(ncftool_t)
|
|
sysnet_manage_config(ncftool_t)
|
|
sysnet_read_dhcpc_state(ncftool_t)
|
|
+sysnet_relabelfrom_net_conf(ncftool_t)
|
|
+sysnet_relabelto_net_conf(ncftool_t)
|
|
sysnet_read_dhcpc_pid(ncftool_t)
|
|
sysnet_signal_dhcpc(ncftool_t)
|
|
|
|
@@ -73,11 +76,14 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
iptables_initrc_domtrans(ncftool_t)
|
|
+ iptables_systemctl(ncftool_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ modutils_list_module_config(ncftool_t)
|
|
modutils_read_module_config(ncftool_t)
|
|
modutils_run_insmod(ncftool_t, ncftool_roles)
|
|
+
|
|
')
|
|
|
|
optional_policy(`
|
|
diff --git a/nessus.te b/nessus.te
|
|
index fe1068b..98166ee 100644
|
|
--- a/nessus.te
|
|
+++ b/nessus.te
|
|
@@ -58,7 +58,6 @@ kernel_read_kernel_sysctls(nessusd_t)
|
|
|
|
corecmd_exec_bin(nessusd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(nessusd_t)
|
|
corenet_all_recvfrom_netlabel(nessusd_t)
|
|
corenet_tcp_sendrecv_generic_if(nessusd_t)
|
|
corenet_udp_sendrecv_generic_if(nessusd_t)
|
|
@@ -82,7 +81,6 @@ dev_read_urand(nessusd_t)
|
|
domain_use_interactive_fds(nessusd_t)
|
|
|
|
files_list_var_lib(nessusd_t)
|
|
-files_read_etc_files(nessusd_t)
|
|
files_read_etc_runtime_files(nessusd_t)
|
|
|
|
fs_getattr_all_fs(nessusd_t)
|
|
@@ -90,8 +88,6 @@ fs_search_auto_mountpoints(nessusd_t)
|
|
|
|
logging_send_syslog_msg(nessusd_t)
|
|
|
|
-miscfiles_read_localization(nessusd_t)
|
|
-
|
|
sysnet_read_config(nessusd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(nessusd_t)
|
|
diff --git a/networkmanager.fc b/networkmanager.fc
|
|
index 94b9734..485f368 100644
|
|
--- a/networkmanager.fc
|
|
+++ b/networkmanager.fc
|
|
@@ -1,44 +1,44 @@
|
|
-/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/wicd -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
|
|
|
|
/etc/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_etc_t,s0)
|
|
/etc/NetworkManager/NetworkManager\.conf gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
|
|
/etc/NetworkManager/system-connections(/.*)? gen_context(system_u:object_r:NetworkManager_etc_rw_t,s0)
|
|
/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
|
|
|
|
-/etc/dhcp/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
|
|
-/etc/dhcp/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
|
|
-/etc/dhcp/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
|
|
+/etc/dhcp/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
|
|
+/etc/dhcp/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
|
|
+/etc/dhcp/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
|
|
|
|
-/etc/wicd/manager-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
|
|
-/etc/wicd/wireless-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
|
|
-/etc/wicd/wired-settings\.conf -- gen_context(system_u:object_r:NetworkManager_etc_rw_t, s0)
|
|
+/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
|
|
+/etc/wicd/wireless-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
|
|
+/etc/wicd/wired-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
|
|
|
|
-/usr/lib/NetworkManager/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
|
|
-/usr/libexec/nm-dispatcher\.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
|
|
+/usr/lib/systemd/system/NetworkManager.* -- gen_context(system_u:object_r:NetworkManager_unit_file_t,s0)
|
|
|
|
-/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
|
|
-/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
|
+/usr/libexec/nm-dispatcher.action -- gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
|
|
|
|
/usr/bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
|
/usr/bin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
|
|
/usr/bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
|
|
|
/usr/sbin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
|
-/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
|
-/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
|
-/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
|
-/usr/sbin/wpa_cli -- gen_context(system_u:object_r:wpa_cli_exec_t,s0)
|
|
/usr/sbin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
|
+/usr/sbin/NetworkManagerDispatcher -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
|
+/usr/sbin/nm-system-settings -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
|
+/usr/sbin/wicd -- gen_context(system_u:object_r:NetworkManager_exec_t,s0)
|
|
+
|
|
+/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
|
|
+/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
|
|
|
|
-/var/lib/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
|
|
-/var/lib/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
|
|
+/var/log/wicd.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
|
|
|
|
-/var/log/wicd(/.*)? gen_context(system_u:object_r:NetworkManager_log_t,s0)
|
|
/var/log/wpa_supplicant.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)
|
|
|
|
/var/run/NetworkManager\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
|
-/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
|
-/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
|
+/var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
|
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
|
/var/run/nm-dns-dnsmasq\.conf -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
|
-/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
|
+/var/run/nm-xl2tpd.conf.* -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
|
+/var/run/wicd\.pid -- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
|
+/var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
|
/var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
|
|
diff --git a/networkmanager.if b/networkmanager.if
|
|
index 86dc29d..5b73942 100644
|
|
--- a/networkmanager.if
|
|
+++ b/networkmanager.if
|
|
@@ -2,7 +2,7 @@
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write networkmanager udp sockets.
|
|
+## Read and write NetworkManager UDP sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -10,6 +10,7 @@
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
+# cjp: added for named.
|
|
interface(`networkmanager_rw_udp_sockets',`
|
|
gen_require(`
|
|
type NetworkManager_t;
|
|
@@ -20,7 +21,7 @@ interface(`networkmanager_rw_udp_sockets',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write networkmanager packet sockets.
|
|
+## Read and write NetworkManager packet sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -28,6 +29,7 @@ interface(`networkmanager_rw_udp_sockets',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
+# cjp: added for named.
|
|
interface(`networkmanager_rw_packet_sockets',`
|
|
gen_require(`
|
|
type NetworkManager_t;
|
|
@@ -38,12 +40,12 @@ interface(`networkmanager_rw_packet_sockets',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Relabel networkmanager tun socket.
|
|
+## Allow caller to relabel tun_socket
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`networkmanager_attach_tun_iface',`
|
|
@@ -57,7 +59,7 @@ interface(`networkmanager_attach_tun_iface',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write networkmanager netlink
|
|
+## Read and write NetworkManager netlink
|
|
## routing sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -66,6 +68,7 @@ interface(`networkmanager_attach_tun_iface',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
+# cjp: added for named.
|
|
interface(`networkmanager_rw_routing_sockets',`
|
|
gen_require(`
|
|
type NetworkManager_t;
|
|
@@ -76,7 +79,7 @@ interface(`networkmanager_rw_routing_sockets',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute networkmanager with a domain transition.
|
|
+## Execute NetworkManager with a domain transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -95,8 +98,7 @@ interface(`networkmanager_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute networkmanager scripts with
|
|
-## an automatic domain transition to initrc.
|
|
+## Execute NetworkManager scripts with an automatic domain transition to NetworkManagerrc.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -104,18 +106,59 @@ interface(`networkmanager_domtrans',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
+interface(`networkmanager_NetworkManagerrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type NetworkManager_NetworkManagerrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ NetworkManager_labeled_script_domtrans($1, NetworkManager_NetworkManagerrc_exec_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute NetworkManager scripts with an automatic domain transition to initrc.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
interface(`networkmanager_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type NetworkManager_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute NetworkManager server in the NetworkManager domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`networkmanager_systemctl',`
|
|
gen_require(`
|
|
- type NetworkManager_initrc_exec_t;
|
|
+ type NetworkManager_unit_file_t;
|
|
+ type NetworkManager_t;
|
|
')
|
|
|
|
- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 NetworkManager_unit_file_t:file read_file_perms;
|
|
+ allow $1 NetworkManager_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, NetworkManager_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send and receive messages from
|
|
-## networkmanager over dbus.
|
|
+## NetworkManager over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -155,7 +198,29 @@ interface(`networkmanager_read_state',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send generic signals to networkmanager.
|
|
+## Do not audit attempts to send and
|
|
+## receive messages from NetworkManager
|
|
+## over dbus.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`networkmanager_dontaudit_dbus_chat',`
|
|
+ gen_require(`
|
|
+ type NetworkManager_t;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 NetworkManager_t:dbus send_msg;
|
|
+ dontaudit NetworkManager_t $1:dbus send_msg;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send a generic signal to NetworkManager
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -211,9 +276,28 @@ interface(`networkmanager_read_lib_files',`
|
|
read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
|
|
')
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Read NetworkManager conf files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`networkmanager_read_conf',`
|
|
+ gen_require(`
|
|
+ type NetworkManager_etc_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 NetworkManager_etc_t:dir list_dir_perms;
|
|
+ read_files_pattern($1,NetworkManager_etc_t,NetworkManager_etc_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
-## Append networkmanager log files.
|
|
+## Read NetworkManager PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -221,19 +305,18 @@ interface(`networkmanager_read_lib_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`networkmanager_append_log_files',`
|
|
+interface(`networkmanager_read_pid_files',`
|
|
gen_require(`
|
|
- type NetworkManager_log_t;
|
|
+ type NetworkManager_var_run_t;
|
|
')
|
|
|
|
- logging_search_logs($1)
|
|
- allow $1 NetworkManager_log_t:dir list_dir_perms;
|
|
- append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
|
|
+ files_search_pids($1)
|
|
+ read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read networkmanager pid files.
|
|
+## Read NetworkManager PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -241,13 +324,13 @@ interface(`networkmanager_append_log_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`networkmanager_read_pid_files',`
|
|
+interface(`networkmanager_manage_pid_files',`
|
|
gen_require(`
|
|
type NetworkManager_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
- allow $1 NetworkManager_var_run_t:file read_file_perms;
|
|
+ manage_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
|
')
|
|
|
|
####################################
|
|
@@ -272,12 +355,12 @@ interface(`networkmanager_stream_connect',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an networkmanager environment.
|
|
+## Execute NetworkManager in the NetworkManager domain, and
|
|
+## allow the specified role the NetworkManager domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
@@ -287,33 +370,113 @@ interface(`networkmanager_stream_connect',`
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
-interface(`networkmanager_admin',`
|
|
+interface(`networkmanager_run',`
|
|
gen_require(`
|
|
- type NetworkManager_t, NetworkManager_initrc_exec_t, NetworkManager_etc_t;
|
|
- type NetworkManager_etc_rw_t, NetworkManager_log_t, NetworkManager_tmp_t;
|
|
- type NetworkManager_var_lib_t, NetworkManager_var_run_t, wpa_cli_t;
|
|
+ type NetworkManager_t, NetworkManager_exec_t;
|
|
')
|
|
|
|
- allow $1 { wpa_cli_t NetworkManager_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { wpa_cli_t NetworkManager_t })
|
|
-
|
|
- init_labeled_script_domtrans($1, NetworkManager_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 NetworkManager_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
+ networkmanager_domtrans($1)
|
|
+ role $2 types NetworkManager_t;
|
|
+')
|
|
|
|
- logging_search_etc($1)
|
|
- admin_pattern($1, { NetworkManager_etc_t NetworkManager_etc_rw_t })
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow the specified domain to append
|
|
+## to Network Manager log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`networkmanager_append_log',`
|
|
+ gen_require(`
|
|
+ type NetworkManager_log_t;
|
|
+ ')
|
|
|
|
logging_search_logs($1)
|
|
- admin_pattern($1, NetworkManager_log_t)
|
|
+ allow $1 NetworkManager_log_t:dir list_dir_perms;
|
|
+ append_files_pattern($1, NetworkManager_log_t, NetworkManager_log_t)
|
|
+')
|
|
|
|
- files_search_var_lib($1)
|
|
- admin_pattern($1, NetworkManager_var_lib_t)
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow the specified domain to manage
|
|
+## to Network Manager lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`networkmanager_manage_lib',`
|
|
+ gen_require(`
|
|
+ type NetworkManager_var_lib_t;
|
|
+ ')
|
|
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, NetworkManager_var_run_t)
|
|
+ manage_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Read the process state (/proc/pid) of NetworkManager.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`NetworkManager_read_state',`
|
|
+ gen_require(`
|
|
+ type NetworkManager_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 NetworkManager_t:dir search_dir_perms;
|
|
+ allow $1 NetworkManager_t:file read_file_perms;
|
|
+ allow $1 NetworkManager_t:lnk_file read_lnk_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to networkmanager named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`networkmanager_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type NetworkManager_var_run_t;
|
|
+ type NetworkManager_var_lib_t;
|
|
+ ')
|
|
|
|
- files_search_tmp($1)
|
|
- admin_pattern($1, NetworkManager_tmp_t)
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth0.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth1.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth2.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth3.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth4.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth5.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth6.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth7.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth8.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient.-eth9.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em0.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em1.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em2.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em3.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em4.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em5.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em6.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em7.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "nm-dhclient-em8.conf")
|
|
+ files_pid_filetrans($1, NetworkManager_var_run_t, file, "wicd.pid")
|
|
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "manager-settings.conf")
|
|
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wireless-settings.conf")
|
|
+ files_etc_filetrans($1, NetworkManager_var_lib_t, file, "wired-settings.conf")
|
|
+ logging_log_filetrans($1, NetworkManager_var_lib_t, file, "wpa_supplicant.log")
|
|
')
|
|
diff --git a/networkmanager.te b/networkmanager.te
|
|
index 55f2009..7c661ce 100644
|
|
--- a/networkmanager.te
|
|
+++ b/networkmanager.te
|
|
@@ -9,15 +9,18 @@ type NetworkManager_t;
|
|
type NetworkManager_exec_t;
|
|
init_daemon_domain(NetworkManager_t, NetworkManager_exec_t)
|
|
|
|
+type NetworkManager_initrc_exec_t;
|
|
+init_script_file(NetworkManager_initrc_exec_t)
|
|
+
|
|
+type NetworkManager_unit_file_t;
|
|
+systemd_unit_file(NetworkManager_unit_file_t)
|
|
+
|
|
type NetworkManager_etc_t;
|
|
files_config_file(NetworkManager_etc_t)
|
|
|
|
type NetworkManager_etc_rw_t;
|
|
files_config_file(NetworkManager_etc_rw_t)
|
|
|
|
-type NetworkManager_initrc_exec_t;
|
|
-init_script_file(NetworkManager_initrc_exec_t)
|
|
-
|
|
type NetworkManager_log_t;
|
|
logging_log_file(NetworkManager_log_t)
|
|
|
|
@@ -39,25 +42,47 @@ init_system_domain(wpa_cli_t, wpa_cli_exec_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_nice dac_override net_admin net_raw ipc_lock };
|
|
-dontaudit NetworkManager_t self:capability { sys_tty_config sys_module sys_ptrace };
|
|
-allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
|
|
+# networkmanager will ptrace itself if gdb is installed
|
|
+# and it receives a unexpected signal (rh bug #204161)
|
|
+allow NetworkManager_t self:capability { fowner chown fsetid kill setgid setuid sys_admin sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
|
|
+dontaudit NetworkManager_t self:capability sys_tty_config;
|
|
+
|
|
+ifdef(`hide_broken_symptoms',`
|
|
+ # caused by some bogus kernel code
|
|
+ dontaudit NetworkManager_t self:capability sys_module;
|
|
+')
|
|
+
|
|
+allow NetworkManager_t self:process { getcap setcap setpgid getsched setsched signal_perms };
|
|
+
|
|
+tunable_policy(`deny_ptrace',`',`
|
|
+ allow NetworkManager_t self:capability sys_ptrace;
|
|
+ allow NetworkManager_t self:process ptrace;
|
|
+')
|
|
+
|
|
allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
|
|
-allow NetworkManager_t self:unix_dgram_socket sendto;
|
|
-allow NetworkManager_t self:unix_stream_socket { accept listen };
|
|
+allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
|
|
+allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow NetworkManager_t self:netlink_route_socket create_netlink_socket_perms;
|
|
+allow NetworkManager_t self:netlink_xfrm_socket create_netlink_socket_perms;
|
|
allow NetworkManager_t self:netlink_socket create_socket_perms;
|
|
allow NetworkManager_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
-allow NetworkManager_t self:tcp_socket { accept listen };
|
|
+allow NetworkManager_t self:tcp_socket create_stream_socket_perms;
|
|
allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
|
|
+allow NetworkManager_t self:udp_socket create_socket_perms;
|
|
allow NetworkManager_t self:packet_socket create_socket_perms;
|
|
+allow NetworkManager_t self:rawip_socket create_socket_perms;
|
|
|
|
allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
|
|
|
|
-allow NetworkManager_t NetworkManager_etc_t:dir list_dir_perms;
|
|
-allow NetworkManager_t NetworkManager_etc_t:file read_file_perms;
|
|
-allow NetworkManager_t NetworkManager_etc_t:lnk_file read_lnk_file_perms;
|
|
+can_exec(NetworkManager_t, NetworkManager_exec_t)
|
|
+#wicd
|
|
+can_exec(NetworkManager_t, wpa_cli_exec_t)
|
|
+
|
|
+list_dirs_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
|
|
+read_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
|
|
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_t)
|
|
|
|
+read_lnk_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
|
|
manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
|
|
manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
|
|
filetrans_pattern(NetworkManager_t, NetworkManager_etc_t, NetworkManager_etc_rw_t, { dir file })
|
|
@@ -68,6 +93,7 @@ create_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_
|
|
setattr_files_pattern(NetworkManager_t, NetworkManager_log_t, NetworkManager_log_t)
|
|
logging_log_filetrans(NetworkManager_t, NetworkManager_log_t, file)
|
|
|
|
+can_exec(NetworkManager_t, NetworkManager_tmp_t)
|
|
manage_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
|
|
manage_sock_files_pattern(NetworkManager_t, NetworkManager_tmp_t, NetworkManager_tmp_t)
|
|
files_tmp_filetrans(NetworkManager_t, NetworkManager_tmp_t, { sock_file file })
|
|
@@ -81,17 +107,14 @@ manage_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_
|
|
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
|
|
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
|
|
|
|
-can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
|
|
-
|
|
-kernel_read_crypto_sysctls(NetworkManager_t)
|
|
kernel_read_system_state(NetworkManager_t)
|
|
kernel_read_network_state(NetworkManager_t)
|
|
kernel_read_kernel_sysctls(NetworkManager_t)
|
|
kernel_request_load_module(NetworkManager_t)
|
|
kernel_read_debugfs(NetworkManager_t)
|
|
kernel_rw_net_sysctls(NetworkManager_t)
|
|
+kernel_setsched(NetworkManager_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(NetworkManager_t)
|
|
corenet_all_recvfrom_netlabel(NetworkManager_t)
|
|
corenet_tcp_sendrecv_generic_if(NetworkManager_t)
|
|
corenet_udp_sendrecv_generic_if(NetworkManager_t)
|
|
@@ -102,22 +125,15 @@ corenet_raw_sendrecv_generic_node(NetworkManager_t)
|
|
corenet_tcp_sendrecv_all_ports(NetworkManager_t)
|
|
corenet_udp_sendrecv_all_ports(NetworkManager_t)
|
|
corenet_udp_bind_generic_node(NetworkManager_t)
|
|
-
|
|
-corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
|
|
corenet_udp_bind_isakmp_port(NetworkManager_t)
|
|
-
|
|
-corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
|
|
corenet_udp_bind_dhcpc_port(NetworkManager_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(NetworkManager_t)
|
|
corenet_tcp_connect_all_ports(NetworkManager_t)
|
|
-
|
|
+corenet_sendrecv_isakmp_server_packets(NetworkManager_t)
|
|
+corenet_sendrecv_dhcpc_server_packets(NetworkManager_t)
|
|
+corenet_sendrecv_all_client_packets(NetworkManager_t)
|
|
corenet_rw_tun_tap_dev(NetworkManager_t)
|
|
corenet_getattr_ppp_dev(NetworkManager_t)
|
|
|
|
-corecmd_exec_shell(NetworkManager_t)
|
|
-corecmd_exec_bin(NetworkManager_t)
|
|
-
|
|
dev_rw_sysfs(NetworkManager_t)
|
|
dev_read_rand(NetworkManager_t)
|
|
dev_read_urand(NetworkManager_t)
|
|
@@ -125,13 +141,6 @@ dev_dontaudit_getattr_generic_blk_files(NetworkManager_t)
|
|
dev_getattr_all_chr_files(NetworkManager_t)
|
|
dev_rw_wireless(NetworkManager_t)
|
|
|
|
-domain_use_interactive_fds(NetworkManager_t)
|
|
-domain_read_all_domains_state(NetworkManager_t)
|
|
-
|
|
-files_read_etc_runtime_files(NetworkManager_t)
|
|
-files_read_usr_files(NetworkManager_t)
|
|
-files_read_usr_src_files(NetworkManager_t)
|
|
-
|
|
fs_getattr_all_fs(NetworkManager_t)
|
|
fs_search_auto_mountpoints(NetworkManager_t)
|
|
fs_list_inotifyfs(NetworkManager_t)
|
|
@@ -140,6 +149,17 @@ mls_file_read_all_levels(NetworkManager_t)
|
|
|
|
selinux_dontaudit_search_fs(NetworkManager_t)
|
|
|
|
+corecmd_exec_shell(NetworkManager_t)
|
|
+corecmd_exec_bin(NetworkManager_t)
|
|
+
|
|
+domain_use_interactive_fds(NetworkManager_t)
|
|
+domain_read_all_domains_state(NetworkManager_t)
|
|
+
|
|
+files_read_etc_runtime_files(NetworkManager_t)
|
|
+files_read_system_conf_files(NetworkManager_t)
|
|
+files_read_usr_src_files(NetworkManager_t)
|
|
+files_read_isid_type_files(NetworkManager_t)
|
|
+
|
|
storage_getattr_fixed_disk_dev(NetworkManager_t)
|
|
|
|
init_read_utmp(NetworkManager_t)
|
|
@@ -148,10 +168,11 @@ init_domtrans_script(NetworkManager_t)
|
|
|
|
auth_use_nsswitch(NetworkManager_t)
|
|
|
|
+libs_exec_ldconfig(NetworkManager_t)
|
|
+
|
|
logging_send_syslog_msg(NetworkManager_t)
|
|
|
|
miscfiles_read_generic_certs(NetworkManager_t)
|
|
-miscfiles_read_localization(NetworkManager_t)
|
|
|
|
seutil_read_config(NetworkManager_t)
|
|
|
|
@@ -166,21 +187,32 @@ sysnet_kill_dhcpc(NetworkManager_t)
|
|
sysnet_read_dhcpc_state(NetworkManager_t)
|
|
sysnet_delete_dhcpc_state(NetworkManager_t)
|
|
sysnet_search_dhcp_state(NetworkManager_t)
|
|
+# in /etc created by NetworkManager will be labelled net_conf_t.
|
|
sysnet_manage_config(NetworkManager_t)
|
|
sysnet_etc_filetrans_config(NetworkManager_t)
|
|
|
|
-# certificates in user home directories (cert_home_t in ~/\.pki)
|
|
-userdom_read_user_home_content_files(NetworkManager_t)
|
|
-
|
|
-userdom_write_user_tmp_sockets(NetworkManager_t)
|
|
+userdom_stream_connect(NetworkManager_t)
|
|
userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
|
|
userdom_dontaudit_use_user_ttys(NetworkManager_t)
|
|
+# Read gnome-keyring
|
|
+userdom_read_home_certs(NetworkManager_t)
|
|
+userdom_read_user_home_content_files(NetworkManager_t)
|
|
+userdom_dgram_send(NetworkManager_t)
|
|
+
|
|
+tunable_policy(`use_nfs_home_dirs',`
|
|
+ fs_read_nfs_files(NetworkManager_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`use_samba_home_dirs',`
|
|
+ fs_read_cifs_files(NetworkManager_t)
|
|
+')
|
|
|
|
optional_policy(`
|
|
avahi_domtrans(NetworkManager_t)
|
|
avahi_kill(NetworkManager_t)
|
|
avahi_signal(NetworkManager_t)
|
|
avahi_signull(NetworkManager_t)
|
|
+ avahi_dbus_chat(NetworkManager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -196,10 +228,6 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- consolekit_read_pid_files(NetworkManager_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
consoletype_exec(NetworkManager_t)
|
|
')
|
|
|
|
@@ -210,16 +238,11 @@ optional_policy(`
|
|
optional_policy(`
|
|
dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
|
|
|
|
- optional_policy(`
|
|
- avahi_dbus_chat(NetworkManager_t)
|
|
- ')
|
|
+ init_dbus_chat(NetworkManager_t)
|
|
|
|
optional_policy(`
|
|
consolekit_dbus_chat(NetworkManager_t)
|
|
- ')
|
|
-
|
|
- optional_policy(`
|
|
- policykit_dbus_chat(NetworkManager_t)
|
|
+ consolekit_read_pid_files(NetworkManager_t)
|
|
')
|
|
')
|
|
|
|
@@ -231,18 +254,19 @@ optional_policy(`
|
|
dnsmasq_kill(NetworkManager_t)
|
|
dnsmasq_signal(NetworkManager_t)
|
|
dnsmasq_signull(NetworkManager_t)
|
|
+ dnsmasq_systemctl(NetworkManager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- gnome_stream_connect_all_gkeyringd(NetworkManager_t)
|
|
+ hal_write_log(NetworkManager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- hal_write_log(NetworkManager_t)
|
|
+ howl_signal(NetworkManager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- howl_signal(NetworkManager_t)
|
|
+ gnome_dontaudit_search_config(NetworkManager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -250,6 +274,10 @@ optional_policy(`
|
|
ipsec_kill_mgmt(NetworkManager_t)
|
|
ipsec_signal_mgmt(NetworkManager_t)
|
|
ipsec_signull_mgmt(NetworkManager_t)
|
|
+ ipsec_domtrans(NetworkManager_t)
|
|
+ ipsec_kill(NetworkManager_t)
|
|
+ ipsec_signal(NetworkManager_t)
|
|
+ ipsec_signull(NetworkManager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -257,11 +285,10 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- libs_exec_ldconfig(NetworkManager_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- modutils_domtrans_insmod(NetworkManager_t)
|
|
+ l2tpd_domtrans(NetworkManager_t)
|
|
+ l2tpd_sigkill(NetworkManager_t)
|
|
+ l2tpd_signal(NetworkManager_t)
|
|
+ l2tpd_signull(NetworkManager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -274,10 +301,17 @@ optional_policy(`
|
|
nscd_signull(NetworkManager_t)
|
|
nscd_kill(NetworkManager_t)
|
|
nscd_initrc_domtrans(NetworkManager_t)
|
|
+ nscd_systemctl(NetworkManager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ # Dispatcher starting and stoping ntp
|
|
ntp_initrc_domtrans(NetworkManager_t)
|
|
+ ntp_systemctl(NetworkManager_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ modutils_domtrans_insmod(NetworkManager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -289,6 +323,7 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ policykit_dbus_chat(NetworkManager_t)
|
|
policykit_domtrans_auth(NetworkManager_t)
|
|
policykit_read_lib(NetworkManager_t)
|
|
policykit_read_reload(NetworkManager_t)
|
|
@@ -296,7 +331,7 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- polipo_initrc_domtrans(NetworkManager_t)
|
|
+ polipo_systemctl(NetworkManager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -307,6 +342,7 @@ optional_policy(`
|
|
ppp_signal(NetworkManager_t)
|
|
ppp_signull(NetworkManager_t)
|
|
ppp_read_config(NetworkManager_t)
|
|
+ ppp_systemctl(NetworkManager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -320,14 +356,20 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- udev_exec(NetworkManager_t)
|
|
- udev_read_db(NetworkManager_t)
|
|
- udev_read_pid_files(NetworkManager_t)
|
|
+ systemd_write_inhibit_pipes(NetworkManager_t)
|
|
+ systemd_read_logind_sessions_files(NetworkManager_t)
|
|
+ systemd_dbus_chat_logind(NetworkManager_t)
|
|
+ systemd_hostnamed_read_config(NetworkManager_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ssh_exec(NetworkManager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- # unconfined_dgram_send(NetworkManager_t)
|
|
- unconfined_stream_connect(NetworkManager_t)
|
|
+ udev_exec(NetworkManager_t)
|
|
+ udev_read_db(NetworkManager_t)
|
|
+ udev_read_pid_files(NetworkManager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -357,6 +399,4 @@ rw_sock_files_pattern(wpa_cli_t, NetworkManager_var_run_t, NetworkManager_var_ru
|
|
init_dontaudit_use_fds(wpa_cli_t)
|
|
init_use_script_ptys(wpa_cli_t)
|
|
|
|
-miscfiles_read_localization(wpa_cli_t)
|
|
-
|
|
term_dontaudit_use_console(wpa_cli_t)
|
|
diff --git a/nis.fc b/nis.fc
|
|
index 8aa1bfa..cd0e015 100644
|
|
--- a/nis.fc
|
|
+++ b/nis.fc
|
|
@@ -2,21 +2,26 @@
|
|
/etc/rc\.d/init\.d/yppasswd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
|
|
/etc/rc\.d/init\.d/ypserv -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
|
|
/etc/rc\.d/init\.d/ypxfrd -- gen_context(system_u:object_r:nis_initrc_exec_t,s0)
|
|
-
|
|
/etc/ypserv\.conf -- gen_context(system_u:object_r:ypserv_conf_t,s0)
|
|
|
|
-/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
|
|
+/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
|
|
|
|
/usr/lib/yp/ypxfr -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
|
|
|
|
-/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
|
|
+/usr/sbin/rpc\.yppasswdd -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
|
|
+/usr/sbin/rpc\.yppasswdd\.env -- gen_context(system_u:object_r:yppasswdd_exec_t,s0)
|
|
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
|
|
/usr/sbin/ypbind -- gen_context(system_u:object_r:ypbind_exec_t,s0)
|
|
/usr/sbin/ypserv -- gen_context(system_u:object_r:ypserv_exec_t,s0)
|
|
|
|
-/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
|
|
+/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
|
|
|
|
/var/run/ypxfrd.* -- gen_context(system_u:object_r:ypxfr_var_run_t,s0)
|
|
/var/run/ypbind.* -- gen_context(system_u:object_r:ypbind_var_run_t,s0)
|
|
/var/run/ypserv.* -- gen_context(system_u:object_r:ypserv_var_run_t,s0)
|
|
/var/run/yppass.* -- gen_context(system_u:object_r:yppasswdd_var_run_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/ypbind.* -- gen_context(system_u:object_r:ypbind_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/ypserv.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/yppasswdd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/ypxfrd.* -- gen_context(system_u:object_r:nis_unit_file_t,s0)
|
|
diff --git a/nis.if b/nis.if
|
|
index 46e55c3..6e4e061 100644
|
|
--- a/nis.if
|
|
+++ b/nis.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>Policy for NIS (YP) servers and clients.</summary>
|
|
+## <summary>Policy for NIS (YP) servers and clients</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -27,18 +27,15 @@ interface(`nis_use_ypbind_uncond',`
|
|
gen_require(`
|
|
type var_yp_t;
|
|
')
|
|
-
|
|
- allow $1 self:capability net_bind_service;
|
|
+ dontaudit $1 self:capability net_bind_service;
|
|
|
|
allow $1 self:tcp_socket create_stream_socket_perms;
|
|
allow $1 self:udp_socket create_socket_perms;
|
|
|
|
allow $1 var_yp_t:dir list_dir_perms;
|
|
- allow $1 var_yp_t:file read_file_perms;
|
|
allow $1 var_yp_t:lnk_file read_lnk_file_perms;
|
|
+ allow $1 var_yp_t:file read_file_perms;
|
|
|
|
- corenet_all_recvfrom_unlabeled($1)
|
|
- corenet_all_recvfrom_netlabel($1)
|
|
corenet_tcp_sendrecv_generic_if($1)
|
|
corenet_udp_sendrecv_generic_if($1)
|
|
corenet_tcp_sendrecv_generic_node($1)
|
|
@@ -49,14 +46,11 @@ interface(`nis_use_ypbind_uncond',`
|
|
corenet_udp_bind_generic_node($1)
|
|
corenet_tcp_bind_generic_port($1)
|
|
corenet_udp_bind_generic_port($1)
|
|
- corenet_dontaudit_tcp_bind_all_reserved_ports($1)
|
|
- corenet_dontaudit_udp_bind_all_reserved_ports($1)
|
|
corenet_dontaudit_tcp_bind_all_ports($1)
|
|
corenet_dontaudit_udp_bind_all_ports($1)
|
|
corenet_tcp_connect_portmap_port($1)
|
|
- corenet_tcp_connect_reserved_port($1)
|
|
+ corenet_tcp_connect_all_reserved_ports($1)
|
|
corenet_tcp_connect_generic_port($1)
|
|
- corenet_dontaudit_tcp_connect_all_ports($1)
|
|
corenet_sendrecv_portmap_client_packets($1)
|
|
corenet_sendrecv_generic_client_packets($1)
|
|
corenet_sendrecv_generic_server_packets($1)
|
|
@@ -88,14 +82,14 @@ interface(`nis_use_ypbind_uncond',`
|
|
## <rolecap/>
|
|
#
|
|
interface(`nis_use_ypbind',`
|
|
- tunable_policy(`allow_ypbind',`
|
|
+ tunable_policy(`nis_enabled',`
|
|
nis_use_ypbind_uncond($1)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Use nis to authenticate passwords.
|
|
+## Use the nis to authenticate passwords
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -105,7 +99,7 @@ interface(`nis_use_ypbind',`
|
|
## <rolecap/>
|
|
#
|
|
interface(`nis_authenticate',`
|
|
- tunable_policy(`allow_ypbind',`
|
|
+ tunable_policy(`nis_enabled',`
|
|
nis_use_ypbind_uncond($1)
|
|
corenet_tcp_bind_all_rpc_ports($1)
|
|
corenet_udp_bind_all_rpc_ports($1)
|
|
@@ -133,20 +127,19 @@ interface(`nis_domtrans_ypbind',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Execute ypbind in the caller domain.
|
|
+## Execute ypbind in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`nis_exec_ypbind',`
|
|
- gen_require(`
|
|
- type ypbind_exec_t;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type ypbind_t, ypbind_exec_t;
|
|
+ ')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, ypbind_exec_t)
|
|
')
|
|
|
|
@@ -169,11 +162,11 @@ interface(`nis_exec_ypbind',`
|
|
#
|
|
interface(`nis_run_ypbind',`
|
|
gen_require(`
|
|
- attribute_role ypbind_roles;
|
|
+ type ypbind_t;
|
|
')
|
|
|
|
nis_domtrans_ypbind($1)
|
|
- roleattribute $2 ypbind_roles;
|
|
+ role $2 types ypbind_t;
|
|
')
|
|
|
|
########################################
|
|
@@ -196,7 +189,7 @@ interface(`nis_signal_ypbind',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## List nis data directories.
|
|
+## List the contents of the NIS data directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -272,10 +265,11 @@ interface(`nis_read_ypbind_pid',`
|
|
#
|
|
interface(`nis_delete_ypbind_pid',`
|
|
gen_require(`
|
|
- type ypbind_var_run_t;
|
|
+ type ypbind_t;
|
|
')
|
|
|
|
- allow $1 ypbind_var_run_t:file delete_file_perms;
|
|
+ # TODO: add delete pid from dir call to files
|
|
+ allow $1 ypbind_t:file unlink;
|
|
')
|
|
|
|
########################################
|
|
@@ -355,8 +349,57 @@ interface(`nis_initrc_domtrans_ypbind',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an nis environment.
|
|
+## Execute ypbind server in the ypbind domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nis_systemctl_ypbind',`
|
|
+ gen_require(`
|
|
+ type ypbind_unit_file_t;
|
|
+ type ypbind_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 ypbind_unit_file_t:file read_file_perms;
|
|
+ allow $1 ypbind_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, ypbind_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute ypbind server in the ypbind domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nis_systemctl',`
|
|
+ gen_require(`
|
|
+ type nis_unit_file_t, ypbind_unit_file_t;
|
|
+ type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 nis_unit_file_t:file read_file_perms;
|
|
+ allow $1 nis_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, ypbind_t)
|
|
+ ps_process_pattern($1, yppasswdd_t)
|
|
+ ps_process_pattern($1, ypserv_t)
|
|
+ ps_process_pattern($1, ypxfr_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an nis environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -372,32 +415,56 @@ interface(`nis_initrc_domtrans_ypbind',`
|
|
#
|
|
interface(`nis_admin',`
|
|
gen_require(`
|
|
- type ypbind_t, yppasswdd_t, ypserv_t, ypxfr_t;
|
|
- type ypbind_tmp_t, ypserv_tmp_t, ypserv_conf_t;
|
|
+ type ypbind_t, yppasswdd_t, ypserv_t;
|
|
+ type ypserv_conf_t;
|
|
type ypbind_var_run_t, yppasswdd_var_run_t, ypserv_var_run_t;
|
|
- type ypbind_initrc_exec_t, nis_initrc_exec_t, var_yp_t;
|
|
+ type ypserv_tmp_t;
|
|
+ type ypbind_initrc_exec_t, nis_initrc_exec_t, ypxfr_t;
|
|
+ type nis_unit_file_t;
|
|
+ type ypbind_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 ypbind_t:process signal_perms;
|
|
+ ps_process_pattern($1, ypbind_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ypbind_t:process ptrace;
|
|
+ allow $1 yppasswdd_t:process ptrace;
|
|
+ allow $1 ypserv_t:process ptrace;
|
|
+ allow $1 ypxfr_t:process ptrace;
|
|
')
|
|
|
|
- allow $1 { ypbind_t yppasswdd_t ypserv_t ypxfr_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { ypbind_t yppasswdd_t ypserv_t ypxfr_t })
|
|
+ allow $1 yppasswdd_t:process signal_perms;
|
|
+ ps_process_pattern($1, yppasswdd_t)
|
|
+
|
|
+ allow $1 ypserv_t:process signal_perms;
|
|
+ ps_process_pattern($1, ypserv_t)
|
|
+
|
|
+ allow $1 ypxfr_t:process signal_perms;
|
|
+ ps_process_pattern($1, ypxfr_t)
|
|
|
|
nis_initrc_domtrans($1)
|
|
nis_initrc_domtrans_ypbind($1)
|
|
domain_system_change_exemption($1)
|
|
- role_transition $2 { nis_initrc_exec_t ypbind_initrc_exec_t } system_r;
|
|
+ role_transition $2 nis_initrc_exec_t system_r;
|
|
+ role_transition $2 ypbind_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_list_tmp($1)
|
|
- admin_pattern($1, { ypserv_tmp_t ypbind_tmp_t })
|
|
-
|
|
files_list_pids($1)
|
|
- admin_pattern($1, { ypserv_var_run_t ypbind_var_run_t yppasswdd_var_run_t })
|
|
+ admin_pattern($1, ypbind_var_run_t)
|
|
+ nis_systemctl_ypbind($1)
|
|
+ admin_pattern($1, ypbind_unit_file_t)
|
|
+ allow $1 ypbind_unit_file_t:service all_service_perms;
|
|
+
|
|
+ admin_pattern($1, yppasswdd_var_run_t)
|
|
|
|
files_list_etc($1)
|
|
admin_pattern($1, ypserv_conf_t)
|
|
|
|
- files_search_var($1)
|
|
- admin_pattern($1, var_yp_t)
|
|
+ admin_pattern($1, ypserv_var_run_t)
|
|
+
|
|
+ admin_pattern($1, ypserv_tmp_t)
|
|
|
|
- nis_run_ypbind($1, $2)
|
|
+ nis_systemctl($1)
|
|
+ admin_pattern($1, nis_unit_file_t)
|
|
+ allow $1 nis_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/nis.te b/nis.te
|
|
index 3a6b035..1a181ad 100644
|
|
--- a/nis.te
|
|
+++ b/nis.te
|
|
@@ -5,8 +5,6 @@ policy_module(nis, 1.12.0)
|
|
# Declarations
|
|
#
|
|
|
|
-attribute_role ypbind_roles;
|
|
-
|
|
type nis_initrc_exec_t;
|
|
init_script_file(nis_initrc_exec_t)
|
|
|
|
@@ -16,16 +14,18 @@ files_type(var_yp_t)
|
|
type ypbind_t;
|
|
type ypbind_exec_t;
|
|
init_daemon_domain(ypbind_t, ypbind_exec_t)
|
|
-role ypbind_roles types ypbind_t;
|
|
|
|
type ypbind_initrc_exec_t;
|
|
init_script_file(ypbind_initrc_exec_t)
|
|
|
|
+type ypbind_var_run_t;
|
|
+files_pid_file(ypbind_var_run_t)
|
|
+
|
|
type ypbind_tmp_t;
|
|
files_tmp_file(ypbind_tmp_t)
|
|
|
|
-type ypbind_var_run_t;
|
|
-files_pid_file(ypbind_var_run_t)
|
|
+type ypbind_unit_file_t;
|
|
+systemd_unit_file(ypbind_unit_file_t)
|
|
|
|
type yppasswdd_t;
|
|
type yppasswdd_exec_t;
|
|
@@ -40,7 +40,7 @@ type ypserv_exec_t;
|
|
init_daemon_domain(ypserv_t, ypserv_exec_t)
|
|
|
|
type ypserv_conf_t;
|
|
-files_type(ypserv_conf_t)
|
|
+files_config_file(ypserv_conf_t)
|
|
|
|
type ypserv_tmp_t;
|
|
files_tmp_file(ypserv_tmp_t)
|
|
@@ -55,6 +55,9 @@ init_daemon_domain(ypxfr_t, ypxfr_exec_t)
|
|
type ypxfr_var_run_t;
|
|
files_pid_file(ypxfr_var_run_t)
|
|
|
|
+type nis_unit_file_t;
|
|
+systemd_unit_file(nis_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# ypbind local policy
|
|
@@ -62,6 +65,7 @@ files_pid_file(ypxfr_var_run_t)
|
|
dontaudit ypbind_t self:capability { net_admin sys_tty_config };
|
|
allow ypbind_t self:fifo_file rw_fifo_file_perms;
|
|
allow ypbind_t self:process signal_perms;
|
|
+allow ypbind_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
|
|
allow ypbind_t self:netlink_route_socket r_netlink_socket_perms;
|
|
allow ypbind_t self:tcp_socket create_stream_socket_perms;
|
|
allow ypbind_t self:udp_socket create_socket_perms;
|
|
@@ -78,7 +82,6 @@ manage_files_pattern(ypbind_t, var_yp_t, var_yp_t)
|
|
kernel_read_system_state(ypbind_t)
|
|
kernel_read_kernel_sysctls(ypbind_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(ypbind_t)
|
|
corenet_all_recvfrom_netlabel(ypbind_t)
|
|
corenet_tcp_sendrecv_generic_if(ypbind_t)
|
|
corenet_udp_sendrecv_generic_if(ypbind_t)
|
|
@@ -88,7 +91,6 @@ corenet_tcp_sendrecv_all_ports(ypbind_t)
|
|
corenet_udp_sendrecv_all_ports(ypbind_t)
|
|
corenet_tcp_bind_generic_node(ypbind_t)
|
|
corenet_udp_bind_generic_node(ypbind_t)
|
|
-
|
|
corenet_tcp_bind_generic_port(ypbind_t)
|
|
corenet_udp_bind_generic_port(ypbind_t)
|
|
corenet_tcp_bind_reserved_port(ypbind_t)
|
|
@@ -96,11 +98,10 @@ corenet_udp_bind_reserved_port(ypbind_t)
|
|
corenet_tcp_bind_all_rpc_ports(ypbind_t)
|
|
corenet_udp_bind_all_rpc_ports(ypbind_t)
|
|
corenet_tcp_connect_all_ports(ypbind_t)
|
|
-corenet_sendrecv_all_client_packets(ypbind_t)
|
|
-corenet_sendrecv_generic_server_packets(ypbind_t)
|
|
-
|
|
corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
|
|
corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
|
|
+corenet_sendrecv_all_client_packets(ypbind_t)
|
|
+corenet_sendrecv_generic_server_packets(ypbind_t)
|
|
|
|
dev_read_sysfs(ypbind_t)
|
|
|
|
@@ -109,12 +110,11 @@ fs_search_auto_mountpoints(ypbind_t)
|
|
|
|
domain_use_interactive_fds(ypbind_t)
|
|
|
|
-files_read_etc_files(ypbind_t)
|
|
files_list_var(ypbind_t)
|
|
|
|
-logging_send_syslog_msg(ypbind_t)
|
|
+init_search_pid_dirs(ypbind_t)
|
|
|
|
-miscfiles_read_localization(ypbind_t)
|
|
+logging_send_syslog_msg(ypbind_t)
|
|
|
|
sysnet_read_config(ypbind_t)
|
|
|
|
@@ -124,7 +124,6 @@ userdom_dontaudit_search_user_home_dirs(ypbind_t)
|
|
optional_policy(`
|
|
dbus_system_bus_client(ypbind_t)
|
|
dbus_connect_system_bus(ypbind_t)
|
|
-
|
|
init_dbus_chat_script(ypbind_t)
|
|
|
|
optional_policy(`
|
|
@@ -149,7 +148,8 @@ allow yppasswdd_t self:capability dac_override;
|
|
dontaudit yppasswdd_t self:capability sys_tty_config;
|
|
allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
|
|
allow yppasswdd_t self:process { getsched setfscreate signal_perms };
|
|
-allow yppasswdd_t self:unix_stream_socket { accept listen };
|
|
+allow yppasswdd_t self:unix_dgram_socket create_socket_perms;
|
|
+allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms;
|
|
allow yppasswdd_t self:tcp_socket create_stream_socket_perms;
|
|
allow yppasswdd_t self:udp_socket create_socket_perms;
|
|
@@ -160,14 +160,13 @@ files_pid_filetrans(yppasswdd_t, yppasswdd_var_run_t, file)
|
|
manage_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
|
|
manage_lnk_files_pattern(yppasswdd_t, var_yp_t, var_yp_t)
|
|
|
|
-can_exec(yppasswdd_t, yppasswdd_exec_t)
|
|
+can_exec(yppasswdd_t,yppasswdd_exec_t)
|
|
|
|
kernel_list_proc(yppasswdd_t)
|
|
kernel_read_proc_symlinks(yppasswdd_t)
|
|
kernel_getattr_proc_files(yppasswdd_t)
|
|
kernel_read_kernel_sysctls(yppasswdd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(yppasswdd_t)
|
|
corenet_all_recvfrom_netlabel(yppasswdd_t)
|
|
corenet_tcp_sendrecv_generic_if(yppasswdd_t)
|
|
corenet_udp_sendrecv_generic_if(yppasswdd_t)
|
|
@@ -177,23 +176,13 @@ corenet_tcp_sendrecv_all_ports(yppasswdd_t)
|
|
corenet_udp_sendrecv_all_ports(yppasswdd_t)
|
|
corenet_tcp_bind_generic_node(yppasswdd_t)
|
|
corenet_udp_bind_generic_node(yppasswdd_t)
|
|
-
|
|
corenet_tcp_bind_all_rpc_ports(yppasswdd_t)
|
|
corenet_udp_bind_all_rpc_ports(yppasswdd_t)
|
|
-corenet_sendrecv_generic_server_packets(yppasswdd_t)
|
|
-
|
|
corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
|
|
corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
|
|
+corenet_sendrecv_generic_server_packets(yppasswdd_t)
|
|
|
|
-corecmd_exec_bin(yppasswdd_t)
|
|
-corecmd_exec_shell(yppasswdd_t)
|
|
-
|
|
-domain_use_interactive_fds(yppasswdd_t)
|
|
-
|
|
-files_read_etc_files(yppasswdd_t)
|
|
-files_read_etc_runtime_files(yppasswdd_t)
|
|
-files_relabel_etc_files(yppasswdd_t)
|
|
-
|
|
+dev_read_urand(yppasswdd_t)
|
|
dev_read_sysfs(yppasswdd_t)
|
|
|
|
fs_getattr_all_fs(yppasswdd_t)
|
|
@@ -203,11 +192,19 @@ selinux_get_fs_mount(yppasswdd_t)
|
|
|
|
auth_manage_shadow(yppasswdd_t)
|
|
auth_relabel_shadow(yppasswdd_t)
|
|
+auth_read_passwd(yppasswdd_t)
|
|
auth_etc_filetrans_shadow(yppasswdd_t)
|
|
|
|
+corecmd_exec_bin(yppasswdd_t)
|
|
+corecmd_exec_shell(yppasswdd_t)
|
|
+
|
|
+domain_use_interactive_fds(yppasswdd_t)
|
|
+
|
|
+files_read_etc_runtime_files(yppasswdd_t)
|
|
+files_relabel_etc_files(yppasswdd_t)
|
|
+
|
|
logging_send_syslog_msg(yppasswdd_t)
|
|
|
|
-miscfiles_read_localization(yppasswdd_t)
|
|
|
|
sysnet_read_config(yppasswdd_t)
|
|
|
|
@@ -219,6 +216,14 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ mta_send_mail(yppasswdd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ nis_use_ypbind(yppasswdd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
seutil_sigchld_newrole(yppasswdd_t)
|
|
')
|
|
|
|
@@ -234,7 +239,8 @@ optional_policy(`
|
|
dontaudit ypserv_t self:capability sys_tty_config;
|
|
allow ypserv_t self:fifo_file rw_fifo_file_perms;
|
|
allow ypserv_t self:process signal_perms;
|
|
-allow ypserv_t self:unix_stream_socket { accept listen };
|
|
+allow ypserv_t self:unix_dgram_socket create_socket_perms;
|
|
+allow ypserv_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow ypserv_t self:netlink_route_socket r_netlink_socket_perms;
|
|
allow ypserv_t self:tcp_socket connected_stream_socket_perms;
|
|
allow ypserv_t self:udp_socket create_socket_perms;
|
|
@@ -254,7 +260,6 @@ kernel_read_kernel_sysctls(ypserv_t)
|
|
kernel_list_proc(ypserv_t)
|
|
kernel_read_proc_symlinks(ypserv_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(ypserv_t)
|
|
corenet_all_recvfrom_netlabel(ypserv_t)
|
|
corenet_tcp_sendrecv_generic_if(ypserv_t)
|
|
corenet_udp_sendrecv_generic_if(ypserv_t)
|
|
@@ -264,31 +269,27 @@ corenet_tcp_sendrecv_all_ports(ypserv_t)
|
|
corenet_udp_sendrecv_all_ports(ypserv_t)
|
|
corenet_tcp_bind_generic_node(ypserv_t)
|
|
corenet_udp_bind_generic_node(ypserv_t)
|
|
-
|
|
corenet_tcp_bind_reserved_port(ypserv_t)
|
|
corenet_udp_bind_reserved_port(ypserv_t)
|
|
corenet_tcp_bind_all_rpc_ports(ypserv_t)
|
|
corenet_udp_bind_all_rpc_ports(ypserv_t)
|
|
-corenet_sendrecv_generic_server_packets(ypserv_t)
|
|
-
|
|
corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
|
|
corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
|
|
+corenet_sendrecv_generic_server_packets(ypserv_t)
|
|
|
|
-corecmd_exec_bin(ypserv_t)
|
|
+dev_read_sysfs(ypserv_t)
|
|
|
|
-files_read_etc_files(ypserv_t)
|
|
-files_read_var_files(ypserv_t)
|
|
+fs_getattr_all_fs(ypserv_t)
|
|
+fs_search_auto_mountpoints(ypserv_t)
|
|
|
|
-dev_read_sysfs(ypserv_t)
|
|
+corecmd_exec_bin(ypserv_t)
|
|
|
|
domain_use_interactive_fds(ypserv_t)
|
|
|
|
-fs_getattr_all_fs(ypserv_t)
|
|
-fs_search_auto_mountpoints(ypserv_t)
|
|
+files_read_var_files(ypserv_t)
|
|
|
|
logging_send_syslog_msg(ypserv_t)
|
|
|
|
-miscfiles_read_localization(ypserv_t)
|
|
|
|
nis_domtrans_ypxfr(ypserv_t)
|
|
|
|
@@ -310,8 +311,8 @@ optional_policy(`
|
|
# ypxfr local policy
|
|
#
|
|
|
|
-allow ypxfr_t self:unix_stream_socket { accept listen };
|
|
-allow ypxfr_t self:unix_dgram_socket { accept listen };
|
|
+allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow ypxfr_t self:unix_dgram_socket create_stream_socket_perms;
|
|
allow ypxfr_t self:tcp_socket create_stream_socket_perms;
|
|
allow ypxfr_t self:udp_socket create_socket_perms;
|
|
allow ypxfr_t self:netlink_route_socket r_netlink_socket_perms;
|
|
@@ -326,7 +327,6 @@ allow ypxfr_t ypserv_conf_t:file read_file_perms;
|
|
manage_files_pattern(ypxfr_t, ypxfr_var_run_t, ypxfr_var_run_t)
|
|
files_pid_filetrans(ypxfr_t, ypxfr_var_run_t, file)
|
|
|
|
-corenet_all_recvfrom_unlabeled(ypxfr_t)
|
|
corenet_all_recvfrom_netlabel(ypxfr_t)
|
|
corenet_tcp_sendrecv_generic_if(ypxfr_t)
|
|
corenet_udp_sendrecv_generic_if(ypxfr_t)
|
|
@@ -336,23 +336,19 @@ corenet_tcp_sendrecv_all_ports(ypxfr_t)
|
|
corenet_udp_sendrecv_all_ports(ypxfr_t)
|
|
corenet_tcp_bind_generic_node(ypxfr_t)
|
|
corenet_udp_bind_generic_node(ypxfr_t)
|
|
-
|
|
corenet_tcp_bind_reserved_port(ypxfr_t)
|
|
corenet_udp_bind_reserved_port(ypxfr_t)
|
|
corenet_tcp_bind_all_rpc_ports(ypxfr_t)
|
|
corenet_udp_bind_all_rpc_ports(ypxfr_t)
|
|
+corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
|
|
+corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
|
|
corenet_tcp_connect_all_ports(ypxfr_t)
|
|
corenet_sendrecv_generic_server_packets(ypxfr_t)
|
|
corenet_sendrecv_all_client_packets(ypxfr_t)
|
|
|
|
-corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
|
|
-corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
|
|
-
|
|
-files_read_etc_files(ypxfr_t)
|
|
files_search_usr(ypxfr_t)
|
|
|
|
logging_send_syslog_msg(ypxfr_t)
|
|
|
|
-miscfiles_read_localization(ypxfr_t)
|
|
|
|
sysnet_read_config(ypxfr_t)
|
|
diff --git a/nova.fc b/nova.fc
|
|
new file mode 100644
|
|
index 0000000..02dc6dc
|
|
--- /dev/null
|
|
+++ b/nova.fc
|
|
@@ -0,0 +1,32 @@
|
|
+
|
|
+/usr/bin/nova-ajax-console-proxy -- gen_context(system_u:object_r:nova_ajax_exec_t,s0)
|
|
+/usr/bin/nova-console.* -- gen_context(system_u:object_r:nova_console_exec_t,s0)
|
|
+/usr/bin/nova-direct-api -- gen_context(system_u:object_r:nova_direct_exec_t,s0)
|
|
+/usr/bin/nova-api -- gen_context(system_u:object_r:nova_api_exec_t,s0)
|
|
+/usr/bin/nova-cert -- gen_context(system_u:object_r:nova_cert_exec_t,s0)
|
|
+/usr//bin/nova-api-metadata -- gen_context(system_u:object_r:nova_api_exec_t,s0)
|
|
+/usr/bin/nova-network -- gen_context(system_u:object_r:nova_network_exec_t,s0)
|
|
+/usr/bin/nova-objectstore -- gen_context(system_u:object_r:nova_objectstore_exec_t,s0)
|
|
+/usr/bin/nova-scheduler -- gen_context(system_u:object_r:nova_scheduler_exec_t,s0)
|
|
+/usr/bin/nova-vncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0)
|
|
+/usr/bin/nova-volume -- gen_context(system_u:object_r:nova_volume_exec_t,s0)
|
|
+/usr/bin/nova-xvpvncproxy -- gen_context(system_u:object_r:nova_vncproxy_exec_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/openstack-nova-ajax-console-proxy.* -- gen_context(system_u:object_r:nova_ajax_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/openstack-nova-api.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/openstack-nova-cert.* -- gen_context(system_u:object_r:nova_cert_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/openstack-nova-console.* -- gen_context(system_u:object_r:nova_console_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/openstack-nova-direct-api.* -- gen_context(system_u:object_r:nova_direct_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/openstack-nova-metadata-api.service.* -- gen_context(system_u:object_r:nova_api_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/openstack-nova-network.* -- gen_context(system_u:object_r:nova_network_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/openstack-nova-objectstore.* -- gen_context(system_u:object_r:nova_objectstore_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/openstack-nova-scheduler.* -- gen_context(system_u:object_r:nova_scheduler_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/openstack-nova-vncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/openstack-nova-xvpvncproxy.* -- gen_context(system_u:object_r:nova_vncproxy_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/openstack-nova-volume.* -- gen_context(system_u:object_r:nova_volume_unit_file_t,s0)
|
|
+
|
|
+/var/lib/nova(/.*)? gen_context(system_u:object_r:nova_var_lib_t,s0)
|
|
+
|
|
+/var/log/nova(/.*)? gen_context(system_u:object_r:nova_log_t,s0)
|
|
+
|
|
+/var/run/nova(/.*)? gen_context(system_u:object_r:nova_var_run_t,s0)
|
|
diff --git a/nova.if b/nova.if
|
|
new file mode 100644
|
|
index 0000000..28936b4
|
|
--- /dev/null
|
|
+++ b/nova.if
|
|
@@ -0,0 +1,57 @@
|
|
+## <summary>openstack-nova</summary>
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Manage nova lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nova_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type nova_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, nova_var_lib_t, nova_var_lib_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Creates types and rules for a basic
|
|
+## openstack-nova systemd daemon domain.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## Prefix for the domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`nova_domain_template',`
|
|
+ gen_require(`
|
|
+ attribute nova_domain;
|
|
+ ')
|
|
+
|
|
+ type nova_$1_t, nova_domain;
|
|
+ type nova_$1_exec_t;
|
|
+ init_daemon_domain(nova_$1_t, nova_$1_exec_t)
|
|
+
|
|
+ type nova_$1_unit_file_t;
|
|
+ systemd_unit_file(nova_$1_unit_file_t)
|
|
+
|
|
+ type nova_$1_tmp_t;
|
|
+ files_tmp_file(nova_$1_tmp_t)
|
|
+
|
|
+ manage_dirs_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
|
|
+ manage_files_pattern(nova_$1_t, nova_$1_tmp_t, nova_$1_tmp_t)
|
|
+ files_tmp_filetrans(nova_$1_t, nova_$1_tmp_t, { file dir })
|
|
+ can_exec(nova_$1_t, nova_$1_tmp_t)
|
|
+
|
|
+ kernel_read_system_state(nova_$1_t)
|
|
+
|
|
+ logging_send_syslog_msg(nova_$1_t)
|
|
+
|
|
+')
|
|
diff --git a/nova.te b/nova.te
|
|
new file mode 100644
|
|
index 0000000..d5b54e5
|
|
--- /dev/null
|
|
+++ b/nova.te
|
|
@@ -0,0 +1,320 @@
|
|
+policy_module(nova, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+#
|
|
+# nova-stack daemons contain security issue with using sudo in the code
|
|
+# we make this policy as unconfined until this issue is fixed
|
|
+#
|
|
+
|
|
+attribute nova_domain;
|
|
+attribute nova_sudo_domain;
|
|
+
|
|
+nova_domain_template(ajax)
|
|
+nova_domain_template(api)
|
|
+nova_domain_template(cert)
|
|
+nova_domain_template(compute)
|
|
+nova_domain_template(console)
|
|
+nova_domain_template(direct)
|
|
+nova_domain_template(network)
|
|
+nova_domain_template(objectstore)
|
|
+nova_domain_template(scheduler)
|
|
+nova_domain_template(vncproxy)
|
|
+nova_domain_template(volume)
|
|
+
|
|
+typeattribute nova_api_t nova_sudo_domain;
|
|
+typeattribute nova_cert_t nova_sudo_domain;
|
|
+typeattribute nova_console_t nova_sudo_domain;
|
|
+typeattribute nova_network_t nova_sudo_domain;
|
|
+typeattribute nova_volume_t nova_sudo_domain;
|
|
+
|
|
+type nova_log_t;
|
|
+logging_log_file(nova_log_t)
|
|
+
|
|
+type nova_var_lib_t;
|
|
+files_type(nova_var_lib_t)
|
|
+
|
|
+type nova_var_run_t;
|
|
+files_pid_file(nova_var_run_t)
|
|
+
|
|
+
|
|
+######################################
|
|
+#
|
|
+# nova general domain local policy
|
|
+#
|
|
+
|
|
+allow nova_domain self:fifo_file rw_fifo_file_perms;
|
|
+allow nova_domain self:tcp_socket create_stream_socket_perms;
|
|
+allow nova_domain self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(nova_domain, nova_log_t, nova_log_t)
|
|
+manage_files_pattern(nova_domain, nova_log_t, nova_log_t)
|
|
+
|
|
+manage_dirs_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t)
|
|
+manage_files_pattern(nova_domain, nova_var_lib_t, nova_var_lib_t)
|
|
+
|
|
+manage_dirs_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
|
|
+manage_files_pattern(nova_domain, nova_var_run_t, nova_var_run_t)
|
|
+
|
|
+corenet_tcp_connect_amqp_port(nova_domain)
|
|
+corenet_tcp_connect_mysqld_port(nova_domain)
|
|
+
|
|
+kernel_read_network_state(nova_domain)
|
|
+
|
|
+corecmd_exec_bin(nova_domain)
|
|
+corecmd_exec_shell(nova_domain)
|
|
+corenet_tcp_connect_mysqld_port(nova_domain)
|
|
+
|
|
+dev_read_sysfs(nova_domain)
|
|
+dev_read_urand(nova_domain)
|
|
+
|
|
+fs_getattr_xattr_fs(nova_domain)
|
|
+
|
|
+libs_exec_ldconfig(nova_domain)
|
|
+
|
|
+optional_policy(`
|
|
+ sysnet_read_config(nova_domain)
|
|
+ sysnet_exec_ifconfig(nova_domain)
|
|
+')
|
|
+
|
|
+######################################
|
|
+#
|
|
+# nova ajax local policy
|
|
+#
|
|
+
|
|
+#optional_policy(`
|
|
+# unconfined_domain(nova_ajax_t)
|
|
+#')
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# nova api local policy
|
|
+#
|
|
+
|
|
+allow nova_api_t self:process setfscreate;
|
|
+
|
|
+allow nova_api_t self:key write;
|
|
+
|
|
+allow nova_api_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+
|
|
+allow nova_api_t self:udp_socket create_socket_perms;
|
|
+
|
|
+kernel_read_kernel_sysctls(nova_api_t)
|
|
+
|
|
+corenet_tcp_bind_generic_node(nova_api_t)
|
|
+corenet_udp_bind_generic_node(nova_api_t)
|
|
+# should be add to booleans
|
|
+corenet_tcp_connect_all_ports(nova_api_t)
|
|
+corenet_tcp_bind_all_unreserved_ports(nova_api_t)
|
|
+
|
|
+auth_read_passwd(nova_api_t)
|
|
+
|
|
+logging_send_syslog_msg(nova_api_t)
|
|
+
|
|
+miscfiles_read_certs(nova_api_t)
|
|
+
|
|
+optional_policy(`
|
|
+ iptables_domtrans(nova_api_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ssh_exec_keygen(nova_api_t)
|
|
+')
|
|
+
|
|
+#optional_policy(`
|
|
+# unconfined_domain(nova_api_t)
|
|
+#')
|
|
+
|
|
+######################################
|
|
+#
|
|
+# nova cert local policy
|
|
+#
|
|
+
|
|
+allow nova_cert_t self:process setfscreate;
|
|
+
|
|
+allow nova_cert_t self:udp_socket create_socket_perms;
|
|
+
|
|
+auth_use_nsswitch(nova_cert_t)
|
|
+
|
|
+miscfiles_read_certs(nova_cert_t)
|
|
+
|
|
+optional_policy(`
|
|
+ mysql_stream_connect(nova_cert_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ postgresql_stream_connect(nova_cert_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# nova compute local policy
|
|
+#
|
|
+
|
|
+# needs to be re-write since now runs as virtd_t
|
|
+
|
|
+allow nova_compute_t self:udp_socket create_socket_perms;
|
|
+
|
|
+kernel_read_network_state(nova_compute_t)
|
|
+
|
|
+dev_read_rand(nova_compute_t)
|
|
+
|
|
+optional_policy(`
|
|
+ virt_getattr_exec(nova_compute_t)
|
|
+ virt_stream_connect(nova_compute_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+#
|
|
+# nova console local policy
|
|
+#
|
|
+
|
|
+allow nova_console_t self:udp_socket create_socket_perms;
|
|
+
|
|
+auth_use_nsswitch(nova_console_t)
|
|
+
|
|
+optional_policy(`
|
|
+ mysql_stream_connect(nova_console_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# nova direct local policy
|
|
+#
|
|
+
|
|
+#optional_policy(`
|
|
+# unconfined_domain(nova_direct_t)
|
|
+#')
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# nova network local policy
|
|
+#
|
|
+
|
|
+allow nova_network_t self:capability { dac_override net_admin net_bind_service };
|
|
+allow nova_network_t self:process { getcap setcap };
|
|
+
|
|
+allow nova_network_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+allow nova_network_t self:udp_socket create_socket_perms;
|
|
+
|
|
+kernel_read_network_state(nova_network_t)
|
|
+kernel_read_kernel_sysctls(nova_network_t)
|
|
+
|
|
+# should be added to boolean or fixed in the code
|
|
+# dnsmasq domtrans does not work since then dnsmasq_t wants
|
|
+# to do some stuff with nova_lib, nova_tmp
|
|
+# nova-dhcpbridge runs in dnsmasq domain
|
|
+corenet_all_recvfrom_netlabel(nova_network_t)
|
|
+corenet_tcp_sendrecv_generic_if(nova_network_t)
|
|
+corenet_udp_sendrecv_generic_if(nova_network_t)
|
|
+corenet_raw_sendrecv_generic_if(nova_network_t)
|
|
+corenet_tcp_sendrecv_generic_node(nova_network_t)
|
|
+corenet_udp_sendrecv_generic_node(nova_network_t)
|
|
+corenet_raw_sendrecv_generic_node(nova_network_t)
|
|
+corenet_tcp_sendrecv_all_ports(nova_network_t)
|
|
+corenet_udp_sendrecv_all_ports(nova_network_t)
|
|
+corenet_tcp_bind_generic_node(nova_network_t)
|
|
+corenet_udp_bind_generic_node(nova_network_t)
|
|
+corenet_tcp_bind_dns_port(nova_network_t)
|
|
+corenet_udp_bind_all_ports(nova_network_t)
|
|
+corenet_sendrecv_dns_server_packets(nova_network_t)
|
|
+corenet_sendrecv_dhcpd_server_packets(nova_network_t)
|
|
+
|
|
+libs_exec_ldconfig(nova_network_t)
|
|
+
|
|
+logging_send_syslog_msg(nova_network_t)
|
|
+
|
|
+optional_policy(`
|
|
+ brctl_domtrans(nova_network_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dnsmasq_exec(nova_network_t)
|
|
+# dnsmasq_domtrans(nova_network_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ iptables_domtrans(nova_network_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ sysnet_domtrans_ifconfig(nova_network_t)
|
|
+')
|
|
+
|
|
+#optional_policy(`
|
|
+# unconfined_domain(nova_network_t)
|
|
+#')
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# nova object store local policy
|
|
+#
|
|
+
|
|
+allow nova_objectstore_t self:udp_socket create_socket_perms;
|
|
+
|
|
+corenet_tcp_bind_generic_node(nova_objectstore_t)
|
|
+corenet_udp_bind_generic_node(nova_objectstore_t)
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_domain(nova_objectstore_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# nova scheduler local policy
|
|
+#
|
|
+
|
|
+allow nova_scheduler_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+allow nova_scheduler_t self:udp_socket create_socket_perms;
|
|
+
|
|
+#optional_policy(`
|
|
+# unconfined_domain(nova_scheduler_t)
|
|
+#')
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# nova vncproxy local policy
|
|
+#
|
|
+
|
|
+#optional_policy(`
|
|
+# unconfined_domain(nova_vncproxy_t)
|
|
+#')
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# nova volume local policy
|
|
+#
|
|
+
|
|
+allow nova_volume_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+
|
|
+allow nova_volume_t self:udp_socket create_socket_perms;
|
|
+
|
|
+kernel_read_kernel_sysctls(nova_volume_t)
|
|
+
|
|
+logging_send_syslog_msg(nova_volume_t)
|
|
+
|
|
+optional_policy(`
|
|
+ lvm_domtrans(nova_volume_t)
|
|
+')
|
|
+
|
|
+#optional_policy(`
|
|
+# unconfined_domain(nova_volume_t)
|
|
+#')
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# nova sudo domain local policy
|
|
+#
|
|
+
|
|
+ifdef(`hide_broken_symptoms',`
|
|
+ optional_policy(`
|
|
+ sudo_exec(nova_sudo_domain)
|
|
+ allow nova_sudo_domain self:capability { setuid sys_resource setgid audit_write };
|
|
+ allow nova_sudo_domain self:process { setsched setrlimit };
|
|
+ logging_send_audit_msgs(nova_sudo_domain)
|
|
+ ')
|
|
+')
|
|
+
|
|
diff --git a/nscd.fc b/nscd.fc
|
|
index ba64485..429bd79 100644
|
|
--- a/nscd.fc
|
|
+++ b/nscd.fc
|
|
@@ -1,13 +1,15 @@
|
|
/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_initrc_exec_t,s0)
|
|
|
|
-/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
|
|
+/usr/sbin/nscd -- gen_context(system_u:object_r:nscd_exec_t,s0)
|
|
|
|
-/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
|
|
-
|
|
-/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
|
|
+/var/db/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
|
|
+/var/cache/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
|
|
|
|
/var/log/nscd\.log.* -- gen_context(system_u:object_r:nscd_log_t,s0)
|
|
|
|
-/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
|
|
/var/run/nscd\.pid -- gen_context(system_u:object_r:nscd_var_run_t,s0)
|
|
/var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0)
|
|
+
|
|
+/var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/nscd\.service -- gen_context(system_u:object_r:nscd_unit_file_t,s0)
|
|
diff --git a/nscd.if b/nscd.if
|
|
index 8f2ab09..6ab4ea1 100644
|
|
--- a/nscd.if
|
|
+++ b/nscd.if
|
|
@@ -1,8 +1,8 @@
|
|
-## <summary>Name service cache daemon.</summary>
|
|
+## <summary>Name service cache daemon</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send generic signals to nscd.
|
|
+## Send generic signals to NSCD.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -20,7 +20,7 @@ interface(`nscd_signal',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send kill signals to nscd.
|
|
+## Send NSCD the kill signal.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -38,7 +38,7 @@ interface(`nscd_kill',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send null signals to nscd.
|
|
+## Send signulls to NSCD.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -56,7 +56,7 @@ interface(`nscd_signull',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute nscd in the nscd domain.
|
|
+## Execute NSCD in the nscd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -75,7 +75,8 @@ interface(`nscd_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute nscd in the caller domain.
|
|
+## Allow the specified domain to execute nscd
|
|
+## in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -88,14 +89,13 @@ interface(`nscd_exec',`
|
|
type nscd_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, nscd_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Use nscd services by connecting using
|
|
-## a unix domain stream socket.
|
|
+## Use NSCD services by connecting using
|
|
+## a unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -112,22 +112,17 @@ interface(`nscd_socket_use',`
|
|
allow $1 self:unix_stream_socket create_socket_perms;
|
|
|
|
allow $1 nscd_t:nscd { getpwd getgrp gethost };
|
|
-
|
|
dontaudit $1 nscd_t:fd use;
|
|
dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
|
|
-
|
|
files_search_pids($1)
|
|
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
|
|
dontaudit $1 nscd_var_run_t:file read_file_perms;
|
|
-
|
|
ps_process_pattern(nscd_t, $1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Use nscd services by mapping the
|
|
-## database from an inherited nscd
|
|
-## file descriptor.
|
|
+## Use nscd services
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -135,28 +130,38 @@ interface(`nscd_socket_use',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`nscd_shm_use',`
|
|
+interface(`nscd_use',`
|
|
+ tunable_policy(`nscd_use_shm',`
|
|
+ nscd_shm_use($1)
|
|
+ ',`
|
|
+ nscd_socket_use($1)
|
|
+ ')
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Do not audit attempts to write nscd sock files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nscd_dontaudit_write_sock_file',`
|
|
gen_require(`
|
|
type nscd_t, nscd_var_run_t;
|
|
- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
|
|
')
|
|
|
|
- allow $1 self:unix_stream_socket create_stream_socket_perms;
|
|
-
|
|
- allow $1 nscd_t:nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
|
|
- allow $1 nscd_t:fd use;
|
|
-
|
|
- files_search_pids($1)
|
|
- stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
|
|
- dontaudit $1 nscd_var_run_t:file read_file_perms;
|
|
+ dontaudit $1 nscd_t:sock_file write;
|
|
+ dontaudit $1 nscd_var_run_t:sock_file write;
|
|
|
|
- allow $1 nscd_var_run_t:dir list_dir_perms;
|
|
- allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Use nscd services.
|
|
+## Use NSCD services by mapping the database from
|
|
+## an inherited NSCD file descriptor.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -164,18 +169,34 @@ interface(`nscd_shm_use',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`nscd_use',`
|
|
- tunable_policy(`nscd_use_shm',`
|
|
- nscd_shm_use($1)
|
|
- ',`
|
|
- nscd_socket_use($1)
|
|
+interface(`nscd_shm_use',`
|
|
+ gen_require(`
|
|
+ type nscd_t, nscd_var_run_t;
|
|
+ class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
|
|
')
|
|
+
|
|
+ allow $1 nscd_var_run_t:dir list_dir_perms;
|
|
+ allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost shmemserv };
|
|
+ # Receive fd from nscd and map the backing file with read access.
|
|
+ allow $1 nscd_t:fd use;
|
|
+
|
|
+ # cjp: these were originally inherited from the
|
|
+ # nscd_socket_domain macro. need to investigate
|
|
+ # if they are all actually required
|
|
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+ # dg: This may not be required.
|
|
+ allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
|
|
+
|
|
+ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
|
|
+ files_search_pids($1)
|
|
+ allow $1 nscd_t:nscd { getpwd getgrp gethost getserv };
|
|
+ dontaudit $1 nscd_var_run_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to search
|
|
-## nscd pid directories.
|
|
+## Do not audit attempts to search the NSCD pid directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -193,7 +214,7 @@ interface(`nscd_dontaudit_search_pid',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read nscd pid files.
|
|
+## Read NSCD pid file.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -212,7 +233,7 @@ interface(`nscd_read_pid',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Unconfined access to nscd services.
|
|
+## Unconfined access to NSCD services.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -244,20 +265,20 @@ interface(`nscd_unconfined',`
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
interface(`nscd_run',`
|
|
gen_require(`
|
|
- attribute_role nscd_roles;
|
|
+ type nscd_t;
|
|
')
|
|
|
|
nscd_domtrans($1)
|
|
- roleattribute $2 nscd_roles;
|
|
+ role $2 types nscd_t;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute the nscd server init
|
|
-## script in the initrc domain.
|
|
+## Execute the nscd server init script.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -275,8 +296,31 @@ interface(`nscd_initrc_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an nscd environment.
|
|
+## Execute nscd server in the nscd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nscd_systemctl',`
|
|
+ gen_require(`
|
|
+ type nscd_unit_file_t;
|
|
+ type nscd_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 nscd_unit_file_t:file read_file_perms;
|
|
+ allow $1 nscd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, nscd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an nscd environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -285,7 +329,7 @@ interface(`nscd_initrc_domtrans',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the nscd domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
@@ -294,10 +338,14 @@ interface(`nscd_admin',`
|
|
gen_require(`
|
|
type nscd_t, nscd_log_t, nscd_var_run_t;
|
|
type nscd_initrc_exec_t;
|
|
+ type nscd_unit_file_t;
|
|
')
|
|
|
|
- allow $1 nscd_t:process { ptrace signal_perms };
|
|
+ allow $1 nscd_t:process signal_perms;
|
|
ps_process_pattern($1, nscd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 nscd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, nscd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
@@ -310,5 +358,7 @@ interface(`nscd_admin',`
|
|
files_list_pids($1)
|
|
admin_pattern($1, nscd_var_run_t)
|
|
|
|
- nscd_run($1, $2)
|
|
+ nscd_systemctl($1)
|
|
+ admin_pattern($1, nscd_unit_file_t)
|
|
+ allow $1 nscd_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/nscd.te b/nscd.te
|
|
index bcd7d0a..3878d3c 100644
|
|
--- a/nscd.te
|
|
+++ b/nscd.te
|
|
@@ -4,33 +4,34 @@ gen_require(`
|
|
class nscd all_nscd_perms;
|
|
')
|
|
|
|
-########################################
|
|
-#
|
|
-# Declarations
|
|
-#
|
|
-
|
|
## <desc>
|
|
## <p>
|
|
-## Determine whether confined applications
|
|
-## can use nscd shared memory.
|
|
+## Allow confined applications to use nscd shared memory.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(nscd_use_shm, false)
|
|
|
|
-attribute_role nscd_roles;
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
|
|
+# cjp: this is out of order because of an
|
|
+# ordering problem with loadable modules
|
|
type nscd_var_run_t;
|
|
files_pid_file(nscd_var_run_t)
|
|
-init_daemon_run_dir(nscd_var_run_t, "nscd")
|
|
|
|
+# nscd is both the client program and the daemon.
|
|
type nscd_t;
|
|
type nscd_exec_t;
|
|
init_daemon_domain(nscd_t, nscd_exec_t)
|
|
-role nscd_roles types nscd_t;
|
|
|
|
type nscd_initrc_exec_t;
|
|
init_script_file(nscd_initrc_exec_t)
|
|
|
|
+type nscd_unit_file_t;
|
|
+systemd_unit_file(nscd_unit_file_t)
|
|
+
|
|
type nscd_log_t;
|
|
logging_log_file(nscd_log_t)
|
|
|
|
@@ -43,53 +44,54 @@ allow nscd_t self:capability { kill setgid setuid };
|
|
dontaudit nscd_t self:capability sys_tty_config;
|
|
allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
|
|
allow nscd_t self:fifo_file read_fifo_file_perms;
|
|
-allow nscd_t self:unix_stream_socket { accept listen };
|
|
+allow nscd_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow nscd_t self:unix_dgram_socket create_socket_perms;
|
|
allow nscd_t self:netlink_selinux_socket create_socket_perms;
|
|
+allow nscd_t self:tcp_socket create_socket_perms;
|
|
+allow nscd_t self:udp_socket create_socket_perms;
|
|
|
|
+# For client program operation, invoked from sysadm_t.
|
|
+# Transition occurs to nscd_t due to direct_sysadm_daemon.
|
|
allow nscd_t self:nscd { admin getstat };
|
|
|
|
-allow nscd_t nscd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
|
+allow nscd_t nscd_log_t:file manage_file_perms;
|
|
logging_log_filetrans(nscd_t, nscd_log_t, file)
|
|
|
|
+manage_dirs_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
|
|
manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
|
|
manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
|
|
-files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
|
|
+files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file dir })
|
|
|
|
+corecmd_search_bin(nscd_t)
|
|
can_exec(nscd_t, nscd_exec_t)
|
|
|
|
-kernel_list_proc(nscd_t)
|
|
-kernel_read_kernel_sysctls(nscd_t)
|
|
kernel_read_network_state(nscd_t)
|
|
+kernel_read_kernel_sysctls(nscd_t)
|
|
+kernel_list_proc(nscd_t)
|
|
kernel_read_proc_symlinks(nscd_t)
|
|
|
|
-corecmd_search_bin(nscd_t)
|
|
-
|
|
dev_read_sysfs(nscd_t)
|
|
dev_read_rand(nscd_t)
|
|
dev_read_urand(nscd_t)
|
|
|
|
-domain_search_all_domains_state(nscd_t)
|
|
-domain_use_interactive_fds(nscd_t)
|
|
-
|
|
-files_read_generic_tmp_symlinks(nscd_t)
|
|
-files_read_etc_runtime_files(nscd_t)
|
|
-
|
|
fs_getattr_all_fs(nscd_t)
|
|
fs_search_auto_mountpoints(nscd_t)
|
|
fs_list_inotifyfs(nscd_t)
|
|
|
|
+# for when /etc/passwd has just been updated and has the wrong type
|
|
auth_getattr_shadow(nscd_t)
|
|
auth_use_nsswitch(nscd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(nscd_t)
|
|
corenet_all_recvfrom_netlabel(nscd_t)
|
|
corenet_tcp_sendrecv_generic_if(nscd_t)
|
|
+corenet_udp_sendrecv_generic_if(nscd_t)
|
|
corenet_tcp_sendrecv_generic_node(nscd_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(nscd_t)
|
|
-corenet_tcp_connect_all_ports(nscd_t)
|
|
+corenet_udp_sendrecv_generic_node(nscd_t)
|
|
corenet_tcp_sendrecv_all_ports(nscd_t)
|
|
-
|
|
+corenet_udp_sendrecv_all_ports(nscd_t)
|
|
+corenet_udp_bind_generic_node(nscd_t)
|
|
+corenet_tcp_connect_all_ports(nscd_t)
|
|
+corenet_sendrecv_all_client_packets(nscd_t)
|
|
corenet_rw_tun_tap_dev(nscd_t)
|
|
|
|
selinux_get_fs_mount(nscd_t)
|
|
@@ -98,16 +100,23 @@ selinux_compute_access_vector(nscd_t)
|
|
selinux_compute_create_context(nscd_t)
|
|
selinux_compute_relabel_context(nscd_t)
|
|
selinux_compute_user_contexts(nscd_t)
|
|
+domain_use_interactive_fds(nscd_t)
|
|
+domain_search_all_domains_state(nscd_t)
|
|
+
|
|
+files_read_generic_tmp_symlinks(nscd_t)
|
|
+# Needed to read files created by firstboot "/etc/hesiod.conf"
|
|
+files_read_etc_runtime_files(nscd_t)
|
|
|
|
logging_send_audit_msgs(nscd_t)
|
|
logging_send_syslog_msg(nscd_t)
|
|
|
|
-miscfiles_read_localization(nscd_t)
|
|
|
|
seutil_read_config(nscd_t)
|
|
seutil_read_default_contexts(nscd_t)
|
|
seutil_sigchld_newrole(nscd_t)
|
|
|
|
+sysnet_read_config(nscd_t)
|
|
+
|
|
userdom_dontaudit_use_user_terminals(nscd_t)
|
|
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
|
|
userdom_dontaudit_search_user_home_dirs(nscd_t)
|
|
@@ -121,20 +130,31 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ kerberos_use(nscd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ udev_read_db(nscd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ xen_dontaudit_rw_unix_stream_sockets(nscd_t)
|
|
+ xen_append_log(nscd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
tunable_policy(`samba_domain_controller',`
|
|
samba_append_log(nscd_t)
|
|
samba_dontaudit_use_fds(nscd_t)
|
|
')
|
|
-
|
|
- samba_read_config(nscd_t)
|
|
- samba_read_var_files(nscd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- udev_read_db(nscd_t)
|
|
+ samba_read_config(nscd_t)
|
|
+ samba_read_var_files(nscd_t)
|
|
+ samba_stream_connect_nmbd(nscd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- xen_dontaudit_rw_unix_stream_sockets(nscd_t)
|
|
- xen_append_log(nscd_t)
|
|
+ unconfined_dontaudit_rw_packet_sockets(nscd_t)
|
|
')
|
|
diff --git a/nsd.fc b/nsd.fc
|
|
index 4f2b1b6..5348e92 100644
|
|
--- a/nsd.fc
|
|
+++ b/nsd.fc
|
|
@@ -1,16 +1,13 @@
|
|
-/etc/rc\.d/init\.d/nsd -- gen_context(system_u:object_r:nsd_initrc_exec_t,s0)
|
|
|
|
-/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
|
|
-/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
|
|
-/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
|
|
+/etc/nsd(/.*)? gen_context(system_u:object_r:nsd_conf_t,s0)
|
|
+/etc/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_zone_t,s0)
|
|
+/etc/nsd/primary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
|
|
/etc/nsd/secondary(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
|
|
|
|
-/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
|
|
-/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
|
|
+/usr/sbin/nsd -- gen_context(system_u:object_r:nsd_exec_t,s0)
|
|
+/usr/sbin/nsdc -- gen_context(system_u:object_r:nsd_exec_t,s0)
|
|
/usr/sbin/nsd-notify -- gen_context(system_u:object_r:nsd_exec_t,s0)
|
|
-/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
|
|
-
|
|
-/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
|
|
-/var/lib/nsd/nsd\.db -- gen_context(system_u:object_r:nsd_db_t,s0)
|
|
+/usr/sbin/zonec -- gen_context(system_u:object_r:nsd_exec_t,s0)
|
|
|
|
+/var/lib/nsd(/.*)? gen_context(system_u:object_r:nsd_zone_t,s0)
|
|
/var/run/nsd\.pid -- gen_context(system_u:object_r:nsd_var_run_t,s0)
|
|
diff --git a/nsd.if b/nsd.if
|
|
index a9c60ff..ad4f14a 100644
|
|
--- a/nsd.if
|
|
+++ b/nsd.if
|
|
@@ -1,8 +1,8 @@
|
|
-## <summary>Authoritative only name server.</summary>
|
|
+## <summary>Authoritative only name server</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send and receive datagrams from NSD. (Deprecated)
|
|
+## Read NSD pid file.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -10,13 +10,18 @@
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`nsd_udp_chat',`
|
|
- refpolicywarn(`$0($*) has been deprecated.')
|
|
+interface(`nsd_read_pid',`
|
|
+ gen_require(`
|
|
+ type nsd_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ read_files_pattern($1, nsd_var_run_t, nsd_var_run_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to NSD over a TCP socket (Deprecated)
|
|
+## Send and receive datagrams from NSD. (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -24,47 +29,20 @@ interface(`nsd_udp_chat',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`nsd_tcp_connect',`
|
|
+interface(`nsd_udp_chat',`
|
|
refpolicywarn(`$0($*) has been deprecated.')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an nsd environment.
|
|
+## Connect to NSD over a TCP socket (Deprecated)
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`nsd_admin',`
|
|
- gen_require(`
|
|
- type nsd_t, nsd_conf_t, nsd_var_run_t;
|
|
- type nsd_initrc_exec_t, nsd_db_t, nsd_zone_t;
|
|
- ')
|
|
-
|
|
- allow $1 nsd_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, nsd_t)
|
|
-
|
|
- init_labeled_script_domtrans($1, nsd_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 nsd_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
-
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, { nsd_conf_t nsd_db_t })
|
|
-
|
|
- files_search_var_lib($1)
|
|
- admin_pattern($1, nsd_zone_t)
|
|
-
|
|
- files_list_pids($1)
|
|
- admin_pattern($1, nsd_var_run_t)
|
|
+interface(`nsd_tcp_connect',`
|
|
+ refpolicywarn(`$0($*) has been deprecated.')
|
|
')
|
|
diff --git a/nsd.te b/nsd.te
|
|
index 47bb1d2..a97c60f 100644
|
|
--- a/nsd.te
|
|
+++ b/nsd.te
|
|
@@ -9,9 +9,7 @@ type nsd_t;
|
|
type nsd_exec_t;
|
|
init_daemon_domain(nsd_t, nsd_exec_t)
|
|
|
|
-type nsd_initrc_exec_t;
|
|
-init_script_file(nsd_initrc_exec_t)
|
|
-
|
|
+# A type for configuration files of nsd
|
|
type nsd_conf_t;
|
|
files_type(nsd_conf_t)
|
|
|
|
@@ -20,32 +18,28 @@ domain_type(nsd_crond_t)
|
|
domain_entry_file(nsd_crond_t, nsd_exec_t)
|
|
role system_r types nsd_crond_t;
|
|
|
|
-type nsd_db_t;
|
|
-files_type(nsd_db_t)
|
|
-
|
|
type nsd_var_run_t;
|
|
files_pid_file(nsd_var_run_t)
|
|
|
|
-type nsd_zone_t;
|
|
+# A type for zone files
|
|
+type nsd_zone_t alias nsd_db_t;
|
|
files_type(nsd_zone_t)
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# NSD Local policy
|
|
#
|
|
|
|
allow nsd_t self:capability { chown dac_override kill setgid setuid };
|
|
dontaudit nsd_t self:capability sys_tty_config;
|
|
allow nsd_t self:process signal_perms;
|
|
+allow nsd_t self:tcp_socket create_stream_socket_perms;
|
|
+allow nsd_t self:udp_socket create_socket_perms;
|
|
allow nsd_t self:fifo_file rw_fifo_file_perms;
|
|
-allow nsd_t self:tcp_socket { accept listen };
|
|
|
|
allow nsd_t nsd_conf_t:dir list_dir_perms;
|
|
-allow nsd_t nsd_conf_t:file read_file_perms;
|
|
-allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms;
|
|
-
|
|
-allow nsd_t nsd_db_t:file manage_file_perms;
|
|
-filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
|
|
+read_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
|
|
+read_lnk_files_pattern(nsd_t, nsd_conf_t, nsd_conf_t)
|
|
|
|
manage_files_pattern(nsd_t, nsd_var_run_t, nsd_var_run_t)
|
|
files_pid_filetrans(nsd_t, nsd_var_run_t, file)
|
|
@@ -62,7 +56,6 @@ kernel_read_kernel_sysctls(nsd_t)
|
|
|
|
corecmd_exec_bin(nsd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(nsd_t)
|
|
corenet_all_recvfrom_netlabel(nsd_t)
|
|
corenet_tcp_sendrecv_generic_if(nsd_t)
|
|
corenet_udp_sendrecv_generic_if(nsd_t)
|
|
@@ -72,16 +65,17 @@ corenet_tcp_sendrecv_all_ports(nsd_t)
|
|
corenet_udp_sendrecv_all_ports(nsd_t)
|
|
corenet_tcp_bind_generic_node(nsd_t)
|
|
corenet_udp_bind_generic_node(nsd_t)
|
|
-
|
|
-corenet_sendrecv_dns_server_packets(nsd_t)
|
|
corenet_tcp_bind_dns_port(nsd_t)
|
|
corenet_udp_bind_dns_port(nsd_t)
|
|
+corenet_sendrecv_dns_server_packets(nsd_t)
|
|
|
|
dev_read_sysfs(nsd_t)
|
|
+dev_read_urand(nsd_t)
|
|
|
|
domain_use_interactive_fds(nsd_t)
|
|
|
|
files_read_etc_runtime_files(nsd_t)
|
|
+files_search_var_lib(nsd_t)
|
|
|
|
fs_getattr_all_fs(nsd_t)
|
|
fs_search_auto_mountpoints(nsd_t)
|
|
@@ -90,8 +84,6 @@ auth_use_nsswitch(nsd_t)
|
|
|
|
logging_send_syslog_msg(nsd_t)
|
|
|
|
-miscfiles_read_localization(nsd_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(nsd_t)
|
|
userdom_dontaudit_search_user_home_dirs(nsd_t)
|
|
|
|
@@ -105,23 +97,24 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Cron local policy
|
|
+# Zone update cron job local policy
|
|
#
|
|
|
|
+# kill capability for root cron job and non-root daemon
|
|
allow nsd_crond_t self:capability { dac_override kill };
|
|
dontaudit nsd_crond_t self:capability sys_nice;
|
|
allow nsd_crond_t self:process { setsched signal_perms };
|
|
allow nsd_crond_t self:fifo_file rw_fifo_file_perms;
|
|
+allow nsd_crond_t self:tcp_socket create_socket_perms;
|
|
+allow nsd_crond_t self:udp_socket create_socket_perms;
|
|
|
|
-allow nsd_crond_t nsd_t:process signal;
|
|
-ps_process_pattern(nsd_crond_t, nsd_t)
|
|
-
|
|
-allow nsd_crond_t nsd_conf_t:dir list_dir_perms;
|
|
allow nsd_crond_t nsd_conf_t:file read_file_perms;
|
|
-allow nsd_crond_t nsd_conf_t:lnk_file read_lnk_file_perms;
|
|
|
|
-allow nsd_crond_t nsd_db_t:file manage_file_perms;
|
|
-filetrans_pattern(nsd_crond_t, nsd_zone_t, nsd_db_t, file)
|
|
+files_search_var_lib(nsd_crond_t)
|
|
+
|
|
+allow nsd_crond_t nsd_t:process signal;
|
|
+
|
|
+ps_process_pattern(nsd_crond_t, nsd_t)
|
|
|
|
manage_files_pattern(nsd_crond_t, nsd_zone_t, nsd_zone_t)
|
|
filetrans_pattern(nsd_crond_t, nsd_conf_t, nsd_zone_t, file)
|
|
@@ -133,27 +126,27 @@ kernel_read_system_state(nsd_crond_t)
|
|
corecmd_exec_bin(nsd_crond_t)
|
|
corecmd_exec_shell(nsd_crond_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(nsd_crond_t)
|
|
corenet_all_recvfrom_netlabel(nsd_crond_t)
|
|
corenet_tcp_sendrecv_generic_if(nsd_crond_t)
|
|
+corenet_udp_sendrecv_generic_if(nsd_crond_t)
|
|
corenet_tcp_sendrecv_generic_node(nsd_crond_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(nsd_crond_t)
|
|
-corenet_tcp_connect_all_ports(nsd_crond_t)
|
|
+corenet_udp_sendrecv_generic_node(nsd_crond_t)
|
|
corenet_tcp_sendrecv_all_ports(nsd_crond_t)
|
|
+corenet_udp_sendrecv_all_ports(nsd_crond_t)
|
|
+corenet_tcp_connect_all_ports(nsd_crond_t)
|
|
+corenet_sendrecv_all_client_packets(nsd_crond_t)
|
|
|
|
dev_read_urand(nsd_crond_t)
|
|
|
|
domain_dontaudit_read_all_domains_state(nsd_crond_t)
|
|
|
|
files_read_etc_runtime_files(nsd_crond_t)
|
|
+files_search_var_lib(nsd_t)
|
|
|
|
auth_use_nsswitch(nsd_crond_t)
|
|
|
|
logging_send_syslog_msg(nsd_crond_t)
|
|
|
|
-miscfiles_read_localization(nsd_crond_t)
|
|
-
|
|
userdom_dontaudit_search_user_home_dirs(nsd_crond_t)
|
|
|
|
optional_policy(`
|
|
diff --git a/nslcd.fc b/nslcd.fc
|
|
index 402100e..ce913b2 100644
|
|
--- a/nslcd.fc
|
|
+++ b/nslcd.fc
|
|
@@ -1,7 +1,4 @@
|
|
-/etc/nss-ldapd\.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
|
|
-
|
|
-/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
|
|
-
|
|
-/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
|
|
-
|
|
-/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
|
|
+/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
|
|
+/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
|
|
+/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
|
|
+/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
|
|
diff --git a/nslcd.if b/nslcd.if
|
|
index 97df768..852d1c6 100644
|
|
--- a/nslcd.if
|
|
+++ b/nslcd.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>Local LDAP name service daemon.</summary>
|
|
+## <summary>nslcd - local LDAP name service daemon.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -15,7 +15,6 @@ interface(`nslcd_domtrans',`
|
|
type nslcd_t, nslcd_exec_t;
|
|
')
|
|
|
|
- corecmd_searh_bin($1)
|
|
domtrans_pattern($1, nslcd_exec_t, nslcd_t)
|
|
')
|
|
|
|
@@ -39,7 +38,7 @@ interface(`nslcd_initrc_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read nslcd pid files.
|
|
+## Read nslcd PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -58,8 +57,25 @@ interface(`nslcd_read_pid_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to nslcd over an unix
|
|
-## domain stream socket.
|
|
+## Dontaudit write to nslcd over an unix stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nslcd_dontaudit_write_ock_file',`
|
|
+ gen_require(`
|
|
+ type nslcd_var_run_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 nslcd_var_run_t:sock_file write;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Connect to nslcd over an unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -72,14 +88,33 @@ interface(`nslcd_stream_connect',`
|
|
type nslcd_t, nslcd_var_run_t;
|
|
')
|
|
|
|
- files_search_pids($1)
|
|
stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)
|
|
+ files_search_pids($1)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Do not audit attempts to write nslcd sock files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nslcd_dontaudit_write_sock_file',`
|
|
+ gen_require(`
|
|
+ type nslcd_t, nslcd_var_run_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 nslcd_t:sock_file write;
|
|
+ dontaudit $1 nslcd_var_run_t:sock_file write;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an nslcd environment.
|
|
+## All of the rules required to administrate
|
|
+## an nslcd environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -99,17 +134,21 @@ interface(`nslcd_admin',`
|
|
type nslcd_conf_t;
|
|
')
|
|
|
|
- allow $1 nslcd_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, nslcd_t)
|
|
+ allow $1 nslcd_t:process signal_perms;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 nslcd_t:process ptrace;
|
|
+ ')
|
|
|
|
+ # Allow nslcd_t to restart the apache service
|
|
nslcd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 nslcd_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_search_etc($1)
|
|
+ files_list_etc($1)
|
|
admin_pattern($1, nslcd_conf_t)
|
|
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, nslcd_var_run_t)
|
|
+ files_list_pids($1)
|
|
+ admin_pattern($1, nslcd_var_run_t, nslcd_var_run_t)
|
|
')
|
|
diff --git a/nslcd.te b/nslcd.te
|
|
index 421bf1a..b80dbe5 100644
|
|
--- a/nslcd.te
|
|
+++ b/nslcd.te
|
|
@@ -20,12 +20,12 @@ files_config_file(nslcd_conf_t)
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# nslcd local policy
|
|
#
|
|
|
|
-allow nslcd_t self:capability { setgid setuid dac_override };
|
|
-allow nslcd_t self:process signal;
|
|
-allow nslcd_t self:unix_stream_socket { accept listen };
|
|
+allow nslcd_t self:capability { dac_override setgid setuid sys_nice };
|
|
+allow nslcd_t self:process { setsched signal signull };
|
|
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
allow nslcd_t nslcd_conf_t:file read_file_perms;
|
|
|
|
@@ -36,14 +36,12 @@ files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
|
|
|
|
kernel_read_system_state(nslcd_t)
|
|
|
|
+dev_read_sysfs(nslcd_t)
|
|
+
|
|
corenet_all_recvfrom_unlabeled(nslcd_t)
|
|
corenet_all_recvfrom_netlabel(nslcd_t)
|
|
-corenet_tcp_sendrecv_generic_if(nslcd_t)
|
|
-corenet_tcp_sendrecv_generic_node(nslcd_t)
|
|
-
|
|
-corenet_sendrecv_ldap_client_packets(nslcd_t)
|
|
corenet_tcp_connect_ldap_port(nslcd_t)
|
|
-corenet_tcp_sendrecv_ldap_port(nslcd_t)
|
|
+corenet_sendrecv_ldap_client_packets(nslcd_t)
|
|
|
|
dev_read_sysfs(nslcd_t)
|
|
|
|
@@ -54,10 +52,14 @@ auth_use_nsswitch(nslcd_t)
|
|
|
|
logging_send_syslog_msg(nslcd_t)
|
|
|
|
-miscfiles_read_localization(nslcd_t)
|
|
|
|
userdom_read_user_tmp_files(nslcd_t)
|
|
|
|
optional_policy(`
|
|
+ dirsrv_stream_connect(nslcd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
ldap_stream_connect(nslcd_t)
|
|
')
|
|
+
|
|
diff --git a/nsplugin.fc b/nsplugin.fc
|
|
new file mode 100644
|
|
index 0000000..22e6c96
|
|
--- /dev/null
|
|
+++ b/nsplugin.fc
|
|
@@ -0,0 +1,11 @@
|
|
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
|
|
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
|
|
+HOME_DIR/\.gnash(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
|
|
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
|
|
+HOME_DIR/\.icedteaplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
|
|
+
|
|
+/usr/bin/nspluginscan -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
|
|
+/usr/bin/nspluginviewer -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
|
|
+/usr/lib/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
|
|
+/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
|
|
+/usr/lib/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0)
|
|
diff --git a/nsplugin.if b/nsplugin.if
|
|
new file mode 100644
|
|
index 0000000..16f4789
|
|
--- /dev/null
|
|
+++ b/nsplugin.if
|
|
@@ -0,0 +1,474 @@
|
|
+
|
|
+## <summary>policy for nsplugin</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## nsplugin rw files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_manage_rw_files',`
|
|
+ gen_require(`
|
|
+ type nsplugin_rw_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 nsplugin_rw_t:file manage_file_perms;
|
|
+ allow $1 nsplugin_rw_t:dir rw_dir_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage nsplugin rw files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_manage_rw',`
|
|
+ gen_require(`
|
|
+ type nsplugin_rw_t;
|
|
+ ')
|
|
+
|
|
+ manage_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
|
|
+ manage_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
|
|
+ manage_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## The per role template for the nsplugin module.
|
|
+## </summary>
|
|
+## <param name="user_role">
|
|
+## <summary>
|
|
+## The role associated with the user domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="user_domain">
|
|
+## <summary>
|
|
+## The type of the user domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_role_notrans',`
|
|
+ gen_require(`
|
|
+ type nsplugin_rw_t;
|
|
+ type nsplugin_home_t;
|
|
+ type nsplugin_exec_t;
|
|
+ type nsplugin_config_exec_t;
|
|
+ type nsplugin_t;
|
|
+ type nsplugin_config_t;
|
|
+ class x_drawable all_x_drawable_perms;
|
|
+ class x_resource all_x_resource_perms;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
+
|
|
+ role $1 types nsplugin_t;
|
|
+ role $1 types nsplugin_config_t;
|
|
+
|
|
+ allow nsplugin_t $2:process signull;
|
|
+ allow nsplugin_t $2:dbus send_msg;
|
|
+ allow $2 nsplugin_t:dbus send_msg;
|
|
+
|
|
+ list_dirs_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
|
|
+ read_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
|
|
+ read_lnk_files_pattern($2, nsplugin_rw_t, nsplugin_rw_t)
|
|
+ can_exec($2, nsplugin_rw_t)
|
|
+
|
|
+ #Leaked File Descriptors
|
|
+ifdef(`hide_broken_symptoms', `
|
|
+ dontaudit nsplugin_t $2:fifo_file rw_inherited_fifo_file_perms;
|
|
+ dontaudit nsplugin_config_t $2:fifo_file rw_inherited_fifo_file_perms;
|
|
+')
|
|
+ allow nsplugin_t $2:unix_stream_socket connectto;
|
|
+ dontaudit nsplugin_t $2:process ptrace;
|
|
+ allow nsplugin_t $2:sem rw_sem_perms;
|
|
+ allow nsplugin_t $2:shm rw_shm_perms;
|
|
+ dontaudit nsplugin_t $2:shm destroy;
|
|
+ allow $2 nsplugin_t:sem rw_sem_perms;
|
|
+
|
|
+ allow $2 nsplugin_t:process { getattr signal_perms };
|
|
+ allow $2 nsplugin_t:unix_stream_socket connectto;
|
|
+
|
|
+ # Connect to pulseaudit server
|
|
+ stream_connect_pattern(nsplugin_t, user_home_t, user_home_t, $2)
|
|
+ optional_policy(`
|
|
+ gnome_stream_connect(nsplugin_t, $2)
|
|
+ ')
|
|
+
|
|
+ userdom_use_inherited_user_terminals(nsplugin_t)
|
|
+ userdom_use_inherited_user_terminals(nsplugin_config_t)
|
|
+ userdom_dontaudit_setattr_user_home_content_files(nsplugin_t)
|
|
+ userdom_manage_tmpfs_role($1, nsplugin_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ pulseaudio_role($1, nsplugin_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Role access for nsplugin
|
|
+## </summary>
|
|
+## <param name="user_role">
|
|
+## <summary>
|
|
+## The role associated with the user domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="user_domain">
|
|
+## <summary>
|
|
+## The type of the user domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_role',`
|
|
+ gen_require(`
|
|
+ type nsplugin_exec_t;
|
|
+ type nsplugin_config_exec_t;
|
|
+ type nsplugin_t;
|
|
+ type nsplugin_config_t;
|
|
+ ')
|
|
+
|
|
+ nsplugin_role_notrans($1, $2)
|
|
+
|
|
+ domtrans_pattern($2, nsplugin_exec_t, nsplugin_t)
|
|
+ domtrans_pattern($2, nsplugin_config_exec_t, nsplugin_config_t)
|
|
+
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## The per role template for the nsplugin module.
|
|
+## </summary>
|
|
+## <param name="user_domain">
|
|
+## <summary>
|
|
+## The type of the user domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_domtrans',`
|
|
+ gen_require(`
|
|
+ type nsplugin_exec_t;
|
|
+ type nsplugin_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, nsplugin_exec_t, nsplugin_t)
|
|
+ allow $1 nsplugin_t:unix_stream_socket connectto;
|
|
+ allow nsplugin_t $1:process signal;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## The per role template for the nsplugin module.
|
|
+## </summary>
|
|
+## <param name="user_domain">
|
|
+## <summary>
|
|
+## The type of the user domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_domtrans_config',`
|
|
+ gen_require(`
|
|
+ type nsplugin_config_exec_t;
|
|
+ type nsplugin_config_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, nsplugin_config_exec_t, nsplugin_config_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search nsplugin rw directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_search_rw_dir',`
|
|
+ gen_require(`
|
|
+ type nsplugin_rw_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 nsplugin_rw_t:dir search_dir_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read nsplugin rw files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_read_rw_files',`
|
|
+ gen_require(`
|
|
+ type nsplugin_rw_t;
|
|
+ ')
|
|
+
|
|
+ list_dirs_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
|
|
+ read_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
|
|
+ read_lnk_files_pattern($1, nsplugin_rw_t, nsplugin_rw_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read nsplugin home files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_read_home',`
|
|
+ gen_require(`
|
|
+ type nsplugin_home_t;
|
|
+ ')
|
|
+
|
|
+ list_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
|
|
+ read_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
|
|
+ read_lnk_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Exec nsplugin rw files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_rw_exec',`
|
|
+ gen_require(`
|
|
+ type nsplugin_rw_t;
|
|
+ ')
|
|
+
|
|
+ can_exec($1, nsplugin_rw_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## nsplugin home files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_manage_home_files',`
|
|
+ gen_require(`
|
|
+ type nsplugin_home_t;
|
|
+ ')
|
|
+
|
|
+ manage_files_pattern($1, nsplugin_home_t, nsplugin_home_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## manage nnsplugin home dirs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_manage_home_dirs',`
|
|
+ gen_require(`
|
|
+ type nsplugin_home_t;
|
|
+ ')
|
|
+
|
|
+ manage_dirs_pattern($1, nsplugin_home_t, nsplugin_home_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow attempts to read and write to
|
|
+## nsplugin named pipes.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_rw_pipes',`
|
|
+ gen_require(`
|
|
+ type nsplugin_home_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 nsplugin_home_t:fifo_file rw_fifo_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read and write to nsplugin shared memory.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_rw_shm',`
|
|
+ gen_require(`
|
|
+ type nsplugin_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 nsplugin_t:shm rw_shm_perms;
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Allow read and write access to nsplugin semaphores.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_rw_semaphores',`
|
|
+ gen_require(`
|
|
+ type nsplugin_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 nsplugin_t:sem rw_sem_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute nsplugin_exec_t
|
|
+## in the specified domain.
|
|
+## </summary>
|
|
+## <desc>
|
|
+## <p>
|
|
+## Execute a nsplugin_exec_t
|
|
+## in the specified domain.
|
|
+## </p>
|
|
+## <p>
|
|
+## No interprocess communication (signals, pipes,
|
|
+## etc.) is provided by this interface since
|
|
+## the domains are not owned by this module.
|
|
+## </p>
|
|
+## </desc>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="target_domain">
|
|
+## <summary>
|
|
+## The type of the new process.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_exec_domtrans',`
|
|
+ gen_require(`
|
|
+ type nsplugin_exec_t;
|
|
+ ')
|
|
+
|
|
+ allow $2 nsplugin_exec_t:file entrypoint;
|
|
+ domtrans_pattern($1, nsplugin_exec_t, $2)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send generic signals to user nsplugin processes.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_signal',`
|
|
+ gen_require(`
|
|
+ type nsplugin_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 nsplugin_t:process signal;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create objects in a user home directory
|
|
+## with an automatic type transition to
|
|
+## the nsplugin home file type.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="object_class">
|
|
+## <summary>
|
|
+## The class of the object to be created.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_user_home_dir_filetrans',`
|
|
+ gen_require(`
|
|
+ type nsplugin_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_user_home_dir_filetrans($1, nsplugin_home_t, $2)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Create objects in a user home directory
|
|
+## with an automatic type transition to
|
|
+## the nsplugin home file type.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="object_class">
|
|
+## <summary>
|
|
+## The class of the object to be created.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_user_home_filetrans',`
|
|
+ gen_require(`
|
|
+ type nsplugin_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_user_home_content_filetrans($1, nsplugin_home_t, $2)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send signull signal to nsplugin
|
|
+## processes.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nsplugin_signull',`
|
|
+ gen_require(`
|
|
+ type nsplugin_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 nsplugin_t:process signull;
|
|
+')
|
|
diff --git a/nsplugin.te b/nsplugin.te
|
|
new file mode 100644
|
|
index 0000000..7d839fe
|
|
--- /dev/null
|
|
+++ b/nsplugin.te
|
|
@@ -0,0 +1,318 @@
|
|
+policy_module(nsplugin, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow nsplugin code to execmem/execstack
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(nsplugin_execmem, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow nsplugin code to connect to unreserved ports
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(nsplugin_can_network, true)
|
|
+
|
|
+type nsplugin_exec_t;
|
|
+application_executable_file(nsplugin_exec_t)
|
|
+
|
|
+type nsplugin_config_exec_t;
|
|
+application_executable_file(nsplugin_config_exec_t)
|
|
+
|
|
+type nsplugin_rw_t;
|
|
+files_poly_member(nsplugin_rw_t)
|
|
+files_type(nsplugin_rw_t)
|
|
+
|
|
+type nsplugin_tmp_t;
|
|
+files_tmp_file(nsplugin_tmp_t)
|
|
+
|
|
+type nsplugin_home_t;
|
|
+files_poly_member(nsplugin_home_t)
|
|
+userdom_user_home_content(nsplugin_home_t)
|
|
+typealias nsplugin_home_t alias user_nsplugin_home_t;
|
|
+
|
|
+type nsplugin_t;
|
|
+application_domain(nsplugin_t, nsplugin_exec_t)
|
|
+
|
|
+type nsplugin_config_t;
|
|
+domain_type(nsplugin_config_t)
|
|
+domain_entry_file(nsplugin_config_t, nsplugin_config_exec_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# nsplugin local policy
|
|
+#
|
|
+dontaudit nsplugin_t self:capability { sys_nice sys_tty_config };
|
|
+allow nsplugin_t self:fifo_file rw_file_perms;
|
|
+allow nsplugin_t self:process { setpgid getsched setsched signal_perms };
|
|
+
|
|
+allow nsplugin_t self:sem create_sem_perms;
|
|
+allow nsplugin_t self:shm create_shm_perms;
|
|
+allow nsplugin_t self:msgq create_msgq_perms;
|
|
+allow nsplugin_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
|
+allow nsplugin_t self:unix_dgram_socket { sendto create_socket_perms };
|
|
+allow nsplugin_t self:tcp_socket create_stream_socket_perms;
|
|
+allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
|
|
+read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
|
|
+read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
|
|
+
|
|
+tunable_policy(`nsplugin_execmem',`
|
|
+ allow nsplugin_t self:process { execstack execmem };
|
|
+ allow nsplugin_config_t self:process { execstack execmem };
|
|
+')
|
|
+
|
|
+tunable_policy(`nsplugin_can_network',`
|
|
+ corenet_tcp_connect_all_unreserved_ports(nsplugin_t)
|
|
+ corenet_tcp_connect_all_ephemeral_ports(nsplugin_t)
|
|
+')
|
|
+
|
|
+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
|
+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
|
+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
|
+manage_fifo_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
|
+manage_sock_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
|
+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
|
|
+userdom_user_home_dir_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
|
|
+userdom_user_home_content_filetrans(nsplugin_t, nsplugin_home_t, {file dir})
|
|
+userdom_dontaudit_getattr_user_home_content(nsplugin_t)
|
|
+userdom_dontaudit_search_user_bin_dirs(nsplugin_t)
|
|
+userdom_dontaudit_write_user_home_content_files(nsplugin_t)
|
|
+userdom_dontaudit_search_admin_dir(nsplugin_t)
|
|
+
|
|
+corecmd_exec_bin(nsplugin_t)
|
|
+corecmd_exec_shell(nsplugin_t)
|
|
+
|
|
+corenet_all_recvfrom_netlabel(nsplugin_t)
|
|
+corenet_tcp_connect_flash_port(nsplugin_t)
|
|
+corenet_tcp_connect_ms_streaming_port(nsplugin_t)
|
|
+corenet_tcp_connect_rtsp_port(nsplugin_t)
|
|
+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
|
|
+corenet_tcp_connect_http_port(nsplugin_t)
|
|
+corenet_tcp_connect_http_cache_port(nsplugin_t)
|
|
+corenet_tcp_connect_squid_port(nsplugin_t)
|
|
+corenet_tcp_sendrecv_generic_if(nsplugin_t)
|
|
+corenet_tcp_sendrecv_generic_node(nsplugin_t)
|
|
+corenet_tcp_connect_ipp_port(nsplugin_t)
|
|
+corenet_tcp_connect_speech_port(nsplugin_t)
|
|
+
|
|
+domain_dontaudit_read_all_domains_state(nsplugin_t)
|
|
+
|
|
+dev_read_urand(nsplugin_t)
|
|
+dev_read_rand(nsplugin_t)
|
|
+dev_read_sound(nsplugin_t)
|
|
+dev_write_sound(nsplugin_t)
|
|
+dev_read_video_dev(nsplugin_t)
|
|
+dev_write_video_dev(nsplugin_t)
|
|
+dev_getattr_dri_dev(nsplugin_t)
|
|
+dev_getattr_mouse_dev(nsplugin_t)
|
|
+dev_rwx_zero(nsplugin_t)
|
|
+dev_read_sysfs(nsplugin_t)
|
|
+dev_dontaudit_getattr_all(nsplugin_t)
|
|
+
|
|
+kernel_read_kernel_sysctls(nsplugin_t)
|
|
+kernel_read_system_state(nsplugin_t)
|
|
+kernel_read_network_state(nsplugin_t)
|
|
+
|
|
+files_dontaudit_getattr_lost_found_dirs(nsplugin_t)
|
|
+files_dontaudit_list_home(nsplugin_t)
|
|
+files_read_config_files(nsplugin_t)
|
|
+
|
|
+fs_getattr_tmpfs(nsplugin_t)
|
|
+fs_getattr_xattr_fs(nsplugin_t)
|
|
+fs_search_auto_mountpoints(nsplugin_t)
|
|
+fs_rw_anon_inodefs_files(nsplugin_t)
|
|
+fs_list_inotifyfs(nsplugin_t)
|
|
+fs_dontaudit_list_fusefs(nsplugin_t)
|
|
+
|
|
+storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
|
|
+storage_dontaudit_getattr_removable_dev(nsplugin_t)
|
|
+
|
|
+term_dontaudit_getattr_all_ptys(nsplugin_t)
|
|
+term_dontaudit_getattr_all_ttys(nsplugin_t)
|
|
+
|
|
+auth_use_nsswitch(nsplugin_t)
|
|
+
|
|
+libs_exec_ld_so(nsplugin_t)
|
|
+
|
|
+miscfiles_read_fonts(nsplugin_t)
|
|
+miscfiles_dontaudit_write_fonts(nsplugin_t)
|
|
+miscfiles_setattr_fonts_cache_dirs(nsplugin_t)
|
|
+
|
|
+userdom_manage_user_tmp_dirs(nsplugin_t)
|
|
+userdom_manage_user_tmp_files(nsplugin_t)
|
|
+userdom_manage_user_tmp_sockets(nsplugin_t)
|
|
+userdom_tmp_filetrans_user_tmp(nsplugin_t, { file dir sock_file })
|
|
+userdom_rw_semaphores(nsplugin_t)
|
|
+userdom_dontaudit_rw_user_tmp_pipes(nsplugin_t)
|
|
+
|
|
+userdom_read_user_home_content_symlinks(nsplugin_t)
|
|
+userdom_read_user_home_content_files(nsplugin_t)
|
|
+userdom_read_user_tmp_files(nsplugin_t)
|
|
+userdom_write_user_tmp_sockets(nsplugin_t)
|
|
+userdom_dontaudit_append_user_home_content_files(nsplugin_t)
|
|
+userdom_read_home_audio_files(nsplugin_t)
|
|
+
|
|
+optional_policy(`
|
|
+ alsa_read_rw_config(nsplugin_t)
|
|
+ alsa_read_home_files(nsplugin_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ chrome_dontaudit_sandbox_leaks(nsplugin_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ cups_stream_connect(nsplugin_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dbus_session_bus_client(nsplugin_t)
|
|
+ dbus_connect_session_bus(nsplugin_t)
|
|
+ dbus_system_bus_client(nsplugin_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ gnome_exec_gconf(nsplugin_t)
|
|
+ gnome_manage_config(nsplugin_t)
|
|
+ gnome_read_gconf_home_files(nsplugin_t)
|
|
+ gnome_read_usr_config(nsplugin_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ gpm_getattr_gpmctl(nsplugin_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mozilla_exec_user_home_files(nsplugin_t)
|
|
+ mozilla_read_user_home_files(nsplugin_t)
|
|
+ mozilla_write_user_home_files(nsplugin_t)
|
|
+ mozilla_plugin_delete_tmpfs_files(nsplugin_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mplayer_exec(nsplugin_t)
|
|
+ mplayer_read_user_home_files(nsplugin_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ sandbox_read_tmpfs_files(nsplugin_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ gen_require(`
|
|
+ type user_tmpfs_t;
|
|
+ ')
|
|
+ xserver_user_x_domain_template(nsplugin, nsplugin_t, user_tmpfs_t)
|
|
+ xserver_rw_shm(nsplugin_t)
|
|
+ xserver_read_xdm_pid(nsplugin_t)
|
|
+ xserver_read_xdm_tmp_files(nsplugin_t)
|
|
+ xserver_read_user_xauth(nsplugin_t)
|
|
+ xserver_read_user_iceauth(nsplugin_t)
|
|
+ xserver_use_user_fonts(nsplugin_t)
|
|
+ xserver_rw_inherited_user_fonts(nsplugin_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# nsplugin_config local policy
|
|
+#
|
|
+
|
|
+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
|
|
+allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };
|
|
+#execing pulseaudio
|
|
+dontaudit nsplugin_t self:process { getcap setcap };
|
|
+
|
|
+allow nsplugin_config_t self:fifo_file rw_file_perms;
|
|
+allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+dev_search_sysfs(nsplugin_config_t)
|
|
+dev_read_urand(nsplugin_config_t)
|
|
+dev_dontaudit_read_rand(nsplugin_config_t)
|
|
+dev_dontaudit_rw_dri(nsplugin_config_t)
|
|
+
|
|
+fs_search_auto_mountpoints(nsplugin_config_t)
|
|
+fs_list_inotifyfs(nsplugin_config_t)
|
|
+
|
|
+can_exec(nsplugin_config_t, nsplugin_rw_t)
|
|
+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
|
+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
|
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
|
|
+
|
|
+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
|
+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
|
+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
|
|
+
|
|
+corecmd_exec_bin(nsplugin_config_t)
|
|
+corecmd_exec_shell(nsplugin_config_t)
|
|
+
|
|
+kernel_read_system_state(nsplugin_config_t)
|
|
+kernel_request_load_module(nsplugin_config_t)
|
|
+
|
|
+domain_use_interactive_fds(nsplugin_config_t)
|
|
+
|
|
+files_dontaudit_search_home(nsplugin_config_t)
|
|
+files_list_tmp(nsplugin_config_t)
|
|
+
|
|
+auth_use_nsswitch(nsplugin_config_t)
|
|
+
|
|
+miscfiles_read_fonts(nsplugin_config_t)
|
|
+
|
|
+userdom_search_user_home_content(nsplugin_config_t)
|
|
+userdom_read_user_home_content_symlinks(nsplugin_config_t)
|
|
+userdom_read_user_home_content_files(nsplugin_config_t)
|
|
+userdom_dontaudit_search_admin_dir(nsplugin_config_t)
|
|
+
|
|
+tunable_policy(`use_nfs_home_dirs',`
|
|
+ fs_getattr_nfs(nsplugin_t)
|
|
+ fs_manage_nfs_dirs(nsplugin_t)
|
|
+ fs_manage_nfs_files(nsplugin_t)
|
|
+ fs_manage_nfs_symlinks(nsplugin_t)
|
|
+ fs_manage_nfs_named_pipes(nsplugin_t)
|
|
+ fs_manage_nfs_dirs(nsplugin_config_t)
|
|
+ fs_manage_nfs_files(nsplugin_config_t)
|
|
+ fs_manage_nfs_named_pipes(nsplugin_config_t)
|
|
+ fs_manage_nfs_symlinks(nsplugin_config_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`use_samba_home_dirs',`
|
|
+ fs_getattr_cifs(nsplugin_t)
|
|
+ fs_manage_cifs_dirs(nsplugin_t)
|
|
+ fs_manage_cifs_files(nsplugin_t)
|
|
+ fs_manage_cifs_symlinks(nsplugin_t)
|
|
+ fs_manage_cifs_named_pipes(nsplugin_t)
|
|
+ fs_manage_cifs_dirs(nsplugin_config_t)
|
|
+ fs_manage_cifs_files(nsplugin_config_t)
|
|
+ fs_manage_cifs_named_pipes(nsplugin_config_t)
|
|
+ fs_manage_cifs_symlinks(nsplugin_config_t)
|
|
+')
|
|
+
|
|
+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, nsplugin_t)
|
|
+
|
|
+optional_policy(`
|
|
+ xserver_use_user_fonts(nsplugin_config_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mozilla_read_user_home_files(nsplugin_config_t)
|
|
+ mozilla_write_user_home_files(nsplugin_config_t)
|
|
+')
|
|
+
|
|
+application_signull(nsplugin_t)
|
|
+
|
|
+optional_policy(`
|
|
+ devicekit_dbus_chat_power(nsplugin_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ pulseaudio_exec(nsplugin_t)
|
|
+ pulseaudio_stream_connect(nsplugin_t)
|
|
+ pulseaudio_manage_home_files(nsplugin_t)
|
|
+ pulseaudio_setattr_home_dir(nsplugin_t)
|
|
+')
|
|
diff --git a/ntop.te b/ntop.te
|
|
index 8ec7859..719cffd 100644
|
|
--- a/ntop.te
|
|
+++ b/ntop.te
|
|
@@ -33,6 +33,7 @@ allow ntop_t self:capability { net_raw setgid setuid sys_admin net_admin };
|
|
dontaudit ntop_t self:capability sys_tty_config;
|
|
allow ntop_t self:process signal_perms;
|
|
allow ntop_t self:fifo_file rw_fifo_file_perms;
|
|
+allow ntop_t self:netlink_socket create_socket_perms;
|
|
allow ntop_t self:tcp_socket { accept listen };
|
|
allow ntop_t self:unix_stream_socket { accept listen };
|
|
allow ntop_t self:packet_socket create_socket_perms;
|
|
@@ -58,7 +59,6 @@ kernel_read_system_state(ntop_t)
|
|
kernel_read_network_state(ntop_t)
|
|
kernel_read_kernel_sysctls(ntop_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(ntop_t)
|
|
corenet_all_recvfrom_netlabel(ntop_t)
|
|
corenet_tcp_sendrecv_generic_if(ntop_t)
|
|
corenet_raw_sendrecv_generic_if(ntop_t)
|
|
@@ -78,10 +78,11 @@ corenet_tcp_sendrecv_http_port(ntop_t)
|
|
|
|
dev_read_sysfs(ntop_t)
|
|
dev_rw_generic_usb_dev(ntop_t)
|
|
+dev_read_usbmon_dev(ntop_t)
|
|
+dev_write_usbmon_dev(ntop_t)
|
|
|
|
domain_use_interactive_fds(ntop_t)
|
|
|
|
-files_read_usr_files(ntop_t)
|
|
|
|
fs_getattr_all_fs(ntop_t)
|
|
fs_search_auto_mountpoints(ntop_t)
|
|
diff --git a/ntp.fc b/ntp.fc
|
|
index af3c91e..6882a3f 100644
|
|
--- a/ntp.fc
|
|
+++ b/ntp.fc
|
|
@@ -13,6 +13,8 @@
|
|
/usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
|
|
/usr/sbin/sntp -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/ntpd.* -- gen_context(system_u:object_r:ntpd_unit_file_t,s0)
|
|
+
|
|
/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
|
|
/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
|
|
|
|
diff --git a/ntp.if b/ntp.if
|
|
index e96a309..c6d1b01 100644
|
|
--- a/ntp.if
|
|
+++ b/ntp.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>Network time protocol daemon.</summary>
|
|
+## <summary>Network time protocol daemon</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -37,6 +37,25 @@ interface(`ntp_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Execute ntp server in the caller domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ntp_exec',`
|
|
+ gen_require(`
|
|
+ type ntpd_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ can_exec($1, ntpd_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Execute ntp in the ntp domain, and
|
|
## allow the specified role the ntp domain.
|
|
## </summary>
|
|
@@ -54,11 +73,11 @@ interface(`ntp_domtrans',`
|
|
#
|
|
interface(`ntp_run',`
|
|
gen_require(`
|
|
- attribute_role ntpd_roles;
|
|
+ type ntpd_t;
|
|
')
|
|
|
|
ntp_domtrans($1)
|
|
- roleattribute $2 ntpd_roles;
|
|
+ role $2 types ntpd_t;
|
|
')
|
|
|
|
########################################
|
|
@@ -98,6 +117,48 @@ interface(`ntp_initrc_domtrans',`
|
|
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
|
|
')
|
|
|
|
+#####################################
|
|
+## <summary>
|
|
+## Allow domain to read ntpd systemd unit files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ntp_read_unit_file',`
|
|
+ gen_require(`
|
|
+ type ntpd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ allow $1 ntpd_unit_file_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute ntpd server in the ntpd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ntp_systemctl',`
|
|
+ gen_require(`
|
|
+ type ntpd_unit_file_t;
|
|
+ type ntpd_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 ntpd_unit_file_t:file read_file_perms;
|
|
+ allow $1 ntpd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, ntpd_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## Read ntp drift files.
|
|
@@ -141,8 +202,27 @@ interface(`ntp_rw_shm',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an ntp environment.
|
|
+## Allow the domain to read ntpd state files in /proc.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ntp_read_state',`
|
|
+ gen_require(`
|
|
+ type ntpd_t;
|
|
+ ')
|
|
+
|
|
+ kernel_search_proc($1)
|
|
+ ps_process_pattern($1, ntpd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an ntp environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -151,28 +231,32 @@ interface(`ntp_rw_shm',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the ntp domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`ntp_admin',`
|
|
gen_require(`
|
|
- type ntpd_t, ntpd_tmp_t, ntpd_log_t;
|
|
- type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
|
|
- type ntpd_initrc_exec_t, ntp_drift_t;
|
|
+ type ntpd_t, ntpd_tmp_t, ntpd_log_t, ntp_drift_t;
|
|
+ type ntpd_key_t, ntpd_var_run_t, ntpd_initrc_exec_t;
|
|
+ type ntpd_unit_file_t;
|
|
')
|
|
|
|
- allow $1 ntpd_t:process { ptrace signal_perms };
|
|
+ allow $1 ntpd_t:process signal_perms;
|
|
ps_process_pattern($1, ntpd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ntpd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 ntpd_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
files_list_etc($1)
|
|
- admin_pattern($1, { ntpd_key_t ntp_conf_t })
|
|
+ admin_pattern($1, ntpd_key_t)
|
|
|
|
logging_list_logs($1)
|
|
admin_pattern($1, ntpd_log_t)
|
|
@@ -186,5 +270,28 @@ interface(`ntp_admin',`
|
|
files_list_pids($1)
|
|
admin_pattern($1, ntpd_var_run_t)
|
|
|
|
- ntp_run($1, $2)
|
|
+ ntp_systemctl($1)
|
|
+ admin_pattern($1, ntpd_unit_file_t)
|
|
+ allow $1 ntpd_unit_file_t:service all_service_perms;
|
|
+
|
|
+ ntp_filetrans_named_content($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition content labels to ntp named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ntp_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type ntp_conf_t;
|
|
+ ')
|
|
+
|
|
+ files_etc_filetrans($1, ntp_conf_t, file, "ntpd.conf")
|
|
+ files_etc_filetrans($1, ntp_conf_t, dir, "ntp")
|
|
')
|
|
diff --git a/ntp.te b/ntp.te
|
|
index f81b113..8d889d8 100644
|
|
--- a/ntp.te
|
|
+++ b/ntp.te
|
|
@@ -18,6 +18,9 @@ role ntpd_roles types ntpd_t;
|
|
type ntpd_initrc_exec_t;
|
|
init_script_file(ntpd_initrc_exec_t)
|
|
|
|
+type ntpd_unit_file_t;
|
|
+systemd_unit_file(ntpd_unit_file_t)
|
|
+
|
|
type ntp_conf_t;
|
|
files_config_file(ntp_conf_t)
|
|
|
|
@@ -60,9 +63,7 @@ read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
|
|
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
|
|
|
|
allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
|
|
-append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
|
|
-create_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
|
|
-setattr_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
|
|
+manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
|
|
logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
|
|
|
|
manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
|
|
@@ -83,21 +84,16 @@ kernel_read_system_state(ntpd_t)
|
|
kernel_read_network_state(ntpd_t)
|
|
kernel_request_load_module(ntpd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(ntpd_t)
|
|
corenet_all_recvfrom_netlabel(ntpd_t)
|
|
corenet_tcp_sendrecv_generic_if(ntpd_t)
|
|
corenet_udp_sendrecv_generic_if(ntpd_t)
|
|
corenet_tcp_sendrecv_generic_node(ntpd_t)
|
|
corenet_udp_sendrecv_generic_node(ntpd_t)
|
|
corenet_udp_bind_generic_node(ntpd_t)
|
|
-
|
|
-corenet_sendrecv_ntp_server_packets(ntpd_t)
|
|
corenet_udp_bind_ntp_port(ntpd_t)
|
|
-corenet_udp_sendrecv_ntp_port(ntpd_t)
|
|
-
|
|
-corenet_sendrecv_ntp_client_packets(ntpd_t)
|
|
corenet_tcp_connect_ntp_port(ntpd_t)
|
|
-corenet_tcp_sendrecv_ntp_port(ntpd_t)
|
|
+corenet_sendrecv_ntp_server_packets(ntpd_t)
|
|
+corenet_sendrecv_ntp_client_packets(ntpd_t)
|
|
|
|
corecmd_exec_bin(ntpd_t)
|
|
corecmd_exec_shell(ntpd_t)
|
|
@@ -110,13 +106,15 @@ domain_use_interactive_fds(ntpd_t)
|
|
domain_dontaudit_list_all_domains_state(ntpd_t)
|
|
|
|
files_read_etc_runtime_files(ntpd_t)
|
|
-files_read_usr_files(ntpd_t)
|
|
files_list_var_lib(ntpd_t)
|
|
|
|
fs_getattr_all_fs(ntpd_t)
|
|
fs_search_auto_mountpoints(ntpd_t)
|
|
+# Necessary to communicate with gpsd devices
|
|
+fs_rw_tmpfs_files(ntpd_t)
|
|
|
|
term_use_ptmx(ntpd_t)
|
|
+term_use_unallocated_ttys(ntpd_t)
|
|
|
|
auth_use_nsswitch(ntpd_t)
|
|
|
|
@@ -124,8 +122,6 @@ init_exec_script_files(ntpd_t)
|
|
|
|
logging_send_syslog_msg(ntpd_t)
|
|
|
|
-miscfiles_read_localization(ntpd_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
|
|
userdom_list_user_home_dirs(ntpd_t)
|
|
|
|
diff --git a/numad.fc b/numad.fc
|
|
index 3488bb0..1f97624 100644
|
|
--- a/numad.fc
|
|
+++ b/numad.fc
|
|
@@ -1,7 +1,7 @@
|
|
-/etc/rc\.d/init\.d/numad -- gen_context(system_u:object_r:numad_initrc_exec_t,s0)
|
|
+/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0)
|
|
|
|
-/usr/bin/numad -- gen_context(system_u:object_r:numad_exec_t,s0)
|
|
+/usr/lib/systemd/system/numad.* -- gen_context(system_u:object_r:numad_unit_file_t,s0)
|
|
|
|
-/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_log_t,s0)
|
|
+/var/log/numad\.log.* -- gen_context(system_u:object_r:numad_var_log_t,s0)
|
|
|
|
-/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0)
|
|
+/var/run/numad\.pid -- gen_context(system_u:object_r:numad_var_run_t,s0)
|
|
diff --git a/numad.if b/numad.if
|
|
index 0d3c270..709dda1 100644
|
|
--- a/numad.if
|
|
+++ b/numad.if
|
|
@@ -1,39 +1,72 @@
|
|
-## <summary>Non-Uniform Memory Alignment Daemon.</summary>
|
|
|
|
+## <summary>policy for numad</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to numad.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`numad_domtrans',`
|
|
+ gen_require(`
|
|
+ type numad_t, numad_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, numad_exec_t, numad_t)
|
|
+')
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an numad environment.
|
|
+## Execute numad server in the numad domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+#
|
|
+interface(`numad_systemctl',`
|
|
+ gen_require(`
|
|
+ type numad_t;
|
|
+ type numad_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ allow $1 numad_unit_file_t:file read_file_perms;
|
|
+ allow $1 numad_unit_file_t:service all_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, numad_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an numad environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
interface(`numad_admin',`
|
|
gen_require(`
|
|
- type numad_t, numad_initrc_exec_t, numad_log_t;
|
|
- type numad_var_run_t;
|
|
+ type numad_t;
|
|
+ type numad_unit_file_t;
|
|
')
|
|
|
|
allow $1 numad_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, numad_t)
|
|
|
|
- init_labeled_script_domtrans($1, numad_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 numad_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
-
|
|
- logging_search_logs($1)
|
|
- admin_pattern($1, numad_log_t)
|
|
-
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, numad_var_run_t)
|
|
+ numad_systemctl($1)
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
')
|
|
diff --git a/numad.te b/numad.te
|
|
index b0a1be4..239f27a 100644
|
|
--- a/numad.te
|
|
+++ b/numad.te
|
|
@@ -8,29 +8,29 @@ policy_module(numad, 1.1.0)
|
|
type numad_t;
|
|
type numad_exec_t;
|
|
init_daemon_domain(numad_t, numad_exec_t)
|
|
-application_executable_file(numad_exec_t)
|
|
|
|
-type numad_initrc_exec_t;
|
|
-init_script_file(numad_initrc_exec_t)
|
|
+type numad_unit_file_t;
|
|
+systemd_unit_file(numad_unit_file_t)
|
|
|
|
-type numad_log_t;
|
|
-logging_log_file(numad_log_t)
|
|
+type numad_var_log_t;
|
|
+logging_log_file(numad_var_log_t)
|
|
|
|
type numad_var_run_t;
|
|
files_pid_file(numad_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# numad local policy
|
|
#
|
|
|
|
+allow numad_t self:capability sys_ptrace;
|
|
allow numad_t self:fifo_file rw_fifo_file_perms;
|
|
-allow numad_t self:msg { send receive };
|
|
allow numad_t self:msgq create_msgq_perms;
|
|
+allow numad_t self:msg { send receive };
|
|
allow numad_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
-allow numad_t numad_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
|
-logging_log_filetrans(numad_t, numad_log_t, file)
|
|
+manage_files_pattern(numad_t, numad_var_log_t, numad_var_log_t)
|
|
+logging_log_filetrans(numad_t, numad_var_log_t, file)
|
|
|
|
manage_files_pattern(numad_t, numad_var_run_t, numad_var_run_t)
|
|
files_pid_filetrans(numad_t, numad_var_run_t, file)
|
|
@@ -39,6 +39,13 @@ kernel_read_system_state(numad_t)
|
|
|
|
dev_read_sysfs(numad_t)
|
|
|
|
-files_read_etc_files(numad_t)
|
|
+domain_use_interactive_fds(numad_t)
|
|
+domain_read_all_domains_state(numad_t)
|
|
+domain_setpriority_all_domains(numad_t)
|
|
+
|
|
+fs_manage_cgroup_dirs(numad_t)
|
|
+fs_rw_cgroup_files(numad_t)
|
|
|
|
-miscfiles_read_localization(numad_t)
|
|
+tunable_policy(`deny_ptrace',`',`
|
|
+ virt_ptrace(numad_t)
|
|
+')
|
|
diff --git a/nut.fc b/nut.fc
|
|
index 379af96..41ff159 100644
|
|
--- a/nut.fc
|
|
+++ b/nut.fc
|
|
@@ -1,23 +1,16 @@
|
|
-/etc/nut(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
|
|
-/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
|
|
+/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
|
|
|
|
-/etc/rc\.d/init\.d/nut-driver -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
|
|
-/etc/rc\.d/init\.d/nut-server -- gen_context(system_u:object_r:nut_initrc_exec_t,s0)
|
|
-
|
|
-/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
|
|
/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
|
|
-/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
|
|
|
|
-/usr/lib/cgi-bin/nut/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
|
|
-/usr/lib/cgi-bin/nut/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
|
|
-/usr/lib/cgi-bin/nut/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
|
|
+/usr/lib/systemd/system/nut.* -- gen_context(system_u:object_r:nut_unit_file_t,s0)
|
|
|
|
/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
|
|
/usr/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
|
|
-/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
|
|
+/usr/sbin/blazer_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
|
|
+/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
|
|
|
|
/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
|
|
|
|
-/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
|
|
-/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
|
|
-/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
|
|
+/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
|
|
+/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
|
|
+/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
|
|
diff --git a/nut.if b/nut.if
|
|
index 57c0161..54bd4d7 100644
|
|
--- a/nut.if
|
|
+++ b/nut.if
|
|
@@ -1,39 +1,24 @@
|
|
-## <summary>Network UPS Tools </summary>
|
|
+## <summary>nut - Network UPS Tools </summary>
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an nut environment.
|
|
+## Execute swift server in the swift domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`nut_admin',`
|
|
- gen_require(`
|
|
- attribute nut_domain;
|
|
- type nut_initrc_exec_t, nut_var_run_t, nut_conf_t;
|
|
- ')
|
|
-
|
|
- allow $1 nut_domain:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, nut_domain_t)
|
|
-
|
|
- init_labeled_script_domtrans($1, nut_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 nut_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
+interface(`nut_systemctl',`
|
|
+ gen_require(`
|
|
+ type nut_t;
|
|
+ type nut_unit_file_t;
|
|
+ ')
|
|
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, nut_conf_t)
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 nut_unit_file_t:file read_file_perms;
|
|
+ allow $1 nut_unit_file_t:service manage_service_perms;
|
|
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, nut_var_run_t)
|
|
+ ps_process_pattern($1, swift_t)
|
|
')
|
|
diff --git a/nut.te b/nut.te
|
|
index 5b2cb0d..1701352 100644
|
|
--- a/nut.te
|
|
+++ b/nut.te
|
|
@@ -22,116 +22,126 @@ type nut_upsdrvctl_t, nut_domain;
|
|
type nut_upsdrvctl_exec_t;
|
|
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
|
|
|
|
-type nut_initrc_exec_t;
|
|
-init_script_file(nut_initrc_exec_t)
|
|
-
|
|
type nut_var_run_t;
|
|
files_pid_file(nut_var_run_t)
|
|
-init_daemon_run_dir(nut_var_run_t, "nut")
|
|
|
|
-########################################
|
|
+type nut_unit_file_t;
|
|
+systemd_unit_file(nut_unit_file_t)
|
|
+
|
|
+#######################################
|
|
#
|
|
-# Common nut domain local policy
|
|
+# Local policy for upsd
|
|
#
|
|
|
|
-allow nut_domain self:capability { setgid setuid dac_override kill };
|
|
-allow nut_domain self:process signal_perms;
|
|
-allow nut_domain self:fifo_file rw_fifo_file_perms;
|
|
-allow nut_domain self:unix_dgram_socket sendto;
|
|
-
|
|
-allow nut_domain nut_conf_t:dir list_dir_perms;
|
|
-allow nut_domain nut_conf_t:file read_file_perms;
|
|
-allow nut_domain nut_conf_t:lnk_file read_lnk_file_perms;
|
|
-
|
|
-manage_files_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
|
|
-manage_dirs_pattern(nut_domain, nut_var_run_t, nut_var_run_t)
|
|
-files_pid_filetrans(nut_domain, nut_var_run_t, { dir file })
|
|
-
|
|
-kernel_read_kernel_sysctls(nut_domain)
|
|
-
|
|
-logging_send_syslog_msg(nut_domain)
|
|
-
|
|
-miscfiles_read_localization(nut_domain)
|
|
+allow nut_domain self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
########################################
|
|
#
|
|
-# Upsd local policy
|
|
+# Local policy for upsd
|
|
#
|
|
|
|
-allow nut_upsd_t self:tcp_socket { accept listen };
|
|
+allow nut_upsd_t self:capability { setgid setuid dac_override };
|
|
+allow nut_upsd_t self:process signal_perms;
|
|
|
|
-manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
|
|
-files_pid_filetrans(nut_upsd_t, nut_var_run_t, sock_file)
|
|
+allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
+allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
|
|
|
|
-stream_connect_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t, nut_upsdrvctl_t)
|
|
+allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
|
|
|
|
-corenet_all_recvfrom_unlabeled(nut_upsd_t)
|
|
-corenet_all_recvfrom_netlabel(nut_upsd_t)
|
|
-corenet_tcp_sendrecv_generic_if(nut_upsd_t)
|
|
-corenet_tcp_sendrecv_generic_node(nut_upsd_t)
|
|
-corenet_tcp_sendrecv_all_ports(nut_upsd_t)
|
|
-corenet_tcp_bind_generic_node(nut_upsd_t)
|
|
+read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
|
|
|
|
-corenet_sendrecv_ups_server_packets(nut_upsd_t)
|
|
-corenet_tcp_bind_ups_port(nut_upsd_t)
|
|
+# pid file
|
|
+manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
|
|
+manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
|
|
+manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
|
|
+files_pid_filetrans(nut_upsd_t, nut_var_run_t, { dir file sock_file })
|
|
|
|
-corenet_sendrecv_generic_server_packets(nut_upsd_t)
|
|
-corenet_tcp_bind_generic_port(nut_upsd_t)
|
|
+kernel_read_kernel_sysctls(nut_upsd_t)
|
|
|
|
-files_read_usr_files(nut_upsd_t)
|
|
+corenet_tcp_bind_ups_port(nut_upsd_t)
|
|
+corenet_tcp_bind_generic_port(nut_upsd_t)
|
|
+corenet_tcp_bind_all_nodes(nut_upsd_t)
|
|
|
|
auth_use_nsswitch(nut_upsd_t)
|
|
|
|
+logging_send_syslog_msg(nut_upsd_t)
|
|
+
|
|
########################################
|
|
#
|
|
-# Upsmon local policy
|
|
+# Local policy for upsmon
|
|
#
|
|
|
|
-allow nut_upsmon_t self:capability dac_read_search;
|
|
-allow nut_upsmon_t self:unix_stream_socket connectto;
|
|
+allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
|
|
+allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
|
|
+allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
+allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
|
|
+allow nut_upsmon_t self:tcp_socket create_socket_perms;
|
|
+
|
|
+read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
|
|
|
|
+# pid file
|
|
+manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
|
|
+manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
|
|
+files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file)
|
|
+
|
|
+kernel_read_kernel_sysctls(nut_upsmon_t)
|
|
kernel_read_system_state(nut_upsmon_t)
|
|
|
|
corecmd_exec_bin(nut_upsmon_t)
|
|
corecmd_exec_shell(nut_upsmon_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(nut_upsmon_t)
|
|
-corenet_all_recvfrom_netlabel(nut_upsmon_t)
|
|
-corenet_tcp_sendrecv_generic_if(nut_upsmon_t)
|
|
-corenet_tcp_sendrecv_generic_node(nut_upsmon_t)
|
|
-corenet_tcp_sendrecv_all_ports(nut_upsmon_t)
|
|
-corenet_tcp_bind_generic_node(nut_upsmon_t)
|
|
-
|
|
-corenet_sendrecv_ups_client_packets(nut_upsmon_t)
|
|
corenet_tcp_connect_ups_port(nut_upsmon_t)
|
|
-
|
|
-corenet_sendrecv_generic_client_packets(nut_upsmon_t)
|
|
corenet_tcp_connect_generic_port(nut_upsmon_t)
|
|
|
|
+# Creates /etc/killpower
|
|
files_manage_etc_runtime_files(nut_upsmon_t)
|
|
files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
|
|
files_search_usr(nut_upsmon_t)
|
|
|
|
+# /usr/bin/wall
|
|
term_write_all_terms(nut_upsmon_t)
|
|
|
|
+# upsmon runs shutdown, probably need a shutdown domain
|
|
+init_rw_utmp(nut_upsmon_t)
|
|
+init_telinit(nut_upsmon_t)
|
|
+
|
|
+logging_send_syslog_msg(nut_upsmon_t)
|
|
+
|
|
auth_use_nsswitch(nut_upsmon_t)
|
|
|
|
mta_send_mail(nut_upsmon_t)
|
|
|
|
+systemd_start_power_services(nut_upsmon_t)
|
|
+
|
|
optional_policy(`
|
|
shutdown_domtrans(nut_upsmon_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Upsdrvctl local policy
|
|
+# Local policy for upsdrvctl
|
|
#
|
|
|
|
+allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
|
|
+allow nut_upsdrvctl_t self:process { sigchld signal signull };
|
|
allow nut_upsdrvctl_t self:fd use;
|
|
+allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
|
|
+allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
+allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
|
|
+
|
|
+can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
|
|
|
|
+read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
|
|
+
|
|
+# pid file
|
|
+manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
|
|
+manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
|
|
manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
|
|
-files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, sock_file)
|
|
+files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })
|
|
+
|
|
+kernel_read_kernel_sysctls(nut_upsdrvctl_t)
|
|
|
|
+# /sbin/upsdrvctl executes other drivers
|
|
corecmd_exec_bin(nut_upsdrvctl_t)
|
|
|
|
dev_read_sysfs(nut_upsdrvctl_t)
|
|
@@ -139,22 +149,34 @@ dev_read_urand(nut_upsdrvctl_t)
|
|
dev_rw_generic_usb_dev(nut_upsdrvctl_t)
|
|
|
|
term_use_unallocated_ttys(nut_upsdrvctl_t)
|
|
+term_use_usb_ttys(nut_upsdrvctl_t)
|
|
|
|
auth_use_nsswitch(nut_upsdrvctl_t)
|
|
|
|
init_sigchld(nut_upsdrvctl_t)
|
|
|
|
+logging_send_syslog_msg(nut_upsdrvctl_t)
|
|
+
|
|
+
|
|
#######################################
|
|
#
|
|
-# Cgi local policy
|
|
+# Local policy for upscgi scripts
|
|
+# requires httpd_enable_cgi and httpd_can_network_connect
|
|
#
|
|
|
|
optional_policy(`
|
|
apache_content_template(nutups_cgi)
|
|
|
|
- allow httpd_nutups_cgi_script_t nut_conf_t:dir list_dir_perms;
|
|
- allow httpd_nutups_cgi_script_t nut_conf_t:file read_file_perms;
|
|
- allow httpd_nutups_cgi_script_t nut_conf_t:lnk_file read_lnk_file_perms;
|
|
+ read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
|
|
+
|
|
+ corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
|
|
+ corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
|
|
+ corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
|
|
+ corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
|
|
+ corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
|
|
+ corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
|
|
+ corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
|
|
+ corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
|
|
|
|
sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
|
|
')
|
|
diff --git a/nx.if b/nx.if
|
|
index 251d681..50ae2a9 100644
|
|
--- a/nx.if
|
|
+++ b/nx.if
|
|
@@ -35,7 +35,9 @@ interface(`nx_read_home_files',`
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
- read_files_pattern($1, { nx_server_var_lib_t nx_server_home_ssh_t }, nx_server_home_ssh_t)
|
|
+ allow $1 nx_server_var_lib_t:dir search_dir_perms;
|
|
+ read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
|
|
+ read_lnk_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -90,3 +92,21 @@ interface(`nx_var_lib_filetrans',`
|
|
|
|
filetrans_pattern($1, nx_server_var_lib_t, $2, $3, $4)
|
|
')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to nx named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`nx_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type nx_server_home_ssh_t, nx_server_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ filetrans_pattern($1, nx_server_var_lib_t, nx_server_home_ssh_t, dir, ".ssh")
|
|
+')
|
|
diff --git a/nx.te b/nx.te
|
|
index 091f872..62a0b12 100644
|
|
--- a/nx.te
|
|
+++ b/nx.te
|
|
@@ -27,6 +27,9 @@ files_type(nx_server_var_lib_t)
|
|
type nx_server_var_run_t;
|
|
files_pid_file(nx_server_var_run_t)
|
|
|
|
+type nx_server_home_ssh_t;
|
|
+files_type(nx_server_home_ssh_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -50,13 +53,15 @@ files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
|
|
manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
|
|
files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)
|
|
|
|
+manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
|
|
+manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
|
|
+
|
|
kernel_read_system_state(nx_server_t)
|
|
kernel_read_kernel_sysctls(nx_server_t)
|
|
|
|
corecmd_exec_shell(nx_server_t)
|
|
corecmd_exec_bin(nx_server_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(nx_server_t)
|
|
corenet_all_recvfrom_netlabel(nx_server_t)
|
|
corenet_tcp_sendrecv_generic_if(nx_server_t)
|
|
corenet_tcp_sendrecv_generic_node(nx_server_t)
|
|
@@ -67,13 +72,7 @@ corenet_sendrecv_all_client_packets(nx_server_t)
|
|
|
|
dev_read_urand(nx_server_t)
|
|
|
|
-files_read_etc_files(nx_server_t)
|
|
files_read_etc_runtime_files(nx_server_t)
|
|
-files_read_usr_files(nx_server_t)
|
|
-
|
|
-miscfiles_read_localization(nx_server_t)
|
|
-
|
|
-seutil_dontaudit_search_config(nx_server_t)
|
|
|
|
sysnet_read_config(nx_server_t)
|
|
|
|
diff --git a/oav.te b/oav.te
|
|
index b09c4c4..995c3f6 100644
|
|
--- a/oav.te
|
|
+++ b/oav.te
|
|
@@ -95,7 +95,6 @@ dev_read_sysfs(scannerdaemon_t)
|
|
domain_use_interactive_fds(scannerdaemon_t)
|
|
|
|
files_exec_etc_files(scannerdaemon_t)
|
|
-files_read_etc_files(scannerdaemon_t)
|
|
files_read_etc_runtime_files(scannerdaemon_t)
|
|
files_search_var_lib(scannerdaemon_t)
|
|
|
|
diff --git a/obex.fc b/obex.fc
|
|
index 03fa560..000c5fe 100644
|
|
--- a/obex.fc
|
|
+++ b/obex.fc
|
|
@@ -1 +1 @@
|
|
-/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
|
|
+/usr/bin/obex-data-server -- gen_context(system_u:object_r:obex_exec_t,s0)
|
|
diff --git a/obex.if b/obex.if
|
|
index 8635ea2..eec20b4 100644
|
|
--- a/obex.if
|
|
+++ b/obex.if
|
|
@@ -1,15 +1,50 @@
|
|
## <summary>D-Bus service providing high-level OBEX client and server side functionality.</summary>
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## The role template for obex.
|
|
+## Transition to obex.
|
|
## </summary>
|
|
-## <param name="role_prefix">
|
|
-## <summary>
|
|
-## The prefix of the user domain (e.g., user
|
|
-## is the prefix for user_t).
|
|
-## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`obex_domtrans',`
|
|
+ gen_require(`
|
|
+ type obex_t, obex_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, obex_exec_t, obex_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send and receive messages from
|
|
+## obex over dbus.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
+#
|
|
+interface(`obex_dbus_chat',`
|
|
+ gen_require(`
|
|
+ type obex_t;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
+
|
|
+ allow $1 obex_t:dbus send_msg;
|
|
+ allow obex_t $1:dbus send_msg;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Role access for obex domains
|
|
+## that executes via dbus-session
|
|
+## </summary>
|
|
## <param name="user_role">
|
|
## <summary>
|
|
## The role associated with the user domain.
|
|
@@ -20,69 +55,34 @@
|
|
## The type of the user domain.
|
|
## </summary>
|
|
## </param>
|
|
+## <param name="domain_prefix">
|
|
+## <summary>
|
|
+## User domain prefix to be used.
|
|
+## </summary>
|
|
+## </param>
|
|
#
|
|
-template(`obex_role_template',`
|
|
+template(`obex_role',`
|
|
gen_require(`
|
|
attribute_role obex_roles;
|
|
- type obex_t, obex_exec_exec_t;
|
|
+ type obex_t, obex_exec_t;
|
|
')
|
|
|
|
########################################
|
|
- #
|
|
+ #
|
|
# Declarations
|
|
#
|
|
|
|
- roleattribute $2 obex_roles;
|
|
+ roleattribute $1 obex_roles;
|
|
|
|
########################################
|
|
- #
|
|
+ #
|
|
# Policy
|
|
- #
|
|
-
|
|
- allow $3 obex_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($3, obex_t)
|
|
+ #
|
|
|
|
- dbus_spec_session_domain($1, obex_exec_t, obex_t)
|
|
-
|
|
- obex_dbus_chat($3)
|
|
-')
|
|
+ allow $2 obex_t:process signal_perms;
|
|
+ ps_process_pattern($2, obex_t)
|
|
|
|
-########################################
|
|
-## <summary>
|
|
-## Execute obex in the obex domain.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`obex_domtrans',`
|
|
- gen_require(`
|
|
- type obex_t, obex_exec_t;
|
|
- ')
|
|
-
|
|
- corecmd_search_bin($1)
|
|
- domtrans_pattern($1, obex_exec_t, obex_t)
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Send and receive messages from
|
|
-## obex over dbus.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`obex_dbus_chat',`
|
|
- gen_require(`
|
|
- type obex_t;
|
|
- class dbus send_msg;
|
|
- ')
|
|
+ dbus_session_domain($3, obex_exec_t, obex_t)
|
|
|
|
- allow $1 obex_t:dbus send_msg;
|
|
- allow obex_t $1:dbus send_msg;
|
|
+ obex_dbus_chat($2)
|
|
')
|
|
diff --git a/obex.te b/obex.te
|
|
index cd29ea8..d01d2c8 100644
|
|
--- a/obex.te
|
|
+++ b/obex.te
|
|
@@ -1,4 +1,4 @@
|
|
-policy_module(obex, 1.0.0)
|
|
+policy_module(obex,1.0.0)
|
|
|
|
########################################
|
|
#
|
|
@@ -14,30 +14,26 @@ role obex_roles types obex_t;
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# obex local policy
|
|
#
|
|
|
|
allow obex_t self:fifo_file rw_fifo_file_perms;
|
|
allow obex_t self:socket create_stream_socket_perms;
|
|
+allow obex_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
-dev_read_urand(obex_t)
|
|
+kernel_request_load_module(obex_t)
|
|
|
|
-files_read_etc_files(obex_t)
|
|
+dev_read_urand(obex_t)
|
|
|
|
logging_send_syslog_msg(obex_t)
|
|
|
|
-miscfiles_read_localization(obex_t)
|
|
-
|
|
userdom_search_user_home_content(obex_t)
|
|
|
|
optional_policy(`
|
|
- bluetooth_stream_connect(obex_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
dbus_system_bus_client(obex_t)
|
|
|
|
optional_policy(`
|
|
+ bluetooth_stream_connect(obex_t)
|
|
bluetooth_dbus_chat(obex_t)
|
|
')
|
|
')
|
|
diff --git a/oddjob.fc b/oddjob.fc
|
|
index dd1d9ef..fbbe3ff 100644
|
|
--- a/oddjob.fc
|
|
+++ b/oddjob.fc
|
|
@@ -1,10 +1,10 @@
|
|
-/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
|
|
|
|
-/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
|
|
+/usr/lib/systemd/system/oddjobd.* -- gen_context(system_u:object_r:oddjob_unit_file_t,s0)
|
|
|
|
+/usr/lib/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
|
|
/usr/libexec/oddjob/mkhomedir -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
|
|
|
|
-/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
|
|
-/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
|
|
+/usr/sbin/mkhomedir_helper -- gen_context(system_u:object_r:oddjob_mkhomedir_exec_t,s0)
|
|
+/usr/sbin/oddjobd -- gen_context(system_u:object_r:oddjob_exec_t,s0)
|
|
|
|
-/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
|
|
+/var/run/oddjobd\.pid gen_context(system_u:object_r:oddjob_var_run_t,s0)
|
|
diff --git a/oddjob.if b/oddjob.if
|
|
index c87bd2a..7de054a 100644
|
|
--- a/oddjob.if
|
|
+++ b/oddjob.if
|
|
@@ -1,4 +1,8 @@
|
|
-## <summary>D-BUS service which runs odd jobs on behalf of client applications.</summary>
|
|
+## <summary>
|
|
+## Oddjob provides a mechanism by which unprivileged applications can
|
|
+## request that specified privileged operations be performed on their
|
|
+## behalf.
|
|
+## </summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -15,14 +19,32 @@ interface(`oddjob_domtrans',`
|
|
type oddjob_t, oddjob_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, oddjob_exec_t, oddjob_t)
|
|
')
|
|
|
|
+#####################################
|
|
+## <summary>
|
|
+## Do not audit attempts to read and write
|
|
+## oddjob fifo file.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`oddjob_dontaudit_rw_fifo_file',`
|
|
+ gen_require(`
|
|
+ type oddjob_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 oddjob_t:fifo_file rw_inherited_fifo_file_perms;
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
-## Make the specified program domain
|
|
-## accessable from the oddjob.
|
|
+## Make the specified program domain accessable
|
|
+## from the oddjob.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -41,6 +63,7 @@ interface(`oddjob_system_entry',`
|
|
')
|
|
|
|
domtrans_pattern(oddjob_t, $2, $1)
|
|
+ domain_user_exemption_target($1)
|
|
')
|
|
|
|
########################################
|
|
@@ -64,32 +87,45 @@ interface(`oddjob_dbus_chat',`
|
|
allow oddjob_t $1:dbus send_msg;
|
|
')
|
|
|
|
-########################################
|
|
+######################################
|
|
## <summary>
|
|
-## Execute a domain transition to
|
|
-## run oddjob mkhomedir.
|
|
+## Send a SIGCHLD signal to oddjob.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
+interface(`oddjob_sigchld',`
|
|
+ gen_require(`
|
|
+ type oddjob_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 oddjob_t:process sigchld;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute a domain transition to run oddjob_mkhomedir.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
interface(`oddjob_domtrans_mkhomedir',`
|
|
gen_require(`
|
|
type oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute oddjob mkhomedir in the
|
|
-## oddjob mkhomedir domain and allow
|
|
-## the specified role the oddjob
|
|
-## mkhomedir domain.
|
|
+## Execute the oddjob_mkhomedir program in the oddjob_mkhomedir domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -105,46 +141,70 @@ interface(`oddjob_domtrans_mkhomedir',`
|
|
#
|
|
interface(`oddjob_run_mkhomedir',`
|
|
gen_require(`
|
|
- attribute_role oddjob_mkhomedir_roles;
|
|
+ type oddjob_mkhomedir_t;
|
|
')
|
|
|
|
oddjob_domtrans_mkhomedir($1)
|
|
- roleattribute $2 oddjob_mkhomedir_roles;
|
|
+ role $2 types oddjob_mkhomedir_t;
|
|
')
|
|
|
|
-#####################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Do not audit attempts to read and write
|
|
-## oddjob fifo files.
|
|
+## Execute oddjob in the oddjob domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain to not audit.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`oddjob_dontaudit_rw_fifo_files',`
|
|
- gen_require(`
|
|
- type oddjob_t;
|
|
- ')
|
|
+interface(`oddjob_systemctl',`
|
|
+ gen_require(`
|
|
+ type oddjob_unit_file_t;
|
|
+ type oddjob_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 oddjob_unit_file_t:file read_file_perms;
|
|
+ allow $1 oddjob_unit_file_t:service manage_service_perms;
|
|
|
|
- dontaudit $1 oddjob_t:fifo_file rw_fifo_file_perms;
|
|
+ ps_process_pattern($1, oddjob_t)
|
|
')
|
|
|
|
-######################################
|
|
+########################################
|
|
## <summary>
|
|
-## Send child terminated signals to oddjob.
|
|
+## Create a domain which can be started by init,
|
|
+## with a range transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Type to be used as a domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="entry_point">
|
|
+## <summary>
|
|
+## Type of the program to be used as an entry point to this domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="range">
|
|
+## <summary>
|
|
+## Range for the domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`oddjob_sigchld',`
|
|
+interface(`oddjob_ranged_domain',`
|
|
gen_require(`
|
|
type oddjob_t;
|
|
')
|
|
|
|
- allow $1 oddjob_t:process sigchld;
|
|
+ oddjob_system_entry($1, $2)
|
|
+
|
|
+ ifdef(`enable_mcs',`
|
|
+ range_transition oddjob_t $2:process $3;
|
|
+ ')
|
|
+
|
|
+ ifdef(`enable_mls',`
|
|
+ range_transition oddjob_t $2:process $3;
|
|
+ mls_rangetrans_target($1)
|
|
+ ')
|
|
')
|
|
diff --git a/oddjob.te b/oddjob.te
|
|
index e403097..868981b 100644
|
|
--- a/oddjob.te
|
|
+++ b/oddjob.te
|
|
@@ -5,8 +5,6 @@ policy_module(oddjob, 1.10.0)
|
|
# Declarations
|
|
#
|
|
|
|
-attribute_role oddjob_mkhomedir_roles;
|
|
-
|
|
type oddjob_t;
|
|
type oddjob_exec_t;
|
|
domain_type(oddjob_t)
|
|
@@ -20,18 +18,22 @@ type oddjob_mkhomedir_exec_t;
|
|
domain_type(oddjob_mkhomedir_t)
|
|
domain_obj_id_change_exemption(oddjob_mkhomedir_t)
|
|
init_system_domain(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
|
|
-role oddjob_mkhomedir_roles types oddjob_mkhomedir_t;
|
|
+oddjob_system_entry(oddjob_mkhomedir_t, oddjob_mkhomedir_exec_t)
|
|
|
|
+# pid files
|
|
type oddjob_var_run_t;
|
|
files_pid_file(oddjob_var_run_t)
|
|
|
|
+type oddjob_unit_file_t;
|
|
+systemd_unit_file(oddjob_unit_file_t)
|
|
+
|
|
ifdef(`enable_mcs',`
|
|
init_ranged_daemon_domain(oddjob_t, oddjob_exec_t, s0 - mcs_systemhigh)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# oddjob local policy
|
|
#
|
|
|
|
allow oddjob_t self:capability setgid;
|
|
@@ -43,8 +45,6 @@ manage_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
|
|
manage_sock_files_pattern(oddjob_t, oddjob_var_run_t, oddjob_var_run_t)
|
|
files_pid_filetrans(oddjob_t, oddjob_var_run_t, { file sock_file })
|
|
|
|
-domtrans_pattern(oddjob_t, oddjob_mkhomedir_exec_t, oddjob_mkhomedir_t)
|
|
-
|
|
kernel_read_system_state(oddjob_t)
|
|
|
|
corecmd_exec_bin(oddjob_t)
|
|
@@ -54,9 +54,9 @@ mcs_process_set_categories(oddjob_t)
|
|
|
|
selinux_compute_create_context(oddjob_t)
|
|
|
|
+
|
|
auth_use_nsswitch(oddjob_t)
|
|
|
|
-miscfiles_read_localization(oddjob_t)
|
|
|
|
locallogin_dontaudit_use_fds(oddjob_t)
|
|
|
|
@@ -71,13 +71,13 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Mkhomedir local policy
|
|
+# oddjob_mkhomedir local policy
|
|
#
|
|
|
|
allow oddjob_mkhomedir_t self:capability { chown fowner fsetid dac_override };
|
|
allow oddjob_mkhomedir_t self:process setfscreate;
|
|
allow oddjob_mkhomedir_t self:fifo_file rw_fifo_file_perms;
|
|
-allow oddjob_mkhomedir_t self:unix_stream_socket { accept listen };
|
|
+allow oddjob_mkhomedir_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
kernel_read_system_state(oddjob_mkhomedir_t)
|
|
|
|
@@ -85,7 +85,6 @@ auth_use_nsswitch(oddjob_mkhomedir_t)
|
|
|
|
logging_send_syslog_msg(oddjob_mkhomedir_t)
|
|
|
|
-miscfiles_read_localization(oddjob_mkhomedir_t)
|
|
|
|
selinux_get_fs_mount(oddjob_mkhomedir_t)
|
|
selinux_validate_context(oddjob_mkhomedir_t)
|
|
@@ -98,8 +97,11 @@ seutil_read_config(oddjob_mkhomedir_t)
|
|
seutil_read_file_contexts(oddjob_mkhomedir_t)
|
|
seutil_read_default_contexts(oddjob_mkhomedir_t)
|
|
|
|
+# Add/remove user home directories
|
|
userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
|
|
-userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
|
|
-userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
|
|
userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
|
|
-userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
|
|
+userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
|
|
+userdom_manage_user_home_content(oddjob_mkhomedir_t)
|
|
+userdom_home_manager(oddjob_mkhomedir_t)
|
|
+userdom_stream_connect(oddjob_mkhomedir_t)
|
|
+
|
|
diff --git a/openct.te b/openct.te
|
|
index 3b6920e..3e9b17f 100644
|
|
--- a/openct.te
|
|
+++ b/openct.te
|
|
@@ -29,12 +29,12 @@ manage_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
|
|
manage_sock_files_pattern(openct_t, openct_var_run_t, openct_var_run_t)
|
|
files_pid_filetrans(openct_t, openct_var_run_t, { dir file sock_file })
|
|
|
|
-can_exec(openct_t, openct_exec_t)
|
|
-
|
|
kernel_read_kernel_sysctls(openct_t)
|
|
kernel_list_proc(openct_t)
|
|
kernel_read_proc_symlinks(openct_t)
|
|
|
|
+can_exec(openct_t, openct_exec_t)
|
|
+
|
|
dev_read_sysfs(openct_t)
|
|
dev_rw_usbfs(openct_t)
|
|
dev_rw_smartcard(openct_t)
|
|
@@ -42,15 +42,12 @@ dev_rw_generic_usb_dev(openct_t)
|
|
|
|
domain_use_interactive_fds(openct_t)
|
|
|
|
-files_read_etc_files(openct_t)
|
|
|
|
fs_getattr_all_fs(openct_t)
|
|
fs_search_auto_mountpoints(openct_t)
|
|
|
|
logging_send_syslog_msg(openct_t)
|
|
|
|
-miscfiles_read_localization(openct_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(openct_t)
|
|
userdom_dontaudit_search_user_home_dirs(openct_t)
|
|
|
|
diff --git a/openhpi.te b/openhpi.te
|
|
index 8de6191..13fa6d2 100644
|
|
--- a/openhpi.te
|
|
+++ b/openhpi.te
|
|
@@ -50,7 +50,6 @@ corenet_tcp_sendrecv_openhpid_port(openhpid_t)
|
|
|
|
dev_read_urand(openhpid_t)
|
|
|
|
-files_read_etc_files(openhpid_t)
|
|
|
|
logging_send_syslog_msg(openhpid_t)
|
|
|
|
diff --git a/openhpid.fc b/openhpid.fc
|
|
new file mode 100644
|
|
index 0000000..9441fd7
|
|
--- /dev/null
|
|
+++ b/openhpid.fc
|
|
@@ -0,0 +1,8 @@
|
|
+
|
|
+/etc/rc\.d/init\.d/openhpid -- gen_context(system_u:object_r:openhpid_initrc_exec_t,s0)
|
|
+
|
|
+/usr/sbin/openhpid -- gen_context(system_u:object_r:openhpid_exec_t,s0)
|
|
+
|
|
+/var/lib/openhpi(/.*)? gen_context(system_u:object_r:openhpid_var_lib_t,s0)
|
|
+
|
|
+/var/run/openhpid\.pid -- gen_context(system_u:object_r:openhpid_var_run_t,s0)
|
|
diff --git a/openhpid.if b/openhpid.if
|
|
new file mode 100644
|
|
index 0000000..598789a
|
|
--- /dev/null
|
|
+++ b/openhpid.if
|
|
@@ -0,0 +1,159 @@
|
|
+
|
|
+## <summary>policy for openhpid</summary>
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to openhpid.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openhpid_domtrans',`
|
|
+ gen_require(`
|
|
+ type openhpid_t, openhpid_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, openhpid_exec_t, openhpid_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute openhpid server in the openhpid domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openhpid_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type openhpid_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, openhpid_initrc_exec_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search openhpid lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openhpid_search_lib',`
|
|
+ gen_require(`
|
|
+ type openhpid_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 openhpid_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read openhpid lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openhpid_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type openhpid_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage openhpid lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openhpid_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type openhpid_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage openhpid lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openhpid_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type openhpid_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, openhpid_var_lib_t, openhpid_var_lib_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an openhpid environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`openhpid_admin',`
|
|
+ gen_require(`
|
|
+ type openhpid_t;
|
|
+ type openhpid_initrc_exec_t;
|
|
+ type openhpid_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 openhpid_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, openhpid_t)
|
|
+
|
|
+ openhpid_initrc_domtrans($1)
|
|
+ domain_system_change_exemption($1)
|
|
+ role_transition $2 openhpid_initrc_exec_t system_r;
|
|
+ allow $2 system_r;
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ admin_pattern($1, openhpid_var_lib_t)
|
|
+
|
|
+
|
|
+
|
|
+')
|
|
+
|
|
diff --git a/openhpid.te b/openhpid.te
|
|
new file mode 100644
|
|
index 0000000..51acfae
|
|
--- /dev/null
|
|
+++ b/openhpid.te
|
|
@@ -0,0 +1,47 @@
|
|
+policy_module(openhpid, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type openhpid_t;
|
|
+type openhpid_exec_t;
|
|
+init_daemon_domain(openhpid_t, openhpid_exec_t)
|
|
+
|
|
+type openhpid_initrc_exec_t;
|
|
+init_script_file(openhpid_initrc_exec_t)
|
|
+
|
|
+type openhpid_var_lib_t;
|
|
+files_type(openhpid_var_lib_t)
|
|
+
|
|
+type openhpid_var_run_t;
|
|
+files_pid_file(openhpid_var_run_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# openhpid local policy
|
|
+#
|
|
+
|
|
+allow openhpid_t self:capability { kill };
|
|
+allow openhpid_t self:process signal_perms;
|
|
+
|
|
+allow openhpid_t self:fifo_file rw_fifo_file_perms;
|
|
+allow openhpid_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+allow openhpid_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow openhpid_t self:tcp_socket create_stream_socket_perms;
|
|
+allow openhpid_t self:udp_socket create_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
|
|
+manage_files_pattern(openhpid_t, openhpid_var_lib_t, openhpid_var_lib_t)
|
|
+files_var_lib_filetrans(openhpid_t, openhpid_var_lib_t, { dir file })
|
|
+
|
|
+manage_files_pattern(openhpid_t, openhpid_var_run_t, openhpid_var_run_t)
|
|
+files_pid_filetrans(openhpid_t, openhpid_var_run_t, { file })
|
|
+
|
|
+corenet_tcp_bind_generic_node(openhpid_t)
|
|
+corenet_tcp_bind_openhpid_port(openhpid_t)
|
|
+
|
|
+dev_read_urand(openhpid_t)
|
|
+
|
|
+logging_send_syslog_msg(openhpid_t)
|
|
diff --git a/openshift-origin.fc b/openshift-origin.fc
|
|
new file mode 100644
|
|
index 0000000..30ca148
|
|
--- /dev/null
|
|
+++ b/openshift-origin.fc
|
|
@@ -0,0 +1 @@
|
|
+# Left Blank
|
|
diff --git a/openshift-origin.if b/openshift-origin.if
|
|
new file mode 100644
|
|
index 0000000..3eb6a30
|
|
--- /dev/null
|
|
+++ b/openshift-origin.if
|
|
@@ -0,0 +1 @@
|
|
+## <summary></summary>
|
|
diff --git a/openshift-origin.te b/openshift-origin.te
|
|
new file mode 100644
|
|
index 0000000..a437f80
|
|
--- /dev/null
|
|
+++ b/openshift-origin.te
|
|
@@ -0,0 +1,13 @@
|
|
+policy_module(openshift-origin,1.0.0)
|
|
+gen_require(`
|
|
+ attribute openshift_domain;
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# openshift origin standard local policy
|
|
+#
|
|
+allow openshift_domain self:socket_class_set create_socket_perms;
|
|
+corenet_tcp_connect_all_ports(openshift_domain)
|
|
+corenet_tcp_bind_all_ports(openshift_domain)
|
|
+files_read_config_files(openshift_domain)
|
|
diff --git a/openshift.fc b/openshift.fc
|
|
new file mode 100644
|
|
index 0000000..f2d6119
|
|
--- /dev/null
|
|
+++ b/openshift.fc
|
|
@@ -0,0 +1,26 @@
|
|
+/etc/rc\.d/init\.d/libra gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/mcollective gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
|
|
+
|
|
+/etc/cron.minutely/openshift-facts -- gen_context(system_u:object_r:openshift_cron_exec_t,s0)
|
|
+
|
|
+/var/lib/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
|
|
+/var/lib/stickshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
|
|
+/var/lib/openshift(/.*)? gen_context(system_u:object_r:openshift_var_lib_t,s0)
|
|
+/var/lib/openshift/.*/data(/.*)? gen_context(system_u:object_r:openshift_rw_file_t,s0)
|
|
+
|
|
+/var/lib/stickshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
|
|
+/var/lib/stickshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
|
|
+/var/lib/openshift/.*/\.tmp(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
|
|
+/var/lib/openshift/.*/\.sandbox(/.*)? gen_context(system_u:object_r:openshift_tmp_t,s0)
|
|
+
|
|
+/var/log/mcollective\.log -- gen_context(system_u:object_r:openshift_log_t,s0)
|
|
+
|
|
+/usr/s?bin/(oo|rhc)-cgroup-read -- gen_context(system_u:object_r:openshift_cgroup_read_exec_t,s0)
|
|
+
|
|
+/usr/s?bin/(oo|rhc)-restorer -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
|
|
+/usr/s?bin/(oo|rhc)-restorer-wrapper.sh -- gen_context(system_u:object_r:httpd_openshift_script_exec_t,s0)
|
|
+/usr/s?bin/oo-admin-ctl-gears -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
|
|
+/usr/s?bin/mcollectived -- gen_context(system_u:object_r:openshift_initrc_exec_t,s0)
|
|
+
|
|
+/var/run/stickshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
|
|
+/var/run/openshift(/.*)? gen_context(system_u:object_r:openshift_var_run_t,s0)
|
|
diff --git a/openshift.if b/openshift.if
|
|
new file mode 100644
|
|
index 0000000..e03de01
|
|
--- /dev/null
|
|
+++ b/openshift.if
|
|
@@ -0,0 +1,700 @@
|
|
+
|
|
+## <summary> policy for openshift </summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute openshift server in the openshift domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## The type of the process performing this action.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type openshift_initrc_t;
|
|
+ type openshift_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, openshift_initrc_exec_t, openshift_initrc_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute openshift server in the openshift domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## The type of the process performing this action.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role access to this domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_initrc_run',`
|
|
+ gen_require(`
|
|
+ type openshift_initrc_t;
|
|
+ type openshift_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ openshift_initrc_domtrans($1)
|
|
+ role $2 types openshift_initrc_t;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send a null signal to openshift init scripts.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_initrc_signull',`
|
|
+ gen_require(`
|
|
+ type openshift_initrc_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 openshift_initrc_t:process signull;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Send a signal to openshift init scripts.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_initrc_signal',`
|
|
+ gen_require(`
|
|
+ type openshift_initrc_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 openshift_initrc_t:process signal;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search openshift cache directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_search_cache',`
|
|
+ gen_require(`
|
|
+ type openshift_cache_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 openshift_cache_t:dir search_dir_perms;
|
|
+ files_search_var($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read openshift cache files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_read_cache_files',`
|
|
+ gen_require(`
|
|
+ type openshift_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ read_files_pattern($1, openshift_cache_t, openshift_cache_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## openshift cache files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_manage_cache_files',`
|
|
+ gen_require(`
|
|
+ type openshift_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ manage_files_pattern($1, openshift_cache_t, openshift_cache_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## openshift cache dirs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_manage_cache_dirs',`
|
|
+ gen_require(`
|
|
+ type openshift_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ manage_dirs_pattern($1, openshift_cache_t, openshift_cache_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow the specified domain to read openshift's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`openshift_read_log',`
|
|
+ gen_require(`
|
|
+ type openshift_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, openshift_log_t, openshift_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow the specified domain to append
|
|
+## openshift log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_append_log',`
|
|
+ gen_require(`
|
|
+ type openshift_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, openshift_log_t, openshift_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow domain to manage openshift log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_manage_log',`
|
|
+ gen_require(`
|
|
+ type openshift_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ manage_dirs_pattern($1, openshift_log_t, openshift_log_t)
|
|
+ manage_files_pattern($1, openshift_log_t, openshift_log_t)
|
|
+ manage_lnk_files_pattern($1, openshift_log_t, openshift_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search openshift lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_search_lib',`
|
|
+ gen_require(`
|
|
+ type openshift_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ search_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
|
+ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Getattr openshift lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_getattr_lib',`
|
|
+ gen_require(`
|
|
+ type openshift_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ getattr_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read openshift lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type openshift_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
|
+ read_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read openshift lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_append_lib_files',`
|
|
+ gen_require(`
|
|
+ type openshift_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ append_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## openshift lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type openshift_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
|
+ manage_lnk_files_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## openshift lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type openshift_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, openshift_var_lib_t, openshift_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage openshift lib content.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_manage_content',`
|
|
+ gen_require(`
|
|
+ attribute openshift_file_type;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, openshift_file_type, openshift_file_type)
|
|
+ manage_files_pattern($1, openshift_file_type, openshift_file_type)
|
|
+ manage_lnk_files_pattern($1, openshift_file_type, openshift_file_type)
|
|
+ manage_sock_files_pattern($1, openshift_file_type, openshift_file_type)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Create private objects in the
|
|
+## mail lib directory.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="private type">
|
|
+## <summary>
|
|
+## The type of the object to be created.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="object">
|
|
+## <summary>
|
|
+## The object class of the object being created.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="name" optional="true">
|
|
+## <summary>
|
|
+## The name of the object being created.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_lib_filetrans',`
|
|
+ gen_require(`
|
|
+ type openshift_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ filetrans_pattern($1, openshift_var_lib_t, $2, $3, $4)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read openshift PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type openshift_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ allow $1 openshift_var_run_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an openshift environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`openshift_admin',`
|
|
+ gen_require(`
|
|
+ attribute openshift_domain;
|
|
+ type openshift_initrc_exec_t;
|
|
+ type openshift_cache_t;
|
|
+ type openshift_log_t;
|
|
+ type openshift_var_lib_t;
|
|
+ type openshift_var_run_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 openshift_domain:process signal_perms;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 openshift_domain:process ptrace;
|
|
+ ')
|
|
+ ps_process_pattern($1, openshift_domain)
|
|
+
|
|
+ openshift_initrc_domtrans($1)
|
|
+ domain_system_change_exemption($1)
|
|
+ role_transition $2 openshift_initrc_exec_t system_r;
|
|
+ allow $2 system_r;
|
|
+
|
|
+ files_search_var($1)
|
|
+ admin_pattern($1, openshift_cache_t)
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ admin_pattern($1, openshift_log_t)
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ admin_pattern($1, openshift_var_lib_t)
|
|
+
|
|
+ files_search_pids($1)
|
|
+ admin_pattern($1, openshift_var_run_t)
|
|
+
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Make the specified type usable as a openshift domain.
|
|
+## </summary>
|
|
+## <param name="openshiftdomain_prefix">
|
|
+## <summary>
|
|
+## The prefix of the domain (e.g., openshift
|
|
+## is the prefix for openshift_t).
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`openshift_service_domain_template',`
|
|
+ gen_require(`
|
|
+ attribute openshift_domain;
|
|
+ attribute openshift_user_domain;
|
|
+ ')
|
|
+
|
|
+ type $1_t;
|
|
+ typeattribute $1_t openshift_domain, openshift_user_domain;
|
|
+ domain_type($1_t)
|
|
+ role system_r types $1_t;
|
|
+ mcs_constrained($1_t)
|
|
+ domain_user_exemption_target($1_t)
|
|
+ auth_use_nsswitch($1_t)
|
|
+ domain_subj_id_change_exemption($1_t)
|
|
+ domain_obj_id_change_exemption($1_t)
|
|
+ domain_dyntrans_type($1_t)
|
|
+
|
|
+ kernel_read_system_state($1_t)
|
|
+
|
|
+ logging_send_syslog_msg($1_t)
|
|
+
|
|
+ type $1_app_t;
|
|
+ typeattribute $1_app_t openshift_domain;
|
|
+ domain_type($1_app_t)
|
|
+ role system_r types $1_app_t;
|
|
+ mcs_constrained($1_app_t)
|
|
+ domain_user_exemption_target($1_app_t)
|
|
+ domain_obj_id_change_exemption($1_app_t)
|
|
+ domain_dyntrans_type($1_app_t)
|
|
+ auth_use_nsswitch($1_app_t)
|
|
+
|
|
+ kernel_read_system_state($1_app_t)
|
|
+
|
|
+ logging_send_syslog_msg($1_app_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Make the specified type usable as a openshift domain.
|
|
+## </summary>
|
|
+## <param name="type">
|
|
+## <summary>
|
|
+## Type to be used as a openshift domain type.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_net_type',`
|
|
+ gen_require(`
|
|
+ attribute openshift_net_domain;
|
|
+ ')
|
|
+
|
|
+ typeattribute $1 openshift_net_domain;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read and write inherited openshift files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_rw_inherited_content',`
|
|
+ gen_require(`
|
|
+ attribute openshift_file_type;
|
|
+ ')
|
|
+
|
|
+ allow $1 openshift_file_type:file rw_inherited_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage openshift tmp files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_manage_tmp_files',`
|
|
+ gen_require(`
|
|
+ type openshift_tmp_t;
|
|
+ ')
|
|
+
|
|
+ manage_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage openshift tmp sockets.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_manage_tmp_sockets',`
|
|
+ gen_require(`
|
|
+ type openshift_tmp_t;
|
|
+ ')
|
|
+
|
|
+ manage_sock_files_pattern($1, openshift_tmp_t, openshift_tmp_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Mounton openshift tmp directory.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_mounton_tmp',`
|
|
+ gen_require(`
|
|
+ type openshift_tmp_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 openshift_tmp_t:dir mounton;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Dontaudit Read and write inherited script fifo files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_dontaudit_rw_inherited_fifo_files',`
|
|
+ gen_require(`
|
|
+ type openshift_initrc_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow calling app to transition to an openshift domain
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`openshift_transition',`
|
|
+ gen_require(`
|
|
+ attribute openshift_user_domain;
|
|
+ ')
|
|
+
|
|
+ allow $1 openshift_user_domain:process transition;
|
|
+ dontaudit $1 openshift_user_domain:process { noatsecure siginh rlimitinh };
|
|
+ allow openshift_user_domain $1:fd use;
|
|
+ allow openshift_user_domain $1:fifo_file rw_inherited_fifo_file_perms;
|
|
+ allow openshift_user_domain $1:process sigchld;
|
|
+ dontaudit $1 openshift_user_domain:socket_class_set { read write };
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow calling app to transition to an openshift domain
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`openshift_dyntransition',`
|
|
+ gen_require(`
|
|
+ attribute openshift_domain;
|
|
+ attribute openshift_user_domain;
|
|
+ ')
|
|
+
|
|
+ allow $1 openshift_user_domain:process dyntransition;
|
|
+ dontaudit openshift_user_domain $1:key view;
|
|
+ allow openshift_user_domain $1:unix_stream_socket { connectto rw_socket_perms };
|
|
+ allow openshift_user_domain $1:unix_dgram_socket rw_socket_perms;
|
|
+ allow $1 openshift_user_domain:process { rlimitinh signal };
|
|
+ dontaudit openshift_domain $1:tcp_socket { read write getattr setopt getopt shutdown };
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute openshift in the openshift domain, and
|
|
+## allow the specified role the openshift domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openshift_run',`
|
|
+ gen_require(`
|
|
+ type openshift_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ openshift_initrc_domtrans($1)
|
|
+ role_transition $2 openshift_initrc_exec_t system_r;
|
|
+ openshift_transition($1)
|
|
+')
|
|
diff --git a/openshift.te b/openshift.te
|
|
new file mode 100644
|
|
index 0000000..cd25e8e
|
|
--- /dev/null
|
|
+++ b/openshift.te
|
|
@@ -0,0 +1,555 @@
|
|
+policy_module(openshift,1.0.0)
|
|
+
|
|
+gen_require(`
|
|
+ role system_r;
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+
|
|
+# openshift applications that can use the network.
|
|
+attribute openshift_net_domain;
|
|
+# Attribute representing all openshift user processes (excludes apache processes)
|
|
+attribute openshift_user_domain;
|
|
+# Attribute representing all openshift processes
|
|
+attribute openshift_domain;
|
|
+
|
|
+# Attribute for all openshift content
|
|
+attribute openshift_file_type;
|
|
+
|
|
+# Type of openshift init script
|
|
+type openshift_initrc_t;
|
|
+type openshift_initrc_exec_t;
|
|
+init_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t)
|
|
+init_ranged_daemon_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
|
|
+domain_obj_id_change_exemption(openshift_initrc_t)
|
|
+optional_policy(`
|
|
+ oddjob_ranged_domain(openshift_initrc_t, openshift_initrc_exec_t, s0 - mcs_systemhigh)
|
|
+')
|
|
+
|
|
+type openshift_initrc_tmp_t;
|
|
+files_tmp_file(openshift_initrc_tmp_t)
|
|
+
|
|
+type openshift_tmpfs_t;
|
|
+files_tmpfs_file(openshift_tmpfs_t)
|
|
+
|
|
+type openshift_tmp_t, openshift_file_type;
|
|
+files_tmp_file(openshift_tmp_t)
|
|
+files_mountpoint(openshift_tmp_t)
|
|
+files_poly(openshift_tmp_t)
|
|
+files_poly_parent(openshift_tmp_t)
|
|
+
|
|
+type openshift_var_run_t;
|
|
+files_pid_file(openshift_var_run_t)
|
|
+
|
|
+type openshift_var_lib_t, openshift_file_type;
|
|
+userdom_user_home_content(openshift_var_lib_t)
|
|
+files_poly(openshift_var_lib_t)
|
|
+files_poly_parent(openshift_var_lib_t)
|
|
+files_mountpoint(openshift_var_lib_t)
|
|
+
|
|
+type openshift_rw_file_t, openshift_file_type;
|
|
+files_poly(openshift_rw_file_t)
|
|
+files_poly_parent(openshift_rw_file_t)
|
|
+
|
|
+type openshift_log_t;
|
|
+logging_log_file(openshift_log_t)
|
|
+
|
|
+type openshift_port_t;
|
|
+corenet_port(openshift_port_t)
|
|
+corenet_reserved_port(openshift_port_t)
|
|
+
|
|
+type openshift_cgroup_read_t;
|
|
+type openshift_cgroup_read_exec_t;
|
|
+application_domain(openshift_cgroup_read_t, openshift_cgroup_read_exec_t)
|
|
+
|
|
+type openshift_cgroup_read_tmp_t, openshift_file_type;
|
|
+files_tmp_file(openshift_cgroup_read_tmp_t)
|
|
+
|
|
+type openshift_cron_t;
|
|
+type openshift_cron_exec_t;
|
|
+domain_type(openshift_cron_t)
|
|
+domain_entry_file(openshift_cron_t, openshift_cron_exec_t)
|
|
+role system_r types openshift_cron_t;
|
|
+
|
|
+optional_policy(`
|
|
+ cron_system_entry(openshift_cron_t, openshift_cron_exec_t)
|
|
+')
|
|
+
|
|
+type openshift_cron_tmp_t, openshift_file_type;
|
|
+files_tmp_file(openshift_cron_tmp_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Template to create openshift_t and openshift_app_t
|
|
+#
|
|
+
|
|
+openshift_service_domain_template(openshift)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# openshift initrc local policy
|
|
+#
|
|
+
|
|
+unconfined_domain_noaudit(openshift_initrc_t)
|
|
+mcs_process_set_categories(openshift_initrc_t)
|
|
+
|
|
+virt_sandbox_domain(openshift_initrc_t)
|
|
+
|
|
+systemd_dbus_chat_logind(openshift_initrc_t)
|
|
+
|
|
+manage_dirs_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
|
|
+manage_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
|
|
+manage_lnk_files_pattern(openshift_initrc_t, openshift_initrc_tmp_t, openshift_initrc_tmp_t)
|
|
+files_tmp_filetrans(openshift_initrc_t, openshift_initrc_tmp_t, { file dir })
|
|
+
|
|
+manage_dirs_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
|
|
+manage_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
|
|
+manage_lnk_files_pattern(openshift_initrc_t, openshift_var_run_t, openshift_var_run_t)
|
|
+files_pid_filetrans(openshift_initrc_t, openshift_var_run_t, { file dir })
|
|
+
|
|
+manage_dirs_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
|
|
+manage_files_pattern(openshift_initrc_t, openshift_log_t, openshift_log_t)
|
|
+logging_log_filetrans(openshift_initrc_t, openshift_log_t, { file dir })
|
|
+
|
|
+allow openshift_initrc_t openshift_domain:process { getattr getsched setsched transition signal signull sigkill };
|
|
+allow openshift_domain openshift_initrc_t:fd use;
|
|
+allow openshift_domain openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
|
|
+allow openshift_domain openshift_initrc_t:process sigchld;
|
|
+dontaudit openshift_domain openshift_initrc_t:key view;
|
|
+dontaudit openshift_domain openshift_initrc_t:process signull;
|
|
+dontaudit openshift_domain openshift_initrc_t:socket_class_set { read write };
|
|
+
|
|
+init_domtrans_script(openshift_initrc_t)
|
|
+init_initrc_domain(openshift_initrc_t)
|
|
+
|
|
+#######################################################
|
|
+#
|
|
+# Policy for all openshift domains
|
|
+#
|
|
+allow openshift_domain self:process ~ptrace;
|
|
+tunable_policy(`deny_ptrace',`',`
|
|
+ allow openshift_domain self:process ptrace;
|
|
+')
|
|
+
|
|
+allow openshift_domain self:msg all_msg_perms;
|
|
+allow openshift_domain self:msgq create_msgq_perms;
|
|
+allow openshift_domain self:shm create_shm_perms;
|
|
+allow openshift_domain self:sem create_sem_perms;
|
|
+dontaudit openshift_domain self:dir write;
|
|
+dontaudit openshift_t self:unix_stream_socket recvfrom;
|
|
+dontaudit openshift_domain self:netlink_tcpdiag_socket create;
|
|
+dontaudit openshift_domain self:netlink_route_socket nlmsg_write;
|
|
+allow openshift_domain self:tcp_socket create_stream_socket_perms;
|
|
+allow openshift_domain self:fifo_file manage_fifo_file_perms;
|
|
+allow openshift_domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
+allow openshift_domain self:unix_dgram_socket { create_socket_perms sendto };
|
|
+dontaudit openshift_domain self:netlink_audit_socket { create_socket_perms nlmsg_relay };
|
|
+
|
|
+manage_dirs_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
|
|
+manage_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
|
|
+manage_fifo_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
|
|
+manage_sock_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
|
|
+manage_lnk_files_pattern(openshift_domain, openshift_rw_file_t, openshift_rw_file_t)
|
|
+allow openshift_domain openshift_rw_file_t:dir_file_class_set { relabelfrom relabelto };
|
|
+
|
|
+list_dirs_pattern(openshift_domain, openshift_file_type, openshift_file_type)
|
|
+read_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
|
|
+rw_fifo_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
|
|
+rw_sock_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
|
|
+read_lnk_files_pattern(openshift_domain, openshift_file_type, openshift_file_type)
|
|
+allow openshift_domain openshift_file_type:file execmod;
|
|
+can_exec(openshift_domain, openshift_file_type)
|
|
+allow openshift_domain openshift_file_type:file entrypoint;
|
|
+# Allow users to execute files in their home dir
|
|
+allow openshift_domain openshift_file_type:file { execute execute_no_trans };
|
|
+
|
|
+# Dontaudit openshift domains trying to search other openshift domains directories,
|
|
+# this happens just when users are probing the system
|
|
+dontaudit openshift_domain openshift_file_type:dir search_dir_perms
|
|
+;
|
|
+
|
|
+manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
|
|
+manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
|
|
+manage_lnk_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
|
|
+manage_sock_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
|
|
+manage_fifo_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
|
|
+fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file sock_file lnk_file fifo_file })
|
|
+can_exec(openshift_domain, openshift_tmpfs_t)
|
|
+
|
|
+manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
|
|
+manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
|
|
+manage_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
|
|
+manage_lnk_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
|
|
+manage_sock_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
|
|
+files_tmp_filetrans(openshift_domain, openshift_tmp_t, { lnk_file file dir sock_file fifo_file })
|
|
+allow openshift_domain openshift_tmp_t:dir_file_class_set { relabelfrom relabelto };
|
|
+
|
|
+allow openshift_domain openshift_log_t:file { getattr append lock ioctl };
|
|
+
|
|
+#lsof
|
|
+allow openshift_domain openshift_initrc_t:tcp_socket getattr;
|
|
+
|
|
+dontaudit openshift_domain openshift_initrc_tmp_t:file append;
|
|
+dontaudit openshift_domain openshift_var_run_t:file append;
|
|
+dontaudit openshift_domain openshift_file_type:sock_file execute;
|
|
+
|
|
+kernel_read_network_state(openshift_domain)
|
|
+kernel_dontaudit_list_all_proc(openshift_domain)
|
|
+kernel_dontaudit_list_all_sysctls(openshift_domain)
|
|
+kernel_dontaudit_request_load_module(openshift_domain)
|
|
+kernel_get_sysvipc_info(openshift_domain)
|
|
+
|
|
+corecmd_shell_entry_type(openshift_domain)
|
|
+corecmd_bin_entry_type(openshift_domain)
|
|
+corecmd_exec_all_executables(openshift_domain)
|
|
+
|
|
+dev_read_sysfs(openshift_domain)
|
|
+dev_read_rand(openshift_domain)
|
|
+dev_read_urand(openshift_domain)
|
|
+dev_dontaudit_append_rand(openshift_domain)
|
|
+dev_dontaudit_write_urand(openshift_domain)
|
|
+dev_dontaudit_getattr_all_blk_files(openshift_domain)
|
|
+dev_dontaudit_getattr_all_chr_files(openshift_domain)
|
|
+dev_dontaudit_all_access_check(openshift_domain)
|
|
+
|
|
+domain_use_interactive_fds(openshift_domain)
|
|
+domain_dontaudit_read_all_domains_state(openshift_domain)
|
|
+
|
|
+files_read_var_lib_symlinks(openshift_domain)
|
|
+
|
|
+fs_rw_hugetlbfs_files(openshift_domain)
|
|
+fs_rw_anon_inodefs_files(openshift_domain)
|
|
+fs_search_tmpfs(openshift_domain)
|
|
+fs_getattr_all_fs(openshift_domain)
|
|
+fs_dontaudit_getattr_all_fs(openshift_domain)
|
|
+fs_list_inotifyfs(openshift_domain)
|
|
+fs_dontaudit_list_auto_mountpoints(openshift_domain)
|
|
+fs_dontaudit_list_tmpfs(openshift_domain)
|
|
+storage_dontaudit_getattr_fixed_disk_dev(openshift_domain)
|
|
+storage_getattr_fixed_disk_dev(openshift_domain)
|
|
+fs_get_xattr_fs_quotas(openshift_domain)
|
|
+fs_rw_inherited_tmpfs_files(openshift_domain)
|
|
+fs_dontaudit_rw_anon_inodefs_files(openshift_domain)
|
|
+
|
|
+dontaudit openshift_domain file_type:dir read;
|
|
+files_dontaudit_list_home(openshift_domain)
|
|
+files_dontaudit_search_all_pids(openshift_domain)
|
|
+files_dontaudit_getattr_all_dirs(openshift_domain)
|
|
+files_dontaudit_getattr_all_files(openshift_domain)
|
|
+files_dontaudit_list_mnt(openshift_domain)
|
|
+files_dontaudit_list_var(openshift_domain)
|
|
+files_dontaudit_getattr_lost_found_dirs(openshift_domain)
|
|
+files_dontaudit_search_all_mountpoints(openshift_domain)
|
|
+files_dontaudit_search_spool(openshift_domain)
|
|
+files_dontaudit_search_all_dirs(openshift_domain)
|
|
+files_exec_etc_files(openshift_domain)
|
|
+files_exec_usr_files(openshift_domain)
|
|
+files_dontaudit_getattr_non_security_sockets(openshift_domain)
|
|
+files_dontaudit_setattr_non_security_dirs(openshift_domain)
|
|
+files_dontaudit_setattr_non_security_files(openshift_domain)
|
|
+files_dontaudit_rw_inherited_locks(openshift_domain)
|
|
+
|
|
+libs_exec_lib_files(openshift_domain)
|
|
+libs_exec_ld_so(openshift_domain)
|
|
+
|
|
+selinux_validate_context(openshift_domain)
|
|
+
|
|
+logging_inherit_append_all_logs(openshift_domain)
|
|
+
|
|
+init_dontaudit_read_utmp(openshift_domain)
|
|
+
|
|
+miscfiles_read_fonts(openshift_domain)
|
|
+miscfiles_dontaudit_setattr_fonts_cache_dirs(openshift_domain)
|
|
+
|
|
+mta_dontaudit_read_spool_symlinks(openshift_domain)
|
|
+
|
|
+term_dontaudit_search_ptys(openshift_domain)
|
|
+term_use_generic_ptys(openshift_domain)
|
|
+term_dontaudit_getattr_generic_ptys(openshift_domain)
|
|
+term_use_ptmx(openshift_domain)
|
|
+
|
|
+userdom_use_inherited_user_ptys(openshift_domain)
|
|
+userdom_dontaudit_search_admin_dir(openshift_domain)
|
|
+
|
|
+application_exec(openshift_domain)
|
|
+
|
|
+optional_policy(`
|
|
+ apache_exec_modules(openshift_domain)
|
|
+ apache_list_modules(openshift_domain)
|
|
+ apache_read_config(openshift_domain)
|
|
+ apache_search_config(openshift_domain)
|
|
+ apache_read_sys_content(openshift_domain)
|
|
+ apache_exec_sys_script(openshift_domain)
|
|
+ apache_entrypoint(openshift_domain)
|
|
+ apache_dontaudit_read_log(openshift_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ #############################################
|
|
+ #
|
|
+ # openshift cgi script policy
|
|
+ #
|
|
+ apache_content_template(openshift)
|
|
+ domtrans_pattern(httpd_openshift_script_t, openshift_initrc_exec_t, openshift_initrc_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ dbus_system_bus_client(httpd_openshift_script_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ oddjob_dbus_chat(httpd_openshift_script_t)
|
|
+ oddjob_dontaudit_rw_fifo_file(openshift_domain)
|
|
+ ')
|
|
+ ')
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ cron_role(system_r, openshift_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ gpg_entry_type(openshift_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mysql_search_db(openshift_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ screen_exec(openshift_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ssh_use_ptys(openshift_domain)
|
|
+ ssh_getattr_user_home_dir(openshift_domain)
|
|
+ ssh_dontaudit_search_user_home_dir(openshift_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ udev_read_pid_files(openshift_domain)
|
|
+')
|
|
+
|
|
+#######################################################
|
|
+#
|
|
+# Policy for openshift user domain process
|
|
+#
|
|
+manage_dirs_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
|
|
+manage_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
|
|
+manage_fifo_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
|
|
+manage_sock_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
|
|
+manage_lnk_files_pattern(openshift_user_domain, openshift_file_type, openshift_file_type)
|
|
+allow openshift_user_domain openshift_file_type:dir_file_class_set { relabelfrom relabelto };
|
|
+
|
|
+allow openshift_user_domain openshift_domain:process transition;
|
|
+allow openshift_domain openshift_user_domain:fd use;
|
|
+allow openshift_domain openshift_user_domain:fifo_file rw_inherited_fifo_file_perms;
|
|
+allow openshift_domain openshift_user_domain:process sigchld;
|
|
+dontaudit openshift_domain openshift_user_domain:key view;
|
|
+dontaudit openshift_domain openshift_user_domain:process signull;
|
|
+dontaudit openshift_domain openshift_user_domain:socket_class_set { read write };
|
|
+
|
|
+tunable_policy(`deny_ptrace',`',`
|
|
+ allow openshift_user_domain openshift_domain:process ptrace;
|
|
+')
|
|
+
|
|
+mta_signal_user_agent(openshift_user_domain)
|
|
+
|
|
+optional_policy(`
|
|
+ ssh_rw_tcp_sockets(openshift_user_domain)
|
|
+')
|
|
+
|
|
+############################################################################
|
|
+#
|
|
+# Rules specific to openshift_net_domains
|
|
+#
|
|
+allow openshift_net_domain openshift_port_t:tcp_socket { name_connect name_bind };
|
|
+allow openshift_net_domain openshift_port_t:udp_socket name_bind;
|
|
+
|
|
+corenet_tcp_connect_mssql_port(openshift_net_domain)
|
|
+corenet_tcp_connect_mysqld_port(openshift_net_domain)
|
|
+corenet_tcp_connect_postgresql_port(openshift_net_domain)
|
|
+corenet_tcp_connect_git_port(openshift_net_domain)
|
|
+corenet_tcp_connect_oracle_port(openshift_net_domain)
|
|
+corenet_tcp_connect_flash_port(openshift_net_domain)
|
|
+corenet_tcp_connect_http_port(openshift_net_domain)
|
|
+corenet_tcp_connect_ftp_port(openshift_net_domain)
|
|
+#/* These ports are the ephemeral ports needed for ftp */
|
|
+corenet_tcp_connect_virt_migration_port(openshift_net_domain)
|
|
+corenet_tcp_connect_ssh_port(openshift_net_domain)
|
|
+corenet_tcp_connect_jacorb_port(openshift_net_domain)
|
|
+corenet_tcp_connect_jboss_management_port(openshift_net_domain)
|
|
+corenet_tcp_connect_jboss_debug_port(openshift_net_domain)
|
|
+corenet_tcp_connect_jboss_messaging_port(openshift_net_domain)
|
|
+corenet_tcp_connect_memcache_port(openshift_net_domain)
|
|
+corenet_tcp_connect_http_cache_port(openshift_net_domain)
|
|
+corenet_tcp_connect_amqp_port(openshift_net_domain)
|
|
+corenet_tcp_connect_generic_port(openshift_net_domain)
|
|
+corenet_tcp_connect_mongod_port(openshift_net_domain)
|
|
+corenet_tcp_connect_munin_port(openshift_net_domain)
|
|
+corenet_tcp_connect_pop_port(openshift_net_domain)
|
|
+corenet_tcp_connect_pulseaudio_port(openshift_net_domain)
|
|
+corenet_tcp_connect_smtp_port(openshift_net_domain)
|
|
+corenet_tcp_connect_whois_port(openshift_net_domain)
|
|
+corenet_udp_bind_generic_port(openshift_net_domain)
|
|
+corenet_tcp_bind_http_cache_port(openshift_domain)
|
|
+corenet_tcp_bind_jacorb_port(openshift_net_domain)
|
|
+corenet_tcp_bind_jboss_management_port(openshift_net_domain)
|
|
+corenet_tcp_bind_jboss_messaging_port(openshift_net_domain)
|
|
+corenet_tcp_bind_jboss_debug_port(openshift_net_domain)
|
|
+corenet_tcp_bind_mongod_port(openshift_net_domain)
|
|
+corenet_tcp_bind_mysqld_port(openshift_domain)
|
|
+corenet_tcp_bind_pulseaudio_port(openshift_net_domain)
|
|
+corenet_tcp_bind_postgresql_port(openshift_net_domain)
|
|
+
|
|
+############################################################################
|
|
+#
|
|
+# Rules specific to openshift and openshift_app_t
|
|
+#
|
|
+kernel_read_vm_sysctls(openshift_t)
|
|
+kernel_read_vm_sysctls(openshift_app_t)
|
|
+kernel_search_vm_sysctl(openshift_t)
|
|
+kernel_search_vm_sysctl(openshift_app_t)
|
|
+netutils_domtrans_ping(openshift_t)
|
|
+netutils_kill_ping(openshift_t)
|
|
+netutils_signal_ping(openshift_t)
|
|
+
|
|
+openshift_net_type(openshift_app_t)
|
|
+openshift_net_type(openshift_t)
|
|
+
|
|
+optional_policy(`
|
|
+ postfix_rw_public_pipes(openshift_t)
|
|
+ postfix_manage_spool_maildrop_files(openshift_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# openshift_cgroup_read local policy
|
|
+#
|
|
+
|
|
+allow openshift_cgroup_read_t self:process { getattr signal_perms };
|
|
+allow openshift_cgroup_read_t self:fifo_file rw_fifo_file_perms;
|
|
+allow openshift_cgroup_read_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow openshift_cgroup_read_t openshift_initrc_t:fifo_file rw_inherited_fifo_file_perms;
|
|
+
|
|
+allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms;
|
|
+
|
|
+manage_dirs_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
|
|
+manage_files_pattern(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, openshift_cgroup_read_tmp_t)
|
|
+files_tmp_filetrans(openshift_cgroup_read_t, openshift_cgroup_read_tmp_t, { file dir })
|
|
+
|
|
+kernel_read_system_state(openshift_cgroup_read_t)
|
|
+
|
|
+term_dontaudit_use_generic_ptys(openshift_cgroup_read_t)
|
|
+
|
|
+auth_read_passwd(openshift_cgroup_read_t)
|
|
+
|
|
+miscfiles_read_localization(openshift_cgroup_read_t)
|
|
+
|
|
+optional_policy(`
|
|
+ ssh_use_ptys(openshift_cgroup_read_t)
|
|
+')
|
|
+
|
|
+corecmd_exec_bin(openshift_cgroup_read_t)
|
|
+corecmd_exec_shell(openshift_cgroup_read_t)
|
|
+
|
|
+dev_read_urand(openshift_cgroup_read_t)
|
|
+
|
|
+domain_use_interactive_fds(openshift_cgroup_read_t)
|
|
+
|
|
+fs_dontaudit_rw_anon_inodefs_files(openshift_cgroup_read_t)
|
|
+
|
|
+userdom_use_inherited_user_ptys(openshift_cgroup_read_t)
|
|
+
|
|
+miscfiles_read_generic_certs(openshift_cgroup_read_t)
|
|
+
|
|
+domtrans_pattern(openshift_domain, openshift_cgroup_read_exec_t, openshift_cgroup_read_t)
|
|
+role system_r types openshift_cgroup_read_t;
|
|
+
|
|
+allow openshift_domain openshift_cgroup_read_t:process { getattr signal signull sigkill };
|
|
+
|
|
+fs_list_cgroup_dirs(openshift_cgroup_read_t)
|
|
+fs_read_cgroup_files(openshift_cgroup_read_t)
|
|
+
|
|
+allow openshift_cgroup_read_t openshift_var_lib_t:dir list_dir_perms;
|
|
+manage_files_pattern(openshift_cgroup_read_t, openshift_var_lib_t, openshift_var_lib_t)
|
|
+allow openshift_cgroup_read_t openshift_file_type:file rw_inherited_file_perms;
|
|
+
|
|
+########################################
|
|
+#
|
|
+# openshift_cron local policy
|
|
+#
|
|
+allow openshift_cron_t self:capability { dac_override net_admin sys_admin };
|
|
+allow openshift_cron_t self:process signal_perms;
|
|
+allow openshift_cron_t self:tcp_socket create_stream_socket_perms;
|
|
+allow openshift_cron_t self:udp_socket create_socket_perms;
|
|
+allow openshift_cron_t self:unix_dgram_socket create_socket_perms;
|
|
+allow openshift_cron_t self:netlink_route_socket rw_netlink_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
|
|
+manage_fifo_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
|
|
+manage_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
|
|
+manage_lnk_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
|
|
+manage_sock_files_pattern(openshift_cron_t, openshift_cron_tmp_t, openshift_cron_tmp_t)
|
|
+files_tmp_filetrans(openshift_cron_t, openshift_cron_tmp_t, { lnk_file file dir sock_file fifo_file })
|
|
+
|
|
+openshift_manage_lib_dirs(openshift_cron_t)
|
|
+openshift_manage_lib_files(openshift_cron_t)
|
|
+
|
|
+kernel_search_network_sysctl(openshift_cron_t)
|
|
+kernel_read_network_state(openshift_cron_t)
|
|
+kernel_read_system_state(openshift_cron_t)
|
|
+
|
|
+corecmd_exec_bin(openshift_cron_t)
|
|
+corecmd_exec_shell(openshift_cron_t)
|
|
+
|
|
+dev_read_raw_memory(openshift_cron_t)
|
|
+dev_read_urand(openshift_cron_t)
|
|
+
|
|
+corenet_udp_bind_generic_node(openshift_cron_t)
|
|
+corenet_udp_bind_generic_port(openshift_cron_t)
|
|
+
|
|
+dev_getattr_fs(openshift_cron_t)
|
|
+dev_list_sysfs(openshift_cron_t)
|
|
+dev_read_sysfs(openshift_cron_t)
|
|
+
|
|
+files_getattr_home_dir(openshift_cron_t)
|
|
+files_manage_etc_files(openshift_cron_t)
|
|
+
|
|
+fs_getattr_tmpfs_dirs(openshift_cron_t)
|
|
+fs_getattr_all_fs(openshift_cron_t)
|
|
+fs_list_hugetlbfs(openshift_cron_t)
|
|
+fs_search_cgroup_dirs(openshift_cron_t)
|
|
+
|
|
+seutil_domtrans_setfiles(openshift_cron_t)
|
|
+
|
|
+term_getattr_pty_fs(openshift_cron_t)
|
|
+term_search_ptys(openshift_cron_t)
|
|
+
|
|
+auth_use_nsswitch(openshift_cron_t)
|
|
+
|
|
+miscfiles_read_generic_certs(openshift_cron_t)
|
|
+miscfiles_read_hwdata(openshift_cron_t)
|
|
+
|
|
+sysnet_exec_ifconfig(openshift_cron_t)
|
|
+sysnet_read_config(openshift_cron_t)
|
|
+
|
|
+optional_policy(`
|
|
+ dmidecode_exec(openshift_cron_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ hostname_exec(openshift_cron_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ quota_read_db(openshift_cron_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ssh_domtrans_keygen(openshift_cron_t)
|
|
+ ssh_dontaudit_read_server_keys(openshift_cron_t)
|
|
+')
|
|
+
|
|
diff --git a/openvpn.fc b/openvpn.fc
|
|
index 300213f..4cdfe09 100644
|
|
--- a/openvpn.fc
|
|
+++ b/openvpn.fc
|
|
@@ -1,10 +1,13 @@
|
|
/etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0)
|
|
+/etc/openvpn/scripts(/.*)? gen_context(system_u:object_r:openvpn_unconfined_script_exec_t,s0)
|
|
/etc/openvpn/ipp\.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0)
|
|
|
|
/etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0)
|
|
|
|
/usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0)
|
|
|
|
+/var/lib/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_lib_t,s0)
|
|
+
|
|
/var/log/openvpn-status\.log.* -- gen_context(system_u:object_r:openvpn_status_t,s0)
|
|
/var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0)
|
|
|
|
diff --git a/openvpn.if b/openvpn.if
|
|
index 6837e9a..21e6dae 100644
|
|
--- a/openvpn.if
|
|
+++ b/openvpn.if
|
|
@@ -23,6 +23,25 @@ interface(`openvpn_domtrans',`
|
|
########################################
|
|
## <summary>
|
|
## Execute openvpn clients in the
|
|
+## caller domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openvpn_exec',`
|
|
+ gen_require(`
|
|
+ type openvpn_exec_t;
|
|
+ ')
|
|
+
|
|
+ can_exec($1, openvpn_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute openvpn clients in the
|
|
## openvpn domain, and allow the
|
|
## specified role the openvpn domain.
|
|
## </summary>
|
|
@@ -147,9 +166,13 @@ interface(`openvpn_admin',`
|
|
type openvpn_status_t;
|
|
')
|
|
|
|
- allow $1 openvpn_t:process { ptrace signal_perms };
|
|
+ allow $1 openvpn_t:process signal_perms;
|
|
ps_process_pattern($1, openvpn_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 openvpn_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, openvpn_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 openvpn_initrc_exec_t system_r;
|
|
diff --git a/openvpn.te b/openvpn.te
|
|
index 63957a3..0e675ab 100644
|
|
--- a/openvpn.te
|
|
+++ b/openvpn.te
|
|
@@ -6,6 +6,13 @@ policy_module(openvpn, 1.12.2)
|
|
#
|
|
|
|
## <desc>
|
|
+## <p>
|
|
+## Allow openvpn to run unconfined scripts
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(openvpn_run_unconfined, false)
|
|
+
|
|
+## <desc>
|
|
## <p>
|
|
## Determine whether openvpn can
|
|
## read generic user home content files.
|
|
@@ -40,6 +47,9 @@ init_script_file(openvpn_initrc_exec_t)
|
|
type openvpn_status_t;
|
|
logging_log_file(openvpn_status_t)
|
|
|
|
+type openvpn_var_lib_t;
|
|
+files_type(openvpn_var_lib_t)
|
|
+
|
|
type openvpn_tmp_t;
|
|
files_tmp_file(openvpn_tmp_t)
|
|
|
|
@@ -54,7 +64,7 @@ files_pid_file(openvpn_var_run_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
|
|
+allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice };
|
|
allow openvpn_t self:process { signal getsched setsched };
|
|
allow openvpn_t self:fifo_file rw_fifo_file_perms;
|
|
allow openvpn_t self:unix_dgram_socket sendto;
|
|
@@ -73,13 +83,17 @@ filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file)
|
|
allow openvpn_t openvpn_status_t:file manage_file_perms;
|
|
logging_log_filetrans(openvpn_t, openvpn_status_t, file, "openvpn-status.log")
|
|
|
|
+manage_files_pattern(openvpn_t, openvpn_tmp_t, openvpn_tmp_t)
|
|
+files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
|
|
+
|
|
+manage_files_pattern(openvpn_t, openvpn_var_lib_t, openvpn_var_lib_t)
|
|
+files_var_lib_filetrans(openvpn_t, openvpn_var_lib_t, { dir file })
|
|
+
|
|
allow openvpn_t openvpn_tmp_t:file manage_file_perms;
|
|
files_tmp_filetrans(openvpn_t, openvpn_tmp_t, file)
|
|
|
|
manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
|
|
-append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
|
|
-create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
|
|
-setattr_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
|
|
+manage_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t)
|
|
logging_log_filetrans(openvpn_t, openvpn_var_log_t, file)
|
|
|
|
manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t)
|
|
@@ -97,7 +111,6 @@ kernel_request_load_module(openvpn_t)
|
|
corecmd_exec_bin(openvpn_t)
|
|
corecmd_exec_shell(openvpn_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(openvpn_t)
|
|
corenet_all_recvfrom_netlabel(openvpn_t)
|
|
corenet_tcp_sendrecv_generic_if(openvpn_t)
|
|
corenet_udp_sendrecv_generic_if(openvpn_t)
|
|
@@ -117,13 +130,15 @@ corenet_udp_sendrecv_openvpn_port(openvpn_t)
|
|
corenet_sendrecv_http_server_packets(openvpn_t)
|
|
corenet_tcp_bind_http_port(openvpn_t)
|
|
corenet_sendrecv_http_client_packets(openvpn_t)
|
|
+corenet_tcp_connect_squid_port(openvpn_t)
|
|
corenet_tcp_connect_http_port(openvpn_t)
|
|
corenet_tcp_sendrecv_http_port(openvpn_t)
|
|
-
|
|
corenet_sendrecv_http_cache_client_packets(openvpn_t)
|
|
corenet_tcp_connect_http_cache_port(openvpn_t)
|
|
corenet_tcp_sendrecv_http_cache_port(openvpn_t)
|
|
|
|
+corenet_tcp_connect_tor_port(openvpn_t)
|
|
+
|
|
corenet_rw_tun_tap_dev(openvpn_t)
|
|
|
|
dev_read_rand(openvpn_t)
|
|
@@ -135,18 +150,24 @@ fs_search_auto_mountpoints(openvpn_t)
|
|
|
|
auth_use_pam(openvpn_t)
|
|
|
|
-miscfiles_read_localization(openvpn_t)
|
|
+logging_send_syslog_msg(openvpn_t)
|
|
+
|
|
miscfiles_read_all_certs(openvpn_t)
|
|
|
|
+sysnet_dns_name_resolve(openvpn_t)
|
|
sysnet_exec_ifconfig(openvpn_t)
|
|
sysnet_manage_config(openvpn_t)
|
|
sysnet_etc_filetrans_config(openvpn_t)
|
|
sysnet_use_ldap(openvpn_t)
|
|
|
|
-userdom_use_user_terminals(openvpn_t)
|
|
+userdom_use_inherited_user_terminals(openvpn_t)
|
|
+userdom_read_home_certs(openvpn_t)
|
|
+userdom_attach_admin_tun_iface(openvpn_t)
|
|
+userdom_read_inherited_user_tmp_files(openvpn_t)
|
|
+userdom_read_inherited_user_home_content_files(openvpn_t)
|
|
|
|
tunable_policy(`openvpn_enable_homedirs',`
|
|
- userdom_read_user_home_content_files(openvpn_t)
|
|
+ userdom_search_user_home_dirs(openvpn_t)
|
|
')
|
|
|
|
tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
|
|
@@ -164,6 +185,10 @@ tunable_policy(`openvpn_can_network_connect',`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ brctl_domtrans(openvpn_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
daemontools_service_domain(openvpn_t, openvpn_exec_t)
|
|
')
|
|
|
|
@@ -175,3 +200,27 @@ optional_policy(`
|
|
networkmanager_dbus_chat(openvpn_t)
|
|
')
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_attach_tun_iface(openvpn_t)
|
|
+')
|
|
+
|
|
+type openvpn_unconfined_script_t;
|
|
+type openvpn_unconfined_script_exec_t;
|
|
+domain_type(openvpn_unconfined_script_t)
|
|
+domain_entry_file(openvpn_unconfined_script_t, openvpn_unconfined_script_exec_t)
|
|
+corecmd_shell_entry_type(openvpn_unconfined_script_t)
|
|
+role system_r types openvpn_unconfined_script_t;
|
|
+
|
|
+allow openvpn_t openvpn_unconfined_script_exec_t:dir search_dir_perms;
|
|
+allow openvpn_t openvpn_unconfined_script_exec_t:file ioctl;
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_domain(openvpn_unconfined_script_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`openvpn_run_unconfined',`
|
|
+ domtrans_pattern(openvpn_t, openvpn_unconfined_script_exec_t, openvpn_unconfined_script_t)
|
|
+',`
|
|
+ can_exec(openvpn_t, openvpn_unconfined_script_exec_t)
|
|
+')
|
|
diff --git a/openvswitch.fc b/openvswitch.fc
|
|
index 45d7cc5..c5b9607 100644
|
|
--- a/openvswitch.fc
|
|
+++ b/openvswitch.fc
|
|
@@ -1,12 +1,16 @@
|
|
-/etc/rc\.d/init\.d/openvswitch -- gen_context(system_u:object_r:openvswitch_initrc_exec_t,s0)
|
|
+/usr/lib/systemd/system/openvswitch.service -- gen_context(system_u:object_r:openvswitch_unit_file_t,s0)
|
|
|
|
-/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_conf_t,s0)
|
|
+/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
|
|
+/usr/bin/ovs-vsctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
|
|
+/usr/sbin/ovsdb-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
|
|
+/usr/sbin/ovsdb-server -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
|
|
+/usr/sbin/ovs-vswitchd -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
|
|
+/usr/bin/ovs-appctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
|
|
|
|
-/usr/share/openvswitch/scripts/ovs-ctl -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
|
|
-/usr/share/openvswitch/scripts/openvswitch\.init -- gen_context(system_u:object_r:openvswitch_exec_t,s0)
|
|
+/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0)
|
|
|
|
-/var/lib/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_lib_t,s0)
|
|
+/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0)
|
|
|
|
-/var/log/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_log_t,s0)
|
|
+/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0)
|
|
|
|
-/var/run/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_var_run_t,s0)
|
|
+/etc/openvswitch(/.*)? gen_context(system_u:object_r:openvswitch_rw_t,s0)
|
|
diff --git a/openvswitch.if b/openvswitch.if
|
|
index 9b15730..eedd136 100644
|
|
--- a/openvswitch.if
|
|
+++ b/openvswitch.if
|
|
@@ -1,13 +1,14 @@
|
|
-## <summary>Multilayer virtual switch.</summary>
|
|
+
|
|
+## <summary>policy for openvswitch</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute openvswitch in the openvswitch domain.
|
|
+## Execute TEMPLATE in the openvswitch domin.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed to transition.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`openvswitch_domtrans',`
|
|
@@ -18,10 +19,145 @@ interface(`openvswitch_domtrans',`
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, openvswitch_exec_t, openvswitch_t)
|
|
')
|
|
+########################################
|
|
+## <summary>
|
|
+## Read openvswitch's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`openvswitch_read_log',`
|
|
+ gen_require(`
|
|
+ type openvswitch_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Append to openvswitch log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openvswitch_append_log',`
|
|
+ gen_require(`
|
|
+ type openvswitch_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
|
|
+')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read openvswitch pid files.
|
|
+## Manage openvswitch log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openvswitch_manage_log',`
|
|
+ gen_require(`
|
|
+ type openvswitch_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ manage_dirs_pattern($1, openvswitch_log_t, openvswitch_log_t)
|
|
+ manage_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
|
|
+ manage_lnk_files_pattern($1, openvswitch_log_t, openvswitch_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search openvswitch lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openvswitch_search_lib',`
|
|
+ gen_require(`
|
|
+ type openvswitch_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 openvswitch_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read openvswitch lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openvswitch_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type openvswitch_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage openvswitch lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openvswitch_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type openvswitch_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage openvswitch lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openvswitch_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type openvswitch_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, openvswitch_var_lib_t, openvswitch_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read openvswitch PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -40,44 +176,86 @@ interface(`openvswitch_read_pid_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an openvswitch environment.
|
|
+## Allow stream connect to openvswitch.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+#
|
|
+
|
|
+interface(`openvswitch_stream_connect',`
|
|
+ gen_require(`
|
|
+ type openvswitch_t, openvswitch_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, openvswitch_var_run_t, openvswitch_var_run_t, openvswitch_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute openvswitch server in the openvswitch domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`openvswitch_systemctl',`
|
|
+ gen_require(`
|
|
+ type openvswitch_t;
|
|
+ type openvswitch_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 openvswitch_unit_file_t:file read_file_perms;
|
|
+ allow $1 openvswitch_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, openvswitch_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an openvswitch environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`openvswitch_admin',`
|
|
gen_require(`
|
|
- type openvswitch_t, openvswitch_initrc_exec_t, openvswitch_conf_t;
|
|
- type openvswitch_var_lib_t, openvswitch_log_t, openvswitch_var_run_t;
|
|
+ type openvswitch_t, openvswitch_log_t, openvswitch_var_lib_t;
|
|
+ type openvswitch_rw_t, openvswitch_var_run_t, openvswitch_unit_file_t;
|
|
')
|
|
|
|
allow $1 openvswitch_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, openvswitch_t)
|
|
|
|
- init_labeled_script_domtrans($1, openvswitch_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 openvswitch_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
+ logging_search_logs($1)
|
|
+ admin_pattern($1, openvswitch_rw_t)
|
|
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, openvswitch_conf_t)
|
|
+ logging_search_logs($1)
|
|
+ admin_pattern($1, openvswitch_log_t)
|
|
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, openvswitch_var_lib_t)
|
|
|
|
- logging_search_logs($1)
|
|
- admin_pattern($1, openvswitch_log_t)
|
|
-
|
|
files_search_pids($1)
|
|
admin_pattern($1, openvswitch_var_run_t)
|
|
+
|
|
+ openvswitch_systemctl($1)
|
|
+ admin_pattern($1, openvswitch_unit_file_t)
|
|
+ allow $1 openvswitch_unit_file_t:service all_service_perms;
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
')
|
|
diff --git a/openvswitch.te b/openvswitch.te
|
|
index 44dbc99..128ff1f 100644
|
|
--- a/openvswitch.te
|
|
+++ b/openvswitch.te
|
|
@@ -9,11 +9,8 @@ type openvswitch_t;
|
|
type openvswitch_exec_t;
|
|
init_daemon_domain(openvswitch_t, openvswitch_exec_t)
|
|
|
|
-type openvswitch_initrc_exec_t;
|
|
-init_script_file(openvswitch_initrc_exec_t)
|
|
-
|
|
-type openvswitch_conf_t;
|
|
-files_config_file(openvswitch_conf_t)
|
|
+type openvswitch_rw_t;
|
|
+files_config_file(openvswitch_rw_t)
|
|
|
|
type openvswitch_var_lib_t;
|
|
files_type(openvswitch_var_lib_t)
|
|
@@ -27,20 +24,27 @@ files_tmp_file(openvswitch_tmp_t)
|
|
type openvswitch_var_run_t;
|
|
files_pid_file(openvswitch_var_run_t)
|
|
|
|
+type openvswitch_unit_file_t;
|
|
+systemd_unit_file(openvswitch_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# openvswitch local policy
|
|
#
|
|
|
|
-allow openvswitch_t self:capability { net_admin sys_nice sys_resource ipc_lock };
|
|
-allow openvswitch_t self:process { setrlimit setsched signal };
|
|
+allow openvswitch_t self:capability { net_admin ipc_lock sys_module sys_nice sys_resource };
|
|
+allow openvswitch_t self:capability2 block_suspend;
|
|
+allow openvswitch_t self:process { fork setsched setrlimit signal };
|
|
allow openvswitch_t self:fifo_file rw_fifo_file_perms;
|
|
-allow openvswitch_t self:rawip_socket create_socket_perms;
|
|
-allow openvswitch_t self:unix_stream_socket { accept connectto listen };
|
|
+allow openvswitch_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
+allow openvswitch_t self:netlink_socket create_socket_perms;
|
|
+allow openvswitch_t self:netlink_route_socket rw_netlink_socket_perms;
|
|
+
|
|
+can_exec(openvswitch_t, openvswitch_exec_t)
|
|
|
|
-manage_dirs_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
|
|
-manage_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
|
|
-manage_lnk_files_pattern(openvswitch_t, openvswitch_conf_t, openvswitch_conf_t)
|
|
+manage_dirs_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
|
|
+manage_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
|
|
+manage_lnk_files_pattern(openvswitch_t, openvswitch_rw_t, openvswitch_rw_t)
|
|
|
|
manage_dirs_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
|
|
manage_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_lib_t)
|
|
@@ -48,9 +52,7 @@ manage_lnk_files_pattern(openvswitch_t, openvswitch_var_lib_t, openvswitch_var_l
|
|
files_var_lib_filetrans(openvswitch_t, openvswitch_var_lib_t, { dir file lnk_file })
|
|
|
|
manage_dirs_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
|
|
-append_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
|
|
-create_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
|
|
-setattr_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
|
|
+manage_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
|
|
manage_lnk_files_pattern(openvswitch_t, openvswitch_log_t, openvswitch_log_t)
|
|
logging_log_filetrans(openvswitch_t, openvswitch_log_t, { dir file lnk_file })
|
|
|
|
@@ -65,33 +67,38 @@ manage_sock_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_
|
|
manage_lnk_files_pattern(openvswitch_t, openvswitch_var_run_t, openvswitch_var_run_t)
|
|
files_pid_filetrans(openvswitch_t, openvswitch_var_run_t, { dir file lnk_file })
|
|
|
|
-can_exec(openvswitch_t, openvswitch_exec_t)
|
|
-
|
|
kernel_read_network_state(openvswitch_t)
|
|
kernel_read_system_state(openvswitch_t)
|
|
-
|
|
-corenet_all_recvfrom_unlabeled(openvswitch_t)
|
|
-corenet_all_recvfrom_netlabel(openvswitch_t)
|
|
-corenet_raw_sendrecv_generic_if(openvswitch_t)
|
|
-corenet_raw_sendrecv_generic_node(openvswitch_t)
|
|
+kernel_request_load_module(openvswitch_t)
|
|
|
|
corecmd_exec_bin(openvswitch_t)
|
|
+corecmd_exec_shell(openvswitch_t)
|
|
|
|
+dev_read_rand(openvswitch_t)
|
|
dev_read_urand(openvswitch_t)
|
|
+dev_read_sysfs(openvswitch_t)
|
|
|
|
domain_use_interactive_fds(openvswitch_t)
|
|
|
|
-files_read_etc_files(openvswitch_t)
|
|
+files_read_kernel_modules(openvswitch_t)
|
|
|
|
fs_getattr_all_fs(openvswitch_t)
|
|
fs_search_cgroup_dirs(openvswitch_t)
|
|
|
|
+auth_read_passwd(openvswitch_t)
|
|
+
|
|
logging_send_syslog_msg(openvswitch_t)
|
|
|
|
-miscfiles_read_localization(openvswitch_t)
|
|
+modutils_exec_insmod(openvswitch_t)
|
|
+modutils_list_module_config(openvswitch_t)
|
|
+modutils_read_module_config(openvswitch_t)
|
|
|
|
sysnet_dns_name_resolve(openvswitch_t)
|
|
|
|
optional_policy(`
|
|
iptables_domtrans(openvswitch_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ plymouthd_exec_plymouth(openvswitch_t)
|
|
+')
|
|
diff --git a/oracleasm.fc b/oracleasm.fc
|
|
new file mode 100644
|
|
index 0000000..80fb8c3
|
|
--- /dev/null
|
|
+++ b/oracleasm.fc
|
|
@@ -0,0 +1,4 @@
|
|
+
|
|
+/etc/rc\.d/init\.d/oracleasm -- gen_context(system_u:object_r:oracleasm_initrc_exec_t,s0)
|
|
+
|
|
+/usr/sbin/oracleasm -- gen_context(system_u:object_r:oracleasm_exec_t,s0)
|
|
diff --git a/oracleasm.if b/oracleasm.if
|
|
new file mode 100644
|
|
index 0000000..6ae382c
|
|
--- /dev/null
|
|
+++ b/oracleasm.if
|
|
@@ -0,0 +1,75 @@
|
|
+
|
|
+## <summary>policy for oracleasm</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to oracleasm.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`oracleasm_domtrans',`
|
|
+ gen_require(`
|
|
+ type oracleasm_t, oracleasm_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, oracleasm_exec_t, oracleasm_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute oracleasm server in the oracleasm domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`oracleasm_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type oracleasm_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, oracleasm_initrc_exec_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an oracleasm environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`oracleasm_admin',`
|
|
+ gen_require(`
|
|
+ type oracleasm_t;
|
|
+ type oracleasm_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 oracleasm_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, oracleasm_t)
|
|
+
|
|
+ oracleasm_initrc_domtrans($1)
|
|
+ domain_system_change_exemption($1)
|
|
+ role_transition $2 oracleasm_initrc_exec_t system_r;
|
|
+ allow $2 system_r;
|
|
+
|
|
+')
|
|
+
|
|
diff --git a/oracleasm.te b/oracleasm.te
|
|
new file mode 100644
|
|
index 0000000..0493b99
|
|
--- /dev/null
|
|
+++ b/oracleasm.te
|
|
@@ -0,0 +1,34 @@
|
|
+policy_module(oracleasm, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type oracleasm_t;
|
|
+type oracleasm_exec_t;
|
|
+init_daemon_domain(oracleasm_t, oracleasm_exec_t)
|
|
+
|
|
+type oracleasm_initrc_exec_t;
|
|
+init_script_file(oracleasm_initrc_exec_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# oracleasm local policy
|
|
+#
|
|
+
|
|
+allow oracleasm_t self:fifo_file rw_fifo_file_perms;
|
|
+allow oracleasm_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+domain_use_interactive_fds(oracleasm_t)
|
|
+
|
|
+corecmd_exec_shell(oracleasm_t)
|
|
+corecmd_exec_bin(oracleasm_t)
|
|
+
|
|
+optional_policy(`
|
|
+ mount_domtrans(oracleasm_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ modutils_domtrans_insmod(oracleasm_t)
|
|
+')
|
|
diff --git a/pacemaker.fc b/pacemaker.fc
|
|
index 2f0ad56..d4da0b8 100644
|
|
--- a/pacemaker.fc
|
|
+++ b/pacemaker.fc
|
|
@@ -1,5 +1,7 @@
|
|
/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:pacemaker_initrc_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:pacemaker_unit_file_t,s0)
|
|
+
|
|
/usr/sbin/pacemakerd -- gen_context(system_u:object_r:pacemaker_exec_t,s0)
|
|
|
|
/var/lib/heartbeat/crm(/.*)? gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
|
|
diff --git a/pacemaker.if b/pacemaker.if
|
|
index 9682d9a..d47f913 100644
|
|
--- a/pacemaker.if
|
|
+++ b/pacemaker.if
|
|
@@ -1,9 +1,166 @@
|
|
-## <summary>A scalable high-availability cluster resource manager.</summary>
|
|
+## <summary>>A scalable high-availability cluster resource manager.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an pacemaker environment.
|
|
+## Transition to pacemaker.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pacemaker_domtrans',`
|
|
+ gen_require(`
|
|
+ type pacemaker_t, pacemaker_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, pacemaker_exec_t, pacemaker_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute pacemaker server in the pacemaker domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pacemaker_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type pacemaker_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search pacemaker lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pacemaker_search_lib',`
|
|
+ gen_require(`
|
|
+ type pacemaker_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 pacemaker_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read pacemaker lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pacemaker_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type pacemaker_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage pacemaker lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pacemaker_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type pacemaker_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage pacemaker lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pacemaker_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type pacemaker_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, pacemaker_var_lib_t, pacemaker_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read pacemaker PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pacemaker_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type pacemaker_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ allow $1 pacemaker_var_run_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute pacemaker server in the pacemaker domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pacemaker_systemctl',`
|
|
+ gen_require(`
|
|
+ type pacemaker_t;
|
|
+ type pacemaker_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ allow $1 pacemaker_unit_file_t:file read_file_perms;
|
|
+ allow $1 pacemaker_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, pacemaker_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an pacemaker environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -19,14 +176,17 @@
|
|
#
|
|
interface(`pacemaker_admin',`
|
|
gen_require(`
|
|
- type pacemaker_t, pacemaker_initrc_exec_t, pacemaker_var_lib_t;
|
|
+ type pacemaker_t;
|
|
+ type pacemaker_initrc_exec_t;
|
|
+ type pacemaker_var_lib_t;
|
|
type pacemaker_var_run_t;
|
|
+ type pacemaker_unit_file_t;
|
|
')
|
|
|
|
allow $1 pacemaker_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, pacemaker_t)
|
|
|
|
- init_labeled_script_domtrans($1, pacemaker_initrc_exec_t)
|
|
+ pacemaker_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 pacemaker_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
@@ -36,4 +196,13 @@ interface(`pacemaker_admin',`
|
|
|
|
files_search_pids($1)
|
|
admin_pattern($1, pacemaker_var_run_t)
|
|
+
|
|
+ pacemaker_systemctl($1)
|
|
+ admin_pattern($1, pacemaker_unit_file_t)
|
|
+ allow $1 pacemaker_unit_file_t:service all_service_perms;
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
')
|
|
diff --git a/pacemaker.te b/pacemaker.te
|
|
index 6e6efb6..3dc917d 100644
|
|
--- a/pacemaker.te
|
|
+++ b/pacemaker.te
|
|
@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.1.0)
|
|
# Declarations
|
|
#
|
|
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow pacemaker memcheck-amd64- to use executable memory
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(pacemaker_use_execmem, false)
|
|
+
|
|
type pacemaker_t;
|
|
type pacemaker_exec_t;
|
|
init_daemon_domain(pacemaker_t, pacemaker_exec_t)
|
|
@@ -12,17 +19,20 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t)
|
|
type pacemaker_initrc_exec_t;
|
|
init_script_file(pacemaker_initrc_exec_t)
|
|
|
|
+type pacemaker_var_lib_t;
|
|
+files_type(pacemaker_var_lib_t)
|
|
+
|
|
+type pacemaker_var_run_t;
|
|
+files_pid_file(pacemaker_var_run_t)
|
|
+
|
|
type pacemaker_tmp_t;
|
|
files_tmp_file(pacemaker_tmp_t)
|
|
|
|
type pacemaker_tmpfs_t;
|
|
files_tmpfs_file(pacemaker_tmpfs_t)
|
|
|
|
-type pacemaker_var_lib_t;
|
|
-files_type(pacemaker_var_lib_t)
|
|
-
|
|
-type pacemaker_var_run_t;
|
|
-files_pid_file(pacemaker_var_run_t)
|
|
+type pacemaker_unit_file_t;
|
|
+systemd_unit_file(pacemaker_unit_file_t)
|
|
|
|
########################################
|
|
#
|
|
@@ -30,13 +40,15 @@ files_pid_file(pacemaker_var_run_t)
|
|
#
|
|
|
|
allow pacemaker_t self:capability { fowner fsetid kill chown dac_override setuid };
|
|
+allow pacemaker_t self:capability2 block_suspend;
|
|
allow pacemaker_t self:process { setrlimit signal setpgid };
|
|
allow pacemaker_t self:fifo_file rw_fifo_file_perms;
|
|
allow pacemaker_t self:unix_stream_socket { connectto accept listen };
|
|
|
|
manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
|
|
manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
|
|
-files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir })
|
|
+manage_fifo_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
|
|
+files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { fifo_file file dir })
|
|
|
|
manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
|
|
manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
|
|
@@ -60,13 +72,13 @@ kernel_read_system_state(pacemaker_t)
|
|
corecmd_exec_bin(pacemaker_t)
|
|
corecmd_exec_shell(pacemaker_t)
|
|
|
|
+domain_use_interactive_fds(pacemaker_t)
|
|
+domain_read_all_domains_state(pacemaker_t)
|
|
+
|
|
dev_getattr_mtrr_dev(pacemaker_t)
|
|
dev_read_rand(pacemaker_t)
|
|
dev_read_urand(pacemaker_t)
|
|
|
|
-domain_read_all_domains_state(pacemaker_t)
|
|
-domain_use_interactive_fds(pacemaker_t)
|
|
-
|
|
files_read_kernel_symbol_table(pacemaker_t)
|
|
|
|
fs_getattr_all_fs(pacemaker_t)
|
|
@@ -75,9 +87,20 @@ auth_use_nsswitch(pacemaker_t)
|
|
|
|
logging_send_syslog_msg(pacemaker_t)
|
|
|
|
-miscfiles_read_localization(pacemaker_t)
|
|
+sysnet_domtrans_ifconfig(pacemaker_t)
|
|
+
|
|
+tunable_policy(`pacemaker_use_execmem',`
|
|
+ allow pacemaker_t self:process { execmem };
|
|
+')
|
|
|
|
optional_policy(`
|
|
corosync_read_log(pacemaker_t)
|
|
+ corosync_setattr_log(pacemaker_t)
|
|
corosync_stream_connect(pacemaker_t)
|
|
+ corosync_rw_tmpfs(pacemaker_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ #executes heartbeat lib files
|
|
+ rgmanager_execute_lib(pacemaker_t)
|
|
')
|
|
diff --git a/pads.if b/pads.if
|
|
index 6e097c9..503c97a 100644
|
|
--- a/pads.if
|
|
+++ b/pads.if
|
|
@@ -17,15 +17,19 @@
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
-interface(`pads_admin', `
|
|
+interface(`pads_admin',`
|
|
gen_require(`
|
|
type pads_t, pads_config_t, pads_var_run_t;
|
|
type pads_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 pads_t:process { ptrace signal_perms };
|
|
+ allow $1 pads_t:process signal_perms;
|
|
ps_process_pattern($1, pads_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 pads_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, pads_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 pads_initrc_exec_t system_r;
|
|
diff --git a/pads.te b/pads.te
|
|
index 078adc4..77513a4 100644
|
|
--- a/pads.te
|
|
+++ b/pads.te
|
|
@@ -25,8 +25,11 @@ files_pid_file(pads_var_run_t)
|
|
#
|
|
|
|
allow pads_t self:capability { dac_override net_raw };
|
|
+allow pads_t self:netlink_route_socket create_netlink_socket_perms;
|
|
allow pads_t self:packet_socket create_socket_perms;
|
|
allow pads_t self:socket create_socket_perms;
|
|
+allow pads_t self:udp_socket create_socket_perms;
|
|
+allow pads_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
allow pads_t pads_config_t:file manage_file_perms;
|
|
files_etc_filetrans(pads_t, pads_config_t, file)
|
|
@@ -39,7 +42,6 @@ kernel_read_network_state(pads_t)
|
|
|
|
corecmd_search_bin(pads_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(pads_t)
|
|
corenet_all_recvfrom_netlabel(pads_t)
|
|
corenet_tcp_sendrecv_generic_if(pads_t)
|
|
corenet_tcp_sendrecv_generic_node(pads_t)
|
|
@@ -52,11 +54,8 @@ dev_read_rand(pads_t)
|
|
dev_read_urand(pads_t)
|
|
dev_read_sysfs(pads_t)
|
|
|
|
-files_read_etc_files(pads_t)
|
|
files_search_spool(pads_t)
|
|
|
|
-miscfiles_read_localization(pads_t)
|
|
-
|
|
logging_send_syslog_msg(pads_t)
|
|
|
|
sysnet_dns_name_resolve(pads_t)
|
|
diff --git a/passenger.fc b/passenger.fc
|
|
index 2c389ea..9155bd0 100644
|
|
--- a/passenger.fc
|
|
+++ b/passenger.fc
|
|
@@ -1,10 +1,12 @@
|
|
-/usr/.*/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
|
-/usr/.*/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
|
-/usr/.*/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
|
-/usr/.*/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
|
+/usr/share/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
|
+/usr/share/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
|
+/usr/lib/gems/.*/Passenger.* -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
|
+/usr/lib/gems/.*/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
|
|
|
-/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
|
|
+/usr/share/.*/gems/.*/helper-scripts/prespawn -- gen_context(system_u:object_r:passenger_exec_t,s0)
|
|
|
|
-/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0)
|
|
+/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
|
|
|
|
-/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
|
|
+/var/log/passenger.* gen_context(system_u:object_r:passenger_log_t,s0)
|
|
+
|
|
+/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)
|
|
diff --git a/passenger.if b/passenger.if
|
|
index bf59ef7..0ec51d4 100644
|
|
--- a/passenger.if
|
|
+++ b/passenger.if
|
|
@@ -15,17 +15,16 @@ interface(`passenger_domtrans',`
|
|
type passenger_t, passenger_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, passenger_exec_t, passenger_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
-## Execute passenger in the caller domain.
|
|
+## Execute passenger in the current domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
@@ -34,13 +33,30 @@ interface(`passenger_exec',`
|
|
type passenger_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, passenger_exec_t)
|
|
')
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Getattr passenger log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`passenger_getattr_log_files',`
|
|
+ gen_require(`
|
|
+ type passenger_log_t;
|
|
+ ')
|
|
+
|
|
+ getattr_files_pattern($1, passenger_log_t, passenger_log_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
-## Read passenger lib files.
|
|
+## Read passenger lib files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -53,6 +69,93 @@ interface(`passenger_read_lib_files',`
|
|
type passenger_var_lib_t;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
|
|
+ read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage passenger lib files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`passenger_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type passenger_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ manage_dirs_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
|
|
+ manage_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
|
|
+ manage_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Manage passenger var_run content.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`passenger_manage_pid_content',`
|
|
+ gen_require(`
|
|
+ type passenger_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ manage_dirs_pattern($1, passenger_var_run_t, passenger_var_run_t)
|
|
+ manage_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
|
|
+ manage_fifo_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
|
|
+ manage_sock_files_pattern($1, passenger_var_run_t, passenger_var_run_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Connect to passenger unix stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`passenger_stream_connect',`
|
|
+ gen_require(`
|
|
+ type passenger_t;
|
|
+ type passenger_tmp_t;
|
|
+ type passenger_var_run_t;
|
|
+ ')
|
|
+
|
|
+
|
|
+
|
|
+ stream_connect_pattern($1, passenger_var_run_t, passenger_var_run_t, passenger_t)
|
|
+ stream_connect_pattern($1, passenger_tmp_t, passenger_tmp_t, passenger_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow to manage passenger tmp files/dirs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`passenger_manage_tmp_files',`
|
|
+ gen_require(`
|
|
+ type passenger_tmp_t;
|
|
+ ')
|
|
+
|
|
+ files_search_tmp($1)
|
|
+ manage_files_pattern($1, passenger_tmp_t, passenger_tmp_t)
|
|
+ manage_dirs_pattern($1, passenger_tmp_t, passenger_tmp_t)
|
|
')
|
|
diff --git a/passenger.te b/passenger.te
|
|
index 08ec33b..24ce7e8 100644
|
|
--- a/passenger.te
|
|
+++ b/passenger.te
|
|
@@ -14,6 +14,9 @@ role system_r types passenger_t;
|
|
type passenger_log_t;
|
|
logging_log_file(passenger_log_t)
|
|
|
|
+type passenger_tmp_t;
|
|
+files_tmp_file(passenger_tmp_t)
|
|
+
|
|
type passenger_var_lib_t;
|
|
files_type(passenger_var_lib_t)
|
|
|
|
@@ -22,22 +25,24 @@ files_pid_file(passenger_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# passanger local policy
|
|
#
|
|
|
|
allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice sys_ptrace sys_resource };
|
|
-allow passenger_t self:process { setpgid setsched sigkill signal };
|
|
+allow passenger_t self:process { setpgid setsched sigkill signal signull };
|
|
allow passenger_t self:fifo_file rw_fifo_file_perms;
|
|
-allow passenger_t self:unix_stream_socket { accept connectto listen };
|
|
+allow passenger_t self:tcp_socket listen;
|
|
+allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
+
|
|
+can_exec(passenger_t, passenger_exec_t)
|
|
|
|
manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t)
|
|
-append_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
|
|
-create_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
|
|
-setattr_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
|
|
-logging_log_filetrans(passenger_t, passenger_log_t, file)
|
|
+manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
|
|
+logging_log_filetrans(passenger_t, passenger_log_t, { dir file })
|
|
|
|
manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
|
|
manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
|
|
+files_search_var_lib(passenger_t)
|
|
|
|
manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
|
|
manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
|
|
@@ -45,7 +50,11 @@ manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
|
|
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
|
|
files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
|
|
|
|
-can_exec(passenger_t, passenger_exec_t)
|
|
+#needed by puppet
|
|
+manage_dirs_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
|
|
+manage_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
|
|
+manage_sock_files_pattern(passenger_t, passenger_tmp_t, passenger_tmp_t)
|
|
+files_tmp_filetrans(passenger_t, passenger_tmp_t, { file dir sock_file })
|
|
|
|
kernel_read_system_state(passenger_t)
|
|
kernel_read_kernel_sysctls(passenger_t)
|
|
@@ -53,13 +62,10 @@ kernel_read_network_state(passenger_t)
|
|
kernel_read_net_sysctls(passenger_t)
|
|
|
|
corenet_all_recvfrom_netlabel(passenger_t)
|
|
-corenet_all_recvfrom_unlabeled(passenger_t)
|
|
corenet_tcp_sendrecv_generic_if(passenger_t)
|
|
corenet_tcp_sendrecv_generic_node(passenger_t)
|
|
-
|
|
-corenet_sendrecv_http_client_packets(passenger_t)
|
|
corenet_tcp_connect_http_port(passenger_t)
|
|
-corenet_tcp_sendrecv_http_port(passenger_t)
|
|
+corenet_tcp_connect_postgresql_port(passenger_t)
|
|
|
|
corecmd_exec_bin(passenger_t)
|
|
corecmd_exec_shell(passenger_t)
|
|
@@ -68,8 +74,6 @@ dev_read_urand(passenger_t)
|
|
|
|
domain_read_all_domains_state(passenger_t)
|
|
|
|
-files_read_etc_files(passenger_t)
|
|
-
|
|
auth_use_nsswitch(passenger_t)
|
|
|
|
logging_send_syslog_msg(passenger_t)
|
|
@@ -94,14 +98,21 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- puppet_manage_lib_files(passenger_t)
|
|
+ mysql_stream_connect(passenger_t)
|
|
+ mysql_list_db(passenger_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ puppet_domtrans_master(passenger_t)
|
|
+ puppet_manage_lib(passenger_t)
|
|
puppet_read_config(passenger_t)
|
|
- puppet_append_log_files(passenger_t)
|
|
- puppet_create_log_files(passenger_t)
|
|
- puppet_read_log_files(passenger_t)
|
|
+ puppet_append_log(passenger_t)
|
|
+ puppet_create_log(passenger_t)
|
|
+ puppet_read_log(passenger_t)
|
|
+ puppet_search_pid(passenger_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- rpm_exec(passenger_t)
|
|
- rpm_read_db(passenger_t)
|
|
+ rpm_exec(passenger_t)
|
|
+ rpm_read_db(passenger_t)
|
|
')
|
|
diff --git a/pcmcia.te b/pcmcia.te
|
|
index 8176e4a..2df1789 100644
|
|
--- a/pcmcia.te
|
|
+++ b/pcmcia.te
|
|
@@ -88,20 +88,17 @@ libs_exec_lib_files(cardmgr_t)
|
|
|
|
logging_send_syslog_msg(cardmgr_t)
|
|
|
|
-miscfiles_read_localization(cardmgr_t)
|
|
-
|
|
modutils_domtrans_insmod(cardmgr_t)
|
|
|
|
sysnet_domtrans_ifconfig(cardmgr_t)
|
|
sysnet_etc_filetrans_config(cardmgr_t)
|
|
sysnet_manage_config(cardmgr_t)
|
|
|
|
-userdom_use_user_terminals(cardmgr_t)
|
|
+userdom_use_inherited_user_terminals(cardmgr_t)
|
|
userdom_dontaudit_use_unpriv_user_fds(cardmgr_t)
|
|
userdom_dontaudit_search_user_home_dirs(cardmgr_t)
|
|
|
|
optional_policy(`
|
|
- seutil_dontaudit_read_config(cardmgr_t)
|
|
seutil_sigchld_newrole(cardmgr_t)
|
|
')
|
|
|
|
diff --git a/pcscd.if b/pcscd.if
|
|
index 43d50f9..7f77d32 100644
|
|
--- a/pcscd.if
|
|
+++ b/pcscd.if
|
|
@@ -50,7 +50,7 @@ interface(`pcscd_read_pid_files',`
|
|
')
|
|
|
|
files_search_pids($1)
|
|
- allow $1 pcscd_var_run_t:file read_file_perms;
|
|
+ read_files_pattern($1, pcscd_var_run_t, pcscd_var_run_t)
|
|
')
|
|
|
|
########################################
|
|
diff --git a/pcscd.te b/pcscd.te
|
|
index 1fb1964..f92c71a 100644
|
|
--- a/pcscd.te
|
|
+++ b/pcscd.te
|
|
@@ -24,8 +24,9 @@ init_daemon_run_dir(pcscd_var_run_t, "pcscd")
|
|
allow pcscd_t self:capability { dac_override dac_read_search fsetid };
|
|
allow pcscd_t self:process signal;
|
|
allow pcscd_t self:fifo_file rw_fifo_file_perms;
|
|
-allow pcscd_t self:unix_stream_socket { accept listen };
|
|
-allow pcscd_t self:tcp_socket { accept listen };
|
|
+allow pcscd_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow pcscd_t self:unix_dgram_socket create_socket_perms;
|
|
+allow pcscd_t self:tcp_socket create_stream_socket_perms;
|
|
allow pcscd_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(pcscd_t, pcscd_var_run_t, pcscd_var_run_t)
|
|
@@ -36,7 +37,6 @@ files_pid_filetrans(pcscd_t, pcscd_var_run_t, { file sock_file dir })
|
|
|
|
kernel_read_system_state(pcscd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(pcscd_t)
|
|
corenet_all_recvfrom_netlabel(pcscd_t)
|
|
corenet_tcp_sendrecv_generic_if(pcscd_t)
|
|
corenet_tcp_sendrecv_generic_node(pcscd_t)
|
|
@@ -50,7 +50,6 @@ dev_rw_smartcard(pcscd_t)
|
|
dev_rw_usbfs(pcscd_t)
|
|
dev_read_sysfs(pcscd_t)
|
|
|
|
-files_read_etc_files(pcscd_t)
|
|
files_read_etc_runtime_files(pcscd_t)
|
|
|
|
term_use_unallocated_ttys(pcscd_t)
|
|
@@ -60,8 +59,6 @@ locallogin_use_fds(pcscd_t)
|
|
|
|
logging_send_syslog_msg(pcscd_t)
|
|
|
|
-miscfiles_read_localization(pcscd_t)
|
|
-
|
|
sysnet_dns_name_resolve(pcscd_t)
|
|
|
|
optional_policy(`
|
|
@@ -85,3 +82,7 @@ optional_policy(`
|
|
optional_policy(`
|
|
udev_read_db(pcscd_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ virt_rw_svirt_dev(pcscd_t)
|
|
+')
|
|
diff --git a/pegasus.fc b/pegasus.fc
|
|
index dfd46e4..31122bd 100644
|
|
--- a/pegasus.fc
|
|
+++ b/pegasus.fc
|
|
@@ -1,15 +1,26 @@
|
|
-/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
|
|
+
|
|
+/etc/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_conf_t,s0)
|
|
/etc/Pegasus/pegasus_current\.conf gen_context(system_u:object_r:pegasus_data_t,s0)
|
|
|
|
-/etc/rc\.d/init\.d/tog-pegasus -- gen_context(system_u:object_r:pegasus_initrc_exec_t,s0)
|
|
+/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
|
|
+/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
|
|
|
|
-/usr/sbin/cimserver -- gen_context(system_u:object_r:pegasus_exec_t,s0)
|
|
-/usr/sbin/init_repository -- gen_context(system_u:object_r:pegasus_exec_t,s0)
|
|
+/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
|
|
|
|
-/var/cache/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_cache_t,s0)
|
|
+/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
|
|
|
|
-/var/lib/Pegasus(/.*)? gen_context(system_u:object_r:pegasus_data_t,s0)
|
|
+/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
|
|
|
|
-/var/run/tog-pegasus(/.*)? gen_context(system_u:object_r:pegasus_var_run_t,s0)
|
|
+/var/lib/openlmi-storage(/.*)? gen_context(system_u:object_r:pegasus_openlmi_storage_lib_t,s0)
|
|
|
|
-/usr/share/Pegasus/mof(/.*)?/.*\.mof gen_context(system_u:object_r:pegasus_mof_t,s0)
|
|
+#openlmi agents
|
|
+/usr/libexec/pegasus/cmpiLMI_Account-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_account_exec_t,s0)
|
|
+/usr/libexec/pegasus/cmpiLMI_Fan-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
|
|
+/usr/libexec/pegasus/cmpiLMI_LogicalFile-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_logicalfile_exec_t,s0)
|
|
+/usr/libexec/pegasus/cmpiLMI_Networking-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
|
|
+/usr/libexec/pegasus/cmpiLMI_PowerManagement-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_system_exec_t,s0)
|
|
+/usr/libexec/pegasus/cmpiLMI_Realmd-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_services_exec_t,s0)
|
|
+/usr/libexec/pegasus/cmpiLMI_Service-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_admin_exec_t,s0)
|
|
+
|
|
+
|
|
+/usr/libexec/pegasus/pycmpiLMI_Storage-cimprovagt -- gen_context(system_u:object_r:pegasus_openlmi_storage_exec_t,s0)
|
|
diff --git a/pegasus.if b/pegasus.if
|
|
index d2fc677..ded726f 100644
|
|
--- a/pegasus.if
|
|
+++ b/pegasus.if
|
|
@@ -1,52 +1,59 @@
|
|
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
|
|
|
|
+######################################
|
|
+## <summary>
|
|
+## Creates types and rules for a basic
|
|
+## openlmi init daemon domain.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## Prefix for the domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`pegasus_openlmi_domain_template',`
|
|
+ gen_require(`
|
|
+ attribute pegasus_openlmi_domain;
|
|
+ type pegasus_t;
|
|
+ ')
|
|
+
|
|
+ ##############################
|
|
+ #
|
|
+ # Declarations
|
|
+ #
|
|
+
|
|
+ type pegasus_openlmi_$1_t, pegasus_openlmi_domain;
|
|
+ type pegasus_openlmi_$1_exec_t;
|
|
+ init_daemon_domain(pegasus_openlmi_$1_t, pegasus_openlmi_$1_exec_t)
|
|
+
|
|
+ ##############################
|
|
+ #
|
|
+ # Local policy
|
|
+ #
|
|
+
|
|
+ domtrans_pattern(pegasus_t, pegasus_openlmi_$1_exec_t, pegasus_openlmi_$1_t)
|
|
+
|
|
+ kernel_read_system_state(pegasus_openlmi_$1_t)
|
|
+ logging_send_syslog_msg(pegasus_openlmi_$1_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an pegasus environment.
|
|
+## Connect to pegasus over a unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`pegasus_admin',`
|
|
+interface(`pegasus_stream_connect',`
|
|
gen_require(`
|
|
- type pegasus_t, pegasus_initrc_exec_t, pegasus_tmp_t;
|
|
- type pegasus_cache_t, pegasus_data_t, pegasus_conf_t;
|
|
- type pegasus_mof_t, pegasus_var_run_t;
|
|
+ type pegasus_t, pegasus_var_run_t, pegasus_tmp_t;
|
|
')
|
|
|
|
- allow $1 pegasus_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, pegasus_t)
|
|
-
|
|
- init_labeled_script_domtrans($1, pegasus_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 pegasus_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
-
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, pegasus_conf_t)
|
|
-
|
|
- files_search_usr($1)
|
|
- admin_pattern($1, pegasus_mof_t)
|
|
-
|
|
- files_search_tmp($1)
|
|
- admin_pattern($1, pegasus_tmp_t)
|
|
-
|
|
- files_search_var($1)
|
|
- admin_pattern($1, pegasus_cache_t)
|
|
-
|
|
- files_search_var_lib($1)
|
|
- admin_pattern($1, pegasus_data_t)
|
|
-
|
|
files_search_pids($1)
|
|
- admin_pattern($1, pegasus_var_run_t)
|
|
+ stream_connect_pattern($1, pegasus_var_run_t, pegasus_var_run_t, pegasus_t)
|
|
+ stream_connect_pattern($1, pegasus_tmp_t, pegasus_tmp_t, pegasus_t)
|
|
')
|
|
+
|
|
diff --git a/pegasus.te b/pegasus.te
|
|
index 608f454..1e7f218 100644
|
|
--- a/pegasus.te
|
|
+++ b/pegasus.te
|
|
@@ -5,13 +5,12 @@ policy_module(pegasus, 1.9.0)
|
|
# Declarations
|
|
#
|
|
|
|
+attribute pegasus_openlmi_domain;
|
|
+
|
|
type pegasus_t;
|
|
type pegasus_exec_t;
|
|
init_daemon_domain(pegasus_t, pegasus_exec_t)
|
|
|
|
-type pegasus_initrc_exec_t;
|
|
-init_script_file(pegasus_initrc_exec_t)
|
|
-
|
|
type pegasus_cache_t;
|
|
files_type(pegasus_cache_t)
|
|
|
|
@@ -30,20 +29,269 @@ files_type(pegasus_mof_t)
|
|
type pegasus_var_run_t;
|
|
files_pid_file(pegasus_var_run_t)
|
|
|
|
+# pegasus openlmi providers
|
|
+pegasus_openlmi_domain_template(admin)
|
|
+typealias pegasus_openlmi_admin_t alias pegasus_openlmi_service_t;
|
|
+
|
|
+pegasus_openlmi_domain_template(account)
|
|
+domain_obj_id_change_exemption(pegasus_openlmi_account_t)
|
|
+domain_system_change_exemption(pegasus_openlmi_account_t)
|
|
+
|
|
+pegasus_openlmi_domain_template(logicalfile)
|
|
+pegasus_openlmi_domain_template(services)
|
|
+
|
|
+pegasus_openlmi_domain_template(storage)
|
|
+type pegasus_openlmi_storage_tmp_t;
|
|
+files_tmp_file(pegasus_openlmi_storage_tmp_t)
|
|
+
|
|
+type pegasus_openlmi_storage_lib_t;
|
|
+files_type(pegasus_openlmi_storage_lib_t)
|
|
+
|
|
+pegasus_openlmi_domain_template(system)
|
|
+typealias pegasus_openlmi_system_t alias pegasus_openlmi_networking_t;
|
|
+pegasus_openlmi_domain_template(unconfined)
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# pegasus openlmi providers local policy
|
|
+#
|
|
+
|
|
+allow pegasus_openlmi_domain self:capability { setuid setgid };
|
|
+
|
|
+allow pegasus_openlmi_domain self:fifo_file rw_fifo_file_perms;
|
|
+allow pegasus_openlmi_domain self:udp_socket create_socket_perms;
|
|
+
|
|
+manage_files_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
|
|
+manage_dirs_pattern(pegasus_openlmi_domain, pegasus_data_t, pegasus_data_t)
|
|
+
|
|
+corecmd_exec_bin(pegasus_openlmi_domain)
|
|
+corecmd_exec_shell(pegasus_openlmi_domain)
|
|
+
|
|
+dev_read_sysfs(pegasus_openlmi_domain)
|
|
+
|
|
+auth_read_passwd(pegasus_openlmi_domain)
|
|
+
|
|
+sysnet_read_config(pegasus_openlmi_domain)
|
|
+
|
|
+optional_policy(`
|
|
+ pegasus_stream_connect(pegasus_openlmi_domain)
|
|
+')
|
|
+
|
|
+######################################
|
|
+#
|
|
+# pegasus openlmi account local policy
|
|
+#
|
|
+
|
|
+allow pegasus_openlmi_account_t self:capability { chown dac_override fowner fsetid };
|
|
+allow pegasus_openlmi_account_t self:process setfscreate;
|
|
+
|
|
+auth_manage_passwd(pegasus_openlmi_account_t)
|
|
+auth_manage_shadow(pegasus_openlmi_account_t)
|
|
+auth_relabel_shadow(pegasus_openlmi_account_t)
|
|
+auth_read_login_records(pegasus_openlmi_account_t)
|
|
+auth_etc_filetrans_shadow(pegasus_openlmi_account_t)
|
|
+
|
|
+logging_send_audit_msgs(pegasus_openlmi_account_t)
|
|
+logging_send_syslog_msg(pegasus_openlmi_account_t)
|
|
+
|
|
+init_rw_utmp(pegasus_openlmi_account_t)
|
|
+
|
|
+seutil_semanage_policy(pegasus_openlmi_account_t)
|
|
+
|
|
+logging_send_syslog_msg(pegasus_openlmi_account_t)
|
|
+
|
|
+seutil_read_config(pegasus_openlmi_account_t)
|
|
+seutil_read_file_contexts(pegasus_openlmi_account_t)
|
|
+seutil_read_default_contexts(pegasus_openlmi_account_t)
|
|
+
|
|
+# Add/remove user home directories
|
|
+userdom_home_filetrans_user_home_dir(pegasus_openlmi_account_t)
|
|
+userdom_manage_home_role(system_r, pegasus_openlmi_account_t)
|
|
+userdom_delete_all_user_home_content(pegasus_openlmi_account_t)
|
|
+
|
|
+optional_policy(`
|
|
+ # run userdel
|
|
+ usermanage_domtrans_useradd(pegasus_openlmi_account_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+#
|
|
+# pegasus openlmi logicalfile local policy
|
|
+#
|
|
+
|
|
+allow pegasus_openlmi_logicalfile_t self:capability { dac_override };
|
|
+files_manage_non_security_dirs(pegasus_openlmi_logicalfile_t)
|
|
+files_manage_non_security_files(pegasus_openlmi_logicalfile_t)
|
|
+
|
|
+dev_getattr_all_blk_files(pegasus_openlmi_logicalfile_t)
|
|
+dev_getattr_all_chr_files(pegasus_openlmi_logicalfile_t)
|
|
+
|
|
+files_list_all(pegasus_openlmi_logicalfile_t)
|
|
+files_read_all_files(pegasus_openlmi_logicalfile_t)
|
|
+files_read_all_symlinks(pegasus_openlmi_logicalfile_t)
|
|
+files_read_all_blk_files(pegasus_openlmi_logicalfile_t)
|
|
+files_read_all_chr_files(pegasus_openlmi_logicalfile_t)
|
|
+files_getattr_all_pipes(pegasus_openlmi_logicalfile_t)
|
|
+files_getattr_all_sockets(pegasus_openlmi_logicalfile_t)
|
|
+
|
|
+# Add/remove user home directories
|
|
+userdom_home_filetrans_user_home_dir(pegasus_openlmi_logicalfile_t)
|
|
+userdom_manage_home_role(system_r, pegasus_openlmi_logicalfile_t)
|
|
+userdom_delete_all_user_home_content(pegasus_openlmi_logicalfile_t)
|
|
+
|
|
+optional_policy(`
|
|
+ # it can delete/create empty dirs
|
|
+ # so we want to have unconfined_domain attribute for filename rules
|
|
+ unconfined_domain(pegasus_openlmi_logicalfile_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+#
|
|
+# pegasus openlmi services local policy
|
|
+#
|
|
+
|
|
+allow pegasus_openlmi_services_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+
|
|
+kernel_read_network_state(pegasus_openlmi_services_t)
|
|
+
|
|
+optional_policy(`
|
|
+ dbus_system_bus_client(pegasus_openlmi_services_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ realmd_dbus_chat(pegasus_openlmi_services_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ sssd_stream_connect(pegasus_openlmi_services_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+#
|
|
+# pegasus openlmi system (networking) local policy
|
|
+#
|
|
+
|
|
+allow pegasus_openlmi_system_t self:capability { net_admin };
|
|
+
|
|
+allow pegasus_openlmi_system_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+
|
|
+kernel_read_network_state(pegasus_openlmi_system_t)
|
|
+
|
|
+dev_rw_sysfs(pegasus_openlmi_system_t)
|
|
+dev_read_urand(pegasus_openlmi_system_t)
|
|
+
|
|
+optional_policy(`
|
|
+ dbus_system_bus_client(pegasus_openlmi_system_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ networkmanager_dbus_chat(pegasus_openlmi_system_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+#
|
|
+# pegasus openlmi service local policy
|
|
+#
|
|
+
|
|
+init_disable_services(pegasus_openlmi_admin_t)
|
|
+init_enable_services(pegasus_openlmi_admin_t)
|
|
+init_reload_services(pegasus_openlmi_admin_t)
|
|
+init_exec(pegasus_openlmi_admin_t)
|
|
+
|
|
+systemd_config_all_services(pegasus_openlmi_admin_t)
|
|
+systemd_manage_all_unit_files(pegasus_openlmi_admin_t)
|
|
+systemd_manage_all_unit_lnk_files(pegasus_openlmi_admin_t)
|
|
+
|
|
+allow pegasus_openlmi_service_t self:udp_socket create_socket_perms;
|
|
+
|
|
+optional_policy(`
|
|
+ dbus_system_bus_client(pegasus_openlmi_admin_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+#
|
|
+# pegasus openlmi storage local policy
|
|
+#
|
|
+
|
|
+allow pegasus_openlmi_storage_t self:capability { sys_admin sys_rawio };
|
|
+
|
|
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
|
|
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, pegasus_openlmi_storage_lib_t)
|
|
+files_var_lib_filetrans(pegasus_openlmi_storage_t, pegasus_openlmi_storage_lib_t, file)
|
|
+
|
|
+manage_files_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
|
|
+manage_dirs_pattern(pegasus_openlmi_storage_t, pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t)
|
|
+files_tmp_filetrans(pegasus_openlmi_storage_tmp_t, pegasus_openlmi_storage_tmp_t, { file dir})
|
|
+
|
|
+kernel_read_all_sysctls(pegasus_openlmi_storage_t)
|
|
+kernel_get_sysvipc_info(pegasus_openlmi_storage_t)
|
|
+
|
|
+dev_read_rand(pegasus_openlmi_storage_t)
|
|
+dev_read_urand(pegasus_openlmi_storage_t)
|
|
+
|
|
+dev_rw_lvm_control(pegasus_openlmi_storage_t)
|
|
+dev_rw_sysfs(pegasus_openlmi_storage_t)
|
|
+
|
|
+selinux_validate_context(pegasus_openlmi_storage_t)
|
|
+
|
|
+seutil_read_file_contexts(pegasus_openlmi_storage_t)
|
|
+
|
|
+storage_raw_read_fixed_disk(pegasus_openlmi_storage_t)
|
|
+storage_raw_write_fixed_disk(pegasus_openlmi_storage_t)
|
|
+
|
|
+fs_getattr_all_fs(pegasus_openlmi_storage_t)
|
|
+
|
|
+modutils_domtrans_insmod(pegasus_openlmi_storage_t)
|
|
+
|
|
+udev_domtrans(pegasus_openlmi_storage_t)
|
|
+udev_read_pid_files(pegasus_openlmi_storage_t)
|
|
+
|
|
+optional_policy(`
|
|
+ dmidecode_domtrans(pegasus_openlmi_storage_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ fstools_domtrans(pegasus_openlmi_storage_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ lvm_domtrans(pegasus_openlmi_storage_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mount_domtrans(pegasus_openlmi_storage_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ raid_domtrans_mdadm(pegasus_openlmi_storage_t)
|
|
+ raid_filetrans_named_content(pegasus_openlmi_storage_t)
|
|
+ raid_manage_conf_files(pegasus_openlmi_storage_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+#
|
|
+# pegasus openlmi unconfined local policy
|
|
+#
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_domain(pegasus_openlmi_unconfined_t)
|
|
+')
|
|
+
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# pegasus local policy
|
|
#
|
|
|
|
allow pegasus_t self:capability { chown kill ipc_lock sys_nice setuid setgid dac_override net_admin net_bind_service };
|
|
dontaudit pegasus_t self:capability sys_tty_config;
|
|
-allow pegasus_t self:process signal;
|
|
+allow pegasus_t self:process { setsched signal };
|
|
allow pegasus_t self:fifo_file rw_fifo_file_perms;
|
|
-allow pegasus_t self:unix_stream_socket { connectto accept listen };
|
|
-allow pegasus_t self:tcp_socket { accept listen };
|
|
+allow pegasus_t self:unix_dgram_socket create_socket_perms;
|
|
+allow pegasus_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
|
+allow pegasus_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
|
|
-allow pegasus_t pegasus_conf_t:file { read_file_perms delete_file_perms rename_file_perms };
|
|
+allow pegasus_t pegasus_conf_t:file { read_file_perms link delete_file_perms rename_file_perms };
|
|
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
|
|
|
manage_dirs_pattern(pegasus_t, pegasus_cache_t, pegasus_cache_t)
|
|
@@ -54,22 +302,22 @@ files_var_filetrans(pegasus_t, pegasus_cache_t, { dir file lnk_file })
|
|
manage_dirs_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
|
manage_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
|
manage_lnk_files_pattern(pegasus_t, pegasus_data_t, pegasus_data_t)
|
|
-filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { dir file })
|
|
+filetrans_pattern(pegasus_t, pegasus_conf_t, pegasus_data_t, { file dir })
|
|
+
|
|
+can_exec(pegasus_t, pegasus_exec_t)
|
|
|
|
allow pegasus_t pegasus_mof_t:dir list_dir_perms;
|
|
-allow pegasus_t pegasus_mof_t:file read_file_perms;
|
|
-allow pegasus_t pegasus_mof_t:lnk_file read_lnk_file_perms;
|
|
+read_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t)
|
|
+read_lnk_files_pattern(pegasus_t, pegasus_mof_t, pegasus_mof_t)
|
|
|
|
manage_dirs_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
|
|
manage_files_pattern(pegasus_t, pegasus_tmp_t, pegasus_tmp_t)
|
|
-files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { dir file })
|
|
+files_tmp_filetrans(pegasus_t, pegasus_tmp_t, { file dir })
|
|
|
|
+manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
|
|
manage_dirs_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
|
|
manage_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
|
|
-manage_sock_files_pattern(pegasus_t, pegasus_var_run_t, pegasus_var_run_t)
|
|
-files_pid_filetrans(pegasus_t, pegasus_var_run_t, { dir file sock_file })
|
|
-
|
|
-can_exec(pegasus_t, pegasus_exec_t)
|
|
+files_pid_filetrans(pegasus_t, pegasus_var_run_t, { file dir })
|
|
|
|
kernel_read_network_state(pegasus_t)
|
|
kernel_read_kernel_sysctls(pegasus_t)
|
|
@@ -80,27 +328,21 @@ kernel_read_net_sysctls(pegasus_t)
|
|
kernel_read_xen_state(pegasus_t)
|
|
kernel_write_xen_state(pegasus_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(pegasus_t)
|
|
corenet_all_recvfrom_netlabel(pegasus_t)
|
|
corenet_tcp_sendrecv_generic_if(pegasus_t)
|
|
corenet_tcp_sendrecv_generic_node(pegasus_t)
|
|
corenet_tcp_sendrecv_all_ports(pegasus_t)
|
|
corenet_tcp_bind_generic_node(pegasus_t)
|
|
-
|
|
-corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
|
|
corenet_tcp_bind_pegasus_http_port(pegasus_t)
|
|
-
|
|
-corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
|
|
corenet_tcp_bind_pegasus_https_port(pegasus_t)
|
|
-
|
|
-corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
|
|
corenet_tcp_connect_pegasus_http_port(pegasus_t)
|
|
-
|
|
-corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
|
|
corenet_tcp_connect_pegasus_https_port(pegasus_t)
|
|
-
|
|
-corenet_sendrecv_generic_client_packets(pegasus_t)
|
|
corenet_tcp_connect_generic_port(pegasus_t)
|
|
+corenet_sendrecv_generic_client_packets(pegasus_t)
|
|
+corenet_sendrecv_pegasus_http_client_packets(pegasus_t)
|
|
+corenet_sendrecv_pegasus_http_server_packets(pegasus_t)
|
|
+corenet_sendrecv_pegasus_https_client_packets(pegasus_t)
|
|
+corenet_sendrecv_pegasus_https_server_packets(pegasus_t)
|
|
|
|
corecmd_exec_bin(pegasus_t)
|
|
corecmd_exec_shell(pegasus_t)
|
|
@@ -114,6 +356,7 @@ files_getattr_all_dirs(pegasus_t)
|
|
|
|
auth_use_nsswitch(pegasus_t)
|
|
auth_domtrans_chk_passwd(pegasus_t)
|
|
+auth_read_shadow(pegasus_t)
|
|
|
|
domain_use_interactive_fds(pegasus_t)
|
|
domain_read_all_domains_state(pegasus_t)
|
|
@@ -128,18 +371,25 @@ init_stream_connect_script(pegasus_t)
|
|
logging_send_audit_msgs(pegasus_t)
|
|
logging_send_syslog_msg(pegasus_t)
|
|
|
|
-miscfiles_read_localization(pegasus_t)
|
|
+mount_domtrans(pegasus_t)
|
|
+
|
|
+sysnet_read_config(pegasus_t)
|
|
+sysnet_domtrans_ifconfig(pegasus_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
|
|
userdom_dontaudit_search_user_home_dirs(pegasus_t)
|
|
|
|
optional_policy(`
|
|
- dbus_system_bus_client(pegasus_t)
|
|
- dbus_connect_system_bus(pegasus_t)
|
|
+ dbus_system_bus_client(pegasus_t)
|
|
+ dbus_connect_system_bus(pegasus_t)
|
|
|
|
- optional_policy(`
|
|
- networkmanager_dbus_chat(pegasus_t)
|
|
- ')
|
|
+ optional_policy(`
|
|
+ networkmanager_dbus_chat(pegasus_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rhcs_stream_connect_cluster(pegasus_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -151,16 +401,24 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- rpm_exec(pegasus_t)
|
|
+ ricci_stream_connect_modclusterd(pegasus_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- samba_manage_config(pegasus_t)
|
|
+ realmd_dbus_chat(pegasus_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- seutil_sigchld_newrole(pegasus_t)
|
|
- seutil_dontaudit_read_config(pegasus_t)
|
|
+ rpc_read_exports(pegasus_t)
|
|
+ rpc_read_nfs_state_data(pegasus_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rpm_domtrans(pegasus_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ samba_manage_config(pegasus_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -168,7 +426,7 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- sysnet_domtrans_ifconfig(pegasus_t)
|
|
+ seutil_sigchld_newrole(pegasus_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
diff --git a/pesign.fc b/pesign.fc
|
|
new file mode 100644
|
|
index 0000000..7b54c39
|
|
--- /dev/null
|
|
+++ b/pesign.fc
|
|
@@ -0,0 +1,6 @@
|
|
+/usr/bin/pesign -- gen_context(system_u:object_r:pesign_exec_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/pesign.service -- gen_context(system_u:object_r:pesign_unit_file_t,s0)
|
|
+
|
|
+/var/run/pesign(/.*)? gen_context(system_u:object_r:pesign_var_run_t,s0)
|
|
+/var/run/pesign\.pid -- gen_context(system_u:object_r:pesign_var_run_t,s0)
|
|
diff --git a/pesign.if b/pesign.if
|
|
new file mode 100644
|
|
index 0000000..abd5dd8
|
|
--- /dev/null
|
|
+++ b/pesign.if
|
|
@@ -0,0 +1,98 @@
|
|
+
|
|
+## <summary>pesign utility for signing UEFI binaries as well as other associated tools</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute TEMPLATE in the pesign domin.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pesign_domtrans',`
|
|
+ gen_require(`
|
|
+ type pesign_t, pesign_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, pesign_exec_t, pesign_t)
|
|
+')
|
|
+########################################
|
|
+## <summary>
|
|
+## Read pesign PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pesign_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type pesign_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ read_files_pattern($1, pesign_var_run_t, pesign_var_run_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute pesign server in the pesign domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pesign_systemctl',`
|
|
+ gen_require(`
|
|
+ type pesign_t;
|
|
+ type pesign_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ allow $1 pesign_unit_file_t:file read_file_perms;
|
|
+ allow $1 pesign_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, pesign_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an pesign environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`pesign_admin',`
|
|
+ gen_require(`
|
|
+ type pesign_t;
|
|
+ type pesign_var_run_t;
|
|
+ type pesign_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 pesign_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, pesign_t)
|
|
+
|
|
+ files_search_pids($1)
|
|
+ admin_pattern($1, pesign_var_run_t)
|
|
+
|
|
+ pesign_systemctl($1)
|
|
+ admin_pattern($1, pesign_unit_file_t)
|
|
+ allow $1 pesign_unit_file_t:service all_service_perms;
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+')
|
|
diff --git a/pesign.te b/pesign.te
|
|
new file mode 100644
|
|
index 0000000..513887d
|
|
--- /dev/null
|
|
+++ b/pesign.te
|
|
@@ -0,0 +1,43 @@
|
|
+policy_module(pesign, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type pesign_t;
|
|
+type pesign_exec_t;
|
|
+init_daemon_domain(pesign_t, pesign_exec_t)
|
|
+
|
|
+type pesign_var_run_t;
|
|
+files_pid_file(pesign_var_run_t)
|
|
+
|
|
+type pesign_unit_file_t;
|
|
+systemd_unit_file(pesign_unit_file_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# pesign local policy
|
|
+#
|
|
+
|
|
+allow pesign_t self:capability { setgid setuid };
|
|
+allow pesign_t self:process setsched;
|
|
+allow pesign_t self:fifo_file rw_fifo_file_perms;
|
|
+allow pesign_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
|
|
+manage_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
|
|
+manage_lnk_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
|
|
+manage_sock_files_pattern(pesign_t, pesign_var_run_t, pesign_var_run_t)
|
|
+files_pid_filetrans(pesign_t, pesign_var_run_t, { file dir })
|
|
+
|
|
+dev_read_urand(pesign_t)
|
|
+
|
|
+files_dontaudit_list_tmp(pesign_t)
|
|
+
|
|
+auth_use_nsswitch(pesign_t)
|
|
+
|
|
+logging_send_syslog_msg(pesign_t)
|
|
+
|
|
+miscfiles_read_certs(pesign_t)
|
|
+miscfiles_read_localization(pesign_t)
|
|
diff --git a/pingd.if b/pingd.if
|
|
index 21a6ecb..b99e4cb 100644
|
|
--- a/pingd.if
|
|
+++ b/pingd.if
|
|
@@ -55,7 +55,8 @@ interface(`pingd_manage_config',`
|
|
')
|
|
|
|
files_search_etc($1)
|
|
- allow $1 pingd_etc_t:file manage_file_perms;
|
|
+ manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
|
|
+ manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
|
|
')
|
|
|
|
#######################################
|
|
@@ -81,9 +82,13 @@ interface(`pingd_admin',`
|
|
type pingd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 pingd_t:process { ptrace signal_perms };
|
|
+ allow $1 pingd_t:process signal_perms;
|
|
ps_process_pattern($1, pingd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 pingd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, pingd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 pingd_initrc_exec_t system_r;
|
|
diff --git a/pingd.te b/pingd.te
|
|
index ab01060..3817823 100644
|
|
--- a/pingd.te
|
|
+++ b/pingd.te
|
|
@@ -10,7 +10,7 @@ type pingd_exec_t;
|
|
init_daemon_domain(pingd_t, pingd_exec_t)
|
|
|
|
type pingd_etc_t;
|
|
-files_type(pingd_etc_t)
|
|
+files_config_file(pingd_etc_t)
|
|
|
|
type pingd_initrc_exec_t;
|
|
init_script_file(pingd_initrc_exec_t)
|
|
@@ -50,5 +50,3 @@ auth_use_nsswitch(pingd_t)
|
|
files_search_usr(pingd_t)
|
|
|
|
logging_send_syslog_msg(pingd_t)
|
|
-
|
|
-miscfiles_read_localization(pingd_t)
|
|
diff --git a/piranha.fc b/piranha.fc
|
|
new file mode 100644
|
|
index 0000000..20ea9f5
|
|
--- /dev/null
|
|
+++ b/piranha.fc
|
|
@@ -0,0 +1,24 @@
|
|
+
|
|
+/etc/rc\.d/init\.d/pulse -- gen_context(system_u:object_r:piranha_pulse_initrc_exec_t,s0)
|
|
+
|
|
+# RHEL6
|
|
+#/etc/sysconfig/ha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
|
|
+
|
|
+/etc/piranha/lvs\.cf -- gen_context(system_u:object_r:piranha_etc_rw_t,s0)
|
|
+
|
|
+/usr/sbin/fos -- gen_context(system_u:object_r:piranha_fos_exec_t,s0)
|
|
+/usr/sbin/lvsd -- gen_context(system_u:object_r:piranha_lvs_exec_t,s0)
|
|
+/usr/sbin/piranha_gui -- gen_context(system_u:object_r:piranha_web_exec_t,s0)
|
|
+/usr/sbin/pulse -- gen_context(system_u:object_r:piranha_pulse_exec_t,s0)
|
|
+
|
|
+/var/lib/luci(/.*)? gen_context(system_u:object_r:piranha_web_data_t,s0)
|
|
+/var/lib/luci/cert(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
|
|
+/var/lib/luci/etc(/.*)? gen_context(system_u:object_r:piranha_web_conf_t,s0)
|
|
+
|
|
+/var/log/piranha(/.*)? gen_context(system_u:object_r:piranha_log_t,s0)
|
|
+
|
|
+/var/run/fos\.pid -- gen_context(system_u:object_r:piranha_fos_var_run_t,s0)
|
|
+/var/run/lvs\.pid -- gen_context(system_u:object_r:piranha_lvs_var_run_t,s0)
|
|
+/var/run/piranha-httpd\.pid -- gen_context(system_u:object_r:piranha_web_var_run_t,s0)
|
|
+/var/run/pulse\.pid -- gen_context(system_u:object_r:piranha_pulse_var_run_t,s0)
|
|
+
|
|
diff --git a/piranha.if b/piranha.if
|
|
new file mode 100644
|
|
index 0000000..cf54103
|
|
--- /dev/null
|
|
+++ b/piranha.if
|
|
@@ -0,0 +1,187 @@
|
|
+## <summary>policy for piranha</summary>
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Creates types and rules for a basic
|
|
+## cluster init daemon domain.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## Prefix for the domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`piranha_domain_template',`
|
|
+ gen_require(`
|
|
+ attribute piranha_domain;
|
|
+ ')
|
|
+
|
|
+ ##############################
|
|
+ #
|
|
+ # piranha_$1_t declarations
|
|
+ #
|
|
+
|
|
+ type piranha_$1_t, piranha_domain;
|
|
+ type piranha_$1_exec_t;
|
|
+ init_daemon_domain(piranha_$1_t, piranha_$1_exec_t)
|
|
+
|
|
+ # tmpfs files
|
|
+ type piranha_$1_tmpfs_t, piranha_tmpfs;
|
|
+ files_tmpfs_file(piranha_$1_tmpfs_t)
|
|
+
|
|
+ # pid files
|
|
+ type piranha_$1_var_run_t;
|
|
+ files_pid_file(piranha_$1_var_run_t)
|
|
+
|
|
+ ##############################
|
|
+ #
|
|
+ # piranha_$1_t local policy
|
|
+ #
|
|
+
|
|
+ manage_dirs_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
|
|
+ manage_files_pattern(piranha_$1_t, piranha_$1_tmpfs_t, piranha_$1_tmpfs_t)
|
|
+ fs_tmpfs_filetrans(piranha_$1_t, piranha_$1_tmpfs_t, { dir file })
|
|
+
|
|
+ manage_files_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
|
|
+ manage_dirs_pattern(piranha_$1_t, piranha_$1_var_run_t, piranha_$1_var_run_t)
|
|
+ files_pid_filetrans(piranha_$1_t, piranha_$1_var_run_t, { dir file })
|
|
+
|
|
+ kernel_read_system_state(piranha_$1_t)
|
|
+
|
|
+ auth_use_nsswitch(piranha_$1_t)
|
|
+
|
|
+ logging_send_syslog_msg(piranha_$1_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute a domain transition to run fos.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`piranha_domtrans_fos',`
|
|
+ gen_require(`
|
|
+ type piranha_fos_t, piranha_fos_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, piranha_fos_exec_t, piranha_fos_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute a domain transition to run lvsd.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`piranha_domtrans_lvs',`
|
|
+ gen_require(`
|
|
+ type piranha_lvs_t, piranha_lvs_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, piranha_lvs_exec_t, piranha_lvs_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute a domain transition to run pulse.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`piranha_domtrans_pulse',`
|
|
+ gen_require(`
|
|
+ type piranha_pulse_t, piranha_pulse_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, piranha_pulse_exec_t, piranha_pulse_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute pulse server in the pulse domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`piranha_pulse_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type piranha_pulse_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, piranha_pulse_initrc_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow the specified domain to read piranha's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`piranha_read_log',`
|
|
+ gen_require(`
|
|
+ type piranha_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, piranha_log_t, piranha_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow the specified domain to append
|
|
+## piranha log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`piranha_append_log',`
|
|
+ gen_require(`
|
|
+ type piranha_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, piranha_log_t, piranha_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow domain to manage piranha log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`piranha_manage_log',`
|
|
+ gen_require(`
|
|
+ type piranha_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ manage_dirs_pattern($1, piranha_log_t, piranha_log_t)
|
|
+ manage_files_pattern($1, piranha_log_t, piranha_log_t)
|
|
+ manage_lnk_files_pattern($1, piranha_log_t, piranha_log_t)
|
|
+')
|
|
diff --git a/piranha.te b/piranha.te
|
|
new file mode 100644
|
|
index 0000000..a989aea
|
|
--- /dev/null
|
|
+++ b/piranha.te
|
|
@@ -0,0 +1,292 @@
|
|
+policy_module(piranha, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow piranha-lvs domain to connect to the network using TCP.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(piranha_lvs_can_network_connect, false)
|
|
+
|
|
+attribute piranha_domain;
|
|
+attribute piranha_tmpfs;
|
|
+
|
|
+piranha_domain_template(fos)
|
|
+
|
|
+piranha_domain_template(lvs)
|
|
+
|
|
+piranha_domain_template(pulse)
|
|
+
|
|
+type piranha_pulse_initrc_exec_t;
|
|
+init_script_file(piranha_pulse_initrc_exec_t)
|
|
+
|
|
+piranha_domain_template(web)
|
|
+
|
|
+type piranha_web_conf_t;
|
|
+files_config_file(piranha_web_conf_t)
|
|
+
|
|
+type piranha_web_data_t;
|
|
+files_type(piranha_web_data_t)
|
|
+
|
|
+type piranha_web_tmp_t;
|
|
+files_tmp_file(piranha_web_tmp_t)
|
|
+
|
|
+type piranha_etc_rw_t;
|
|
+files_config_file(piranha_etc_rw_t)
|
|
+
|
|
+type piranha_log_t;
|
|
+logging_log_file(piranha_log_t)
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# piranha-fos local policy
|
|
+#
|
|
+
|
|
+kernel_read_kernel_sysctls(piranha_fos_t)
|
|
+
|
|
+domain_read_all_domains_state(piranha_fos_t)
|
|
+
|
|
+optional_policy(`
|
|
+ consoletype_exec(piranha_fos_t)
|
|
+')
|
|
+
|
|
+# start and stop services
|
|
+init_domtrans_script(piranha_fos_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# piranha-gui local policy
|
|
+#
|
|
+
|
|
+allow piranha_web_t self:capability { setuid sys_nice kill setgid };
|
|
+allow piranha_web_t self:process { getsched setsched signal signull };
|
|
+
|
|
+allow piranha_web_t self:rawip_socket create_socket_perms;
|
|
+allow piranha_web_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+allow piranha_web_t self:sem create_sem_perms;
|
|
+allow piranha_web_t self:shm create_shm_perms;
|
|
+
|
|
+manage_files_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
|
|
+manage_dirs_pattern(piranha_web_t, piranha_web_data_t, piranha_web_data_t)
|
|
+files_var_lib_filetrans(piranha_web_t, piranha_web_data_t, file)
|
|
+
|
|
+read_files_pattern(piranha_web_t, piranha_web_conf_t, piranha_web_conf_t)
|
|
+
|
|
+rw_files_pattern(piranha_web_t, piranha_etc_rw_t, piranha_etc_rw_t)
|
|
+
|
|
+manage_dirs_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
|
|
+manage_files_pattern(piranha_web_t, piranha_log_t, piranha_log_t)
|
|
+logging_log_filetrans(piranha_web_t, piranha_log_t, { dir file })
|
|
+
|
|
+can_exec(piranha_web_t, piranha_web_tmp_t)
|
|
+manage_dirs_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
|
|
+manage_files_pattern(piranha_web_t, piranha_web_tmp_t, piranha_web_tmp_t)
|
|
+files_tmp_filetrans(piranha_web_t, piranha_web_tmp_t, { file dir })
|
|
+
|
|
+piranha_pulse_initrc_domtrans(piranha_web_t)
|
|
+
|
|
+kernel_read_kernel_sysctls(piranha_web_t)
|
|
+
|
|
+corenet_tcp_bind_http_cache_port(piranha_web_t)
|
|
+corenet_tcp_bind_luci_port(piranha_web_t)
|
|
+corenet_tcp_bind_servistaitsm_port(piranha_web_t)
|
|
+corenet_tcp_connect_ricci_port(piranha_web_t)
|
|
+
|
|
+dev_read_rand(piranha_web_t)
|
|
+dev_read_urand(piranha_web_t)
|
|
+
|
|
+domain_read_all_domains_state(piranha_web_t)
|
|
+
|
|
+
|
|
+optional_policy(`
|
|
+ consoletype_exec(piranha_web_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ apache_read_config(piranha_web_t)
|
|
+ apache_exec_modules(piranha_web_t)
|
|
+ apache_exec(piranha_web_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ gnome_dontaudit_search_config(piranha_web_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ sasl_connect(piranha_web_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ snmp_dontaudit_read_snmp_var_lib_files(piranha_web_t)
|
|
+ snmp_dontaudit_write_snmp_var_lib_files(piranha_web_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+#
|
|
+# piranha-lvs local policy
|
|
+#
|
|
+
|
|
+# neede by nanny
|
|
+allow piranha_lvs_t self:capability { net_raw sys_nice };
|
|
+allow piranha_lvs_t self:process signal;
|
|
+allow piranha_lvs_t self:unix_dgram_socket create_socket_perms;
|
|
+allow piranha_lvs_t self:rawip_socket create_socket_perms;
|
|
+
|
|
+manage_files_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
|
|
+manage_dirs_pattern(piranha_lvs_t, piranha_pulse_tmpfs_t,piranha_pulse_tmpfs_t)
|
|
+
|
|
+kernel_read_kernel_sysctls(piranha_lvs_t)
|
|
+
|
|
+# needed by nanny
|
|
+corenet_tcp_connect_ftp_port(piranha_lvs_t)
|
|
+corenet_tcp_connect_http_port(piranha_lvs_t)
|
|
+corenet_tcp_connect_smtp_port(piranha_lvs_t)
|
|
+
|
|
+sysnet_dns_name_resolve(piranha_lvs_t)
|
|
+
|
|
+# needed by nanny
|
|
+tunable_policy(`piranha_lvs_can_network_connect',`
|
|
+ corenet_tcp_connect_all_ports(piranha_lvs_t)
|
|
+')
|
|
+
|
|
+# needed by ipvsadm
|
|
+optional_policy(`
|
|
+ iptables_domtrans(piranha_lvs_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# piranha-pulse local policy
|
|
+#
|
|
+
|
|
+allow piranha_pulse_t self:capability net_admin;
|
|
+
|
|
+allow piranha_pulse_t self:packet_socket create_socket_perms;
|
|
+
|
|
+# pulse starts fos and lvs daemon
|
|
+domtrans_pattern(piranha_pulse_t, piranha_fos_exec_t, piranha_fos_t)
|
|
+allow piranha_pulse_t piranha_fos_t:process signal;
|
|
+
|
|
+domtrans_pattern(piranha_pulse_t, piranha_lvs_exec_t, piranha_lvs_t)
|
|
+allow piranha_pulse_t piranha_lvs_t:process signal;
|
|
+
|
|
+kernel_read_kernel_sysctls(piranha_pulse_t)
|
|
+kernel_read_rpc_sysctls(piranha_pulse_t)
|
|
+kernel_rw_rpc_sysctls(piranha_pulse_t)
|
|
+kernel_search_debugfs(piranha_pulse_t)
|
|
+kernel_search_network_state(piranha_pulse_t)
|
|
+
|
|
+corecmd_exec_bin(piranha_pulse_t)
|
|
+corecmd_exec_shell(piranha_pulse_t)
|
|
+optional_policy(`
|
|
+ consoletype_exec(piranha_pulse_t)
|
|
+')
|
|
+
|
|
+corenet_udp_bind_apertus_ldp_port(piranha_pulse_t)
|
|
+corenet_udp_bind_cma_port(piranha_pulse_t)
|
|
+
|
|
+domain_read_all_domains_state(piranha_pulse_t)
|
|
+domain_getattr_all_domains(piranha_pulse_t)
|
|
+
|
|
+fs_getattr_all_fs(piranha_pulse_t)
|
|
+
|
|
+init_initrc_domain(piranha_pulse_t)
|
|
+
|
|
+logging_send_syslog_msg(piranha_pulse_t)
|
|
+
|
|
+# various services to failover
|
|
+
|
|
+optional_policy(`
|
|
+ apache_domtrans(piranha_pulse_t)
|
|
+ apache_signal(piranha_pulse_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ftp_domtrans(piranha_pulse_t)
|
|
+ ftp_initrc_domtrans(piranha_pulse_t)
|
|
+ ftp_systemctl(piranha_pulse_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ hostname_exec(piranha_pulse_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ iptables_domtrans(piranha_pulse_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ldap_systemctl(piranha_pulse_t)
|
|
+ ldap_initrc_domtrans(piranha_pulse_t)
|
|
+ ldap_domtrans(piranha_pulse_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mysql_domtrans_mysql_safe(piranha_pulse_t)
|
|
+ mysql_stream_connect(piranha_pulse_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ netutils_domtrans(piranha_pulse_t)
|
|
+ netutils_domtrans_ping(piranha_pulse_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ postgresql_domtrans(piranha_pulse_t)
|
|
+ postgresql_signal(piranha_pulse_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ samba_initrc_domtrans(piranha_pulse_t)
|
|
+ samba_systemctl(piranha_pulse_t)
|
|
+ samba_domtrans_smbd(piranha_pulse_t)
|
|
+ samba_domtrans_nmbd(piranha_pulse_t)
|
|
+ samba_manage_var_files(piranha_pulse_t)
|
|
+ samba_rw_config(piranha_pulse_t)
|
|
+ samba_signal_smbd(piranha_pulse_t)
|
|
+ samba_signal_nmbd(piranha_pulse_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ sysnet_domtrans_ifconfig(piranha_pulse_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ udev_read_db(piranha_pulse_t)
|
|
+')
|
|
+
|
|
+####################################
|
|
+#
|
|
+# piranha domains common policy
|
|
+#
|
|
+
|
|
+allow piranha_domain self:process signal_perms;
|
|
+allow piranha_domain self:fifo_file rw_fifo_file_perms;
|
|
+allow piranha_domain self:tcp_socket create_stream_socket_perms;
|
|
+allow piranha_domain self:udp_socket create_socket_perms;
|
|
+allow piranha_domain self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+read_files_pattern(piranha_domain, piranha_etc_rw_t, piranha_etc_rw_t)
|
|
+
|
|
+manage_files_pattern(piranha_pulse_t, piranha_tmpfs,piranha_tmpfs)
|
|
+manage_dirs_pattern(piranha_pulse_t, piranha_tmpfs ,piranha_tmpfs)
|
|
+
|
|
+kernel_read_network_state(piranha_domain)
|
|
+
|
|
+corenet_tcp_sendrecv_generic_if(piranha_domain)
|
|
+corenet_udp_sendrecv_generic_if(piranha_domain)
|
|
+corenet_tcp_sendrecv_generic_node(piranha_domain)
|
|
+corenet_udp_sendrecv_generic_node(piranha_domain)
|
|
+corenet_tcp_sendrecv_all_ports(piranha_domain)
|
|
+corenet_udp_sendrecv_all_ports(piranha_domain)
|
|
+corenet_tcp_bind_generic_node(piranha_domain)
|
|
+corenet_udp_bind_generic_node(piranha_domain)
|
|
+
|
|
+corecmd_exec_bin(piranha_domain)
|
|
+corecmd_exec_shell(piranha_domain)
|
|
+
|
|
+sysnet_read_config(piranha_domain)
|
|
diff --git a/pkcs.te b/pkcs.te
|
|
index 8eb3f7b..7c08f64 100644
|
|
--- a/pkcs.te
|
|
+++ b/pkcs.te
|
|
@@ -7,21 +7,27 @@ policy_module(pkcs, 1.0.1)
|
|
|
|
type pkcs_slotd_t;
|
|
type pkcs_slotd_exec_t;
|
|
+typealias pkcs_slotd_t alias pkcsslotd_t;
|
|
+typealias pkcs_slotd_exec_t alias pkcsslotd_exec_t;
|
|
init_daemon_domain(pkcs_slotd_t, pkcs_slotd_exec_t)
|
|
|
|
type pkcs_slotd_initrc_exec_t;
|
|
init_script_file(pkcs_slotd_initrc_exec_t)
|
|
|
|
type pkcs_slotd_var_lib_t;
|
|
+typealias pkcs_slotd_var_lib_t alias pkcsslotd_var_lib_t;
|
|
files_type(pkcs_slotd_var_lib_t)
|
|
|
|
type pkcs_slotd_var_run_t;
|
|
+typealias pkcs_slotd_var_run_t alias pkcsslotd_var_run_t;
|
|
files_pid_file(pkcs_slotd_var_run_t)
|
|
|
|
type pkcs_slotd_tmp_t;
|
|
+typealias pkcs_slotd_tmp_t alias pkcsslotd_tmp_t;
|
|
files_tmp_file(pkcs_slotd_tmp_t)
|
|
|
|
type pkcs_slotd_tmpfs_t;
|
|
+typealias pkcs_slotd_tmpfs_t alias pkcsslotd_tmpfs_t;
|
|
files_tmpfs_file(pkcs_slotd_tmpfs_t)
|
|
|
|
########################################
|
|
@@ -53,8 +59,5 @@ manage_dirs_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
|
|
manage_files_pattern(pkcs_slotd_t, pkcs_slotd_tmpfs_t, pkcs_slotd_tmpfs_t)
|
|
fs_tmpfs_filetrans(pkcs_slotd_t, pkcs_slotd_tmpfs_t, dir)
|
|
|
|
-files_read_etc_files(pkcs_slotd_t)
|
|
-
|
|
logging_send_syslog_msg(pkcs_slotd_t)
|
|
|
|
-miscfiles_read_localization(pkcs_slotd_t)
|
|
diff --git a/pki.fc b/pki.fc
|
|
new file mode 100644
|
|
index 0000000..726d992
|
|
--- /dev/null
|
|
+++ b/pki.fc
|
|
@@ -0,0 +1,56 @@
|
|
+/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
|
|
+/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
|
|
+/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
|
|
+/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
|
|
+/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
|
|
+/var/log/pki gen_context(system_u:object_r:pki_log_t,s0)
|
|
+/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
|
|
+/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
|
|
+
|
|
+/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
|
|
+/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
|
|
+/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0)
|
|
+/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0)
|
|
+/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
|
|
+/var/lib/pki-ra/pki-ra gen_context(system_u:object_r:pki_ra_exec_t,s0)
|
|
+
|
|
+/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
|
|
+/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
|
|
+/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0)
|
|
+/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0)
|
|
+/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
|
|
+/var/lib/pki-tps/pki-tps gen_context(system_u:object_r:pki_tps_exec_t,s0)
|
|
+
|
|
+# default labeling for nCipher
|
|
+/opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0)
|
|
+/opt/nfast/sbin/init.d-ncipher gen_context(system_u:object_r:initrc_exec_t, s0)
|
|
+/opt/nfast(/.*)? gen_context(system_u:object_r:pki_common_t, s0)
|
|
+/dev/nfast(/.*)? gen_context(system_u:object_r:pki_common_dev_t, s0)
|
|
+
|
|
+# old paths (for migration)
|
|
+/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
|
|
+/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
|
|
+/var/run/pki-ca.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
|
|
+/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
|
|
+/var/lib/pki-ca/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
|
|
+/var/lib/ipa/pki-ca/publish(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
|
|
+/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
|
|
+/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
|
|
+/var/run/pki-kra.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
|
|
+/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
|
|
+/var/lib/pki-kra/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
|
|
+/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
|
|
+/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
|
|
+/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
|
|
+/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
|
|
+/var/lib/pki-ocsp/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
|
|
+/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
|
|
+/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
|
|
+/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
|
|
+/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
|
|
+/var/lib/pki-tks/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
|
|
+
|
|
+/var/lock/subsys/pkidaemon -- gen_context(system_u:object_r:pki_tomcat_lock_t,s0)
|
|
+
|
|
+#/etc/systemd/system/pki-tomcatd\.target\.wants(/.*)? gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/pki-tomcat.* gen_context(system_u:object_r:pki_tomcat_unit_file_t,s0)
|
|
diff --git a/pki.if b/pki.if
|
|
new file mode 100644
|
|
index 0000000..b975b85
|
|
--- /dev/null
|
|
+++ b/pki.if
|
|
@@ -0,0 +1,294 @@
|
|
+
|
|
+## <summary>policy for pki</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow read and write pki cert files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pki_rw_tomcat_cert',`
|
|
+ gen_require(`
|
|
+ type pki_tomcat_cert_t;
|
|
+ type pki_tomcat_etc_rw_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 pki_tomcat_etc_rw_t:dir search_dir_perms;
|
|
+ rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
|
|
+ create_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow domain to read pki cert files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pki_read_tomcat_cert',`
|
|
+ gen_require(`
|
|
+ type pki_tomcat_cert_t;
|
|
+ ')
|
|
+
|
|
+ read_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
|
|
+ read_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create a set of derived types for apache
|
|
+## web content.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## The prefix to be used for deriving type names.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`pki_apache_template',`
|
|
+ gen_require(`
|
|
+ attribute pki_apache_domain;
|
|
+ attribute pki_apache_config, pki_apache_var_lib, pki_apache_var_run;
|
|
+ attribute pki_apache_executable, pki_apache_script, pki_apache_var_log;
|
|
+ ')
|
|
+
|
|
+ ########################################
|
|
+ #
|
|
+ # Declarations
|
|
+ #
|
|
+
|
|
+ type $1_t, pki_apache_domain;
|
|
+ type $1_exec_t, pki_apache_executable;
|
|
+ domain_type($1_t)
|
|
+ init_daemon_domain($1_t, $1_exec_t)
|
|
+
|
|
+ type $1_script_exec_t, pki_apache_script;
|
|
+ init_script_file($1_script_exec_t)
|
|
+
|
|
+ type $1_etc_rw_t, pki_apache_config;
|
|
+ files_type($1_etc_rw_t)
|
|
+
|
|
+ type $1_var_run_t, pki_apache_var_run;
|
|
+ files_pid_file($1_var_run_t)
|
|
+
|
|
+ type $1_var_lib_t, pki_apache_var_lib;
|
|
+ files_type($1_var_lib_t)
|
|
+
|
|
+ type $1_log_t, pki_apache_var_log;
|
|
+ logging_log_file($1_log_t)
|
|
+
|
|
+ type $1_lock_t;
|
|
+ files_lock_file($1_lock_t)
|
|
+
|
|
+ type $1_tmp_t;
|
|
+ files_tmpfs_file($1_tmp_t)
|
|
+
|
|
+ ########################################
|
|
+ #
|
|
+ # $1 local policy
|
|
+ #
|
|
+
|
|
+ files_read_etc_files($1_t)
|
|
+ allow $1_t $1_etc_rw_t:lnk_file read;
|
|
+
|
|
+ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
|
|
+ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
|
|
+ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
|
|
+
|
|
+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
|
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
|
+ files_pid_filetrans($1_t,$1_var_run_t, { file dir })
|
|
+
|
|
+ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
|
|
+ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
|
|
+ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
|
|
+ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
|
|
+
|
|
+ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
|
|
+ manage_files_pattern($1_t, $1_log_t, $1_log_t)
|
|
+ logging_log_filetrans($1_t, $1_log_t, { file dir } )
|
|
+
|
|
+ manage_dirs_pattern($1_t, $1_lock_t, $1_lock_t)
|
|
+ manage_files_pattern($1_t, $1_lock_t, $1_lock_t)
|
|
+ manage_lnk_files_pattern($1_t, $1_lock_t, $1_lock_t)
|
|
+ files_lock_filetrans($1_t, $1_lock_t, { dir file lnk_file })
|
|
+
|
|
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
|
|
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
|
|
+ files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
|
|
+
|
|
+ #talk to lunasa hsm
|
|
+ logging_send_syslog_msg($1_t)
|
|
+
|
|
+ kernel_read_kernel_sysctls($1_t)
|
|
+ kernel_read_system_state($1_t)
|
|
+
|
|
+ corenet_all_recvfrom_unlabeled($1_t)
|
|
+
|
|
+ # need to resolve addresses?
|
|
+ auth_use_nsswitch($1_t)
|
|
+
|
|
+ #pki_apache_domain_signal(httpd_t)
|
|
+ #pki_apache_domain_signal(httpd_t)
|
|
+ #pki_manage_apache_run(httpd_t)
|
|
+ #pki_manage_apache_config_files(httpd_t)
|
|
+ #pki_manage_apache_log_files(httpd_t)
|
|
+ #pki_manage_apache_lib(httpd_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Send a null signal to pki apache domains.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pki_apache_domain_signal',`
|
|
+ gen_require(`
|
|
+ attribute pki_apache_domain;
|
|
+ ')
|
|
+
|
|
+ allow $1 pki_apache_domain:process signal;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Send a null signal to pki apache domains.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pki_apache_domain_signull',`
|
|
+ gen_require(`
|
|
+ attribute pki_apache_domain;
|
|
+ ')
|
|
+
|
|
+ allow $1 pki_apache_domain:process signull;
|
|
+')
|
|
+
|
|
+###################################
|
|
+## <summary>
|
|
+## Allow domain to read pki apache subsystem pid files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pki_manage_apache_run',`
|
|
+ gen_require(`
|
|
+ attribute pki_apache_var_run;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, pki_apache_var_run, pki_apache_var_run)
|
|
+')
|
|
+
|
|
+####################################
|
|
+## <summary>
|
|
+## Allow domain to manage pki apache subsystem lib files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pki_manage_apache_lib',`
|
|
+ gen_require(`
|
|
+ attribute pki_apache_var_lib;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
|
|
+ manage_lnk_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
|
|
+')
|
|
+
|
|
+##################################
|
|
+## <summary>
|
|
+## Dontaudit domain to write pki log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pki_dontaudit_write_log',`
|
|
+ gen_require(`
|
|
+ type pki_log_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 pki_log_t:file write;
|
|
+')
|
|
+
|
|
+###################################
|
|
+## <summary>
|
|
+## Allow domain to manage pki apache subsystem log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pki_manage_apache_log_files',`
|
|
+ gen_require(`
|
|
+ attribute pki_apache_var_log;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, pki_apache_var_log, pki_apache_var_log)
|
|
+')
|
|
+
|
|
+##################################
|
|
+## <summary>
|
|
+## Allow domain to manage pki apache subsystem config files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pki_manage_apache_config_files',`
|
|
+ gen_require(`
|
|
+ attribute pki_apache_config;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, pki_apache_config, pki_apache_config)
|
|
+')
|
|
+
|
|
+#################################
|
|
+## <summary>
|
|
+## Allow domain to read pki tomcat lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pki_read_tomcat_lib_files',`
|
|
+ gen_require(`
|
|
+ type pki_tomcat_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
|
|
+ read_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
|
|
+')
|
|
diff --git a/pki.te b/pki.te
|
|
new file mode 100644
|
|
index 0000000..17f5d18
|
|
--- /dev/null
|
|
+++ b/pki.te
|
|
@@ -0,0 +1,284 @@
|
|
+policy_module(pki,10.0.11)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+attribute pki_apache_domain;
|
|
+attribute pki_apache_config;
|
|
+attribute pki_apache_executable;
|
|
+attribute pki_apache_var_lib;
|
|
+attribute pki_apache_var_log;
|
|
+attribute pki_apache_var_run;
|
|
+attribute pki_apache_pidfiles;
|
|
+attribute pki_apache_script;
|
|
+
|
|
+type pki_log_t;
|
|
+files_type(pki_log_t)
|
|
+
|
|
+type pki_common_t;
|
|
+files_type(pki_common_t)
|
|
+
|
|
+type pki_common_dev_t;
|
|
+files_type(pki_common_dev_t)
|
|
+
|
|
+type pki_tomcat_etc_rw_t;
|
|
+files_type(pki_tomcat_etc_rw_t)
|
|
+
|
|
+type pki_tomcat_cert_t;
|
|
+files_type(pki_tomcat_cert_t)
|
|
+
|
|
+tomcat_domain_template(pki_tomcat)
|
|
+
|
|
+type pki_tomcat_unit_file_t;
|
|
+systemd_unit_file(pki_tomcat_unit_file_t)
|
|
+
|
|
+type pki_tomcat_lock_t;
|
|
+files_lock_file(pki_tomcat_lock_t)
|
|
+
|
|
+# old type aliases for migration
|
|
+typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
|
|
+typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
|
|
+typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
|
|
+typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
|
|
+typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
|
|
+# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
|
|
+
|
|
+
|
|
+# pki policy types
|
|
+type pki_tps_tomcat_exec_t;
|
|
+files_type(pki_tps_tomcat_exec_t)
|
|
+
|
|
+pki_apache_template(pki_tps)
|
|
+
|
|
+# ra policy types
|
|
+type pki_ra_tomcat_exec_t;
|
|
+files_type(pki_ra_tomcat_exec_t)
|
|
+
|
|
+pki_apache_template(pki_ra)
|
|
+
|
|
+# needed for dogtag 9 style instances
|
|
+type pki_tomcat_script_t;
|
|
+domain_type(pki_tomcat_script_t)
|
|
+role system_r types pki_tomcat_script_t;
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_domain(pki_tomcat_script_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# pki-tomcat local policy
|
|
+#
|
|
+
|
|
+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
|
|
+allow pki_tomcat_t self:process { signal setsched signull execmem };
|
|
+
|
|
+allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
|
|
+allow pki_tomcat_t self:tcp_socket { accept listen };
|
|
+
|
|
+# allow writing to the kernel keyring
|
|
+allow pki_tomcat_t self:key { write read };
|
|
+
|
|
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
|
|
+manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
|
|
+
|
|
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
|
|
+manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
|
|
+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
|
|
+
|
|
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
|
|
+manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
|
|
+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
|
|
+files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file })
|
|
+
|
|
+read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t,pki_tomcat_unit_file_t)
|
|
+read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)
|
|
+allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;
|
|
+allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr;
|
|
+systemd_search_unit_dirs(pki_tomcat_t)
|
|
+
|
|
+# allow java subsystems to talk to the ncipher hsm
|
|
+allow pki_tomcat_t pki_common_dev_t:sock_file write;
|
|
+allow pki_tomcat_t pki_common_dev_t:dir search;
|
|
+allow pki_tomcat_t pki_common_t:dir create_dir_perms;
|
|
+manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
|
|
+can_exec(pki_tomcat_t, pki_common_t)
|
|
+init_stream_connect_script(pki_tomcat_t)
|
|
+
|
|
+search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
|
|
+
|
|
+kernel_read_kernel_sysctls(pki_tomcat_t)
|
|
+
|
|
+corenet_tcp_connect_http_cache_port(pki_tomcat_t)
|
|
+corenet_tcp_connect_ldap_port(pki_tomcat_t)
|
|
+corenet_tcp_connect_smtp_port(pki_tomcat_t)
|
|
+corenet_tcp_connect_pki_ca_port(pki_tomcat_t)
|
|
+
|
|
+selinux_get_enforce_mode(pki_tomcat_t)
|
|
+
|
|
+logging_send_audit_msgs(pki_tomcat_t)
|
|
+
|
|
+miscfiles_read_hwdata(pki_tomcat_t)
|
|
+
|
|
+# is this really needed?
|
|
+userdom_manage_user_tmp_dirs(pki_tomcat_t)
|
|
+userdom_manage_user_tmp_files(pki_tomcat_t)
|
|
+
|
|
+# forward proxy
|
|
+# need to define ports to fix this
|
|
+#corenet_tcp_connect_pki_tomcat_port(httpd_t)
|
|
+
|
|
+# for crl publishing
|
|
+allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
|
|
+
|
|
+# for ECC
|
|
+auth_getattr_shadow(pki_tomcat_t)
|
|
+
|
|
+optional_policy(`
|
|
+ consoletype_exec(pki_tomcat_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dirsrv_manage_var_lib(pki_tomcat_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ hostname_exec(pki_tomcat_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# tps local policy
|
|
+#
|
|
+
|
|
+# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
|
|
+allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};
|
|
+
|
|
+corenet_tcp_bind_pki_tps_port(pki_tps_t)
|
|
+# customer may run an ldap server on 389
|
|
+corenet_tcp_connect_ldap_port(pki_tps_t)
|
|
+# connect to other subsystems
|
|
+corenet_tcp_connect_pki_ca_port(pki_tps_t)
|
|
+corenet_tcp_connect_pki_kra_port(pki_tps_t)
|
|
+corenet_tcp_connect_pki_tks_port(pki_tps_t)
|
|
+
|
|
+files_exec_usr_files(pki_tps_t)
|
|
+
|
|
+# why do I need to add this?
|
|
+#allow httpd_t httpd_config_t:file execute;
|
|
+
|
|
+######################################
|
|
+#
|
|
+# ra local policy
|
|
+#
|
|
+
|
|
+# RA specific? talking to mysql?
|
|
+allow pki_ra_t self:udp_socket { write read create connect };
|
|
+allow pki_ra_t self:unix_dgram_socket { write create connect };
|
|
+
|
|
+corenet_tcp_bind_pki_ra_port(pki_ra_t)
|
|
+# talk to other subsystems
|
|
+corenet_tcp_connect_pki_ca_port(pki_ra_t)
|
|
+corenet_tcp_connect_smtp_port(pki_ra_t)
|
|
+
|
|
+fs_getattr_xattr_fs(pki_ra_t)
|
|
+
|
|
+files_search_spool(pki_ra_t)
|
|
+files_exec_usr_files(pki_ra_t)
|
|
+
|
|
+optional_policy(`
|
|
+ mta_send_mail(pki_ra_t)
|
|
+ mta_manage_spool(pki_ra_t)
|
|
+ mta_manage_queue(pki_ra_t)
|
|
+ mta_read_config(pki_ra_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+#
|
|
+# pki_apache_domain local policy
|
|
+#
|
|
+
|
|
+
|
|
+allow pki_apache_domain self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown};
|
|
+allow pki_apache_domain self:process { setsched signal getsched signull execstack execmem sigkill};
|
|
+
|
|
+allow pki_apache_domain self:sem all_sem_perms;
|
|
+allow pki_apache_domain self:tcp_socket create_stream_socket_perms;
|
|
+allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read };
|
|
+
|
|
+# allow writing to the kernel keyring
|
|
+allow pki_apache_domain self:key { write read };
|
|
+
|
|
+## internal communication is often done using fifo and unix sockets.
|
|
+allow pki_apache_domain self:fifo_file rw_file_perms;
|
|
+allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+# talk to the hsm
|
|
+allow pki_apache_domain pki_common_dev_t:sock_file write;
|
|
+allow pki_apache_domain pki_common_dev_t:dir search;
|
|
+allow pki_apache_domain pki_common_t:dir create_dir_perms;
|
|
+manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t)
|
|
+can_exec(pki_apache_domain, pki_common_t)
|
|
+init_stream_connect_script(pki_apache_domain)
|
|
+
|
|
+corenet_sendrecv_unlabeled_packets(pki_apache_domain)
|
|
+corenet_tcp_bind_all_nodes(pki_apache_domain)
|
|
+corenet_tcp_sendrecv_all_if(pki_apache_domain)
|
|
+corenet_tcp_sendrecv_all_nodes(pki_apache_domain)
|
|
+corenet_tcp_sendrecv_all_ports(pki_apache_domain)
|
|
+#corenet_all_recvfrom_unlabeled(pki_apache_domain)
|
|
+corenet_tcp_connect_generic_port(pki_apache_domain)
|
|
+
|
|
+# Init script handling
|
|
+domain_use_interactive_fds(pki_apache_domain)
|
|
+
|
|
+seutil_exec_setfiles(pki_apache_domain)
|
|
+
|
|
+init_dontaudit_write_utmp(pki_apache_domain)
|
|
+
|
|
+libs_use_ld_so(pki_apache_domain)
|
|
+libs_use_shared_libs(pki_apache_domain)
|
|
+libs_exec_ld_so(pki_apache_domain)
|
|
+libs_exec_lib_files(pki_apache_domain)
|
|
+
|
|
+fs_search_cgroup_dirs(pki_apache_domain)
|
|
+
|
|
+corecmd_exec_bin(pki_apache_domain)
|
|
+corecmd_exec_shell(pki_apache_domain)
|
|
+
|
|
+dev_read_urand(pki_apache_domain)
|
|
+dev_read_rand(pki_apache_domain)
|
|
+
|
|
+# shutdown script uses ps
|
|
+domain_dontaudit_read_all_domains_state(pki_apache_domain)
|
|
+ps_process_pattern(pki_apache_domain, pki_apache_domain)
|
|
+
|
|
+sysnet_read_config(pki_apache_domain)
|
|
+
|
|
+ifdef(`targeted_policy',`
|
|
+ term_dontaudit_use_unallocated_ttys(pki_apache_domain)
|
|
+ term_dontaudit_use_generic_ptys(pki_apache_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ # apache permissions
|
|
+ apache_exec_modules(pki_apache_domain)
|
|
+ apache_list_modules(pki_apache_domain)
|
|
+ apache_read_config(pki_apache_domain)
|
|
+ apache_exec(pki_apache_domain)
|
|
+ apache_exec_suexec(pki_apache_domain)
|
|
+ apache_entrypoint(pki_apache_domain)
|
|
+
|
|
+ # should be started using a script which will execute httpd
|
|
+ # start up httpd in pki_apache_domain mode
|
|
+ #can_exec(pki_apache_domain, httpd_config_t)
|
|
+ #can_exec(pki_apache_domain, httpd_suexec_exec_t)
|
|
+')
|
|
+
|
|
+# allow rpm -q in init scripts
|
|
+optional_policy(`
|
|
+ rpm_exec(pki_apache_domain)
|
|
+')
|
|
+
|
|
diff --git a/plymouthd.fc b/plymouthd.fc
|
|
index 735500f..ef1dd7a 100644
|
|
--- a/plymouthd.fc
|
|
+++ b/plymouthd.fc
|
|
@@ -1,15 +1,15 @@
|
|
-/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
|
|
+/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
|
|
|
|
-/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
|
|
+/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
|
|
|
|
-/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
|
|
+/usr/bin/plymouth -- gen_context(system_u:object_r:plymouth_exec_t,s0)
|
|
|
|
-/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
|
|
+/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
|
|
|
|
-/var/lib/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_lib_t,s0)
|
|
+/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
|
|
+/var/log/boot\.log gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
|
|
|
|
-/var/log/boot\.log.* -- gen_context(system_u:object_r:plymouthd_var_log_t,mls_systemhigh)
|
|
+/usr/sbin/plymouthd -- gen_context(system_u:object_r:plymouthd_exec_t,s0)
|
|
|
|
-/var/run/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_var_run_t,s0)
|
|
+/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
|
|
|
|
-/var/spool/plymouth(/.*)? gen_context(system_u:object_r:plymouthd_spool_t,s0)
|
|
diff --git a/plymouthd.if b/plymouthd.if
|
|
index 30e751f..3985ff9 100644
|
|
--- a/plymouthd.if
|
|
+++ b/plymouthd.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>Plymouth graphical boot.</summary>
|
|
+## <summary>Plymouth graphical boot</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -10,18 +10,17 @@
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`plymouthd_domtrans',`
|
|
+interface(`plymouthd_domtrans', `
|
|
gen_require(`
|
|
type plymouthd_t, plymouthd_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, plymouthd_exec_t, plymouthd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute plymouthd in the caller domain.
|
|
+## Execute the plymoth daemon in the current domain
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -29,19 +28,18 @@ interface(`plymouthd_domtrans',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`plymouthd_exec',`
|
|
+interface(`plymouthd_exec', `
|
|
gen_require(`
|
|
type plymouthd_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, plymouthd_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to plymouthd using a unix
|
|
-## domain stream socket.
|
|
+## Allow domain to Stream socket connect
|
|
+## to Plymouth daemon.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -49,18 +47,17 @@ interface(`plymouthd_exec',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`plymouthd_stream_connect',`
|
|
+interface(`plymouthd_stream_connect', `
|
|
gen_require(`
|
|
- type plymouthd_t, plymouthd_spool_t;
|
|
+ type plymouthd_t;
|
|
')
|
|
|
|
- files_search_spool($1)
|
|
- stream_connect_pattern($1, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
|
|
+ allow $1 plymouthd_t:unix_stream_socket connectto;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute plymouth in the caller domain.
|
|
+## Execute the plymoth command in the current domain
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -68,18 +65,17 @@ interface(`plymouthd_stream_connect',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`plymouthd_exec_plymouth',`
|
|
+interface(`plymouthd_exec_plymouth', `
|
|
gen_require(`
|
|
type plymouth_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, plymouth_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a domain transition to run plymouth.
|
|
+## Execute a domain transition to run plymouthd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -87,12 +83,11 @@ interface(`plymouthd_exec_plymouth',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`plymouthd_domtrans_plymouth',`
|
|
+interface(`plymouthd_domtrans_plymouth', `
|
|
gen_require(`
|
|
type plymouth_t, plymouth_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, plymouth_exec_t, plymouth_t)
|
|
')
|
|
|
|
@@ -106,13 +101,13 @@ interface(`plymouthd_domtrans_plymouth',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`plymouthd_search_spool',`
|
|
+interface(`plymouthd_search_spool', `
|
|
gen_require(`
|
|
type plymouthd_spool_t;
|
|
')
|
|
|
|
- files_search_spool($1)
|
|
allow $1 plymouthd_spool_t:dir search_dir_perms;
|
|
+ files_search_spool($1)
|
|
')
|
|
|
|
########################################
|
|
@@ -145,7 +140,7 @@ interface(`plymouthd_read_spool_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`plymouthd_manage_spool_files',`
|
|
+interface(`plymouthd_manage_spool_files', `
|
|
gen_require(`
|
|
type plymouthd_spool_t;
|
|
')
|
|
@@ -164,13 +159,13 @@ interface(`plymouthd_manage_spool_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`plymouthd_search_lib',`
|
|
+interface(`plymouthd_search_lib', `
|
|
gen_require(`
|
|
type plymouthd_var_lib_t;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
allow $1 plymouthd_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
')
|
|
|
|
########################################
|
|
@@ -183,7 +178,7 @@ interface(`plymouthd_search_lib',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`plymouthd_read_lib_files',`
|
|
+interface(`plymouthd_read_lib_files', `
|
|
gen_require(`
|
|
type plymouthd_var_lib_t;
|
|
')
|
|
@@ -203,7 +198,7 @@ interface(`plymouthd_read_lib_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`plymouthd_manage_lib_files',`
|
|
+interface(`plymouthd_manage_lib_files', `
|
|
gen_require(`
|
|
type plymouthd_var_lib_t;
|
|
')
|
|
@@ -214,7 +209,7 @@ interface(`plymouthd_manage_lib_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read plymouthd pid files.
|
|
+## Read plymouthd PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -222,7 +217,7 @@ interface(`plymouthd_manage_lib_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`plymouthd_read_pid_files',`
|
|
+interface(`plymouthd_read_pid_files', `
|
|
gen_require(`
|
|
type plymouthd_var_run_t;
|
|
')
|
|
@@ -233,36 +228,93 @@ interface(`plymouthd_read_pid_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an plymouthd environment.
|
|
+## Allow the specified domain to read
|
|
+## to plymouthd log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+#
|
|
+interface(`plymouthd_read_log',`
|
|
+ gen_require(`
|
|
+ type plymouthd_var_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow the specified domain to manage
|
|
+## to plymouthd log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`plymouthd_manage_log',`
|
|
+ gen_require(`
|
|
+ type plymouthd_var_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ manage_dirs_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
|
|
+ manage_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
|
|
+ read_lnk_files_pattern($1, plymouthd_var_log_t, plymouthd_var_log_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow domain to create boot.log
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`plymouthd_create_log',`
|
|
+ gen_require(`
|
|
+ type plymouthd_var_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_rw_generic_log_dirs($1)
|
|
+ logging_log_named_filetrans($1, plymouthd_var_log_t, file, "boot.log")
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an plymouthd environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`plymouthd_admin',`
|
|
+interface(`plymouthd_admin', `
|
|
gen_require(`
|
|
type plymouthd_t, plymouthd_spool_t, plymouthd_var_lib_t;
|
|
type plymouthd_var_run_t;
|
|
')
|
|
|
|
- allow $1 plymouthd_t:process { ptrace signal_perms };
|
|
- read_files_pattern($1, plymouthd_t, plymouthd_t)
|
|
+ allow $1 plymouthd_t:process signal_perms;
|
|
+ ps_process_pattern($1, plymouthd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 plymouthd_t:process ptrace;
|
|
+ ')
|
|
|
|
- files_search_spool($1)
|
|
+ files_list_var_lib($1)
|
|
admin_pattern($1, plymouthd_spool_t)
|
|
|
|
- files_search_var_lib($1)
|
|
admin_pattern($1, plymouthd_var_lib_t)
|
|
|
|
- files_search_pids($1)
|
|
+ files_list_pids($1)
|
|
admin_pattern($1, plymouthd_var_run_t)
|
|
')
|
|
diff --git a/plymouthd.te b/plymouthd.te
|
|
index 3078ce9..c1a1267 100644
|
|
--- a/plymouthd.te
|
|
+++ b/plymouthd.te
|
|
@@ -15,7 +15,7 @@ type plymouthd_exec_t;
|
|
init_daemon_domain(plymouthd_t, plymouthd_exec_t)
|
|
|
|
type plymouthd_spool_t;
|
|
-files_type(plymouthd_spool_t)
|
|
+files_spool_file(plymouthd_spool_t)
|
|
|
|
type plymouthd_var_lib_t;
|
|
files_type(plymouthd_var_lib_t)
|
|
@@ -28,12 +28,12 @@ files_pid_file(plymouthd_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
-# Daemon local policy
|
|
+# Plymouthd private policy
|
|
#
|
|
|
|
allow plymouthd_t self:capability { sys_admin sys_tty_config };
|
|
-dontaudit plymouthd_t self:capability dac_override;
|
|
allow plymouthd_t self:capability2 block_suspend;
|
|
+dontaudit plymouthd_t self:capability dac_override;
|
|
allow plymouthd_t self:process { signal getsched };
|
|
allow plymouthd_t self:fifo_file rw_fifo_file_perms;
|
|
allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
|
|
@@ -48,9 +48,7 @@ manage_files_pattern(plymouthd_t, plymouthd_var_lib_t, plymouthd_var_lib_t)
|
|
files_var_lib_filetrans(plymouthd_t, plymouthd_var_lib_t, { file dir })
|
|
|
|
manage_dirs_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
|
|
-append_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
|
|
-create_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
|
|
-setattr_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
|
|
+manage_files_pattern(plymouthd_t, plymouthd_var_log_t, plymouthd_var_log_t)
|
|
logging_log_filetrans(plymouthd_t, plymouthd_var_log_t, { file dir })
|
|
|
|
manage_dirs_pattern(plymouthd_t, plymouthd_var_run_t, plymouthd_var_run_t)
|
|
@@ -70,19 +68,27 @@ domain_use_interactive_fds(plymouthd_t)
|
|
|
|
fs_getattr_all_fs(plymouthd_t)
|
|
|
|
-files_read_etc_files(plymouthd_t)
|
|
-files_read_usr_files(plymouthd_t)
|
|
|
|
term_getattr_pty_fs(plymouthd_t)
|
|
term_use_all_terms(plymouthd_t)
|
|
term_use_ptmx(plymouthd_t)
|
|
|
|
-miscfiles_read_localization(plymouthd_t)
|
|
+init_signal(plymouthd_t)
|
|
+
|
|
+logging_link_generic_logs(plymouthd_t)
|
|
+logging_delete_generic_logs(plymouthd_t)
|
|
+
|
|
+auth_read_passwd(plymouthd_t)
|
|
+
|
|
miscfiles_read_fonts(plymouthd_t)
|
|
miscfiles_manage_fonts_cache(plymouthd_t)
|
|
|
|
+userdom_read_admin_home_files(plymouthd_t)
|
|
+
|
|
+term_use_unallocated_ttys(plymouthd_t)
|
|
+
|
|
optional_policy(`
|
|
- gnome_read_generic_home_content(plymouthd_t)
|
|
+ gnome_read_config(plymouthd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -90,35 +96,33 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- xserver_manage_xdm_spool_files(plymouthd_t)
|
|
- xserver_read_xdm_state(plymouthd_t)
|
|
+ xserver_xdm_manage_spool(plymouthd_t)
|
|
+ xserver_read_state_xdm(plymouthd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Client local policy
|
|
+# Plymouth private policy
|
|
#
|
|
|
|
allow plymouth_t self:process signal;
|
|
-allow plymouth_t self:fifo_file rw_fifo_file_perms;
|
|
+allow plymouth_t self:fifo_file rw_file_perms;
|
|
allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
-stream_connect_pattern(plymouth_t, plymouthd_spool_t, plymouthd_spool_t, plymouthd_t)
|
|
-
|
|
kernel_read_system_state(plymouth_t)
|
|
kernel_stream_connect(plymouth_t)
|
|
|
|
domain_use_interactive_fds(plymouth_t)
|
|
|
|
-files_read_etc_files(plymouth_t)
|
|
|
|
term_use_ptmx(plymouth_t)
|
|
|
|
-miscfiles_read_localization(plymouth_t)
|
|
|
|
sysnet_read_config(plymouth_t)
|
|
|
|
-ifdef(`hide_broken_symptoms',`
|
|
+plymouthd_stream_connect(plymouth_t)
|
|
+
|
|
+ifdef(`hide_broken_symptoms', `
|
|
optional_policy(`
|
|
hal_dontaudit_write_log(plymouth_t)
|
|
hal_dontaudit_rw_pipes(plymouth_t)
|
|
diff --git a/podsleuth.te b/podsleuth.te
|
|
index 9123f71..5bf10ce 100644
|
|
--- a/podsleuth.te
|
|
+++ b/podsleuth.te
|
|
@@ -29,7 +29,8 @@ userdom_user_tmpfs_file(podsleuth_tmpfs_t)
|
|
#
|
|
|
|
allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
|
|
-allow podsleuth_t self:process { ptrace signal signull getsched execheap execmem execstack };
|
|
+allow podsleuth_t self:process { signal signull getsched execheap execmem execstack };
|
|
+
|
|
allow podsleuth_t self:fifo_file rw_fifo_file_perms;
|
|
allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow podsleuth_t self:sem create_sem_perms;
|
|
@@ -65,7 +66,6 @@ corenet_tcp_sendrecv_http_port(podsleuth_t)
|
|
|
|
dev_read_urand(podsleuth_t)
|
|
|
|
-files_read_etc_files(podsleuth_t)
|
|
|
|
fs_mount_dos_fs(podsleuth_t)
|
|
fs_unmount_dos_fs(podsleuth_t)
|
|
@@ -76,8 +76,6 @@ fs_getattr_tmpfs(podsleuth_t)
|
|
fs_list_tmpfs(podsleuth_t)
|
|
fs_rw_removable_blk_files(podsleuth_t)
|
|
|
|
-miscfiles_read_localization(podsleuth_t)
|
|
-
|
|
sysnet_dns_name_resolve(podsleuth_t)
|
|
|
|
userdom_signal_unpriv_users(podsleuth_t)
|
|
diff --git a/policykit.fc b/policykit.fc
|
|
index 1d76c72..93d09d9 100644
|
|
--- a/policykit.fc
|
|
+++ b/policykit.fc
|
|
@@ -1,23 +1,22 @@
|
|
-/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
|
-/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
|
|
-
|
|
-/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
|
|
-/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
|
|
-/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
|
|
-/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
|
-/usr/lib/policykit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
|
|
-/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
|
+/usr/lib/policykit/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
|
|
+/usr/bin/pkla-check-authorization -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
|
|
+/usr/lib/policykit/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
|
|
+/usr/lib/policykit/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
|
|
+/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
|
+/usr/lib/polkit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
|
|
|
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
|
|
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
|
|
-/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
|
|
-/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
|
-/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
|
|
-/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
|
+/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
|
|
+/usr/libexec/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
|
+/usr/libexec/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
|
|
+/usr/lib/polkit-1/polkit-agent-helper-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
|
|
+/usr/libexec/kde4/polkit-kde-authentication-agent-1 -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
|
|
+/usr/libexec/polkit-1/polkitd.* -- gen_context(system_u:object_r:policykit_exec_t,s0)
|
|
|
|
-/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
|
|
-/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
|
|
-/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
|
|
-/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
|
|
+/var/lib/misc/PolicyKit.reload gen_context(system_u:object_r:policykit_reload_t,s0)
|
|
+/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
|
|
+/var/lib/polkit-1(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
|
|
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
|
|
+/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
|
|
|
|
-/var/run/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_run_t,s0)
|
|
diff --git a/policykit.if b/policykit.if
|
|
index 032a84d..be00a65 100644
|
|
--- a/policykit.if
|
|
+++ b/policykit.if
|
|
@@ -17,6 +17,8 @@ interface(`policykit_dbus_chat',`
|
|
class dbus send_msg;
|
|
')
|
|
|
|
+ ps_process_pattern(policykit_t, $1)
|
|
+
|
|
allow $1 policykit_t:dbus send_msg;
|
|
allow policykit_t $1:dbus send_msg;
|
|
')
|
|
@@ -24,7 +26,7 @@ interface(`policykit_dbus_chat',`
|
|
########################################
|
|
## <summary>
|
|
## Send and receive messages from
|
|
-## policykit auth over dbus.
|
|
+## policykit over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -38,6 +40,8 @@ interface(`policykit_dbus_chat_auth',`
|
|
class dbus send_msg;
|
|
')
|
|
|
|
+ ps_process_pattern(policykit_auth_t, $1)
|
|
+
|
|
allow $1 policykit_auth_t:dbus send_msg;
|
|
allow policykit_auth_t $1:dbus send_msg;
|
|
')
|
|
@@ -47,9 +51,9 @@ interface(`policykit_dbus_chat_auth',`
|
|
## Execute a domain transition to run polkit_auth.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed to transition.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`policykit_domtrans_auth',`
|
|
@@ -57,15 +61,13 @@ interface(`policykit_domtrans_auth',`
|
|
type policykit_auth_t, policykit_auth_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, policykit_auth_exec_t, policykit_auth_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a policy_auth in the policy
|
|
-## auth domain, and allow the specified
|
|
-## role the policy auth domain.
|
|
+## Execute a policy_auth in the policy_auth domain, and
|
|
+## allow the specified role the policy_auth domain,
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -77,24 +79,28 @@ interface(`policykit_domtrans_auth',`
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
interface(`policykit_run_auth',`
|
|
gen_require(`
|
|
- attribute_role policykit_auth_roles;
|
|
+ type policykit_auth_t;
|
|
')
|
|
|
|
policykit_domtrans_auth($1)
|
|
- roleattribute $2 policykit_auth_roles;
|
|
+ role $2 types policykit_auth_t;
|
|
+
|
|
+ allow $1 policykit_auth_t:process signal;
|
|
+ ps_process_pattern(policykit_auth_t, $1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a domain transition to run polkit grant.
|
|
+## Execute a domain transition to run polkit_grant.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed to transition.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`policykit_domtrans_grant',`
|
|
@@ -102,15 +108,13 @@ interface(`policykit_domtrans_grant',`
|
|
type policykit_grant_t, policykit_grant_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, policykit_grant_exec_t, policykit_grant_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a policy_grant in the policy
|
|
-## grant domain, and allow the specified
|
|
-## role the policy grant domain.
|
|
+## Execute a policy_grant in the policy_grant domain, and
|
|
+## allow the specified role the policy_grant domain,
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -126,16 +130,20 @@ interface(`policykit_domtrans_grant',`
|
|
#
|
|
interface(`policykit_run_grant',`
|
|
gen_require(`
|
|
- attribute_role policykit_grant_roles;
|
|
+ type policykit_grant_t;
|
|
')
|
|
|
|
policykit_domtrans_grant($1)
|
|
- roleattribute $2 policykit_grant_roles;
|
|
+ role $2 types policykit_grant_t;
|
|
+
|
|
+ allow $1 policykit_grant_t:process signal;
|
|
+
|
|
+ ps_process_pattern(policykit_grant_t, $1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read policykit reload files.
|
|
+## read policykit reload files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -154,7 +162,7 @@ interface(`policykit_read_reload',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write policykit reload files.
|
|
+## rw policykit reload files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -173,12 +181,12 @@ interface(`policykit_rw_reload',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a domain transition to run polkit resolve.
|
|
+## Execute a domain transition to run polkit_resolve.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed to transition.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`policykit_domtrans_resolve',`
|
|
@@ -186,8 +194,9 @@ interface(`policykit_domtrans_resolve',`
|
|
type policykit_resolve_t, policykit_resolve_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
|
|
+
|
|
+ ps_process_pattern(policykit_resolve_t, $1)
|
|
')
|
|
|
|
########################################
|
|
@@ -205,13 +214,13 @@ interface(`policykit_search_lib',`
|
|
type policykit_var_lib_t;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
allow $1 policykit_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read policykit lib files.
|
|
+## read policykit lib files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -226,4 +235,50 @@ interface(`policykit_read_lib',`
|
|
|
|
files_search_var_lib($1)
|
|
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ # Broken placement
|
|
+ cron_read_system_job_lib_files($1)
|
|
+ ')
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## The per role template for the policykit module.
|
|
+## </summary>
|
|
+## <param name="user_role">
|
|
+## <summary>
|
|
+## Role allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="user_domain">
|
|
+## <summary>
|
|
+## User domain for the role
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`policykit_role',`
|
|
+ policykit_run_auth($2, $1)
|
|
+ policykit_run_grant($2, $1)
|
|
+ policykit_read_lib($2)
|
|
+ policykit_read_reload($2)
|
|
+ policykit_dbus_chat($2)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send generic signal to policy_auth
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`policykit_signal_auth',`
|
|
+ gen_require(`
|
|
+ type policykit_auth_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 policykit_auth_t:process signal;
|
|
')
|
|
diff --git a/policykit.te b/policykit.te
|
|
index ee91778..9baeb1b 100644
|
|
--- a/policykit.te
|
|
+++ b/policykit.te
|
|
@@ -7,9 +7,6 @@ policy_module(policykit, 1.3.0)
|
|
|
|
attribute policykit_domain;
|
|
|
|
-attribute_role policykit_auth_roles;
|
|
-attribute_role policykit_grant_roles;
|
|
-
|
|
type policykit_t, policykit_domain;
|
|
type policykit_exec_t;
|
|
init_daemon_domain(policykit_t, policykit_exec_t)
|
|
@@ -17,12 +14,10 @@ init_daemon_domain(policykit_t, policykit_exec_t)
|
|
type policykit_auth_t, policykit_domain;
|
|
type policykit_auth_exec_t;
|
|
init_daemon_domain(policykit_auth_t, policykit_auth_exec_t)
|
|
-role policykit_auth_roles types policykit_auth_t;
|
|
|
|
type policykit_grant_t, policykit_domain;
|
|
type policykit_grant_exec_t;
|
|
init_system_domain(policykit_grant_t, policykit_grant_exec_t)
|
|
-role policykit_grant_roles types policykit_grant_t;
|
|
|
|
type policykit_resolve_t, policykit_domain;
|
|
type policykit_resolve_exec_t;
|
|
@@ -42,63 +37,68 @@ files_pid_file(policykit_var_run_t)
|
|
|
|
#######################################
|
|
#
|
|
-# Common policykit domain local policy
|
|
+# policykit_domain local policy
|
|
#
|
|
|
|
allow policykit_domain self:process { execmem getattr };
|
|
allow policykit_domain self:fifo_file rw_fifo_file_perms;
|
|
|
|
-kernel_search_proc(policykit_domain)
|
|
-
|
|
-corecmd_exec_bin(policykit_domain)
|
|
-
|
|
dev_read_sysfs(policykit_domain)
|
|
|
|
-files_read_usr_files(policykit_domain)
|
|
-
|
|
-logging_send_syslog_msg(policykit_domain)
|
|
-
|
|
-miscfiles_read_localization(policykit_domain)
|
|
-
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# policykit local policy
|
|
#
|
|
|
|
allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
|
|
allow policykit_t self:process { getsched setsched signal };
|
|
-allow policykit_t self:unix_stream_socket { accept connectto listen };
|
|
+allow policykit_t self:unix_dgram_socket create_socket_perms;
|
|
+allow policykit_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
+
|
|
+policykit_domtrans_auth(policykit_t)
|
|
+allow policykit_t policykit_auth_t:process signal;
|
|
+
|
|
+can_exec(policykit_t, policykit_exec_t)
|
|
+corecmd_exec_bin(policykit_t)
|
|
+
|
|
+dev_read_sysfs(policykit_t)
|
|
|
|
rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
|
|
|
|
+policykit_domtrans_resolve(policykit_t)
|
|
+
|
|
manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
|
|
|
|
manage_dirs_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
|
|
manage_files_pattern(policykit_t, policykit_var_run_t, policykit_var_run_t)
|
|
files_pid_filetrans(policykit_t, policykit_var_run_t, { file dir })
|
|
|
|
-can_exec(policykit_t, policykit_exec_t)
|
|
-
|
|
-domtrans_pattern(policykit_t, policykit_auth_exec_t, policykit_auth_t)
|
|
-domtrans_pattern(policykit_t, policykit_resolve_exec_t, policykit_resolve_t)
|
|
-
|
|
-kernel_read_kernel_sysctls(policykit_t)
|
|
kernel_read_system_state(policykit_t)
|
|
+kernel_read_kernel_sysctls(policykit_t)
|
|
|
|
domain_read_all_domains_state(policykit_t)
|
|
|
|
files_dontaudit_search_all_mountpoints(policykit_t)
|
|
|
|
+fs_getattr_all_fs(policykit_t)
|
|
fs_list_inotifyfs(policykit_t)
|
|
+fs_list_cgroup_dirs(policykit_t)
|
|
|
|
auth_use_nsswitch(policykit_t)
|
|
|
|
+init_list_pid_dirs(policykit_t)
|
|
+
|
|
+logging_send_syslog_msg(policykit_t)
|
|
+
|
|
userdom_getattr_all_users(policykit_t)
|
|
userdom_read_all_users_state(policykit_t)
|
|
+userdom_dontaudit_search_admin_dir(policykit_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_domain(policykit_t, policykit_exec_t)
|
|
|
|
+ init_dbus_chat(policykit_t)
|
|
+
|
|
optional_policy(`
|
|
consolekit_dbus_chat(policykit_t)
|
|
')
|
|
@@ -109,29 +109,43 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ consolekit_list_pid_files(policykit_t)
|
|
consolekit_read_pid_files(policykit_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- gnome_read_generic_home_content(policykit_t)
|
|
+ kerberos_tmp_filetrans_host_rcache(policykit_t, "host_0")
|
|
+ kerberos_manage_host_rcache(policykit_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- kerberos_manage_host_rcache(policykit_t)
|
|
- kerberos_tmp_filetrans_host_rcache(policykit_t, file, "host_0")
|
|
+ gnome_read_config(policykit_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ systemd_read_logind_sessions_files(policykit_t)
|
|
+ systemd_login_list_pid_dirs(policykit_t)
|
|
+ systemd_login_read_pid_files(policykit_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Auth local policy
|
|
+# polkit_auth local policy
|
|
#
|
|
|
|
-allow policykit_auth_t self:capability { ipc_lock setgid setuid sys_nice };
|
|
+allow policykit_auth_t self:capability { sys_nice ipc_lock setgid setuid };
|
|
dontaudit policykit_auth_t self:capability sys_tty_config;
|
|
-allow policykit_auth_t self:process { getsched setsched signal };
|
|
-allow policykit_auth_t self:unix_stream_socket { accept listen };
|
|
+allow policykit_auth_t self:process { setsched getsched signal };
|
|
+
|
|
+allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
|
|
+allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
-ps_process_pattern(policykit_auth_t, policykit_domain)
|
|
+policykit_dbus_chat(policykit_auth_t)
|
|
+
|
|
+kernel_read_system_state(policykit_auth_t)
|
|
+
|
|
+can_exec(policykit_auth_t, policykit_auth_exec_t)
|
|
+corecmd_exec_bin(policykit_auth_t)
|
|
|
|
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
|
|
|
|
@@ -145,9 +159,6 @@ manage_dirs_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
|
|
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
|
|
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
|
|
|
|
-can_exec(policykit_auth_t, policykit_auth_exec_t)
|
|
-
|
|
-kernel_read_system_state(policykit_auth_t)
|
|
kernel_dontaudit_search_kernel_sysctl(policykit_auth_t)
|
|
|
|
dev_read_video_dev(policykit_auth_t)
|
|
@@ -157,53 +168,64 @@ files_search_home(policykit_auth_t)
|
|
|
|
fs_getattr_all_fs(policykit_auth_t)
|
|
fs_search_tmpfs(policykit_auth_t)
|
|
+fs_dontaudit_append_ecryptfs_files(policykit_auth_t)
|
|
|
|
auth_rw_var_auth(policykit_auth_t)
|
|
auth_use_nsswitch(policykit_auth_t)
|
|
auth_domtrans_chk_passwd(policykit_auth_t)
|
|
|
|
+logging_send_syslog_msg(policykit_auth_t)
|
|
+
|
|
miscfiles_read_fonts(policykit_auth_t)
|
|
miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)
|
|
|
|
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
|
|
+userdom_dontaudit_write_user_tmp_files(policykit_auth_t)
|
|
+userdom_read_admin_home_files(policykit_auth_t)
|
|
|
|
optional_policy(`
|
|
- dbus_system_domain(policykit_auth_t, policykit_auth_exec_t)
|
|
- dbus_all_session_bus_client(policykit_auth_t)
|
|
+ dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
|
|
+ dbus_session_bus_client(policykit_auth_t)
|
|
|
|
optional_policy(`
|
|
consolekit_dbus_chat(policykit_auth_t)
|
|
')
|
|
-
|
|
- optional_policy(`
|
|
- policykit_dbus_chat(policykit_auth_t)
|
|
- ')
|
|
')
|
|
|
|
optional_policy(`
|
|
+ kernel_search_proc(policykit_auth_t)
|
|
hal_read_state(policykit_auth_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- kerberos_manage_host_rcache(policykit_auth_t)
|
|
- kerberos_tmp_filetrans_host_rcache(policykit_auth_t, file, "host_0")
|
|
+ kerberos_tmp_filetrans_host_rcache(policykit_auth_t, "host_0")
|
|
+ kerberos_manage_host_rcache(policykit_auth_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_stream_connect(policykit_auth_t)
|
|
+ xserver_xdm_append_log(policykit_auth_t)
|
|
xserver_read_xdm_pid(policykit_auth_t)
|
|
+ xserver_search_xdm_lib(policykit_auth_t)
|
|
+ xserver_create_xdm_tmp_sockets(policykit_auth_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Grant local policy
|
|
+# polkit_grant local policy
|
|
#
|
|
|
|
allow policykit_grant_t self:capability setuid;
|
|
+
|
|
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
|
|
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
-ps_process_pattern(policykit_grant_t, policykit_domain)
|
|
+policykit_domtrans_auth(policykit_grant_t)
|
|
+
|
|
+policykit_domtrans_resolve(policykit_grant_t)
|
|
+
|
|
+can_exec(policykit_grant_t, policykit_grant_exec_t)
|
|
+corecmd_search_bin(policykit_grant_t)
|
|
|
|
rw_files_pattern(policykit_grant_t, policykit_reload_t, policykit_reload_t)
|
|
|
|
@@ -211,23 +233,20 @@ manage_files_pattern(policykit_grant_t, policykit_var_run_t, policykit_var_run_t
|
|
|
|
manage_files_pattern(policykit_grant_t, policykit_var_lib_t, policykit_var_lib_t)
|
|
|
|
-can_exec(policykit_grant_t, policykit_grant_exec_t)
|
|
-
|
|
-domtrans_pattern(policykit_grant_t, policykit_auth_exec_t, policykit_auth_t)
|
|
-domtrans_pattern(policykit_grant_t, policykit_resolve_exec_t, policykit_resolve_t)
|
|
|
|
auth_domtrans_chk_passwd(policykit_grant_t)
|
|
auth_use_nsswitch(policykit_grant_t)
|
|
|
|
+logging_send_syslog_msg(policykit_grant_t)
|
|
+
|
|
userdom_read_all_users_state(policykit_grant_t)
|
|
|
|
optional_policy(`
|
|
cron_manage_system_job_lib_files(policykit_grant_t)
|
|
')
|
|
|
|
-optional_policy(`
|
|
+ optional_policy(`
|
|
dbus_system_bus_client(policykit_grant_t)
|
|
-
|
|
optional_policy(`
|
|
consolekit_dbus_chat(policykit_grant_t)
|
|
')
|
|
@@ -235,26 +254,28 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Resolve local policy
|
|
+# polkit_resolve local policy
|
|
#
|
|
|
|
allow policykit_resolve_t self:capability { setuid sys_nice };
|
|
-allow policykit_resolve_t self:unix_stream_socket { accept listen };
|
|
|
|
-ps_process_pattern(policykit_resolve_t, policykit_domain)
|
|
+allow policykit_resolve_t self:unix_dgram_socket create_socket_perms;
|
|
+allow policykit_resolve_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+policykit_domtrans_auth(policykit_resolve_t)
|
|
|
|
read_files_pattern(policykit_resolve_t, policykit_reload_t, policykit_reload_t)
|
|
|
|
read_files_pattern(policykit_resolve_t, policykit_var_lib_t, policykit_var_lib_t)
|
|
|
|
can_exec(policykit_resolve_t, policykit_resolve_exec_t)
|
|
+corecmd_search_bin(policykit_resolve_t)
|
|
|
|
-domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t)
|
|
-
|
|
-mcs_ptrace_all(policykit_resolve_t)
|
|
|
|
auth_use_nsswitch(policykit_resolve_t)
|
|
|
|
+logging_send_syslog_msg(policykit_resolve_t)
|
|
+
|
|
userdom_read_all_users_state(policykit_resolve_t)
|
|
|
|
optional_policy(`
|
|
@@ -266,6 +287,6 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ kernel_search_proc(policykit_resolve_t)
|
|
hal_read_state(policykit_resolve_t)
|
|
')
|
|
-
|
|
diff --git a/polipo.fc b/polipo.fc
|
|
index d35614b..11f77ee 100644
|
|
--- a/polipo.fc
|
|
+++ b/polipo.fc
|
|
@@ -1,15 +1,16 @@
|
|
-HOME_DIR/\.forbidden -- gen_context(system_u:object_r:polipo_config_home_t,s0)
|
|
HOME_DIR/\.polipo -- gen_context(system_u:object_r:polipo_config_home_t,s0)
|
|
HOME_DIR/\.polipo-cache(/.*)? gen_context(system_u:object_r:polipo_cache_home_t,s0)
|
|
|
|
-/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_conf_t,s0)
|
|
+/etc/polipo(/.*)? gen_context(system_u:object_r:polipo_etc_t,s0)
|
|
|
|
/etc/rc\.d/init\.d/polipo -- gen_context(system_u:object_r:polipo_initrc_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/polipo.* -- gen_context(system_u:object_r:polipo_unit_file_t,s0)
|
|
+
|
|
/usr/bin/polipo -- gen_context(system_u:object_r:polipo_exec_t,s0)
|
|
|
|
/var/cache/polipo(/.*)? gen_context(system_u:object_r:polipo_cache_t,s0)
|
|
|
|
/var/log/polipo.* -- gen_context(system_u:object_r:polipo_log_t,s0)
|
|
|
|
-/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_var_run_t,s0)
|
|
+/var/run/polipo(/.*)? gen_context(system_u:object_r:polipo_pid_t,s0)
|
|
diff --git a/polipo.if b/polipo.if
|
|
index ae27bb7..d00f6ba 100644
|
|
--- a/polipo.if
|
|
+++ b/polipo.if
|
|
@@ -1,8 +1,8 @@
|
|
-## <summary>Lightweight forwarding and caching proxy server.</summary>
|
|
+## <summary>Caching web proxy.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Role access for Polipo session.
|
|
+## Role access for polipo session.
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
@@ -11,14 +11,13 @@
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## User domain for the role.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`polipo_role',`
|
|
gen_require(`
|
|
- type polipo_session_t, polipo_exec_t, polipo_config_home_t;
|
|
- type polipo_cache_home_t;
|
|
+ type polipo_session_t, polipo_exec_t;
|
|
')
|
|
|
|
########################################
|
|
@@ -33,15 +32,11 @@ template(`polipo_role',`
|
|
# Policy
|
|
#
|
|
|
|
- allow $2 polipo_cache_home_t:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 { polipo_cache_home_t polipo_config_home_t }:file { manage_file_perms relabel_file_perms };
|
|
-
|
|
- userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".forbidden")
|
|
- userdom_user_home_dir_filetrans($2, polipo_config_home_t, file, ".polipo")
|
|
- userdom_user_home_dir_filetrans($2, polipo_cache_home_t, dir, ".polipo-cache")
|
|
-
|
|
- allow $2 polipo_session_t:process { ptrace signal_perms };
|
|
+ allow $2 polipo_session_t:process signal_perms;
|
|
ps_process_pattern($2, polipo_session_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 polipo_session_t:process ptrace;
|
|
+ ')
|
|
|
|
tunable_policy(`polipo_session_users',`
|
|
domtrans_pattern($2, polipo_exec_t, polipo_session_t)
|
|
@@ -52,57 +47,129 @@ template(`polipo_role',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute Polipo in the Polipo
|
|
-## system domain.
|
|
+## Create configuration files in user
|
|
+## home directories with a named file
|
|
+## type transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`polipo_initrc_domtrans',`
|
|
+interface(`polipo_named_filetrans_config_home_files',`
|
|
gen_require(`
|
|
- type polipo_initrc_exec_t;
|
|
+ type polipo_config_home_t;
|
|
')
|
|
|
|
- init_labeled_script_domtrans($1, polipo_initrc_exec_t)
|
|
+ userdom_user_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create cache directories in user
|
|
+## home directories with a named file
|
|
+## type transition.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`polipo_named_filetrans_cache_home_dirs',`
|
|
+ gen_require(`
|
|
+ type polipo_cache_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_user_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create specified objects in generic
|
|
-## log directories with the polipo
|
|
-## log file type.
|
|
+## Create configuration files in admin
|
|
+## home directories with a named file
|
|
+## type transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="object_class">
|
|
+#
|
|
+interface(`polipo_named_filetrans_admin_config_home_files',`
|
|
+ gen_require(`
|
|
+ type polipo_config_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_admin_home_dir_filetrans($1, polipo_config_home_t, file, ".polipo")
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create cache directories in admin
|
|
+## home directories with a named file
|
|
+## type transition.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Class of the object being created.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="name" optional="true">
|
|
+#
|
|
+interface(`polipo_named_filetrans_admin_cache_home_dirs',`
|
|
+ gen_require(`
|
|
+ type polipo_cache_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_admin_home_dir_filetrans($1, polipo_cache_home_t, dir, ".polipo-cache")
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create log files with a named file
|
|
+## type transition.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## The name of the object being created.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`polipo_log_filetrans_log',`
|
|
+interface(`polipo_named_filetrans_log_files',`
|
|
gen_require(`
|
|
type polipo_log_t;
|
|
')
|
|
|
|
- logging_log_filetrans($1, polipo_log_t, $2, $3)
|
|
+ logging_log_named_filetrans($1, polipo_log_t, file, "polipo")
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute polipo server in the polipo domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`polipo_systemctl',`
|
|
+ gen_require(`
|
|
+ type polipo_t;
|
|
+ type polipo_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 polipo_unit_file_t:file read_file_perms;
|
|
+ allow $1 polipo_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, polipo_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an polipo environment.
|
|
+## Administrate an polipo environment.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -118,27 +185,35 @@ interface(`polipo_log_filetrans_log',`
|
|
#
|
|
interface(`polipo_admin',`
|
|
gen_require(`
|
|
- type polipo_system_t, polipo_initrc_exec_t, polipo_cache_t;
|
|
- type polipo_conf_t, polipo_log_t, polipo_var_run_t;
|
|
+ type polipo_t, polipo_pid_t, polipo_cache_t;
|
|
+ type polipo_etc_t, polipo_log_t, polipo_initrc_exec_t;
|
|
+ type polipo_unit_file_t;
|
|
')
|
|
|
|
- allow $1 polipo_system_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, polipo_system_t)
|
|
+ allow $1 polipo_t:process signal_perms;
|
|
+ ps_process_pattern($1, polipo_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 polipo_t:process ptrace;
|
|
+ ')
|
|
|
|
- polipo_initrc_domtrans($1)
|
|
+ init_labeled_script_domtrans($1, polipo_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 polipo_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_search_var($1)
|
|
- admin_pattern($1, polipo_cache_t)
|
|
-
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, polipo_conf_t)
|
|
+ files_list_etc($1)
|
|
+ admin_pattern($1, polipo_etc_t)
|
|
|
|
- logging_search_logs($1)
|
|
+ logging_list_logs($1)
|
|
admin_pattern($1, polipo_log_t)
|
|
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, polipo_var_run_t)
|
|
+ files_list_var($1)
|
|
+ admin_pattern($1, polipo_cache_t)
|
|
+
|
|
+ files_list_pids($1)
|
|
+ admin_pattern($1, polipo_pid_t)
|
|
+
|
|
+ polipo_systemctl($1)
|
|
+ admin_pattern($1, polipo_unit_file_t)
|
|
+ allow $1 polipo_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/polipo.te b/polipo.te
|
|
index 9764bfe..2d8d495 100644
|
|
--- a/polipo.te
|
|
+++ b/polipo.te
|
|
@@ -7,19 +7,27 @@ policy_module(polipo, 1.1.1)
|
|
|
|
## <desc>
|
|
## <p>
|
|
-## Determine whether Polipo system
|
|
-## daemon can access CIFS file systems.
|
|
+## Determine whether polipo can
|
|
+## access cifs file systems.
|
|
## </p>
|
|
## </desc>
|
|
-gen_tunable(polipo_system_use_cifs, false)
|
|
+gen_tunable(polipo_use_cifs, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
-## Determine whether Polipo system
|
|
-## daemon can access NFS file systems.
|
|
+## Determine whether Polipo can
|
|
+## access nfs file systems.
|
|
## </p>
|
|
## </desc>
|
|
-gen_tunable(polipo_system_use_nfs, false)
|
|
+gen_tunable(polipo_use_nfs, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Determine whether Polipo session daemon
|
|
+## can bind tcp sockets to all unreserved ports.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(polipo_session_bind_all_unreserved_ports, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
@@ -31,24 +39,23 @@ gen_tunable(polipo_system_use_nfs, false)
|
|
gen_tunable(polipo_session_users, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether Polipo session daemon
|
|
-## can send syslog messages.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow polipo to connect to all ports > 1023
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(polipo_session_send_syslog_msg, false)
|
|
+gen_tunable(polipo_connect_all_unreserved, false)
|
|
|
|
attribute polipo_daemon;
|
|
|
|
-type polipo_system_t, polipo_daemon;
|
|
+type polipo_t, polipo_daemon;
|
|
type polipo_exec_t;
|
|
-init_daemon_domain(polipo_system_t, polipo_exec_t)
|
|
+init_daemon_domain(polipo_t, polipo_exec_t)
|
|
|
|
type polipo_initrc_exec_t;
|
|
init_script_file(polipo_initrc_exec_t)
|
|
|
|
-type polipo_conf_t;
|
|
-files_config_file(polipo_conf_t)
|
|
+type polipo_etc_t;
|
|
+files_config_file(polipo_etc_t)
|
|
|
|
type polipo_cache_t;
|
|
files_type(polipo_cache_t)
|
|
@@ -56,116 +63,102 @@ files_type(polipo_cache_t)
|
|
type polipo_log_t;
|
|
logging_log_file(polipo_log_t)
|
|
|
|
-type polipo_var_run_t;
|
|
-files_pid_file(polipo_var_run_t)
|
|
+type polipo_pid_t;
|
|
+files_pid_file(polipo_pid_t)
|
|
|
|
type polipo_session_t, polipo_daemon;
|
|
-userdom_user_application_domain(polipo_session_t, polipo_exec_t)
|
|
+application_domain(polipo_session_t, polipo_exec_t)
|
|
+ubac_constrained(polipo_session_t)
|
|
+
|
|
+type polipo_config_home_t;
|
|
+userdom_user_home_content(polipo_config_home_t)
|
|
|
|
type polipo_cache_home_t;
|
|
userdom_user_home_content(polipo_cache_home_t)
|
|
|
|
-type polipo_config_home_t;
|
|
-userdom_user_home_content(polipo_config_home_t)
|
|
+type polipo_unit_file_t;
|
|
+systemd_unit_file(polipo_unit_file_t)
|
|
|
|
########################################
|
|
#
|
|
-# Session local policy
|
|
+# Global local policy
|
|
#
|
|
|
|
-allow polipo_session_t polipo_config_home_t:file read_file_perms;
|
|
-
|
|
-manage_dirs_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
|
|
-manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
|
|
-userdom_user_home_dir_filetrans(polipo_session_t, polipo_cache_home_t, dir, ".polipo-cache")
|
|
-
|
|
-auth_use_nsswitch(polipo_session_t)
|
|
-
|
|
-userdom_use_user_terminals(polipo_session_t)
|
|
+allow polipo_daemon self:fifo_file rw_fifo_file_perms;
|
|
+allow polipo_daemon self:tcp_socket { listen accept };
|
|
|
|
-tunable_policy(`polipo_session_send_syslog_msg',`
|
|
- logging_send_syslog_msg(polipo_session_t)
|
|
-')
|
|
+corenet_tcp_bind_generic_node(polipo_daemon)
|
|
+corenet_tcp_sendrecv_generic_if(polipo_daemon)
|
|
+corenet_tcp_sendrecv_generic_node(polipo_daemon)
|
|
+corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
|
|
+corenet_tcp_bind_http_cache_port(polipo_daemon)
|
|
+corenet_sendrecv_http_cache_server_packets(polipo_daemon)
|
|
+corenet_tcp_connect_http_port(polipo_daemon)
|
|
+corenet_tcp_connect_tor_port(polipo_daemon)
|
|
+corenet_tcp_connect_flash_port(polipo_daemon)
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_read_nfs_files(polipo_session_t)
|
|
-',`
|
|
- fs_dontaudit_read_nfs_files(polipo_session_t)
|
|
-')
|
|
+fs_search_auto_mountpoints(polipo_daemon)
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_read_cifs_files(polipo_session_t)
|
|
-',`
|
|
- fs_dontaudit_read_cifs_files(polipo_session_t)
|
|
-')
|
|
|
|
########################################
|
|
#
|
|
-# System local policy
|
|
+# Polipo local policy
|
|
#
|
|
|
|
-read_files_pattern(polipo_system_t, polipo_conf_t, polipo_conf_t)
|
|
+read_files_pattern(polipo_t, polipo_etc_t, polipo_etc_t)
|
|
|
|
-manage_files_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t)
|
|
-manage_dirs_pattern(polipo_system_t, polipo_cache_t, polipo_cache_t)
|
|
-files_var_filetrans(polipo_system_t, polipo_cache_t, dir)
|
|
+manage_files_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
|
|
+manage_dirs_pattern(polipo_t, polipo_cache_t, polipo_cache_t)
|
|
+files_var_filetrans(polipo_t, polipo_cache_t, dir)
|
|
|
|
-append_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
|
|
-create_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
|
|
-setattr_files_pattern(polipo_system_t, polipo_log_t, polipo_log_t)
|
|
-logging_log_filetrans(polipo_system_t, polipo_log_t, file)
|
|
+manage_files_pattern(polipo_t, polipo_log_t, polipo_log_t)
|
|
+logging_log_filetrans(polipo_t, polipo_log_t, file)
|
|
|
|
-manage_files_pattern(polipo_system_t, polipo_var_run_t, polipo_var_run_t)
|
|
-files_pid_filetrans(polipo_system_t, polipo_var_run_t, file)
|
|
+manage_files_pattern(polipo_t, polipo_pid_t, polipo_pid_t)
|
|
+files_pid_filetrans(polipo_t, polipo_pid_t, file)
|
|
|
|
-auth_use_nsswitch(polipo_system_t)
|
|
+auth_use_nsswitch(polipo_t)
|
|
|
|
-logging_send_syslog_msg(polipo_system_t)
|
|
+logging_send_syslog_msg(polipo_t)
|
|
|
|
optional_policy(`
|
|
- cron_system_entry(polipo_system_t, polipo_exec_t)
|
|
+ cron_system_entry(polipo_t, polipo_exec_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`polipo_connect_all_unreserved',`
|
|
+ corenet_tcp_connect_all_unreserved_ports(polipo_t)
|
|
')
|
|
|
|
-tunable_policy(`polipo_system_use_cifs',`
|
|
- fs_manage_cifs_files(polipo_system_t)
|
|
-',`
|
|
- fs_dontaudit_read_cifs_files(polipo_system_t)
|
|
+tunable_policy(`polipo_use_cifs',`
|
|
+ fs_manage_cifs_files(polipo_t)
|
|
')
|
|
|
|
-tunable_policy(`polipo_system_use_nfs',`
|
|
- fs_manage_nfs_files(polipo_system_t)
|
|
-',`
|
|
- fs_dontaudit_read_nfs_files(polipo_system_t)
|
|
+tunable_policy(`polipo_use_nfs',`
|
|
+ fs_manage_nfs_files(polipo_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Polipo global local policy
|
|
+# Polipo session local policy
|
|
#
|
|
|
|
-allow polipo_daemon self:fifo_file rw_fifo_file_perms;
|
|
-allow polipo_daemon self:tcp_socket { listen accept };
|
|
-
|
|
-corenet_all_recvfrom_unlabeled(polipo_daemon)
|
|
-corenet_all_recvfrom_netlabel(polipo_daemon)
|
|
-corenet_tcp_sendrecv_generic_if(polipo_daemon)
|
|
-corenet_tcp_sendrecv_generic_node(polipo_daemon)
|
|
-corenet_tcp_bind_generic_node(polipo_daemon)
|
|
+read_files_pattern(polipo_session_t, polipo_config_home_t, polipo_config_home_t)
|
|
+manage_files_pattern(polipo_session_t, polipo_cache_home_t, polipo_cache_home_t)
|
|
|
|
-corenet_sendrecv_http_client_packets(polipo_daemon)
|
|
-corenet_tcp_sendrecv_http_port(polipo_daemon)
|
|
-corenet_tcp_connect_http_port(polipo_daemon)
|
|
+auth_use_nsswitch(polipo_session_t)
|
|
|
|
-corenet_sendrecv_http_cache_server_packets(polipo_daemon)
|
|
-corenet_tcp_sendrecv_http_cache_port(polipo_daemon)
|
|
-corenet_tcp_bind_http_cache_port(polipo_daemon)
|
|
+userdom_use_user_terminals(polipo_session_t)
|
|
|
|
corenet_sendrecv_tor_client_packets(polipo_daemon)
|
|
corenet_tcp_sendrecv_tor_port(polipo_daemon)
|
|
corenet_tcp_connect_tor_port(polipo_daemon)
|
|
|
|
-files_read_usr_files(polipo_daemon)
|
|
+logging_send_syslog_msg(polipo_session_t)
|
|
|
|
-fs_search_auto_mountpoints(polipo_daemon)
|
|
+userdom_home_manager(polipo_session_t)
|
|
+
|
|
+tunable_policy(`polipo_session_bind_all_unreserved_ports',`
|
|
+ corenet_tcp_sendrecv_all_ports(polipo_session_t)
|
|
+ corenet_tcp_bind_all_unreserved_ports(polipo_session_t)
|
|
+')
|
|
|
|
-miscfiles_read_localization(polipo_daemon)
|
|
diff --git a/portage.if b/portage.if
|
|
index 67e8c12..18b89d7 100644
|
|
--- a/portage.if
|
|
+++ b/portage.if
|
|
@@ -67,6 +67,7 @@ interface(`portage_compile_domain',`
|
|
class dbus send_msg;
|
|
type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
|
|
type portage_tmpfs_t;
|
|
+ type portage_sandbox_t;
|
|
')
|
|
|
|
allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
|
|
diff --git a/portage.te b/portage.te
|
|
index b410c67..2713b26 100644
|
|
--- a/portage.te
|
|
+++ b/portage.te
|
|
@@ -108,7 +108,6 @@ domain_use_interactive_fds(gcc_config_t)
|
|
|
|
files_manage_etc_files(gcc_config_t)
|
|
files_rw_etc_runtime_files(gcc_config_t)
|
|
-files_read_usr_files(gcc_config_t)
|
|
files_search_var_lib(gcc_config_t)
|
|
files_search_pids(gcc_config_t)
|
|
# complains loudly about not being able to list
|
|
@@ -291,7 +290,6 @@ dev_dontaudit_read_rand(portage_fetch_t)
|
|
domain_use_interactive_fds(portage_fetch_t)
|
|
|
|
files_read_etc_runtime_files(portage_fetch_t)
|
|
-files_read_usr_files(portage_fetch_t)
|
|
files_dontaudit_search_pids(portage_fetch_t)
|
|
|
|
fs_search_auto_mountpoints(portage_fetch_t)
|
|
diff --git a/portmap.fc b/portmap.fc
|
|
index cd45831..69406ee 100644
|
|
--- a/portmap.fc
|
|
+++ b/portmap.fc
|
|
@@ -4,9 +4,14 @@
|
|
/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
|
|
/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
|
|
|
|
+ifdef(`distro_debian',`
|
|
+/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
|
|
+/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
|
|
+', `
|
|
/usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
|
|
/usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
|
|
/usr/sbin/portmap -- gen_context(system_u:object_r:portmap_exec_t,s0)
|
|
+')
|
|
|
|
/var/run/portmap\.upgrade-state -- gen_context(system_u:object_r:portmap_var_run_t,s0)
|
|
/var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0)
|
|
diff --git a/portmap.te b/portmap.te
|
|
index 18b255e..e75c4ec 100644
|
|
--- a/portmap.te
|
|
+++ b/portmap.te
|
|
@@ -45,7 +45,6 @@ files_pid_filetrans(portmap_t, portmap_var_run_t, file)
|
|
kernel_read_system_state(portmap_t)
|
|
kernel_read_kernel_sysctls(portmap_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(portmap_t)
|
|
corenet_all_recvfrom_netlabel(portmap_t)
|
|
corenet_tcp_sendrecv_generic_if(portmap_t)
|
|
corenet_udp_sendrecv_generic_if(portmap_t)
|
|
@@ -80,9 +79,11 @@ fs_search_auto_mountpoints(portmap_t)
|
|
|
|
domain_use_interactive_fds(portmap_t)
|
|
|
|
+auth_use_nsswitch(portmap_t)
|
|
+
|
|
logging_send_syslog_msg(portmap_t)
|
|
|
|
-miscfiles_read_localization(portmap_t)
|
|
+sysnet_read_config(portmap_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(portmap_t)
|
|
userdom_dontaudit_search_user_home_dirs(portmap_t)
|
|
@@ -106,7 +107,6 @@ allow portmap_helper_t self:tcp_socket { accept listen };
|
|
allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
|
|
files_pid_filetrans(portmap_helper_t, portmap_var_run_t, file)
|
|
|
|
-corenet_all_recvfrom_unlabeled(portmap_helper_t)
|
|
corenet_all_recvfrom_netlabel(portmap_helper_t)
|
|
corenet_tcp_sendrecv_generic_if(portmap_helper_t)
|
|
corenet_udp_sendrecv_generic_if(portmap_helper_t)
|
|
@@ -138,5 +138,7 @@ init_rw_utmp(portmap_helper_t)
|
|
|
|
logging_send_syslog_msg(portmap_helper_t)
|
|
|
|
-userdom_use_user_terminals(portmap_helper_t)
|
|
+sysnet_read_config(portmap_helper_t)
|
|
+
|
|
+userdom_use_inherited_user_terminals(portmap_helper_t)
|
|
userdom_dontaudit_use_all_users_fds(portmap_helper_t)
|
|
diff --git a/portreserve.fc b/portreserve.fc
|
|
index 1b2b4f9..575b7d6 100644
|
|
--- a/portreserve.fc
|
|
+++ b/portreserve.fc
|
|
@@ -1,6 +1,6 @@
|
|
/etc/portreserve(/.*)? gen_context(system_u:object_r:portreserve_etc_t,s0)
|
|
|
|
-/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/portreserve -- gen_context(system_u:object_r:portreserve_initrc_exec_t,s0)
|
|
|
|
/sbin/portreserve -- gen_context(system_u:object_r:portreserve_exec_t,s0)
|
|
|
|
diff --git a/portreserve.if b/portreserve.if
|
|
index 5ad5291..7f1ae2a 100644
|
|
--- a/portreserve.if
|
|
+++ b/portreserve.if
|
|
@@ -105,8 +105,11 @@ interface(`portreserve_admin',`
|
|
type portreserve_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 portreserve_t:process { ptrace signal_perms };
|
|
+ allow $1 portreserve_t:process signal_perms;
|
|
ps_process_pattern($1, portreserve_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 portreserve_t:process ptrace;
|
|
+ ')
|
|
|
|
portreserve_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff --git a/portreserve.te b/portreserve.te
|
|
index 00b01e2..ffbfcee 100644
|
|
--- a/portreserve.te
|
|
+++ b/portreserve.te
|
|
@@ -41,7 +41,6 @@ files_pid_filetrans(portreserve_t, portreserve_var_run_t, { file sock_file dir }
|
|
|
|
corecmd_getattr_bin_files(portreserve_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(portreserve_t)
|
|
corenet_all_recvfrom_netlabel(portreserve_t)
|
|
corenet_tcp_sendrecv_generic_if(portreserve_t)
|
|
corenet_udp_sendrecv_generic_if(portreserve_t)
|
|
@@ -56,6 +55,5 @@ corenet_sendrecv_all_server_packets(portreserve_t)
|
|
corenet_tcp_bind_all_ports(portreserve_t)
|
|
corenet_udp_bind_all_ports(portreserve_t)
|
|
|
|
-files_read_etc_files(portreserve_t)
|
|
|
|
userdom_dontaudit_search_user_home_content(portreserve_t)
|
|
diff --git a/portslave.te b/portslave.te
|
|
index cbe36c1..8ebeb87 100644
|
|
--- a/portslave.te
|
|
+++ b/portslave.te
|
|
@@ -48,7 +48,6 @@ kernel_read_kernel_sysctls(portslave_t)
|
|
corecmd_exec_bin(portslave_t)
|
|
corecmd_exec_shell(portslave_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(portslave_t)
|
|
corenet_all_recvfrom_netlabel(portslave_t)
|
|
corenet_tcp_sendrecv_generic_if(portslave_t)
|
|
corenet_udp_sendrecv_generic_if(portslave_t)
|
|
@@ -72,7 +71,7 @@ fs_getattr_xattr_fs(portslave_t)
|
|
|
|
term_use_unallocated_ttys(portslave_t)
|
|
term_setattr_unallocated_ttys(portslave_t)
|
|
-term_use_all_ttys(portslave_t)
|
|
+term_use_all_inherited_ttys(portslave_t)
|
|
term_search_ptys(portslave_t)
|
|
|
|
auth_domtrans_chk_passwd(portslave_t)
|
|
diff --git a/postfix.fc b/postfix.fc
|
|
index c0e8785..c0e0959 100644
|
|
--- a/postfix.fc
|
|
+++ b/postfix.fc
|
|
@@ -1,38 +1,38 @@
|
|
-/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
|
|
-/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
|
|
-/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
|
|
-
|
|
-/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
|
|
-
|
|
+# postfix
|
|
+/etc/rc\.d/init\.d/postfix -- gen_context(system_u:object_r:postfix_initrc_exec_t,s0)
|
|
+/etc/postfix.* gen_context(system_u:object_r:postfix_etc_t,s0)
|
|
+ifdef(`distro_redhat', `
|
|
+/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
|
|
+/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
|
|
+/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
|
+/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
|
|
+/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
|
+/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
|
|
+/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
|
|
+/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
|
|
+/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
|
+/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
|
+/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
|
|
+/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
|
|
+/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
|
|
+/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
|
|
+', `
|
|
/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
|
|
-/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
|
|
+/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
|
|
/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
|
|
/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
|
/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
|
|
-/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
|
|
+/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
|
|
+/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
|
|
/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
|
/usr/lib/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
|
/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
|
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
|
|
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
|
|
/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
|
|
-/usr/lib/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
|
|
-
|
|
-/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
|
|
-/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
|
|
-/usr/libexec/postfix/lmtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
|
-/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
|
|
-/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
|
-/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
|
|
-/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
|
|
-/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
|
|
-/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
|
-/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
|
|
-/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
|
|
-/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
|
|
-/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
|
|
-/usr/libexec/postfix/virtual -- gen_context(system_u:object_r:postfix_virtual_exec_t,s0)
|
|
-
|
|
+')
|
|
+/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
|
|
+/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
|
|
/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
|
/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
|
/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
|
|
@@ -44,14 +44,14 @@
|
|
/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
|
|
/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
|
|
|
|
-/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
|
|
+/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
|
|
|
|
-/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
|
|
-/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
|
|
-/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
|
|
-/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
|
|
-/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
|
|
-/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
|
|
-/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
|
|
-/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
|
|
+/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
|
|
+/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
|
|
+/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
|
|
+/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
|
|
+/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
|
|
+/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
|
|
+/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
|
|
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
|
|
/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
|
|
diff --git a/postfix.if b/postfix.if
|
|
index ded95ec..0b76d72 100644
|
|
--- a/postfix.if
|
|
+++ b/postfix.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>Postfix email server.</summary>
|
|
+## <summary>Postfix email server</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -16,13 +16,14 @@ interface(`postfix_stub',`
|
|
')
|
|
')
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## The template to define a postfix domain.
|
|
+## Creates types and rules for a basic
|
|
+## postfix process domain.
|
|
## </summary>
|
|
-## <param name="domain_prefix">
|
|
+## <param name="prefix">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## Prefix for the domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
@@ -31,73 +32,69 @@ template(`postfix_domain_template',`
|
|
attribute postfix_domain;
|
|
')
|
|
|
|
- ########################################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
-
|
|
type postfix_$1_t, postfix_domain;
|
|
type postfix_$1_exec_t;
|
|
domain_type(postfix_$1_t)
|
|
domain_entry_file(postfix_$1_t, postfix_$1_exec_t)
|
|
role system_r types postfix_$1_t;
|
|
|
|
- ########################################
|
|
- #
|
|
- # Policy
|
|
- #
|
|
-
|
|
- can_exec(postfix_$1_t, postfix_$1_exec_t)
|
|
+ kernel_read_system_state(postfix_$1_t)
|
|
|
|
auth_use_nsswitch(postfix_$1_t)
|
|
+
|
|
+ logging_send_syslog_msg(postfix_$1_t)
|
|
+
|
|
+ can_exec(postfix_$1_t, postfix_$1_exec_t)
|
|
')
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## The template to define a postfix server domain.
|
|
+## Creates a postfix server process domain.
|
|
## </summary>
|
|
-## <param name="domain_prefix">
|
|
+## <param name="prefix">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## Prefix of the domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`postfix_server_domain_template',`
|
|
- gen_require(`
|
|
- attribute postfix_server_domain, postfix_server_tmp_content;
|
|
- ')
|
|
-
|
|
- ########################################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
-
|
|
postfix_domain_template($1)
|
|
|
|
- typeattribute postfix_$1_t postfix_server_domain;
|
|
-
|
|
- type postfix_$1_tmp_t, postfix_server_tmp_content;
|
|
+ type postfix_$1_tmp_t;
|
|
files_tmp_file(postfix_$1_tmp_t)
|
|
|
|
- ########################################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
+ allow postfix_$1_t self:capability { setuid setgid sys_chroot dac_override };
|
|
+ allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
|
|
+ allow postfix_$1_t self:tcp_socket create_socket_perms;
|
|
+ allow postfix_$1_t self:udp_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
|
|
manage_files_pattern(postfix_$1_t, postfix_$1_tmp_t, postfix_$1_tmp_t)
|
|
files_tmp_filetrans(postfix_$1_t, postfix_$1_tmp_t, { file dir })
|
|
|
|
domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
|
|
+
|
|
+ corenet_all_recvfrom_netlabel(postfix_$1_t)
|
|
+ corenet_tcp_sendrecv_generic_if(postfix_$1_t)
|
|
+ corenet_udp_sendrecv_generic_if(postfix_$1_t)
|
|
+ corenet_tcp_sendrecv_generic_node(postfix_$1_t)
|
|
+ corenet_udp_sendrecv_generic_node(postfix_$1_t)
|
|
+ corenet_tcp_sendrecv_all_ports(postfix_$1_t)
|
|
+ corenet_udp_sendrecv_all_ports(postfix_$1_t)
|
|
+ corenet_tcp_bind_generic_node(postfix_$1_t)
|
|
+ corenet_udp_bind_generic_node(postfix_$1_t)
|
|
+ corenet_tcp_connect_all_ports(postfix_$1_t)
|
|
+ corenet_sendrecv_all_client_packets(postfix_$1_t)
|
|
')
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## The template to define a postfix user domain.
|
|
+## Creates a process domain for programs
|
|
+## that are ran by users.
|
|
## </summary>
|
|
-## <param name="domain_prefix">
|
|
+## <param name="prefix">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## Prefix of the domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
@@ -106,30 +103,22 @@ template(`postfix_user_domain_template',`
|
|
attribute postfix_user_domains, postfix_user_domtrans;
|
|
')
|
|
|
|
- ########################################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
-
|
|
postfix_domain_template($1)
|
|
|
|
typeattribute postfix_$1_t postfix_user_domains;
|
|
|
|
- ########################################
|
|
- #
|
|
- # Policy
|
|
- #
|
|
-
|
|
allow postfix_$1_t self:capability dac_override;
|
|
|
|
domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
|
|
|
|
domain_use_interactive_fds(postfix_$1_t)
|
|
+
|
|
+ application_domain(postfix_$1_t, postfix_$1_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read postfix configuration content.
|
|
+## Read postfix configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -143,16 +132,15 @@ interface(`postfix_read_config',`
|
|
type postfix_etc_t;
|
|
')
|
|
|
|
+ read_files_pattern($1, postfix_etc_t, postfix_etc_t)
|
|
+ read_lnk_files_pattern($1, postfix_etc_t, postfix_etc_t)
|
|
files_search_etc($1)
|
|
- allow $1 postfix_etc_t:dir list_dir_perms;
|
|
- allow $1 postfix_etc_t:file read_file_perms;
|
|
- allow $1 postfix_etc_t:lnk_file read_lnk_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create specified object in postfix
|
|
-## etc directories with a type transition.
|
|
+## Create files with the specified type in
|
|
+## the postfix configuration directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -180,6 +168,7 @@ interface(`postfix_config_filetrans',`
|
|
type postfix_etc_t;
|
|
')
|
|
|
|
+ files_search_etc($1)
|
|
filetrans_pattern($1, postfix_etc_t, $2, $3, $4)
|
|
')
|
|
|
|
@@ -205,7 +194,8 @@ interface(`postfix_dontaudit_rw_local_tcp_sockets',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write postfix local pipes.
|
|
+## Allow read/write postfix local pipes
|
|
+## TCP sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -221,30 +211,28 @@ interface(`postfix_rw_local_pipes',`
|
|
allow $1 postfix_local_t:fifo_file rw_fifo_file_perms;
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Read postfix local process state files.
|
|
+## Allow read/write postfix public pipes
|
|
+## TCP sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`postfix_read_local_state',`
|
|
- gen_require(`
|
|
- type postfix_local_t;
|
|
- ')
|
|
+interface(`postfix_rw_public_pipes',`
|
|
+ gen_require(`
|
|
+ type postfix_public_t;
|
|
+ ')
|
|
|
|
- kernel_search_proc($1)
|
|
- allow $1 postfix_local_t:dir list_dir_perms;
|
|
- allow $1 postfix_local_t:file read_file_perms;
|
|
- allow $1 postfix_local_t:lnk_file read_lnk_file_perms;
|
|
+ allow $1 postfix_public_t:fifo_file rw_fifo_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write inherited postfix master pipes.
|
|
+## Allow domain to read postfix local process state
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -252,18 +240,18 @@ interface(`postfix_read_local_state',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`postfix_rw_inherited_master_pipes',`
|
|
+interface(`postfix_read_local_state',`
|
|
gen_require(`
|
|
- type postfix_master_t;
|
|
+ type postfix_local_t;
|
|
')
|
|
|
|
- allow $1 postfix_master_t:fd use;
|
|
- allow $1 postfix_master_t:fifo_file { getattr write append lock ioctl read };
|
|
+ kernel_search_proc($1)
|
|
+ ps_process_pattern($1, postfix_local_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read postfix master process state files.
|
|
+## Allow domain to read postfix master process state
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -277,14 +265,13 @@ interface(`postfix_read_master_state',`
|
|
')
|
|
|
|
kernel_search_proc($1)
|
|
- allow $1 postfix_master_t:dir list_dir_perms;
|
|
- allow $1 postfix_master_t:file read_file_perms;
|
|
- allow $1 postfix_master_t:lnk_file read_lnk_file_perms;
|
|
+ ps_process_pattern($1, postfix_master_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Use postfix master file descriptors.
|
|
+## Use postfix master process file
|
|
+## file descriptors.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -335,15 +322,13 @@ interface(`postfix_domtrans_map',`
|
|
type postfix_map_t, postfix_map_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, postfix_map_exec_t, postfix_map_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute postfix map in the postfix
|
|
-## map domain, and allow the specified
|
|
-## role the postfix_map domain.
|
|
+## Execute postfix_map in the postfix_map domain, and
|
|
+## allow the specified role the postfix_map domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -359,17 +344,17 @@ interface(`postfix_domtrans_map',`
|
|
#
|
|
interface(`postfix_run_map',`
|
|
gen_require(`
|
|
- attribute_role postfix_map_roles;
|
|
+ type postfix_map_t;
|
|
')
|
|
|
|
postfix_domtrans_map($1)
|
|
- roleattribute $2 postfix_map_roles;
|
|
+ role $2 types postfix_map_t;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute the master postfix program
|
|
-## in the postfix_master domain.
|
|
+## Execute the master postfix program in the
|
|
+## postfix_master domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -382,14 +367,32 @@ interface(`postfix_domtrans_master',`
|
|
type postfix_master_t, postfix_master_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
|
|
')
|
|
|
|
+
|
|
########################################
|
|
## <summary>
|
|
-## Execute the master postfix program
|
|
-## in the caller domain.
|
|
+## Execute the master postfix in the postfix master domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`postfix_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type postfix_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, postfix_initrc_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute the master postfix program in the
|
|
+## caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -402,21 +405,18 @@ interface(`postfix_exec_master',`
|
|
type postfix_master_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, postfix_master_exec_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Connect to postfix master process
|
|
-## using a unix domain stream socket.
|
|
+## Connect to postfix master process using a unix domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
interface(`postfix_stream_connect_master',`
|
|
gen_require(`
|
|
@@ -428,8 +428,7 @@ interface(`postfix_stream_connect_master',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write postfix master
|
|
-## unnamed pipes. (Deprecated)
|
|
+## Allow read/write postfix master pipes
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -437,15 +436,18 @@ interface(`postfix_stream_connect_master',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`postfix_rw_master_pipes',`
|
|
- refpolicywarn(`$0($*) has been deprecated, use postfix_rw_inherited_master_pipes() instead.')
|
|
- postfix_rw_inherited_master_pipes($1)
|
|
+interface(`postfix_rw_inherited_master_pipes',`
|
|
+ gen_require(`
|
|
+ type postfix_master_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 postfix_master_t:fifo_file rw_inherited_fifo_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute the master postdrop in the
|
|
-## postfix postdrop domain.
|
|
+## postfix_postdrop domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -458,14 +460,13 @@ interface(`postfix_domtrans_postdrop',`
|
|
type postfix_postdrop_t, postfix_postdrop_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute the master postqueue in the
|
|
-## postfix postqueue domain.
|
|
+## postfix_postqueue domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -478,30 +479,85 @@ interface(`postfix_domtrans_postqueue',`
|
|
type postfix_postqueue_t, postfix_postqueue_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
|
|
')
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## Execute the master postqueue in
|
|
-## the caller domain. (Deprecated)
|
|
+## Execute the master postqueue in the
|
|
+## postfix_postdrop domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed the iptables domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
#
|
|
-interface(`posftix_exec_postqueue',`
|
|
- refpolicywarn(`$0($*) has been deprecated.')
|
|
- postfix_exec_postqueue($1)
|
|
+
|
|
+interface(`postfix_run_postqueue',`
|
|
+ gen_require(`
|
|
+ type postfix_postqueue_t;
|
|
+ ')
|
|
+
|
|
+ postfix_domtrans_postqueue($1)
|
|
+ role $2 types postfix_postqueue_t;
|
|
+ allow postfix_postqueue_t $1:unix_stream_socket { read write getattr };
|
|
')
|
|
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute postfix_postgqueue in the postfix_postgqueue domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`postfix_domtrans_postgqueue',`
|
|
+ gen_require(`
|
|
+ type postfix_postgqueue_t;
|
|
+ type postfix_postgqueue_exec_t;
|
|
+ ')
|
|
+ domtrans_pattern($1, postfix_postgqueue_exec_t,postfix_postgqueue_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute postfix_postgqueue in the postfix_postgqueue domain, and
|
|
+## allow the specified role the postfix_postgqueue domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`postfix_run_postgqueue',`
|
|
+ gen_require(`
|
|
+ type postfix_postgqueue_t;
|
|
+ ')
|
|
+
|
|
+ postfix_domtrans_postgqueue($1)
|
|
+ role $2 types postfix_postgqueue_t;
|
|
+')
|
|
+
|
|
+
|
|
#######################################
|
|
## <summary>
|
|
-## Execute postfix postqueue in
|
|
-## the caller domain.
|
|
+## Execute the master postqueue in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -514,13 +570,12 @@ interface(`postfix_exec_postqueue',`
|
|
type postfix_postqueue_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, postfix_postqueue_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create postfix private sock files.
|
|
+## Create a named socket in a postfix private directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -533,13 +588,13 @@ interface(`postfix_create_private_sockets',`
|
|
type postfix_private_t;
|
|
')
|
|
|
|
+ allow $1 postfix_private_t:dir list_dir_perms;
|
|
create_sock_files_pattern($1, postfix_private_t, postfix_private_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## postfix private sock files.
|
|
+## manage named socket in a postfix private directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -552,13 +607,14 @@ interface(`postfix_manage_private_sockets',`
|
|
type postfix_private_t;
|
|
')
|
|
|
|
+ allow $1 postfix_private_t:dir list_dir_perms;
|
|
manage_sock_files_pattern($1, postfix_private_t, postfix_private_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute the smtp postfix program
|
|
-## in the postfix smtp domain.
|
|
+## Execute the master postfix program in the
|
|
+## postfix_master domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -571,14 +627,12 @@ interface(`postfix_domtrans_smtp',`
|
|
type postfix_smtp_t, postfix_smtp_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, postfix_smtp_exec_t, postfix_smtp_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Get attributes of all postfix mail
|
|
-## spool files.
|
|
+## Getattr postfix mail spool files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -586,7 +640,7 @@ interface(`postfix_domtrans_smtp',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`postfix_getattr_all_spool_files',`
|
|
+interface(`postfix_getattr_spool_files',`
|
|
gen_require(`
|
|
attribute postfix_spool_type;
|
|
')
|
|
@@ -607,11 +661,11 @@ interface(`postfix_getattr_all_spool_files',`
|
|
#
|
|
interface(`postfix_search_spool',`
|
|
gen_require(`
|
|
- type postfix_spool_t;
|
|
+ attribute postfix_spool_type;
|
|
')
|
|
|
|
+ allow $1 postfix_spool_type:dir search_dir_perms;
|
|
files_search_spool($1)
|
|
- allow $1 postfix_spool_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
@@ -626,11 +680,11 @@ interface(`postfix_search_spool',`
|
|
#
|
|
interface(`postfix_list_spool',`
|
|
gen_require(`
|
|
- type postfix_spool_t;
|
|
+ attribute postfix_spool_type;
|
|
')
|
|
|
|
+ allow $1 postfix_spool_type:dir list_dir_perms;
|
|
files_search_spool($1)
|
|
- allow $1 postfix_spool_t:dir list_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
@@ -645,17 +699,16 @@ interface(`postfix_list_spool',`
|
|
#
|
|
interface(`postfix_read_spool_files',`
|
|
gen_require(`
|
|
- type postfix_spool_t;
|
|
+ attribute postfix_spool_type;
|
|
')
|
|
|
|
files_search_spool($1)
|
|
- read_files_pattern($1, postfix_spool_t, postfix_spool_t)
|
|
+ read_files_pattern($1, postfix_spool_type, postfix_spool_type)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## postfix mail spool files.
|
|
+## Create, read, write, and delete postfix mail spool files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -665,11 +718,50 @@ interface(`postfix_read_spool_files',`
|
|
#
|
|
interface(`postfix_manage_spool_files',`
|
|
gen_require(`
|
|
- type postfix_spool_t;
|
|
+ attribute postfix_spool_type;
|
|
')
|
|
|
|
files_search_spool($1)
|
|
- manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
|
|
+ manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Read, write, and delete postfix maildrop spool files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`postfix_rw_spool_maildrop_files',`
|
|
+ gen_require(`
|
|
+ type postfix_spool_maildrop_t;
|
|
+ ')
|
|
+
|
|
+ files_search_spool($1)
|
|
+ rw_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete postfix maildrop spool files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`postfix_manage_spool_maildrop_files',`
|
|
+ gen_require(`
|
|
+ type postfix_spool_maildrop_t;
|
|
+ ')
|
|
+
|
|
+ files_search_spool($1)
|
|
+ manage_dirs_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
|
+ manage_files_pattern($1, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -693,8 +785,8 @@ interface(`postfix_domtrans_user_mail_handler',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an postfix environment.
|
|
+## All of the rules required to administrate
|
|
+## an postfix environment.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -710,38 +802,137 @@ interface(`postfix_domtrans_user_mail_handler',`
|
|
#
|
|
interface(`postfix_admin',`
|
|
gen_require(`
|
|
- attribute postfix_domain, postfix_spool_type, postfix_server_tmp_content;
|
|
- type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
|
|
- type postfix_data_t, postfix_var_run_t, postfix_public_t;
|
|
- type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
|
|
- type postfix_keytab_t;
|
|
+ attribute postfix_spool_type;
|
|
+ type postfix_bounce_t, postfix_cleanup_t, postfix_local_t;
|
|
+ type postfix_master_t, postfix_pickup_t, postfix_qmgr_t;
|
|
+ type postfix_initrc_exec_t, postfix_data_t, postfix_etc_t;
|
|
+ type postfix_map_tmp_t, postfix_prng_t, postfix_public_t;
|
|
+ type postfix_smtpd_t, postfix_var_run_t;
|
|
')
|
|
|
|
- allow $1 postfix_domain:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, postfix_domain)
|
|
+ allow $1 postfix_bounce_t:process signal_perms;
|
|
+ ps_process_pattern($1, postfix_bounce_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 postfix_bounce_t:process ptrace;
|
|
+ ')
|
|
|
|
- init_labeled_script_domtrans($1, postfix_initrc_exec_t)
|
|
+ allow $1 postfix_cleanup_t:process signal_perms;
|
|
+ ps_process_pattern($1, postfix_cleanup_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 postfix_cleanup_t:process ptrace;
|
|
+ allow $1 postfix_local_t:process ptrace;
|
|
+ allow $1 postfix_master_t:process ptrace;
|
|
+ allow $1 postfix_pickup_t:process ptrace;
|
|
+ allow $1 postfix_qmgr_t:process ptrace;
|
|
+ allow $1 postfix_smtpd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ allow $1 postfix_local_t:process signal_perms;
|
|
+ ps_process_pattern($1, postfix_local_t)
|
|
+
|
|
+ allow $1 postfix_master_t:process signal_perms;
|
|
+ ps_process_pattern($1, postfix_master_t)
|
|
+
|
|
+ allow $1 postfix_pickup_t:process signal_perms;
|
|
+ ps_process_pattern($1, postfix_pickup_t)
|
|
+
|
|
+ allow $1 postfix_qmgr_t:process signal_perms;
|
|
+ ps_process_pattern($1, postfix_qmgr_t)
|
|
+
|
|
+ allow $1 postfix_smtpd_t:process signal_perms;
|
|
+ ps_process_pattern($1, postfix_smtpd_t)
|
|
+
|
|
+ postfix_run_map($1, $2)
|
|
+ postfix_run_postdrop($1, $2)
|
|
+ postfix_run_postqueue($1, $2)
|
|
+
|
|
+ postfix_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 postfix_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })
|
|
+ admin_pattern($1, postfix_data_t)
|
|
|
|
- files_search_spool($1)
|
|
- admin_pattern($1, { postfix_public_t postfix_private_t postfix_spool_type })
|
|
+ files_list_etc($1)
|
|
+ admin_pattern($1, postfix_etc_t)
|
|
|
|
- files_search_var_lib($1)
|
|
- admin_pattern($1, postfix_data_t)
|
|
+ files_list_spool($1)
|
|
+ admin_pattern($1, postfix_spool_type)
|
|
|
|
- files_search_pids($1)
|
|
admin_pattern($1, postfix_var_run_t)
|
|
|
|
- files_search_tmp($1)
|
|
- admin_pattern($1, { postfix_server_tmp_content postfix_map_tmp_t })
|
|
+ files_list_tmp($1)
|
|
+ admin_pattern($1, postfix_map_tmp_t)
|
|
+
|
|
+ admin_pattern($1, postfix_prng_t)
|
|
|
|
- postfix_exec_master($1)
|
|
- postfix_exec_postqueue($1)
|
|
- postfix_stream_connect_master($1)
|
|
- postfix_run_map($1, $2)
|
|
+ admin_pattern($1, postfix_public_t)
|
|
+
|
|
+ postfix_filetrans_named_content($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute the master postdrop in the
|
|
+## postfix_postdrop domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed the iptables domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`postfix_run_postdrop',`
|
|
+ gen_require(`
|
|
+ type postfix_postdrop_t;
|
|
+ ')
|
|
+
|
|
+ postfix_domtrans_postdrop($1)
|
|
+ role $2 types postfix_postdrop_t;
|
|
+ allow postfix_postdrop_t $1:unix_stream_socket { read write getattr };
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute postfix exec in the users domain
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`postfix_exec',`
|
|
+ gen_require(`
|
|
+ type postfix_exec_t;
|
|
+ ')
|
|
+
|
|
+ can_exec($1, postfix_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to postfix named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`postfix_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type postfix_exec_t;
|
|
+ type postfix_prng_t;
|
|
+ ')
|
|
+
|
|
+ postfix_config_filetrans($1, postfix_exec_t, file, "postfix-script")
|
|
+ postfix_config_filetrans($1, postfix_prng_t, file, "prng_exch")
|
|
')
|
|
diff --git a/postfix.te b/postfix.te
|
|
index 5cfb83e..a18b985 100644
|
|
--- a/postfix.te
|
|
+++ b/postfix.te
|
|
@@ -6,27 +6,23 @@ policy_module(postfix, 1.15.1)
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether postfix local
|
|
-## can manage mail spool content.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow postfix_local domain full write access to mail_spool directories
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(postfix_local_write_mail_spool, true)
|
|
|
|
attribute postfix_domain;
|
|
-attribute postfix_server_domain;
|
|
-attribute postfix_server_tmp_content;
|
|
attribute postfix_spool_type;
|
|
attribute postfix_user_domains;
|
|
+# domains that transition to the
|
|
+# postfix user domains
|
|
attribute postfix_user_domtrans;
|
|
|
|
-attribute_role postfix_map_roles;
|
|
-roleattribute system_r postfix_map_roles;
|
|
-
|
|
postfix_server_domain_template(bounce)
|
|
|
|
type postfix_spool_bounce_t, postfix_spool_type;
|
|
-files_type(postfix_spool_bounce_t)
|
|
+files_spool_file(postfix_spool_bounce_t)
|
|
|
|
postfix_server_domain_template(cleanup)
|
|
|
|
@@ -42,16 +38,19 @@ files_type(postfix_keytab_t)
|
|
postfix_server_domain_template(local)
|
|
mta_mailserver_delivery(postfix_local_t)
|
|
|
|
+# Program for creating database files
|
|
type postfix_map_t;
|
|
type postfix_map_exec_t;
|
|
application_domain(postfix_map_t, postfix_map_exec_t)
|
|
-role postfix_map_roles types postfix_map_t;
|
|
+role system_r types postfix_map_t;
|
|
|
|
type postfix_map_tmp_t;
|
|
files_tmp_file(postfix_map_tmp_t)
|
|
|
|
postfix_domain_template(master)
|
|
typealias postfix_master_t alias postfix_t;
|
|
+# alias is a hack to make the disable trans bool
|
|
+# generation macro work
|
|
mta_mailserver(postfix_t, postfix_master_exec_t)
|
|
|
|
type postfix_initrc_exec_t;
|
|
@@ -63,6 +62,7 @@ postfix_server_domain_template(pipe)
|
|
|
|
postfix_user_domain_template(postdrop)
|
|
mta_mailserver_user_agent(postfix_postdrop_t)
|
|
+mta_agent_executable(postfix_postdrop_t)
|
|
|
|
postfix_user_domain_template(postqueue)
|
|
mta_mailserver_user_agent(postfix_postqueue_t)
|
|
@@ -83,13 +83,13 @@ mta_mailserver_sender(postfix_smtp_t)
|
|
postfix_server_domain_template(smtpd)
|
|
|
|
type postfix_spool_t, postfix_spool_type;
|
|
-files_type(postfix_spool_t)
|
|
+files_spool_file(postfix_spool_t)
|
|
|
|
type postfix_spool_maildrop_t, postfix_spool_type;
|
|
-files_type(postfix_spool_maildrop_t)
|
|
+files_spool_file(postfix_spool_maildrop_t)
|
|
|
|
type postfix_spool_flush_t, postfix_spool_type;
|
|
-files_type(postfix_spool_flush_t)
|
|
+files_spool_file(postfix_spool_flush_t)
|
|
|
|
type postfix_public_t;
|
|
files_type(postfix_public_t)
|
|
@@ -97,6 +97,7 @@ files_type(postfix_public_t)
|
|
type postfix_var_run_t;
|
|
files_pid_file(postfix_var_run_t)
|
|
|
|
+# the data_directory config parameter
|
|
type postfix_data_t;
|
|
files_type(postfix_data_t)
|
|
|
|
@@ -105,109 +106,22 @@ mta_mailserver_delivery(postfix_virtual_t)
|
|
|
|
########################################
|
|
#
|
|
-# Common postfix domain local policy
|
|
-#
|
|
-
|
|
-allow postfix_domain self:capability { sys_nice sys_chroot };
|
|
-dontaudit postfix_domain self:capability sys_tty_config;
|
|
-allow postfix_domain self:process { signal_perms setpgid setsched };
|
|
-allow postfix_domain self:fifo_file rw_fifo_file_perms;
|
|
-allow postfix_domain self:unix_stream_socket { accept connectto listen };
|
|
-
|
|
-allow postfix_domain postfix_etc_t:dir list_dir_perms;
|
|
-allow postfix_domain postfix_etc_t:file read_file_perms;
|
|
-allow postfix_domain postfix_etc_t:lnk_file read_lnk_file_perms;
|
|
-
|
|
-allow postfix_domain postfix_master_t:file read_file_perms;
|
|
-
|
|
-allow postfix_domain postfix_exec_t:file { mmap_file_perms lock };
|
|
-
|
|
-allow postfix_domain postfix_master_t:process sigchld;
|
|
-
|
|
-allow postfix_domain postfix_spool_t:dir list_dir_perms;
|
|
-
|
|
-manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
|
|
-files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
|
|
-
|
|
-kernel_read_system_state(postfix_domain)
|
|
-kernel_read_network_state(postfix_domain)
|
|
-kernel_read_all_sysctls(postfix_domain)
|
|
-
|
|
-dev_read_sysfs(postfix_domain)
|
|
-dev_read_rand(postfix_domain)
|
|
-dev_read_urand(postfix_domain)
|
|
-
|
|
-fs_search_auto_mountpoints(postfix_domain)
|
|
-fs_getattr_all_fs(postfix_domain)
|
|
-fs_rw_anon_inodefs_files(postfix_domain)
|
|
-
|
|
-term_dontaudit_use_console(postfix_domain)
|
|
-
|
|
-corecmd_exec_shell(postfix_domain)
|
|
-
|
|
-files_read_etc_runtime_files(postfix_domain)
|
|
-files_read_usr_files(postfix_domain)
|
|
-files_search_spool(postfix_domain)
|
|
-files_getattr_tmp_dirs(postfix_domain)
|
|
-files_search_all_mountpoints(postfix_domain)
|
|
-
|
|
-init_dontaudit_use_fds(postfix_domain)
|
|
-init_sigchld(postfix_domain)
|
|
-
|
|
-logging_send_syslog_msg(postfix_domain)
|
|
-
|
|
-miscfiles_read_localization(postfix_domain)
|
|
-miscfiles_read_generic_certs(postfix_domain)
|
|
-
|
|
-userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
|
|
-
|
|
-optional_policy(`
|
|
- udev_read_db(postfix_domain)
|
|
-')
|
|
-
|
|
-########################################
|
|
-#
|
|
-# Common postfix server domain local policy
|
|
-#
|
|
-
|
|
-allow postfix_server_domain self:capability { setuid setgid dac_override };
|
|
-
|
|
-allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
|
|
-
|
|
-corenet_all_recvfrom_unlabeled(postfix_server_domain)
|
|
-corenet_all_recvfrom_netlabel(postfix_server_domain)
|
|
-corenet_tcp_sendrecv_generic_if(postfix_server_domain)
|
|
-corenet_tcp_sendrecv_generic_node(postfix_server_domain)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(postfix_server_domain)
|
|
-corenet_tcp_connect_all_ports(postfix_server_domain)
|
|
-corenet_tcp_sendrecv_all_ports(postfix_server_domain)
|
|
-
|
|
-########################################
|
|
-#
|
|
-# Common postfix user domain local policy
|
|
-#
|
|
-
|
|
-allow postfix_user_domains self:capability dac_override;
|
|
-
|
|
-domain_use_interactive_fds(postfix_user_domains)
|
|
-
|
|
-########################################
|
|
-#
|
|
-# Master local policy
|
|
+# Postfix master process local policy
|
|
#
|
|
|
|
-allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid sys_tty_config };
|
|
+# chown is to set the correct ownership of queue dirs
|
|
+allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
|
|
allow postfix_master_t self:capability2 block_suspend;
|
|
+
|
|
allow postfix_master_t self:process setrlimit;
|
|
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
|
|
allow postfix_master_t self:udp_socket create_socket_perms;
|
|
|
|
-allow postfix_master_t postfix_domain:fifo_file rw_fifo_file_perms;
|
|
-allow postfix_master_t postfix_domain:process signal;
|
|
-
|
|
allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
|
|
allow postfix_master_t postfix_etc_t:file rw_file_perms;
|
|
+mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
|
|
+
|
|
+can_exec(postfix_master_t, postfix_exec_t)
|
|
|
|
allow postfix_master_t postfix_data_t:dir manage_dir_perms;
|
|
allow postfix_master_t postfix_data_t:file manage_file_perms;
|
|
@@ -216,34 +130,32 @@ allow postfix_master_t postfix_keytab_t:file read_file_perms;
|
|
|
|
allow postfix_master_t postfix_map_exec_t:file { mmap_file_perms ioctl lock };
|
|
|
|
-allow postfix_master_t { postfix_postdrop_exec_t postfix_postqueue_exec_t }:file getattr_file_perms;
|
|
+allow postfix_master_t postfix_postqueue_exec_t:file getattr_file_perms;
|
|
+
|
|
+manage_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
|
|
+manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
|
|
+manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
|
|
+
|
|
+domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
|
|
|
|
allow postfix_master_t postfix_prng_t:file rw_file_perms;
|
|
|
|
+manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
|
|
+manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
|
|
+
|
|
+domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
|
|
+
|
|
+# allow access to deferred queue and allow removing bogus incoming entries
|
|
manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
|
|
manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t)
|
|
files_spool_filetrans(postfix_master_t, postfix_spool_t, dir)
|
|
|
|
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
|
|
allow postfix_master_t postfix_spool_bounce_t:file getattr_file_perms;
|
|
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_bounce_t, dir, "bounce")
|
|
|
|
manage_dirs_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
|
|
manage_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
|
|
manage_lnk_files_pattern(postfix_master_t, postfix_spool_flush_t, postfix_spool_flush_t)
|
|
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_flush_t, dir, "flush")
|
|
-
|
|
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_private_t)
|
|
-manage_fifo_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
|
|
-manage_sock_files_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
|
|
-setattr_dirs_pattern(postfix_master_t, postfix_private_t, postfix_private_t)
|
|
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_private_t, dir, "private")
|
|
-
|
|
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_public_t)
|
|
-manage_fifo_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
|
|
-manage_sock_files_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
|
|
-setattr_dirs_pattern(postfix_master_t, postfix_public_t, postfix_public_t)
|
|
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_public_t, dir, "public")
|
|
|
|
create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t)
|
|
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
|
@@ -253,16 +165,8 @@ filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, d
|
|
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "deferred")
|
|
filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_spool_maildrop_t, dir, "maildrop")
|
|
|
|
-create_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t)
|
|
-setattr_dirs_pattern(postfix_master_t, postfix_var_run_t, postfix_var_run_t)
|
|
-filetrans_pattern(postfix_master_t, postfix_spool_t, postfix_var_run_t, dir, "pid")
|
|
+kernel_read_all_sysctls(postfix_master_t)
|
|
|
|
-can_exec(postfix_master_t, postfix_exec_t)
|
|
-
|
|
-domtrans_pattern(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
|
|
-domtrans_pattern(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
|
|
-
|
|
-corenet_all_recvfrom_unlabeled(postfix_master_t)
|
|
corenet_all_recvfrom_netlabel(postfix_master_t)
|
|
corenet_tcp_sendrecv_generic_if(postfix_master_t)
|
|
corenet_udp_sendrecv_generic_if(postfix_master_t)
|
|
@@ -270,50 +174,44 @@ corenet_tcp_sendrecv_generic_node(postfix_master_t)
|
|
corenet_udp_sendrecv_generic_node(postfix_master_t)
|
|
corenet_tcp_sendrecv_all_ports(postfix_master_t)
|
|
corenet_udp_sendrecv_all_ports(postfix_master_t)
|
|
+corenet_udp_bind_generic_node(postfix_master_t)
|
|
+corenet_udp_bind_all_unreserved_ports(postfix_master_t)
|
|
+corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
|
|
corenet_tcp_bind_generic_node(postfix_master_t)
|
|
-
|
|
-corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
|
|
corenet_tcp_bind_amavisd_send_port(postfix_master_t)
|
|
-
|
|
-corenet_sendrecv_smtp_server_packets(postfix_master_t)
|
|
corenet_tcp_bind_smtp_port(postfix_master_t)
|
|
-
|
|
-corenet_sendrecv_spamd_server_packets(postfix_master_t)
|
|
-corenet_tcp_bind_spamd_port(postfix_master_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(postfix_master_t)
|
|
corenet_tcp_connect_all_ports(postfix_master_t)
|
|
+corenet_sendrecv_amavisd_send_server_packets(postfix_master_t)
|
|
+corenet_sendrecv_smtp_server_packets(postfix_master_t)
|
|
+corenet_sendrecv_all_client_packets(postfix_master_t)
|
|
+# for spampd
|
|
+corenet_tcp_bind_spamd_port(postfix_master_t)
|
|
|
|
-# Can this be conditional?
|
|
-corenet_sendrecv_all_server_packets(postfix_master_t)
|
|
-corenet_udp_bind_all_unreserved_ports(postfix_master_t)
|
|
-corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
|
|
-
|
|
+# for a find command
|
|
selinux_dontaudit_search_fs(postfix_master_t)
|
|
|
|
+corecmd_exec_shell(postfix_master_t)
|
|
corecmd_exec_bin(postfix_master_t)
|
|
|
|
domain_use_interactive_fds(postfix_master_t)
|
|
|
|
+files_search_var_lib(postfix_master_t)
|
|
files_search_tmp(postfix_master_t)
|
|
|
|
-mcs_file_read_all(postfix_master_t)
|
|
-
|
|
term_dontaudit_search_ptys(postfix_master_t)
|
|
|
|
-miscfiles_read_man_pages(postfix_master_t)
|
|
-
|
|
seutil_sigchld_newrole(postfix_master_t)
|
|
-seutil_dontaudit_search_config(postfix_master_t)
|
|
|
|
-mta_manage_aliases(postfix_master_t)
|
|
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases")
|
|
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliases.db")
|
|
-mta_etc_filetrans_aliases(postfix_master_t, file, "aliasesdb-stamp")
|
|
-mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
|
|
+mta_rw_aliases(postfix_master_t)
|
|
mta_read_sendmail_bin(postfix_master_t)
|
|
mta_getattr_spool(postfix_master_t)
|
|
|
|
+ifdef(`distro_redhat',`
|
|
+ # for newer main.cf that uses /etc/aliases
|
|
+ mta_manage_aliases(postfix_master_t)
|
|
+ mta_etc_filetrans_aliases(postfix_master_t)
|
|
+')
|
|
+
|
|
optional_policy(`
|
|
cyrus_stream_connect(postfix_master_t)
|
|
')
|
|
@@ -324,14 +222,6 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- mailman_manage_data_files(postfix_master_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- mysql_stream_connect(postfix_master_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
postgrey_search_spool(postfix_master_t)
|
|
')
|
|
|
|
@@ -341,12 +231,14 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Bounce local policy
|
|
+# Postfix bounce local policy
|
|
#
|
|
|
|
allow postfix_bounce_t self:capability dac_read_search;
|
|
+allow postfix_bounce_t self:tcp_socket create_socket_perms;
|
|
|
|
-write_sock_files_pattern(postfix_bounce_t, postfix_public_t, postfix_public_t)
|
|
+allow postfix_bounce_t postfix_public_t:sock_file write;
|
|
+allow postfix_bounce_t postfix_public_t:dir search_dir_perms;
|
|
|
|
manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
|
|
manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t)
|
|
@@ -363,37 +255,34 @@ manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool
|
|
|
|
########################################
|
|
#
|
|
-# Cleanup local policy
|
|
+# Postfix cleanup local policy
|
|
#
|
|
|
|
allow postfix_cleanup_t self:process setrlimit;
|
|
-
|
|
allow postfix_cleanup_t postfix_smtpd_t:tcp_socket rw_stream_socket_perms;
|
|
-allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
|
|
-
|
|
-allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
|
|
-allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
|
|
-allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
|
|
|
|
+# connect to master process
|
|
stream_connect_pattern(postfix_cleanup_t, postfix_private_t, postfix_private_t, postfix_master_t)
|
|
|
|
rw_fifo_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
|
|
write_sock_files_pattern(postfix_cleanup_t, postfix_public_t, postfix_public_t)
|
|
+allow postfix_cleanup_t postfix_smtpd_t:unix_stream_socket rw_socket_perms;
|
|
|
|
manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
|
|
manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
|
|
manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t)
|
|
files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir)
|
|
|
|
+allow postfix_cleanup_t postfix_spool_maildrop_t:dir list_dir_perms;
|
|
+allow postfix_cleanup_t postfix_spool_maildrop_t:file read_file_perms;
|
|
+allow postfix_cleanup_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
|
|
+
|
|
allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms;
|
|
|
|
corecmd_exec_bin(postfix_cleanup_t)
|
|
|
|
-corenet_sendrecv_kismet_client_packets(postfix_cleanup_t)
|
|
-corenet_tcp_connect_kismet_port(postfix_cleanup_t)
|
|
-corenet_tcp_sendrecv_kismet_port(postfix_cleanup_t)
|
|
-
|
|
-mta_read_aliases(postfix_cleanup_t)
|
|
+# allow postfix to connect to sqlgrey
|
|
+corenet_tcp_connect_rtsclient_port(postfix_cleanup_t)
|
|
|
|
optional_policy(`
|
|
mailman_read_data_files(postfix_cleanup_t)
|
|
@@ -401,36 +290,50 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Local local policy
|
|
+# Postfix local local policy
|
|
#
|
|
|
|
-allow postfix_local_t self:capability chown;
|
|
-allow postfix_local_t self:process setrlimit;
|
|
+allow postfix_local_t self:process { setsched setrlimit };
|
|
|
|
+# connect to master process
|
|
stream_connect_pattern(postfix_local_t, postfix_public_t, postfix_public_t, postfix_master_t)
|
|
|
|
+# for .forward - maybe we need a new type for it?
|
|
rw_sock_files_pattern(postfix_local_t, postfix_private_t, postfix_private_t)
|
|
-
|
|
-allow postfix_local_t postfix_spool_t:file rw_file_perms;
|
|
+rw_files_pattern(postfix_local_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
|
|
|
domtrans_pattern(postfix_local_t, postfix_postdrop_exec_t, postfix_postdrop_t)
|
|
|
|
+allow postfix_local_t postfix_spool_t:file rw_file_perms;
|
|
+
|
|
+corecmd_exec_shell(postfix_local_t)
|
|
corecmd_exec_bin(postfix_local_t)
|
|
|
|
logging_dontaudit_search_logs(postfix_local_t)
|
|
|
|
mta_delete_spool(postfix_local_t)
|
|
-mta_read_aliases(postfix_local_t)
|
|
-mta_read_config(postfix_local_t)
|
|
+# Handle vacation script
|
|
mta_send_mail(postfix_local_t)
|
|
|
|
+userdom_read_user_home_content_files(postfix_local_t)
|
|
+userdom_exec_user_bin_files(postfix_local_t)
|
|
+
|
|
+tunable_policy(`use_nfs_home_dirs',`
|
|
+ fs_exec_nfs_files(postfix_local_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`use_samba_home_dirs',`
|
|
+ fs_exec_cifs_files(postfix_local_t)
|
|
+')
|
|
+
|
|
tunable_policy(`postfix_local_write_mail_spool',`
|
|
mta_manage_spool(postfix_local_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- clamav_search_lib(postfix_local_t)
|
|
- clamav_exec_clamscan(postfix_local_t)
|
|
+ antivirus_search_db(postfix_local_t)
|
|
+ antivirus_exec(postfix_local_t)
|
|
+ antivirus_stream_connect(postfix_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -442,6 +345,7 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+# for postalias
|
|
mailman_manage_data_files(postfix_local_t)
|
|
mailman_append_log(postfix_local_t)
|
|
mailman_read_log(postfix_local_t)
|
|
@@ -452,6 +356,10 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ openshift_search_lib(postfix_local_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
procmail_domtrans(postfix_local_t)
|
|
')
|
|
|
|
@@ -466,15 +374,17 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Map local policy
|
|
+# Postfix map local policy
|
|
#
|
|
-
|
|
allow postfix_map_t self:capability { dac_override setgid setuid };
|
|
-allow postfix_map_t self:tcp_socket { accept listen };
|
|
+allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow postfix_map_t self:unix_dgram_socket create_socket_perms;
|
|
+allow postfix_map_t self:tcp_socket create_stream_socket_perms;
|
|
+allow postfix_map_t self:udp_socket create_socket_perms;
|
|
|
|
-allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
|
|
-allow postfix_map_t postfix_etc_t:file manage_file_perms;
|
|
-allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
|
|
+manage_dirs_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
|
|
+manage_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
|
|
+manage_lnk_files_pattern(postfix_map_t, postfix_etc_t, postfix_etc_t)
|
|
|
|
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
|
|
manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
|
|
@@ -484,14 +394,15 @@ kernel_read_kernel_sysctls(postfix_map_t)
|
|
kernel_dontaudit_list_proc(postfix_map_t)
|
|
kernel_dontaudit_read_system_state(postfix_map_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(postfix_map_t)
|
|
corenet_all_recvfrom_netlabel(postfix_map_t)
|
|
corenet_tcp_sendrecv_generic_if(postfix_map_t)
|
|
+corenet_udp_sendrecv_generic_if(postfix_map_t)
|
|
corenet_tcp_sendrecv_generic_node(postfix_map_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(postfix_map_t)
|
|
-corenet_tcp_connect_all_ports(postfix_map_t)
|
|
+corenet_udp_sendrecv_generic_node(postfix_map_t)
|
|
corenet_tcp_sendrecv_all_ports(postfix_map_t)
|
|
+corenet_udp_sendrecv_all_ports(postfix_map_t)
|
|
+corenet_tcp_connect_all_ports(postfix_map_t)
|
|
+corenet_sendrecv_all_client_packets(postfix_map_t)
|
|
|
|
corecmd_list_bin(postfix_map_t)
|
|
corecmd_read_bin_symlinks(postfix_map_t)
|
|
@@ -500,7 +411,6 @@ corecmd_read_bin_pipes(postfix_map_t)
|
|
corecmd_read_bin_sockets(postfix_map_t)
|
|
|
|
files_list_home(postfix_map_t)
|
|
-files_read_usr_files(postfix_map_t)
|
|
files_read_etc_runtime_files(postfix_map_t)
|
|
files_dontaudit_search_var(postfix_map_t)
|
|
|
|
@@ -508,21 +418,22 @@ auth_use_nsswitch(postfix_map_t)
|
|
|
|
logging_send_syslog_msg(postfix_map_t)
|
|
|
|
-miscfiles_read_localization(postfix_map_t)
|
|
-
|
|
optional_policy(`
|
|
locallogin_dontaudit_use_fds(postfix_map_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+# for postalias
|
|
mailman_manage_data_files(postfix_map_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Pickup local policy
|
|
+# Postfix pickup local policy
|
|
#
|
|
|
|
+allow postfix_pickup_t self:tcp_socket create_socket_perms;
|
|
+
|
|
stream_connect_pattern(postfix_pickup_t, postfix_private_t, postfix_private_t, postfix_master_t)
|
|
|
|
rw_fifo_files_pattern(postfix_pickup_t, postfix_public_t, postfix_public_t)
|
|
@@ -532,16 +443,15 @@ allow postfix_pickup_t postfix_spool_t:dir list_dir_perms;
|
|
read_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
|
|
delete_files_pattern(postfix_pickup_t, postfix_spool_t, postfix_spool_t)
|
|
|
|
+postfix_list_spool(postfix_pickup_t)
|
|
+
|
|
allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
|
|
read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
|
delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
|
|
|
-mcs_file_read_all(postfix_pickup_t)
|
|
-mcs_file_write_all(postfix_pickup_t)
|
|
-
|
|
########################################
|
|
#
|
|
-# Pipe local policy
|
|
+# Postfix pipe local policy
|
|
#
|
|
|
|
allow postfix_pipe_t self:process setrlimit;
|
|
@@ -584,19 +494,26 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Postdrop local policy
|
|
+# Postfix postdrop local policy
|
|
#
|
|
|
|
+# usually it does not need a UDP socket
|
|
allow postfix_postdrop_t self:capability sys_resource;
|
|
+allow postfix_postdrop_t self:tcp_socket create;
|
|
+allow postfix_postdrop_t self:udp_socket create_socket_perms;
|
|
+
|
|
+# Might be a leak, but I need a postfix expert to explain
|
|
+allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
|
|
+allow postfix_postdrop_t postfix_master_t:unix_stream_socket connectto;
|
|
|
|
rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
|
|
+rw_sock_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)
|
|
|
|
+postfix_list_spool(postfix_postdrop_t)
|
|
manage_files_pattern(postfix_postdrop_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
|
|
|
-allow postfix_postdrop_t postfix_local_t:unix_stream_socket { read write };
|
|
-
|
|
-mcs_file_read_all(postfix_postdrop_t)
|
|
-mcs_file_write_all(postfix_postdrop_t)
|
|
+corenet_udp_sendrecv_generic_if(postfix_postdrop_t)
|
|
+corenet_udp_sendrecv_generic_node(postfix_postdrop_t)
|
|
|
|
term_dontaudit_use_all_ptys(postfix_postdrop_t)
|
|
term_dontaudit_use_all_ttys(postfix_postdrop_t)
|
|
@@ -611,10 +528,7 @@ optional_policy(`
|
|
cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
|
|
')
|
|
|
|
-optional_policy(`
|
|
- fail2ban_dontaudit_use_fds(postfix_postdrop_t)
|
|
-')
|
|
-
|
|
+# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239951
|
|
optional_policy(`
|
|
fstools_read_pipes(postfix_postdrop_t)
|
|
')
|
|
@@ -629,17 +543,24 @@ optional_policy(`
|
|
|
|
#######################################
|
|
#
|
|
-# Postqueue local policy
|
|
+# Postfix postqueue local policy
|
|
#
|
|
|
|
+allow postfix_postqueue_t self:capability2 block_suspend;
|
|
+allow postfix_postqueue_t self:tcp_socket create;
|
|
+allow postfix_postqueue_t self:udp_socket { create ioctl };
|
|
+
|
|
+# wants to write to /var/spool/postfix/public/showq
|
|
stream_connect_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t, postfix_master_t)
|
|
|
|
+# write to /var/spool/postfix/public/qmgr
|
|
write_fifo_files_pattern(postfix_postqueue_t, postfix_public_t, postfix_public_t)
|
|
|
|
domtrans_pattern(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
|
|
|
|
-term_use_all_ptys(postfix_postqueue_t)
|
|
-term_use_all_ttys(postfix_postqueue_t)
|
|
+# to write the mailq output, it really should not need read access!
|
|
+term_use_all_inherited_ptys(postfix_postqueue_t)
|
|
+term_use_all_inherited_ttys(postfix_postqueue_t)
|
|
|
|
init_sigchld_script(postfix_postqueue_t)
|
|
init_use_script_fds(postfix_postqueue_t)
|
|
@@ -655,69 +576,78 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Qmgr local policy
|
|
+# Postfix qmgr local policy
|
|
#
|
|
|
|
-allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
|
|
-allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
|
|
-allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
|
|
-
|
|
stream_connect_pattern(postfix_qmgr_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
|
|
|
|
rw_fifo_files_pattern(postfix_qmgr_t, postfix_public_t, postfix_public_t)
|
|
|
|
-manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
|
-manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
|
-allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
|
|
-
|
|
+# for /var/spool/postfix/active
|
|
manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
|
|
manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
|
|
manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t)
|
|
files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
|
|
|
|
+allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms;
|
|
+allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms;
|
|
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file read_lnk_file_perms;
|
|
+
|
|
+manage_files_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
|
+manage_dirs_pattern(postfix_qmgr_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
|
+allow postfix_qmgr_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
|
|
+
|
|
corecmd_exec_bin(postfix_qmgr_t)
|
|
|
|
########################################
|
|
#
|
|
-# Showq local policy
|
|
+# Postfix showq local policy
|
|
#
|
|
|
|
allow postfix_showq_t self:capability { setuid setgid };
|
|
+allow postfix_showq_t self:tcp_socket create_socket_perms;
|
|
|
|
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
|
|
|
|
+allow postfix_showq_t postfix_spool_t:file read_file_perms;
|
|
+
|
|
+postfix_list_spool(postfix_showq_t)
|
|
+
|
|
allow postfix_showq_t postfix_spool_maildrop_t:dir list_dir_perms;
|
|
allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
|
|
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
|
|
|
|
-allow postfix_showq_t postfix_spool_t:file read_file_perms;
|
|
-
|
|
-mcs_file_read_all(postfix_showq_t)
|
|
-
|
|
+# to write the mailq output, it really should not need read access!
|
|
term_use_all_ptys(postfix_showq_t)
|
|
term_use_all_ttys(postfix_showq_t)
|
|
|
|
########################################
|
|
#
|
|
-# Smtp delivery local policy
|
|
+# Postfix smtp delivery local policy
|
|
#
|
|
|
|
+# connect to master process
|
|
allow postfix_smtp_t self:capability sys_chroot;
|
|
-
|
|
stream_connect_pattern(postfix_smtp_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
|
|
|
|
-allow postfix_smtp_t { postfix_prng_t postfix_spool_t }:file rw_file_perms;
|
|
+allow postfix_smtp_t postfix_prng_t:file rw_file_perms;
|
|
+
|
|
+allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
|
|
|
|
rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
|
|
|
|
corenet_tcp_bind_generic_node(postfix_smtp_t)
|
|
+# for spampd
|
|
+corenet_tcp_connect_spamd_port(postfix_master_t)
|
|
+
|
|
+files_search_all_mountpoints(postfix_smtp_t)
|
|
|
|
optional_policy(`
|
|
cyrus_stream_connect(postfix_smtp_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- dovecot_stream_connect(postfix_smtp_t)
|
|
+ dovecot_stream_connect(postfix_smtp_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -730,29 +660,30 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Smtpd local policy
|
|
+# Postfix smtpd local policy
|
|
#
|
|
-
|
|
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
|
|
|
|
+# connect to master process
|
|
stream_connect_pattern(postfix_smtpd_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
|
|
|
|
+# Connect to policy server
|
|
+corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
|
|
+
|
|
+# for prng_exch
|
|
manage_dirs_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
|
|
manage_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
|
|
manage_lnk_files_pattern(postfix_smtpd_t, postfix_spool_t, postfix_spool_t)
|
|
allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
|
|
|
|
-corenet_sendrecv_postfix_policyd_client_packets(postfix_smtpd_t)
|
|
-corenet_tcp_connect_postfix_policyd_port(postfix_smtpd_t)
|
|
-corenet_tcp_sendrecv_postfix_policyd_port(postfix_smtpd_t)
|
|
-
|
|
corecmd_exec_bin(postfix_smtpd_t)
|
|
|
|
+# for OpenSSL certificates
|
|
+
|
|
+# postfix checks the size of all mounted file systems
|
|
fs_getattr_all_dirs(postfix_smtpd_t)
|
|
fs_getattr_all_fs(postfix_smtpd_t)
|
|
|
|
-mta_read_aliases(postfix_smtpd_t)
|
|
-
|
|
optional_policy(`
|
|
dovecot_stream_connect_auth(postfix_smtpd_t)
|
|
dovecot_stream_connect(postfix_smtpd_t)
|
|
@@ -764,6 +695,7 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
milter_stream_connect_all(postfix_smtpd_t)
|
|
+ spamassassin_read_pid_files(postfix_smtpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -774,31 +706,99 @@ optional_policy(`
|
|
sasl_connect(postfix_smtpd_t)
|
|
')
|
|
|
|
-optional_policy(`
|
|
- spamassassin_read_spamd_pid_files(postfix_smtpd_t)
|
|
- spamassassin_stream_connect_spamd(postfix_smtpd_t)
|
|
-')
|
|
-
|
|
########################################
|
|
#
|
|
-# Virtual local policy
|
|
+# Postfix virtual local policy
|
|
#
|
|
|
|
-allow postfix_virtual_t self:process setrlimit;
|
|
+allow postfix_virtual_t self:process { setsched setrlimit };
|
|
|
|
-allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
|
|
+manage_files_pattern(postfix_virtual_t, postfix_spool_t, postfix_spool_t)
|
|
|
|
+# connect to master process
|
|
stream_connect_pattern(postfix_virtual_t, { postfix_private_t postfix_public_t }, { postfix_private_t postfix_public_t }, postfix_master_t)
|
|
|
|
+corecmd_exec_shell(postfix_virtual_t)
|
|
corecmd_exec_bin(postfix_virtual_t)
|
|
|
|
-mta_read_aliases(postfix_virtual_t)
|
|
mta_delete_spool(postfix_virtual_t)
|
|
-mta_read_config(postfix_virtual_t)
|
|
mta_manage_spool(postfix_virtual_t)
|
|
|
|
userdom_manage_user_home_dirs(postfix_virtual_t)
|
|
-userdom_manage_user_home_content_dirs(postfix_virtual_t)
|
|
-userdom_manage_user_home_content_files(postfix_virtual_t)
|
|
-userdom_home_filetrans_user_home_dir(postfix_virtual_t)
|
|
-userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, { file dir })
|
|
+userdom_manage_user_home_content(postfix_virtual_t)
|
|
+userdom_filetrans_home_content(postfix_virtual_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# postfix_domain common policy
|
|
+#
|
|
+allow postfix_domain self:capability { sys_nice sys_chroot };
|
|
+dontaudit postfix_domain self:capability sys_tty_config;
|
|
+allow postfix_domain self:process { signal_perms setpgid setsched };
|
|
+allow postfix_domain self:unix_dgram_socket create_socket_perms;
|
|
+allow postfix_domain self:unix_stream_socket create_stream_socket_perms;
|
|
+allow postfix_domain self:unix_stream_socket connectto;
|
|
+allow postfix_domain self:fifo_file rw_fifo_file_perms;
|
|
+
|
|
+allow postfix_master_t postfix_domain:fifo_file { read write };
|
|
+allow postfix_master_t postfix_domain:process signal;
|
|
+#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=244456
|
|
+allow postfix_domain postfix_master_t:file read;
|
|
+allow postfix_domain postfix_etc_t:dir list_dir_perms;
|
|
+read_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t)
|
|
+read_lnk_files_pattern(postfix_domain, postfix_etc_t, postfix_etc_t)
|
|
+
|
|
+allow postfix_domain postfix_exec_t:file { mmap_file_perms lock };
|
|
+
|
|
+allow postfix_domain postfix_master_t:process sigchld;
|
|
+
|
|
+allow postfix_domain postfix_spool_t:dir list_dir_perms;
|
|
+
|
|
+manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
|
|
+files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
|
|
+
|
|
+kernel_read_network_state(postfix_domain)
|
|
+kernel_read_all_sysctls(postfix_domain)
|
|
+
|
|
+dev_read_sysfs(postfix_domain)
|
|
+dev_read_rand(postfix_domain)
|
|
+dev_read_urand(postfix_domain)
|
|
+
|
|
+fs_search_auto_mountpoints(postfix_domain)
|
|
+fs_getattr_xattr_fs(postfix_domain)
|
|
+fs_rw_anon_inodefs_files(postfix_domain)
|
|
+
|
|
+term_dontaudit_use_console(postfix_domain)
|
|
+
|
|
+corecmd_exec_shell(postfix_domain)
|
|
+
|
|
+files_read_etc_runtime_files(postfix_domain)
|
|
+files_read_usr_symlinks(postfix_domain)
|
|
+files_search_spool(postfix_domain)
|
|
+files_list_tmp(postfix_domain)
|
|
+files_search_all_mountpoints(postfix_domain)
|
|
+
|
|
+init_dontaudit_use_fds(postfix_domain)
|
|
+init_sigchld(postfix_domain)
|
|
+init_dontaudit_rw_stream_socket(postfix_domain)
|
|
+
|
|
+# For reading spamassasin
|
|
+mta_read_config(postfix_domain)
|
|
+mta_read_aliases(postfix_domain)
|
|
+
|
|
+miscfiles_read_generic_certs(postfix_domain)
|
|
+
|
|
+userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
|
|
+
|
|
+optional_policy(`
|
|
+ mysql_stream_connect(postfix_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ spamd_stream_connect(postfix_domain)
|
|
+ spamassassin_domtrans_client(postfix_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ udev_read_db(postfix_domain)
|
|
+')
|
|
diff --git a/postfixpolicyd.if b/postfixpolicyd.if
|
|
index 5de8173..985b877 100644
|
|
--- a/postfixpolicyd.if
|
|
+++ b/postfixpolicyd.if
|
|
@@ -23,8 +23,11 @@ interface(`postfixpolicyd_admin',`
|
|
type postfix_policyd_var_run_t, postfix_policyd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 postfix_policyd_t:process { ptrace signal_perms };
|
|
+ allow $1 postfix_policyd_t:process signal_perms;
|
|
ps_process_pattern($1, postfix_policyd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 postfix_policyd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, postfix_policyd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff --git a/postfixpolicyd.te b/postfixpolicyd.te
|
|
index ea1582a..0c1a059 100644
|
|
--- a/postfixpolicyd.te
|
|
+++ b/postfixpolicyd.te
|
|
@@ -34,7 +34,6 @@ allow postfix_policyd_t postfix_policyd_conf_t:lnk_file read_lnk_file_perms;
|
|
manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
|
|
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
|
|
|
|
-corenet_all_recvfrom_unlabeled(postfix_policyd_t)
|
|
corenet_tcp_sendrecv_generic_if(postfix_policyd_t)
|
|
corenet_tcp_sendrecv_generic_node(postfix_policyd_t)
|
|
corenet_tcp_bind_generic_node(postfix_policyd_t)
|
|
@@ -47,11 +46,7 @@ corenet_sendrecv_mysqld_server_packets(postfix_policyd_t)
|
|
corenet_tcp_bind_mysqld_port(postfix_policyd_t)
|
|
corenet_tcp_sendrecv_mysqld_port(postfix_policyd_t)
|
|
|
|
-files_read_etc_files(postfix_policyd_t)
|
|
-files_read_usr_files(postfix_policyd_t)
|
|
|
|
logging_send_syslog_msg(postfix_policyd_t)
|
|
|
|
-miscfiles_read_localization(postfix_policyd_t)
|
|
-
|
|
sysnet_dns_name_resolve(postfix_policyd_t)
|
|
diff --git a/postgrey.if b/postgrey.if
|
|
index b9e71b5..a7502cd 100644
|
|
--- a/postgrey.if
|
|
+++ b/postgrey.if
|
|
@@ -16,9 +16,9 @@ interface(`postgrey_stream_connect',`
|
|
type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
|
|
')
|
|
|
|
+ stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
|
|
files_search_pids($1)
|
|
files_search_spool($1)
|
|
- stream_connect_pattern($1, { postgrey_spool_t postgrey_var_run_t }, { postgrey_spool_t postgrey_var_run_t }, postgrey_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -59,14 +59,17 @@ interface(`postgrey_search_spool',`
|
|
#
|
|
interface(`postgrey_admin',`
|
|
gen_require(`
|
|
- type postgrey_t, postgrey_etc_t, postgrey_spool_t;
|
|
- type postgrey_var_lib_t, postgrey_var_run_t;
|
|
- type postgrey_initrc_exec_t;
|
|
+ type postgrey_t, postgrey_etc_t, postgrey_initrc_exec_t;
|
|
+ type postgrey_spool_t, postgrey_var_lib_t, postgrey_var_run_t;
|
|
')
|
|
|
|
- allow $1 postgrey_t:process { ptrace signal_perms };
|
|
+ allow $1 postgrey_t:process signal_perms;
|
|
ps_process_pattern($1, postgrey_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 postgrey_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, postgrey_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 postgrey_initrc_exec_t system_r;
|
|
diff --git a/postgrey.te b/postgrey.te
|
|
index fd58805..3b2474d 100644
|
|
--- a/postgrey.te
|
|
+++ b/postgrey.te
|
|
@@ -16,7 +16,7 @@ type postgrey_initrc_exec_t;
|
|
init_script_file(postgrey_initrc_exec_t)
|
|
|
|
type postgrey_spool_t;
|
|
-files_type(postgrey_spool_t)
|
|
+files_spool_file(postgrey_spool_t)
|
|
|
|
type postgrey_var_lib_t;
|
|
files_type(postgrey_var_lib_t)
|
|
@@ -57,7 +57,6 @@ kernel_read_kernel_sysctls(postgrey_t)
|
|
|
|
corecmd_search_bin(postgrey_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(postgrey_t)
|
|
corenet_all_recvfrom_netlabel(postgrey_t)
|
|
corenet_tcp_sendrecv_generic_if(postgrey_t)
|
|
corenet_tcp_sendrecv_generic_node(postgrey_t)
|
|
@@ -72,17 +71,15 @@ dev_read_sysfs(postgrey_t)
|
|
|
|
domain_use_interactive_fds(postgrey_t)
|
|
|
|
-files_read_etc_files(postgrey_t)
|
|
files_read_etc_runtime_files(postgrey_t)
|
|
-files_read_usr_files(postgrey_t)
|
|
files_getattr_tmp_dirs(postgrey_t)
|
|
|
|
fs_getattr_all_fs(postgrey_t)
|
|
fs_search_auto_mountpoints(postgrey_t)
|
|
|
|
-logging_send_syslog_msg(postgrey_t)
|
|
+auth_read_passwd(postgrey_t)
|
|
|
|
-miscfiles_read_localization(postgrey_t)
|
|
+logging_send_syslog_msg(postgrey_t)
|
|
|
|
sysnet_read_config(postgrey_t)
|
|
|
|
diff --git a/ppp.fc b/ppp.fc
|
|
index efcb653..ff2c96a 100644
|
|
--- a/ppp.fc
|
|
+++ b/ppp.fc
|
|
@@ -1,30 +1,45 @@
|
|
-HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0)
|
|
+#
|
|
+# /etc
|
|
+#
|
|
+/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
|
|
|
|
-/etc/rc\.d/init\.d/ppp -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
|
|
+/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
|
|
+/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
|
|
+/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
|
|
+/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
|
|
+/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
|
|
+# Fix /etc/ppp {up,down} family scripts (see man pppd)
|
|
+/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
|
|
|
|
-/etc/ppp -d gen_context(system_u:object_r:pppd_etc_t,s0)
|
|
-/etc/ppp(/.*)? -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
|
|
-/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
|
|
-/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
|
|
-/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
|
|
-/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
|
|
+/usr/lib/systemd/system/ppp.* -- gen_context(system_u:object_r:iptables_unit_file_t,s0)
|
|
|
|
-/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
|
|
-/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
|
|
+/root/.ppprc -- gen_context(system_u:object_r:pppd_etc_t,s0)
|
|
|
|
-/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
|
|
-/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
|
|
-/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
|
|
-/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
|
|
-/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
|
|
+#
|
|
+# /sbin
|
|
+#
|
|
+/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
|
|
+/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
|
|
|
|
-/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0)
|
|
-
|
|
-/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
|
|
-/var/log/ppp/.* -- gen_context(system_u:object_r:pppd_log_t,s0)
|
|
-/var/log/pptp.* -- gen_context(system_u:object_r:pptp_log_t,s0)
|
|
+#
|
|
+# /usr
|
|
+#
|
|
+/usr/sbin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
|
|
+/usr/sbin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
|
|
+/usr/sbin/pppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
|
|
+/usr/sbin/pppoe-server -- gen_context(system_u:object_r:pppd_exec_t,s0)
|
|
+/usr/sbin/pptp -- gen_context(system_u:object_r:pptp_exec_t,s0)
|
|
|
|
+#
|
|
+# /var
|
|
+#
|
|
/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
|
|
/var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
|
|
-/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
|
|
-/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
|
|
+/var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
|
|
+# Fix pptp sockets
|
|
+/var/run/pptp(/.*)? gen_context(system_u:object_r:pptp_var_run_t,s0)
|
|
+
|
|
+/var/lock/ppp(/.*)? gen_context(system_u:object_r:pppd_lock_t,s0)
|
|
+
|
|
+/var/log/ppp-connect-errors.* -- gen_context(system_u:object_r:pppd_log_t,s0)
|
|
+/var/log/ppp(/.*)? gen_context(system_u:object_r:pppd_log_t,s0)
|
|
diff --git a/ppp.if b/ppp.if
|
|
index cd8b8b9..6c73980 100644
|
|
--- a/ppp.if
|
|
+++ b/ppp.if
|
|
@@ -1,110 +1,91 @@
|
|
-## <summary>Point to Point Protocol daemon creates links in ppp networks.</summary>
|
|
+## <summary>Point to Point Protocol daemon creates links in ppp networks</summary>
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Role access for ppp.
|
|
+## Create, read, write, and delete
|
|
+## ppp home files.
|
|
## </summary>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## User domain for the role.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`ppp_role',`
|
|
- refpolicywarn(`$0($*) has been deprecated')
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Create, read, write, and delete
|
|
-## ppp home files.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`ppp_manage_home_files',`
|
|
- gen_require(`
|
|
- type ppp_home_t;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type ppp_home_t;
|
|
+ ')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 ppp_home_t:file manage_file_perms;
|
|
+ userdom_search_user_home_dirs($1)
|
|
+ allow $1 ppp_home_t:file manage_file_perms;
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Read ppp user home content files.
|
|
+## Read ppp user home content files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`ppp_read_home_files',`
|
|
- gen_require(`
|
|
- type ppp_home_t;
|
|
+ gen_require(`
|
|
+ type ppp_home_t;
|
|
|
|
- ')
|
|
+ ')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 ppp_home_t:file read_file_perms;
|
|
+ userdom_search_user_home_dirs($1)
|
|
+ allow $1 ppp_home_t:file read_file_perms;
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Relabel ppp home files.
|
|
+## Relabel ppp home files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`ppp_relabel_home_files',`
|
|
- gen_require(`
|
|
- type ppp_home_t;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type ppp_home_t;
|
|
+ ')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 ppp_home_t:file relabel_file_perms;
|
|
+ userdom_search_user_home_dirs($1)
|
|
+ allow $1 ppp_home_t:file relabel_file_perms;
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Create objects in user home
|
|
-## directories with the ppp home type.
|
|
+## Create objects in user home
|
|
+## directories with the ppp home type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Class of the object being created.
|
|
+## </summary>
|
|
## </param>
|
|
## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## The name of the object being created.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`ppp_home_filetrans_ppp_home',`
|
|
- gen_require(`
|
|
- type ppp_home_t;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type ppp_home_t;
|
|
+ ')
|
|
|
|
- userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3)
|
|
+ userdom_user_home_dir_filetrans($1, ppp_home_t, $2, $3)
|
|
')
|
|
|
|
########################################
|
|
@@ -128,7 +109,7 @@ interface(`ppp_use_fds',`
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to inherit
|
|
-## and use ppp file discriptors.
|
|
+## and use PPP file discriptors.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -146,7 +127,7 @@ interface(`ppp_dontaudit_use_fds',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send child terminated signals to ppp.
|
|
+## Send a SIGCHLD signal to PPP.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -165,7 +146,7 @@ interface(`ppp_sigchld',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send kill signals to ppp.
|
|
+## Send ppp a kill signal
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -173,7 +154,6 @@ interface(`ppp_sigchld',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-#
|
|
interface(`ppp_kill',`
|
|
gen_require(`
|
|
type pppd_t;
|
|
@@ -184,7 +164,7 @@ interface(`ppp_kill',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send generic signals to ppp.
|
|
+## Send a generic signal to PPP.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -202,7 +182,7 @@ interface(`ppp_signal',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send null signals to ppp.
|
|
+## Send a generic signull to PPP.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -220,7 +200,7 @@ interface(`ppp_signull',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute pppd in the pppd domain.
|
|
+## Execute domain in the ppp domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -239,8 +219,7 @@ interface(`ppp_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Conditionally execute pppd on
|
|
-## behalf of a user or staff type.
|
|
+## Conditionally execute ppp daemon on behalf of a user or staff type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -249,7 +228,7 @@ interface(`ppp_domtrans',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to allow the ppp domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
@@ -268,8 +247,7 @@ interface(`ppp_run_cond',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Unconditionally execute ppp daemon
|
|
-## on behalf of a user or staff type.
|
|
+## Unconditionally execute ppp daemon on behalf of a user or staff type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -278,7 +256,7 @@ interface(`ppp_run_cond',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to allow the ppp domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
@@ -294,7 +272,7 @@ interface(`ppp_run',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute domain in the caller domain.
|
|
+## Execute domain in the ppp caller.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -326,13 +304,13 @@ interface(`ppp_read_config',`
|
|
type pppd_etc_t;
|
|
')
|
|
|
|
- files_search_etc($1)
|
|
read_files_pattern($1, pppd_etc_t, pppd_etc_t)
|
|
+ files_search_etc($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read ppp writable configuration content.
|
|
+## Read PPP-writable configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -345,15 +323,14 @@ interface(`ppp_read_rw_config',`
|
|
type pppd_etc_t, pppd_etc_rw_t;
|
|
')
|
|
|
|
- files_search_etc($1)
|
|
- allow $1 { pppd_etc_t pppd_etc_rw_t }:dir list_dir_perms;
|
|
+ allow $1 pppd_etc_t:dir list_dir_perms;
|
|
allow $1 pppd_etc_rw_t:file read_file_perms;
|
|
- allow $1 { pppd_etc_t pppd_etc_rw_t }:lnk_file read_lnk_file_perms;
|
|
+ files_search_etc($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read ppp secret files.
|
|
+## Read PPP secrets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -366,15 +343,14 @@ interface(`ppp_read_secrets',`
|
|
type pppd_etc_t, pppd_secret_t;
|
|
')
|
|
|
|
- files_search_etc($1)
|
|
allow $1 pppd_etc_t:dir list_dir_perms;
|
|
allow $1 pppd_secret_t:file read_file_perms;
|
|
- allow $1 pppd_etc_t:lnk_file read_lnk_file_perms;
|
|
+ files_search_etc($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read ppp pid files.
|
|
+## Read PPP pid files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -388,13 +364,12 @@ interface(`ppp_read_pid_files',`
|
|
')
|
|
|
|
files_search_pids($1)
|
|
- allow $1 pppd_var_run_t:file read_file_perms;
|
|
+ read_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## ppp pid files.
|
|
+## Create, read, write, and delete PPP pid files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -408,42 +383,30 @@ interface(`ppp_manage_pid_files',`
|
|
')
|
|
|
|
files_search_pids($1)
|
|
- allow $1 pppd_var_run_t:file manage_file_perms;
|
|
+ manage_files_pattern($1, pppd_var_run_t, pppd_var_run_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create specified pppd pid objects
|
|
-## with a type transition.
|
|
+## Create, read, write, and delete PPP pid files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
#
|
|
interface(`ppp_pid_filetrans',`
|
|
gen_require(`
|
|
type pppd_var_run_t;
|
|
')
|
|
|
|
- files_pid_filetrans($1, pppd_var_run_t, $2, $3)
|
|
+ files_pid_filetrans($1, pppd_var_run_t, file)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute pppd init script in
|
|
-## the initrc domain.
|
|
+## Execute ppp server in the ntpd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -461,31 +424,62 @@ interface(`ppp_initrc_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an ppp environment.
|
|
+## Execute pppd server in the pppd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+#
|
|
+interface(`ppp_systemctl',`
|
|
+ gen_require(`
|
|
+ type pppd_unit_file_t;
|
|
+ type pppd_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 pppd_unit_file_t:file read_file_perms;
|
|
+ allow $1 pppd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, pppd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an ppp environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`ppp_admin',`
|
|
gen_require(`
|
|
type pppd_t, pppd_tmp_t, pppd_log_t, pppd_lock_t;
|
|
- type pppd_etc_t, pppd_secret_t, pppd_etc_rw_t;
|
|
- type pppd_var_run_t, pppd_initrc_exec_t;
|
|
+ type pppd_etc_t, pppd_secret_t, pppd_var_run_t;
|
|
type pptp_t, pptp_log_t, pptp_var_run_t;
|
|
+ type pppd_initrc_exec_t, pppd_etc_rw_t;
|
|
+ type pppd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 pppd_t:process signal_perms;
|
|
+ ps_process_pattern($1, pppd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 pppd_t:process ptrace;
|
|
+ allow $1 pptp_t:process ptrace;
|
|
')
|
|
|
|
- allow $1 { pptp_t pppd_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { pptp_t pppd_t })
|
|
+ allow $1 pptp_t:process signal_perms;
|
|
+ ps_process_pattern($1, pptp_t)
|
|
|
|
ppp_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
@@ -496,14 +490,26 @@ interface(`ppp_admin',`
|
|
admin_pattern($1, pppd_tmp_t)
|
|
|
|
logging_list_logs($1)
|
|
- admin_pattern($1, { pptp_log_t pppd_log_t })
|
|
+ admin_pattern($1, pppd_log_t)
|
|
|
|
files_list_locks($1)
|
|
admin_pattern($1, pppd_lock_t)
|
|
|
|
files_list_etc($1)
|
|
- admin_pattern($1, { pppd_etc_rw_t pppd_secret_t pppd_etc_t })
|
|
+ admin_pattern($1, pppd_etc_t)
|
|
+
|
|
+ admin_pattern($1, pppd_etc_rw_t)
|
|
+
|
|
+ admin_pattern($1, pppd_secret_t)
|
|
|
|
files_list_pids($1)
|
|
- admin_pattern($1, { pptp_var_run_t pppd_var_run_t })
|
|
+ admin_pattern($1, pppd_var_run_t)
|
|
+
|
|
+ admin_pattern($1, pptp_log_t)
|
|
+
|
|
+ admin_pattern($1, pptp_var_run_t)
|
|
+
|
|
+ ppp_systemctl($1)
|
|
+ admin_pattern($1, pppd_unit_file_t)
|
|
+ allow $1 pppd_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/ppp.te b/ppp.te
|
|
index d616ca3..fd72341 100644
|
|
--- a/ppp.te
|
|
+++ b/ppp.te
|
|
@@ -6,41 +6,47 @@ policy_module(ppp, 1.14.0)
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether pppd can
|
|
-## load kernel modules.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow pppd to load kernel modules for certain modems
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(pppd_can_insmod, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether common users can
|
|
-## run pppd with a domain transition.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow pppd to be run for a regular user
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(pppd_for_user, false)
|
|
|
|
attribute_role pppd_roles;
|
|
-attribute_role pptp_roles;
|
|
|
|
+# pppd_t is the domain for the pppd program.
|
|
+# pppd_exec_t is the type of the pppd executable.
|
|
type pppd_t;
|
|
type pppd_exec_t;
|
|
init_daemon_domain(pppd_t, pppd_exec_t)
|
|
role pppd_roles types pppd_t;
|
|
+role system_r types pppd_t;
|
|
|
|
type pppd_devpts_t;
|
|
term_pty(pppd_devpts_t)
|
|
|
|
+# Define a separate type for /etc/ppp
|
|
type pppd_etc_t;
|
|
files_config_file(pppd_etc_t)
|
|
|
|
+# Define a separate type for writable files under /etc/ppp
|
|
type pppd_etc_rw_t;
|
|
files_type(pppd_etc_rw_t)
|
|
|
|
type pppd_initrc_exec_t alias pppd_script_exec_t;
|
|
init_script_file(pppd_initrc_exec_t)
|
|
|
|
+type pppd_unit_file_t;
|
|
+systemd_unit_file(pppd_unit_file_t)
|
|
+
|
|
+# pppd_secret_t is the type of the pap and chap password files
|
|
type pppd_secret_t;
|
|
files_type(pppd_secret_t)
|
|
|
|
@@ -59,7 +65,8 @@ files_pid_file(pppd_var_run_t)
|
|
type pptp_t;
|
|
type pptp_exec_t;
|
|
init_daemon_domain(pptp_t, pptp_exec_t)
|
|
-role pptp_roles types pptp_t;
|
|
+#role pppd_roles types pptp_t;
|
|
+role system_r types pptp_t;
|
|
|
|
type pptp_log_t;
|
|
logging_log_file(pptp_log_t)
|
|
@@ -67,54 +74,57 @@ logging_log_file(pptp_log_t)
|
|
type pptp_var_run_t;
|
|
files_pid_file(pptp_var_run_t)
|
|
|
|
-type ppp_home_t;
|
|
-userdom_user_home_content(ppp_home_t)
|
|
-
|
|
########################################
|
|
#
|
|
-# PPPD local policy
|
|
+# PPPD Local policy
|
|
#
|
|
|
|
allow pppd_t self:capability { kill net_admin setuid setgid sys_admin fsetid fowner net_raw dac_override sys_nice };
|
|
dontaudit pppd_t self:capability sys_tty_config;
|
|
-allow pppd_t self:process { getsched setsched signal };
|
|
+allow pppd_t self:process { getsched setsched signal_perms };
|
|
allow pppd_t self:fifo_file rw_fifo_file_perms;
|
|
allow pppd_t self:socket create_socket_perms;
|
|
-allow pppd_t self:netlink_route_socket nlmsg_write;
|
|
-allow pppd_t self:tcp_socket { accept listen };
|
|
+allow pppd_t self:unix_dgram_socket create_socket_perms;
|
|
+allow pppd_t self:unix_stream_socket create_socket_perms;
|
|
+allow pppd_t self:netlink_route_socket rw_netlink_socket_perms;
|
|
+allow pppd_t self:tcp_socket create_stream_socket_perms;
|
|
+allow pppd_t self:udp_socket { connect connected_socket_perms };
|
|
allow pppd_t self:packet_socket create_socket_perms;
|
|
|
|
+domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
|
|
+
|
|
allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
|
|
|
|
allow pppd_t pppd_etc_t:dir rw_dir_perms;
|
|
-allow pppd_t { pppd_etc_t ppp_home_t }:file read_file_perms;
|
|
+allow pppd_t pppd_etc_t:file read_file_perms;
|
|
allow pppd_t pppd_etc_t:lnk_file read_lnk_file_perms;
|
|
|
|
manage_files_pattern(pppd_t, pppd_etc_rw_t, pppd_etc_rw_t)
|
|
+# Automatically label newly created files under /etc/ppp with this type
|
|
filetrans_pattern(pppd_t, pppd_etc_t, pppd_etc_rw_t, file)
|
|
|
|
-allow pppd_t pppd_lock_t:file manage_file_perms;
|
|
-files_lock_filetrans(pppd_t, pppd_lock_t, file)
|
|
+manage_files_pattern(pppd_t, pppd_lock_t, pppd_lock_t)
|
|
+files_search_locks(pppd_t)
|
|
|
|
-allow pppd_t pppd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
|
+manage_files_pattern(pppd_t, pppd_log_t, pppd_log_t)
|
|
logging_log_filetrans(pppd_t, pppd_log_t, file)
|
|
|
|
manage_dirs_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
|
|
manage_files_pattern(pppd_t, pppd_tmp_t, pppd_tmp_t)
|
|
-files_tmp_filetrans(pppd_t, pppd_tmp_t, { dir file})
|
|
+files_tmp_filetrans(pppd_t, pppd_tmp_t, { file dir })
|
|
|
|
manage_dirs_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
|
|
manage_files_pattern(pppd_t, pppd_var_run_t, pppd_var_run_t)
|
|
files_pid_filetrans(pppd_t, pppd_var_run_t, { dir file })
|
|
|
|
-can_exec(pppd_t, pppd_exec_t)
|
|
-
|
|
-domtrans_pattern(pppd_t, pptp_exec_t, pptp_t)
|
|
-
|
|
allow pppd_t pptp_t:process signal;
|
|
|
|
+# for SSP
|
|
+# Access secret files
|
|
allow pppd_t pppd_secret_t:file read_file_perms;
|
|
|
|
+ppp_initrc_domtrans(pppd_t)
|
|
+
|
|
kernel_read_kernel_sysctls(pppd_t)
|
|
kernel_read_system_state(pppd_t)
|
|
kernel_rw_net_sysctls(pppd_t)
|
|
@@ -122,10 +132,10 @@ kernel_read_network_state(pppd_t)
|
|
kernel_request_load_module(pppd_t)
|
|
|
|
dev_read_urand(pppd_t)
|
|
+dev_search_sysfs(pppd_t)
|
|
dev_read_sysfs(pppd_t)
|
|
dev_rw_modem(pppd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(pppd_t)
|
|
corenet_all_recvfrom_netlabel(pppd_t)
|
|
corenet_tcp_sendrecv_generic_if(pppd_t)
|
|
corenet_raw_sendrecv_generic_if(pppd_t)
|
|
@@ -135,9 +145,21 @@ corenet_raw_sendrecv_generic_node(pppd_t)
|
|
corenet_udp_sendrecv_generic_node(pppd_t)
|
|
corenet_tcp_sendrecv_all_ports(pppd_t)
|
|
corenet_udp_sendrecv_all_ports(pppd_t)
|
|
-
|
|
+# Access /dev/ppp.
|
|
corenet_rw_ppp_dev(pppd_t)
|
|
|
|
+fs_getattr_all_fs(pppd_t)
|
|
+fs_search_auto_mountpoints(pppd_t)
|
|
+
|
|
+term_use_unallocated_ttys(pppd_t)
|
|
+term_use_usb_ttys(pppd_t)
|
|
+term_setattr_unallocated_ttys(pppd_t)
|
|
+term_ioctl_generic_ptys(pppd_t)
|
|
+# for pppoe
|
|
+term_create_pty(pppd_t, pppd_devpts_t)
|
|
+term_use_generic_ptys(pppd_t)
|
|
+
|
|
+# allow running ip-up and ip-down scripts and running chat.
|
|
corecmd_exec_bin(pppd_t)
|
|
corecmd_exec_shell(pppd_t)
|
|
|
|
@@ -147,36 +169,31 @@ files_exec_etc_files(pppd_t)
|
|
files_manage_etc_runtime_files(pppd_t)
|
|
files_dontaudit_write_etc_files(pppd_t)
|
|
|
|
-fs_getattr_all_fs(pppd_t)
|
|
-fs_search_auto_mountpoints(pppd_t)
|
|
+# for scripts
|
|
|
|
-term_use_unallocated_ttys(pppd_t)
|
|
-term_setattr_unallocated_ttys(pppd_t)
|
|
-term_ioctl_generic_ptys(pppd_t)
|
|
-term_create_pty(pppd_t, pppd_devpts_t)
|
|
-term_use_generic_ptys(pppd_t)
|
|
-
|
|
-init_labeled_script_domtrans(pppd_t, pppd_initrc_exec_t)
|
|
init_read_utmp(pppd_t)
|
|
-init_signal_script(pppd_t)
|
|
init_dontaudit_write_utmp(pppd_t)
|
|
+init_signal_script(pppd_t)
|
|
|
|
-auth_run_chk_passwd(pppd_t, pppd_roles)
|
|
auth_use_nsswitch(pppd_t)
|
|
+auth_domtrans_chk_passwd(pppd_t)
|
|
+#auth_run_chk_passwd(pppd_t,pppd_roles)
|
|
auth_write_login_records(pppd_t)
|
|
|
|
logging_send_syslog_msg(pppd_t)
|
|
logging_send_audit_msgs(pppd_t)
|
|
|
|
-miscfiles_read_localization(pppd_t)
|
|
-
|
|
sysnet_exec_ifconfig(pppd_t)
|
|
sysnet_manage_config(pppd_t)
|
|
sysnet_etc_filetrans_config(pppd_t)
|
|
+sysnet_filetrans_config_fromdir(pppd_t, pppd_var_run_t, file, "resolv.conf")
|
|
|
|
-userdom_use_user_terminals(pppd_t)
|
|
+userdom_use_inherited_user_terminals(pppd_t)
|
|
userdom_dontaudit_use_unpriv_user_fds(pppd_t)
|
|
userdom_search_user_home_dirs(pppd_t)
|
|
+userdom_search_admin_dir(pppd_t)
|
|
+
|
|
+ppp_exec(pppd_t)
|
|
|
|
optional_policy(`
|
|
ddclient_run(pppd_t, pppd_roles)
|
|
@@ -186,11 +203,13 @@ optional_policy(`
|
|
l2tpd_dgram_send(pppd_t)
|
|
l2tpd_rw_socket(pppd_t)
|
|
l2tpd_stream_connect(pppd_t)
|
|
+ l2tpd_read_pid_files(pppd_t)
|
|
+ l2tpd_dbus_chat(pppd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`pppd_can_insmod',`
|
|
- modutils_domtrans_insmod(pppd_t)
|
|
+ modutils_domtrans_insmod_uncond(pppd_t)
|
|
')
|
|
')
|
|
|
|
@@ -218,16 +237,19 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# PPTP local policy
|
|
+# PPTP Local policy
|
|
#
|
|
|
|
allow pptp_t self:capability { dac_override dac_read_search net_raw net_admin };
|
|
dontaudit pptp_t self:capability sys_tty_config;
|
|
allow pptp_t self:process signal;
|
|
allow pptp_t self:fifo_file rw_fifo_file_perms;
|
|
-allow pptp_t self:unix_stream_socket { accept connectto listen };
|
|
+allow pptp_t self:unix_dgram_socket create_socket_perms;
|
|
+allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
|
allow pptp_t self:rawip_socket create_socket_perms;
|
|
-allow pptp_t self:netlink_route_socket nlmsg_write;
|
|
+allow pptp_t self:tcp_socket create_socket_perms;
|
|
+allow pptp_t self:udp_socket create_socket_perms;
|
|
+allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;
|
|
|
|
allow pptp_t pppd_etc_t:dir list_dir_perms;
|
|
allow pptp_t pppd_etc_t:file read_file_perms;
|
|
@@ -236,45 +258,43 @@ allow pptp_t pppd_etc_t:lnk_file read_lnk_file_perms;
|
|
allow pptp_t pppd_etc_rw_t:dir list_dir_perms;
|
|
allow pptp_t pppd_etc_rw_t:file read_file_perms;
|
|
allow pptp_t pppd_etc_rw_t:lnk_file read_lnk_file_perms;
|
|
+can_exec(pptp_t, pppd_etc_rw_t)
|
|
|
|
+# Allow pptp to append to pppd log files
|
|
allow pptp_t pppd_log_t:file append_file_perms;
|
|
|
|
-allow pptp_t pptp_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
|
+allow pptp_t pptp_log_t:file manage_file_perms;
|
|
logging_log_filetrans(pptp_t, pptp_log_t, file)
|
|
|
|
+manage_dirs_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
|
|
manage_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
|
|
manage_sock_files_pattern(pptp_t, pptp_var_run_t, pptp_var_run_t)
|
|
-files_pid_filetrans(pptp_t, pptp_var_run_t, file)
|
|
-
|
|
-can_exec(pptp_t, pppd_etc_rw_t)
|
|
+files_pid_filetrans(pptp_t, pptp_var_run_t, { file dir })
|
|
|
|
+kernel_list_proc(pptp_t)
|
|
kernel_read_kernel_sysctls(pptp_t)
|
|
kernel_read_network_state(pptp_t)
|
|
+kernel_read_proc_symlinks(pptp_t)
|
|
kernel_read_system_state(pptp_t)
|
|
kernel_signal(pptp_t)
|
|
|
|
+dev_read_sysfs(pptp_t)
|
|
+
|
|
corecmd_exec_shell(pptp_t)
|
|
corecmd_read_bin_symlinks(pptp_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(pptp_t)
|
|
corenet_all_recvfrom_netlabel(pptp_t)
|
|
corenet_tcp_sendrecv_generic_if(pptp_t)
|
|
corenet_raw_sendrecv_generic_if(pptp_t)
|
|
corenet_tcp_sendrecv_generic_node(pptp_t)
|
|
corenet_raw_sendrecv_generic_node(pptp_t)
|
|
corenet_tcp_sendrecv_all_ports(pptp_t)
|
|
-
|
|
-corenet_tcp_connect_all_reserved_ports(pptp_t)
|
|
+corenet_tcp_bind_generic_node(pptp_t)
|
|
corenet_tcp_connect_generic_port(pptp_t)
|
|
+corenet_tcp_connect_all_reserved_ports(pptp_t)
|
|
corenet_sendrecv_generic_client_packets(pptp_t)
|
|
-
|
|
-corenet_sendrecv_pptp_client_packets(pptp_t)
|
|
corenet_tcp_connect_pptp_port(pptp_t)
|
|
|
|
-dev_read_sysfs(pptp_t)
|
|
-
|
|
-domain_use_interactive_fds(pptp_t)
|
|
-
|
|
fs_getattr_all_fs(pptp_t)
|
|
fs_search_auto_mountpoints(pptp_t)
|
|
|
|
@@ -282,12 +302,12 @@ term_ioctl_generic_ptys(pptp_t)
|
|
term_search_ptys(pptp_t)
|
|
term_use_ptmx(pptp_t)
|
|
|
|
+domain_use_interactive_fds(pptp_t)
|
|
+
|
|
auth_use_nsswitch(pptp_t)
|
|
|
|
logging_send_syslog_msg(pptp_t)
|
|
|
|
-miscfiles_read_localization(pptp_t)
|
|
-
|
|
sysnet_exec_ifconfig(pptp_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
|
|
@@ -299,6 +319,10 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ gnome_dontaudit_search_config(pppd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
dbus_system_domain(pppd_t, pppd_exec_t)
|
|
|
|
optional_policy(`
|
|
diff --git a/prelink.fc b/prelink.fc
|
|
index a90d623..62af9a4 100644
|
|
--- a/prelink.fc
|
|
+++ b/prelink.fc
|
|
@@ -1,11 +1,11 @@
|
|
/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
|
|
|
|
-/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
|
|
+/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
|
|
|
|
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
|
|
|
|
-/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0)
|
|
-/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
|
|
+/var/log/prelink\.log.* -- gen_context(system_u:object_r:prelink_log_t,s0)
|
|
+/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
|
|
|
|
-/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
|
|
-/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)
|
|
+/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
|
|
+/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)
|
|
diff --git a/prelink.if b/prelink.if
|
|
index 20d4697..e6605c1 100644
|
|
--- a/prelink.if
|
|
+++ b/prelink.if
|
|
@@ -2,7 +2,7 @@
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute prelink in the prelink domain.
|
|
+## Execute the prelink program in the prelink domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -18,15 +18,15 @@ interface(`prelink_domtrans',`
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, prelink_exec_t, prelink_t)
|
|
|
|
- ifdef(`hide_broken_symptoms',`
|
|
+ ifdef(`hide_broken_symptoms', `
|
|
dontaudit prelink_t $1:socket_class_set { read write };
|
|
- dontaudit prelink_t $1:fifo_file setattr_fifo_file_perms;
|
|
+ dontaudit prelink_t $1:fifo_file setattr;
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute prelink in the caller domain.
|
|
+## Execute the prelink program in the current domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -45,9 +45,7 @@ interface(`prelink_exec',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute prelink in the prelink
|
|
-## domain, and allow the specified role
|
|
-## the prelink domain.
|
|
+## Execute the prelink program in the prelink domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -56,18 +54,18 @@ interface(`prelink_exec',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to allow the prelink domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`prelink_run',`
|
|
gen_require(`
|
|
- attribute_role prelink_roles;
|
|
+ type prelink_t;
|
|
')
|
|
|
|
prelink_domtrans($1)
|
|
- roleattribute $2 prelink_roles;
|
|
+ role $2 types prelink_t;
|
|
')
|
|
|
|
########################################
|
|
@@ -80,6 +78,7 @@ interface(`prelink_run',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
+# cjp: added for misc non-entrypoint objects
|
|
interface(`prelink_object_file',`
|
|
gen_require(`
|
|
attribute prelink_object;
|
|
@@ -90,7 +89,7 @@ interface(`prelink_object_file',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read prelink cache files.
|
|
+## Read the prelink cache.
|
|
## </summary>
|
|
## <param name="file_type">
|
|
## <summary>
|
|
@@ -109,7 +108,7 @@ interface(`prelink_read_cache',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Delete prelink cache files.
|
|
+## Delete the prelink cache.
|
|
## </summary>
|
|
## <param name="file_type">
|
|
## <summary>
|
|
@@ -122,8 +121,8 @@ interface(`prelink_delete_cache',`
|
|
type prelink_cache_t;
|
|
')
|
|
|
|
+ allow $1 prelink_cache_t:file unlink;
|
|
files_rw_etc_dirs($1)
|
|
- allow $1 prelink_cache_t:file delete_file_perms;
|
|
')
|
|
|
|
########################################
|
|
@@ -168,7 +167,7 @@ interface(`prelink_manage_lib',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Relabel from prelink lib files.
|
|
+## Relabel from files in the /boot directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -187,7 +186,7 @@ interface(`prelink_relabelfrom_lib',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Relabel prelink lib files.
|
|
+## Relabel from files in the /boot directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -203,3 +202,21 @@ interface(`prelink_relabel_lib',`
|
|
files_search_var_lib($1)
|
|
relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
|
|
')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to prelink named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`prelink_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type prelink_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_etc_filetrans($1, prelink_cache_t, file, "prelink.cache")
|
|
+')
|
|
diff --git a/prelink.te b/prelink.te
|
|
index 8e26216..d59dc50 100644
|
|
--- a/prelink.te
|
|
+++ b/prelink.te
|
|
@@ -6,13 +6,10 @@ policy_module(prelink, 1.11.0)
|
|
|
|
attribute prelink_object;
|
|
|
|
-attribute_role prelink_roles;
|
|
-
|
|
type prelink_t;
|
|
type prelink_exec_t;
|
|
init_system_domain(prelink_t, prelink_exec_t)
|
|
domain_obj_id_change_exemption(prelink_t)
|
|
-role prelink_roles types prelink_t;
|
|
|
|
type prelink_cache_t;
|
|
files_type(prelink_cache_t)
|
|
@@ -47,24 +44,27 @@ allow prelink_t self:fifo_file rw_fifo_file_perms;
|
|
allow prelink_t prelink_cache_t:file manage_file_perms;
|
|
files_etc_filetrans(prelink_t, prelink_cache_t, file)
|
|
|
|
-allow prelink_t prelink_log_t:dir setattr_dir_perms;
|
|
+allow prelink_t prelink_log_t:dir setattr;
|
|
create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
|
|
append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
|
|
read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
|
|
logging_log_filetrans(prelink_t, prelink_log_t, file)
|
|
|
|
-allow prelink_t prelink_tmp_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod };
|
|
+allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
|
|
files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
|
|
|
|
-allow prelink_t prelink_tmpfs_t:file { manage_file_perms mmap_file_perms relabel_file_perms execmod };
|
|
+allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };
|
|
fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
|
|
|
|
manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
|
|
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
|
|
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
|
|
files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
|
|
+files_search_var_lib(prelink_t)
|
|
|
|
-allow prelink_t prelink_object:file { manage_file_perms mmap_file_perms relabel_file_perms };
|
|
+# prelink misc objects that are not system
|
|
+# libraries or entrypoints
|
|
+allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
|
|
|
|
kernel_read_system_state(prelink_t)
|
|
kernel_read_kernel_sysctls(prelink_t)
|
|
@@ -75,25 +75,23 @@ corecmd_mmap_all_executables(prelink_t)
|
|
corecmd_read_bin_symlinks(prelink_t)
|
|
|
|
dev_read_urand(prelink_t)
|
|
+dev_getattr_all_chr_files(prelink_t)
|
|
|
|
-files_getattr_all_files(prelink_t)
|
|
files_list_all(prelink_t)
|
|
+files_getattr_all_files(prelink_t)
|
|
+files_write_non_security_dirs(prelink_t)
|
|
+files_read_etc_runtime_files(prelink_t)
|
|
+files_dontaudit_read_all_symlinks(prelink_t)
|
|
files_manage_usr_files(prelink_t)
|
|
files_manage_var_files(prelink_t)
|
|
-files_read_etc_files(prelink_t)
|
|
-files_read_etc_runtime_files(prelink_t)
|
|
files_relabelfrom_usr_files(prelink_t)
|
|
-files_search_var_lib(prelink_t)
|
|
-files_write_non_security_dirs(prelink_t)
|
|
-files_dontaudit_read_all_symlinks(prelink_t)
|
|
|
|
-fs_getattr_all_fs(prelink_t)
|
|
-fs_search_auto_mountpoints(prelink_t)
|
|
-
|
|
-selinux_get_enforce_mode(prelink_t)
|
|
+fs_getattr_xattr_fs(prelink_t)
|
|
|
|
storage_getattr_fixed_disk_dev(prelink_t)
|
|
|
|
+selinux_get_enforce_mode(prelink_t)
|
|
+
|
|
libs_exec_ld_so(prelink_t)
|
|
libs_legacy_use_shared_libs(prelink_t)
|
|
libs_manage_ld_so(prelink_t)
|
|
@@ -102,32 +100,16 @@ libs_manage_shared_libs(prelink_t)
|
|
libs_relabel_shared_libs(prelink_t)
|
|
libs_delete_lib_symlinks(prelink_t)
|
|
|
|
-miscfiles_read_localization(prelink_t)
|
|
|
|
-userdom_use_user_terminals(prelink_t)
|
|
-userdom_manage_user_home_content_files(prelink_t)
|
|
-# pending
|
|
-# userdom_relabel_user_home_content_files(prelink_t)
|
|
-# userdom_execmod_user_home_content_files(prelink_t)
|
|
+userdom_use_inherited_user_terminals(prelink_t)
|
|
+userdom_manage_user_home_content(prelink_t)
|
|
+userdom_relabel_user_home_files(prelink_t)
|
|
+userdom_execmod_user_home_files(prelink_t)
|
|
userdom_exec_user_home_content_files(prelink_t)
|
|
|
|
-ifdef(`hide_broken_symptoms',`
|
|
- miscfiles_read_man_pages(prelink_t)
|
|
+systemd_read_unit_files(prelink_t)
|
|
|
|
- optional_policy(`
|
|
- dbus_read_config(prelink_t)
|
|
- ')
|
|
-')
|
|
-
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_exec_nfs_files(prelink_t)
|
|
- fs_manage_nfs_files(prelink_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_exec_cifs_files(prelink_t)
|
|
- fs_manage_cifs_files(prelink_t)
|
|
-')
|
|
+term_use_all_inherited_terms(prelink_t)
|
|
|
|
optional_policy(`
|
|
amanda_manage_lib(prelink_t)
|
|
@@ -138,11 +120,12 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ gnome_dontaudit_read_config(prelink_t)
|
|
gnome_dontaudit_read_inherited_gconf_config_files(prelink_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- mozilla_manage_plugin_rw_files(prelink_t)
|
|
+ mozilla_plugin_manage_rw_files(prelink_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -155,17 +138,18 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Cron system local policy
|
|
+# Prelink Cron system Policy
|
|
#
|
|
|
|
optional_policy(`
|
|
allow prelink_cron_system_t self:capability setuid;
|
|
allow prelink_cron_system_t self:process { setsched setfscreate signal };
|
|
allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
|
|
- allow prelink_cron_system_t self:unix_dgram_socket create_socket_perms;
|
|
+ allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
|
|
|
|
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
|
|
- allow prelink_cron_system_t prelink_cache_t:file delete_file_perms;
|
|
+ allow prelink_cron_system_t prelink_cache_t:file unlink;
|
|
+ files_delete_etc_dir_entry(prelink_cron_system_t)
|
|
|
|
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
|
|
allow prelink_cron_system_t prelink_t:process noatsecure;
|
|
@@ -174,7 +158,7 @@ optional_policy(`
|
|
|
|
manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
|
|
files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
|
|
- allow prelink_cron_system_t prelink_var_lib_t:file relabel_file_perms;
|
|
+ allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto };
|
|
|
|
kernel_read_system_state(prelink_cron_system_t)
|
|
|
|
@@ -184,23 +168,36 @@ optional_policy(`
|
|
dev_list_sysfs(prelink_cron_system_t)
|
|
dev_read_sysfs(prelink_cron_system_t)
|
|
|
|
- files_rw_etc_dirs(prelink_cron_system_t)
|
|
files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
|
|
+ files_search_var_lib(prelink_cron_system_t)
|
|
+ files_dontaudit_list_non_security(prelink_cron_system_t)
|
|
+
|
|
+ fs_search_cgroup_dirs(prelink_cron_system_t)
|
|
|
|
auth_use_nsswitch(prelink_cron_system_t)
|
|
|
|
init_telinit(prelink_cron_system_t)
|
|
init_exec(prelink_cron_system_t)
|
|
+ init_reload_services(prelink_cron_system_t)
|
|
|
|
libs_exec_ld_so(prelink_cron_system_t)
|
|
|
|
logging_search_logs(prelink_cron_system_t)
|
|
|
|
- miscfiles_read_localization(prelink_cron_system_t)
|
|
+ init_stream_connect(prelink_cron_system_t)
|
|
+
|
|
|
|
cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
|
|
|
|
+ userdom_dontaudit_list_admin_dir(prelink_cron_system_t)
|
|
+
|
|
optional_policy(`
|
|
rpm_read_db(prelink_cron_system_t)
|
|
')
|
|
')
|
|
+
|
|
+ifdef(`hide_broken_symptoms', `
|
|
+ optional_policy(`
|
|
+ dbus_read_config(prelink_t)
|
|
+ ')
|
|
+')
|
|
diff --git a/prelude.if b/prelude.if
|
|
index c83a838..f41a4f7 100644
|
|
--- a/prelude.if
|
|
+++ b/prelude.if
|
|
@@ -1,13 +1,13 @@
|
|
-## <summary>Prelude hybrid intrusion detection system.</summary>
|
|
+## <summary>Prelude hybrid intrusion detection system</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a domain transition to run prelude.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed to transition.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`prelude_domtrans',`
|
|
@@ -15,19 +15,17 @@ interface(`prelude_domtrans',`
|
|
type prelude_t, prelude_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, prelude_exec_t, prelude_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a domain transition to
|
|
-## run prelude audisp.
|
|
+## Execute a domain transition to run prelude_audisp.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed to transition.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`prelude_domtrans_audisp',`
|
|
@@ -35,18 +33,17 @@ interface(`prelude_domtrans_audisp',`
|
|
type prelude_audisp_t, prelude_audisp_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, prelude_audisp_exec_t, prelude_audisp_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send generic signals to prelude audisp.
|
|
+## Signal the prelude_audisp domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed acccess.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`prelude_signal_audisp',`
|
|
@@ -59,7 +56,7 @@ interface(`prelude_signal_audisp',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read prelude spool files.
|
|
+## Read the prelude spool files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -78,13 +75,12 @@ interface(`prelude_read_spool',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## prelude manager spool files.
|
|
+## Manage to prelude-manager spool files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed access.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`prelude_manage_spool',`
|
|
@@ -99,8 +95,8 @@ interface(`prelude_manage_spool',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an prelude environment.
|
|
+## All of the rules required to administrate
|
|
+## an prelude environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -116,32 +112,42 @@ interface(`prelude_manage_spool',`
|
|
#
|
|
interface(`prelude_admin',`
|
|
gen_require(`
|
|
- type prelude_t, prelude_spool_t, prelude_lml_var_run_t;
|
|
- type prelude_var_run_t, prelude_var_lib_t, prelude_log_t;
|
|
- type prelude_audisp_t, prelude_audisp_var_run_t;
|
|
- type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t;
|
|
+ type prelude_t, prelude_spool_t, prelude_initrc_exec_t;
|
|
+ type prelude_var_run_t, prelude_var_lib_t, prelude_lml_var_run_t;
|
|
+ type prelude_audisp_t, prelude_audisp_var_run_t, prelude_lml_tmp_t;
|
|
+ type prelude_lml_t;
|
|
')
|
|
|
|
- allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t })
|
|
+ allow $1 prelude_t:process signal_perms;
|
|
+ ps_process_pattern($1, prelude_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 prelude_t:process ptrace;
|
|
+ allow $1 prelude_audisp_t:process ptrace;
|
|
+ allow $1 prelude_lml_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ allow $1 prelude_audisp_t:process signal_perms;
|
|
+ ps_process_pattern($1, prelude_audisp_t)
|
|
+
|
|
+ allow $1 prelude_lml_t:process signal_perms;
|
|
+ ps_process_pattern($1, prelude_lml_t)
|
|
|
|
init_labeled_script_domtrans($1, prelude_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 prelude_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_search_spool($1)
|
|
+ files_list_spool($1)
|
|
admin_pattern($1, prelude_spool_t)
|
|
|
|
- logging_search_logs($1)
|
|
- admin_pattern($1, prelude_log_t)
|
|
-
|
|
- files_search_var_lib($1)
|
|
+ files_list_var_lib($1)
|
|
admin_pattern($1, prelude_var_lib_t)
|
|
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, { prelude_audisp_var_run_t prelude_var_run_t prelude_lml_var_run_t })
|
|
+ files_list_pids($1)
|
|
+ admin_pattern($1, prelude_var_run_t)
|
|
+ admin_pattern($1, prelude_audisp_var_run_t)
|
|
+ admin_pattern($1, prelude_lml_var_run_t)
|
|
|
|
- files_search_tmp($1)
|
|
+ files_list_tmp($1)
|
|
admin_pattern($1, prelude_lml_tmp_t)
|
|
')
|
|
diff --git a/prelude.te b/prelude.te
|
|
index 8f44609..509fd0a 100644
|
|
--- a/prelude.te
|
|
+++ b/prelude.te
|
|
@@ -13,7 +13,7 @@ type prelude_initrc_exec_t;
|
|
init_script_file(prelude_initrc_exec_t)
|
|
|
|
type prelude_spool_t;
|
|
-files_type(prelude_spool_t)
|
|
+files_spool_file(prelude_spool_t)
|
|
|
|
type prelude_log_t;
|
|
logging_log_file(prelude_log_t)
|
|
@@ -81,7 +81,6 @@ kernel_read_sysctl(prelude_t)
|
|
|
|
corecmd_search_bin(prelude_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(prelude_t)
|
|
corenet_all_recvfrom_netlabel(prelude_t)
|
|
corenet_tcp_sendrecv_generic_if(prelude_t)
|
|
corenet_tcp_sendrecv_generic_node(prelude_t)
|
|
@@ -97,7 +96,6 @@ dev_read_rand(prelude_t)
|
|
dev_read_urand(prelude_t)
|
|
|
|
files_read_etc_runtime_files(prelude_t)
|
|
-files_read_usr_files(prelude_t)
|
|
files_search_spool(prelude_t)
|
|
files_search_tmp(prelude_t)
|
|
|
|
@@ -108,8 +106,6 @@ auth_use_nsswitch(prelude_t)
|
|
logging_send_audit_msgs(prelude_t)
|
|
logging_send_syslog_msg(prelude_t)
|
|
|
|
-miscfiles_read_localization(prelude_t)
|
|
-
|
|
optional_policy(`
|
|
mysql_stream_connect(prelude_t)
|
|
mysql_tcp_connect(prelude_t)
|
|
@@ -141,7 +137,6 @@ kernel_read_system_state(prelude_audisp_t)
|
|
|
|
corecmd_search_bin(prelude_audisp_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(prelude_audisp_t)
|
|
corenet_all_recvfrom_netlabel(prelude_audisp_t)
|
|
corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
|
|
corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
|
|
@@ -155,15 +150,12 @@ dev_read_urand(prelude_audisp_t)
|
|
|
|
domain_use_interactive_fds(prelude_audisp_t)
|
|
|
|
-files_read_etc_files(prelude_audisp_t)
|
|
files_read_etc_runtime_files(prelude_audisp_t)
|
|
files_search_spool(prelude_audisp_t)
|
|
files_search_tmp(prelude_audisp_t)
|
|
|
|
logging_send_syslog_msg(prelude_audisp_t)
|
|
|
|
-miscfiles_read_localization(prelude_audisp_t)
|
|
-
|
|
sysnet_dns_name_resolve(prelude_audisp_t)
|
|
|
|
########################################
|
|
@@ -184,7 +176,6 @@ kernel_read_sysctl(prelude_correlator_t)
|
|
|
|
corecmd_search_bin(prelude_correlator_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(prelude_correlator_t)
|
|
corenet_all_recvfrom_netlabel(prelude_correlator_t)
|
|
corenet_tcp_sendrecv_generic_if(prelude_correlator_t)
|
|
corenet_tcp_sendrecv_generic_node(prelude_correlator_t)
|
|
@@ -196,14 +187,10 @@ corenet_tcp_sendrecv_prelude_port(prelude_correlator_t)
|
|
dev_read_rand(prelude_correlator_t)
|
|
dev_read_urand(prelude_correlator_t)
|
|
|
|
-files_read_etc_files(prelude_correlator_t)
|
|
-files_read_usr_files(prelude_correlator_t)
|
|
files_search_spool(prelude_correlator_t)
|
|
|
|
logging_send_syslog_msg(prelude_correlator_t)
|
|
|
|
-miscfiles_read_localization(prelude_correlator_t)
|
|
-
|
|
sysnet_dns_name_resolve(prelude_correlator_t)
|
|
|
|
########################################
|
|
@@ -212,6 +199,8 @@ sysnet_dns_name_resolve(prelude_correlator_t)
|
|
#
|
|
|
|
allow prelude_lml_t self:capability dac_override;
|
|
+allow prelude_lml_t self:tcp_socket { setopt create_socket_perms };
|
|
+allow prelude_lml_t self:unix_dgram_socket create_socket_perms;
|
|
allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
|
|
allow prelude_lml_t self:unix_stream_socket connectto;
|
|
|
|
@@ -262,8 +251,6 @@ libs_read_lib_files(prelude_lml_t)
|
|
logging_send_syslog_msg(prelude_lml_t)
|
|
logging_read_generic_logs(prelude_lml_t)
|
|
|
|
-miscfiles_read_localization(prelude_lml_t)
|
|
-
|
|
userdom_read_all_users_state(prelude_lml_t)
|
|
|
|
optional_policy(`
|
|
diff --git a/privoxy.if b/privoxy.if
|
|
index bdcee30..34f3143 100644
|
|
--- a/privoxy.if
|
|
+++ b/privoxy.if
|
|
@@ -23,8 +23,11 @@ interface(`privoxy_admin',`
|
|
type privoxy_etc_rw_t, privoxy_var_run_t;
|
|
')
|
|
|
|
- allow $1 privoxy_t:process { ptrace signal_perms };
|
|
+ allow $1 privoxy_t:process signal_perms;
|
|
ps_process_pattern($1, privoxy_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 privoxy_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, privoxy_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff --git a/privoxy.te b/privoxy.te
|
|
index ec21f80..a9f650a 100644
|
|
--- a/privoxy.te
|
|
+++ b/privoxy.te
|
|
@@ -85,6 +85,7 @@ corenet_sendrecv_tor_client_packets(privoxy_t)
|
|
corenet_tcp_connect_tor_port(privoxy_t)
|
|
corenet_tcp_sendrecv_tor_port(privoxy_t)
|
|
|
|
+
|
|
dev_read_sysfs(privoxy_t)
|
|
|
|
domain_use_interactive_fds(privoxy_t)
|
|
@@ -96,8 +97,6 @@ auth_use_nsswitch(privoxy_t)
|
|
|
|
logging_send_syslog_msg(privoxy_t)
|
|
|
|
-miscfiles_read_localization(privoxy_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(privoxy_t)
|
|
userdom_dontaudit_search_user_home_dirs(privoxy_t)
|
|
|
|
diff --git a/procmail.fc b/procmail.fc
|
|
index bdff6c9..4b36a13 100644
|
|
--- a/procmail.fc
|
|
+++ b/procmail.fc
|
|
@@ -1,6 +1,7 @@
|
|
-HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t,s0)
|
|
+HOME_DIR/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
|
|
+/root/\.procmailrc -- gen_context(system_u:object_r:procmail_home_t, s0)
|
|
|
|
/usr/bin/procmail -- gen_context(system_u:object_r:procmail_exec_t,s0)
|
|
|
|
-/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
|
|
-/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
|
|
+/var/log/procmail\.log.* -- gen_context(system_u:object_r:procmail_log_t,s0)
|
|
+/var/log/procmail(/.*)? gen_context(system_u:object_r:procmail_log_t,s0)
|
|
diff --git a/procmail.if b/procmail.if
|
|
index 00edeab..166e9c3 100644
|
|
--- a/procmail.if
|
|
+++ b/procmail.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>Procmail mail delivery agent.</summary>
|
|
+## <summary>Procmail mail delivery agent</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -15,6 +15,7 @@ interface(`procmail_domtrans',`
|
|
type procmail_exec_t, procmail_t;
|
|
')
|
|
|
|
+ files_search_usr($1)
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, procmail_exec_t, procmail_t)
|
|
')
|
|
@@ -34,101 +35,33 @@ interface(`procmail_exec',`
|
|
type procmail_exec_t;
|
|
')
|
|
|
|
+ files_search_usr($1)
|
|
corecmd_search_bin($1)
|
|
can_exec($1, procmail_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## procmail home files.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`procmail_manage_home_files',`
|
|
- gen_require(`
|
|
- type procmail_home_t;
|
|
- ')
|
|
-
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 procmail_home_t:file manage_file_perms;
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Read procmail user home content files.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`procmail_read_home_files',`
|
|
- gen_require(`
|
|
- type procmail_home_t;
|
|
-
|
|
- ')
|
|
-
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 procmail_home_t:file read_file_perms;
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Relabel procmail home files.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`procmail_relabel_home_files',`
|
|
- gen_require(`
|
|
- type ppp_home_t;
|
|
- ')
|
|
-
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 procmail_home_t:file relabel_file_perms;
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Create objects in user home
|
|
-## directories with the procmail home type.
|
|
+## Read procmail tmp files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
#
|
|
-interface(`procmail_home_filetrans_procmail_home',`
|
|
+interface(`procmail_read_tmp_files',`
|
|
gen_require(`
|
|
- type procmail_home_t;
|
|
+ type procmail_tmp_t;
|
|
')
|
|
|
|
- userdom_user_home_dir_filetrans($1, procmail_home_t, $2, $3)
|
|
+ files_search_tmp($1)
|
|
+ allow $1 procmail_tmp_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read procmail tmp files.
|
|
+## Read/write procmail tmp files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -136,18 +69,18 @@ interface(`procmail_home_filetrans_procmail_home',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`procmail_read_tmp_files',`
|
|
+interface(`procmail_rw_tmp_files',`
|
|
gen_require(`
|
|
type procmail_tmp_t;
|
|
')
|
|
|
|
files_search_tmp($1)
|
|
- allow $1 procmail_tmp_t:file read_file_perms;
|
|
+ rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write procmail tmp files.
|
|
+## Read procmail home directory content
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -155,11 +88,11 @@ interface(`procmail_read_tmp_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`procmail_rw_tmp_files',`
|
|
+interface(`procmail_read_home_files',`
|
|
gen_require(`
|
|
- type procmail_tmp_t;
|
|
+ type procmail_home_t;
|
|
')
|
|
|
|
- files_search_tmp($1)
|
|
- rw_files_pattern($1, procmail_tmp_t, procmail_tmp_t)
|
|
+ userdom_search_user_home_dirs($1)
|
|
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
|
|
')
|
|
diff --git a/procmail.te b/procmail.te
|
|
index cc426e6..3bbf1d7 100644
|
|
--- a/procmail.te
|
|
+++ b/procmail.te
|
|
@@ -14,7 +14,7 @@ type procmail_home_t;
|
|
userdom_user_home_content(procmail_home_t)
|
|
|
|
type procmail_log_t;
|
|
-logging_log_file(procmail_log_t)
|
|
+logging_log_file(procmail_log_t)
|
|
|
|
type procmail_tmp_t;
|
|
files_tmp_file(procmail_tmp_t)
|
|
@@ -27,10 +27,14 @@ files_tmp_file(procmail_tmp_t)
|
|
allow procmail_t self:capability { sys_nice chown fsetid setuid setgid dac_override };
|
|
allow procmail_t self:process { setsched signal signull };
|
|
allow procmail_t self:fifo_file rw_fifo_file_perms;
|
|
-allow procmail_t self:tcp_socket { accept listen };
|
|
+allow procmail_t self:unix_stream_socket create_socket_perms;
|
|
+allow procmail_t self:unix_dgram_socket create_socket_perms;
|
|
+allow procmail_t self:tcp_socket create_stream_socket_perms;
|
|
+allow procmail_t self:udp_socket create_socket_perms;
|
|
|
|
-allow procmail_t procmail_home_t:file read_file_perms;
|
|
+can_exec(procmail_t, procmail_exec_t)
|
|
|
|
+# Write log to /var/log/procmail.log or /var/log/procmail/.*
|
|
allow procmail_t procmail_log_t:dir setattr_dir_perms;
|
|
create_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
|
|
append_files_pattern(procmail_t, procmail_log_t, procmail_log_t)
|
|
@@ -40,83 +44,96 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir })
|
|
allow procmail_t procmail_tmp_t:file manage_file_perms;
|
|
files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
|
|
|
|
-can_exec(procmail_t, procmail_exec_t)
|
|
-
|
|
+kernel_read_network_state(procmail_t)
|
|
kernel_read_system_state(procmail_t)
|
|
kernel_read_kernel_sysctls(procmail_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(procmail_t)
|
|
corenet_all_recvfrom_netlabel(procmail_t)
|
|
corenet_tcp_sendrecv_generic_if(procmail_t)
|
|
+corenet_udp_sendrecv_generic_if(procmail_t)
|
|
corenet_tcp_sendrecv_generic_node(procmail_t)
|
|
-
|
|
-corenet_sendrecv_spamd_client_packets(procmail_t)
|
|
+corenet_udp_sendrecv_generic_node(procmail_t)
|
|
+corenet_tcp_sendrecv_all_ports(procmail_t)
|
|
+corenet_udp_sendrecv_all_ports(procmail_t)
|
|
+corenet_udp_bind_generic_node(procmail_t)
|
|
corenet_tcp_connect_spamd_port(procmail_t)
|
|
-corenet_tcp_sendrecv_spamd_port(procmail_t)
|
|
-
|
|
+corenet_sendrecv_spamd_client_packets(procmail_t)
|
|
corenet_sendrecv_comsat_client_packets(procmail_t)
|
|
-corenet_tcp_connect_comsat_port(procmail_t)
|
|
-corenet_tcp_sendrecv_comsat_port(procmail_t)
|
|
-
|
|
-corecmd_exec_bin(procmail_t)
|
|
-corecmd_exec_shell(procmail_t)
|
|
|
|
dev_read_urand(procmail_t)
|
|
|
|
-fs_getattr_all_fs(procmail_t)
|
|
+fs_getattr_xattr_fs(procmail_t)
|
|
fs_search_auto_mountpoints(procmail_t)
|
|
fs_rw_anon_inodefs_files(procmail_t)
|
|
|
|
auth_use_nsswitch(procmail_t)
|
|
|
|
+corecmd_exec_bin(procmail_t)
|
|
+corecmd_exec_shell(procmail_t)
|
|
+
|
|
files_read_etc_runtime_files(procmail_t)
|
|
-files_read_usr_files(procmail_t)
|
|
+files_search_pids(procmail_t)
|
|
+# for spamassasin
|
|
|
|
-logging_send_syslog_msg(procmail_t)
|
|
+application_exec_all(procmail_t)
|
|
|
|
-miscfiles_read_localization(procmail_t)
|
|
+init_read_utmp(procmail_t)
|
|
+
|
|
+logging_send_syslog_msg(procmail_t)
|
|
+logging_append_all_logs(procmail_t)
|
|
|
|
+list_dirs_pattern(procmail_t, procmail_home_t, procmail_home_t)
|
|
+read_files_pattern(procmail_t, procmail_home_t, procmail_home_t)
|
|
userdom_search_user_home_dirs(procmail_t)
|
|
+userdom_search_admin_dir(procmail_t)
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(procmail_t)
|
|
- fs_manage_nfs_files(procmail_t)
|
|
- fs_manage_nfs_symlinks(procmail_t)
|
|
-')
|
|
+# only works until we define a different type for maildir
|
|
+userdom_manage_user_home_content_dirs(procmail_t)
|
|
+userdom_manage_user_home_content_files(procmail_t)
|
|
+userdom_manage_user_home_content_symlinks(procmail_t)
|
|
+userdom_manage_user_home_content_pipes(procmail_t)
|
|
+userdom_manage_user_home_content_sockets(procmail_t)
|
|
+userdom_filetrans_home_content(procmail_t)
|
|
+
|
|
+userdom_manage_user_tmp_dirs(procmail_t)
|
|
+userdom_manage_user_tmp_files(procmail_t)
|
|
+userdom_manage_user_tmp_symlinks(procmail_t)
|
|
+
|
|
+# Execute user executables
|
|
+userdom_exec_user_bin_files(procmail_t)
|
|
+
|
|
+mta_manage_spool(procmail_t)
|
|
+mta_read_queue(procmail_t)
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(procmail_t)
|
|
- fs_manage_cifs_files(procmail_t)
|
|
- fs_manage_cifs_symlinks(procmail_t)
|
|
+ifdef(`hide_broken_symptoms',`
|
|
+ mta_dontaudit_rw_queue(procmail_t)
|
|
')
|
|
|
|
+userdom_home_manager(procmail_t)
|
|
+
|
|
optional_policy(`
|
|
- clamav_domtrans_clamscan(procmail_t)
|
|
- clamav_search_lib(procmail_t)
|
|
+ antivirus_domtrans(procmail_t)
|
|
+ antivirus_search_db(procmail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- cyrus_stream_connect(procmail_t)
|
|
+ dovecot_stream_connect(procmail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- mta_manage_spool(procmail_t)
|
|
- mta_read_config(procmail_t)
|
|
- mta_read_queue(procmail_t)
|
|
- mta_manage_mail_home_rw_content(procmail_t)
|
|
- mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir")
|
|
- mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir")
|
|
+ cyrus_stream_connect(procmail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- munin_dontaudit_search_lib(procmail_t)
|
|
+ gnome_manage_data(procmail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- nagios_search_spool(procmail_t)
|
|
+ munin_dontaudit_search_lib(procmail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ # for a bug in the postfix local program
|
|
postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
|
|
postfix_dontaudit_use_fds(procmail_t)
|
|
postfix_read_spool_files(procmail_t)
|
|
@@ -126,11 +143,17 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ nagios_search_spool(procmail_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
pyzor_domtrans(procmail_t)
|
|
pyzor_signal(procmail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ mta_read_config(procmail_t)
|
|
+ mta_manage_home_rw(procmail_t)
|
|
sendmail_domtrans(procmail_t)
|
|
sendmail_signal(procmail_t)
|
|
sendmail_dontaudit_rw_tcp_sockets(procmail_t)
|
|
diff --git a/prosody.fc b/prosody.fc
|
|
new file mode 100644
|
|
index 0000000..96a0d9f
|
|
--- /dev/null
|
|
+++ b/prosody.fc
|
|
@@ -0,0 +1,8 @@
|
|
+/usr/bin/prosody -- gen_context(system_u:object_r:prosody_exec_t,s0)
|
|
+/usr/bin/prosodyctl -- gen_context(system_u:object_r:prosody_exec_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/prosody.service -- gen_context(system_u:object_r:prosody_unit_file_t,s0)
|
|
+
|
|
+/var/lib/prosody(/.*)? gen_context(system_u:object_r:prosody_var_lib_t,s0)
|
|
+
|
|
+/var/run/prosody(/.*)? gen_context(system_u:object_r:prosody_var_run_t,s0)
|
|
diff --git a/prosody.if b/prosody.if
|
|
new file mode 100644
|
|
index 0000000..19c35c1
|
|
--- /dev/null
|
|
+++ b/prosody.if
|
|
@@ -0,0 +1,234 @@
|
|
+
|
|
+## <summary>policy for prosody</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute TEMPLATE in the prosody domin.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`prosody_domtrans',`
|
|
+ gen_require(`
|
|
+ type prosody_t, prosody_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, prosody_exec_t, prosody_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search prosody lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`prosody_search_lib',`
|
|
+ gen_require(`
|
|
+ type prosody_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 prosody_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read prosody lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`prosody_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type prosody_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage prosody lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`prosody_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type prosody_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage prosody lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`prosody_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type prosody_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, prosody_var_lib_t, prosody_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read prosody PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`prosody_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type prosody_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ read_files_pattern($1, prosody_var_run_t, prosody_var_run_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute prosody server in the prosody domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`prosody_systemctl',`
|
|
+ gen_require(`
|
|
+ type prosody_t;
|
|
+ type prosody_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ allow $1 prosody_unit_file_t:file read_file_perms;
|
|
+ allow $1 prosody_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, prosody_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute prosody in the prosody domain, and
|
|
+## allow the specified role the prosody domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed the prosody domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`prosody_run',`
|
|
+ gen_require(`
|
|
+ type prosody_t;
|
|
+ attribute_role prosody_roles;
|
|
+ ')
|
|
+
|
|
+ prosody_domtrans($1)
|
|
+ roleattribute $2 prosody_roles;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Role access for prosody
|
|
+## </summary>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## User domain for the role
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`prosody_role',`
|
|
+ gen_require(`
|
|
+ type prosody_t;
|
|
+ attribute_role prosody_roles;
|
|
+ ')
|
|
+
|
|
+ roleattribute $1 prosody_roles;
|
|
+
|
|
+ prosody_domtrans($2)
|
|
+
|
|
+ ps_process_pattern($2, prosody_t)
|
|
+ allow $2 prosody_t:process { signull signal sigkill };
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an prosody environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`prosody_admin',`
|
|
+ gen_require(`
|
|
+ type prosody_t;
|
|
+ type prosody_var_lib_t;
|
|
+ type prosody_var_run_t;
|
|
+ type prosody_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 prosody_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, prosody_t)
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ admin_pattern($1, prosody_var_lib_t)
|
|
+
|
|
+ files_search_pids($1)
|
|
+ admin_pattern($1, prosody_var_run_t)
|
|
+
|
|
+ prosody_systemctl($1)
|
|
+ admin_pattern($1, prosody_unit_file_t)
|
|
+ allow $1 prosody_unit_file_t:service all_service_perms;
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+')
|
|
diff --git a/prosody.te b/prosody.te
|
|
new file mode 100644
|
|
index 0000000..4f6badd
|
|
--- /dev/null
|
|
+++ b/prosody.te
|
|
@@ -0,0 +1,75 @@
|
|
+policy_module(prosody, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Permit to prosody to bind apache port.
|
|
+## Need to be activated to use BOSH.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(prosody_bind_http_port, false)
|
|
+
|
|
+type prosody_t;
|
|
+type prosody_exec_t;
|
|
+init_daemon_domain(prosody_t, prosody_exec_t)
|
|
+
|
|
+type prosody_var_lib_t;
|
|
+files_type(prosody_var_lib_t)
|
|
+
|
|
+type prosody_var_run_t;
|
|
+files_pid_file(prosody_var_run_t)
|
|
+
|
|
+type prosody_unit_file_t;
|
|
+systemd_unit_file(prosody_unit_file_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# prosody local policy
|
|
+#
|
|
+allow prosody_t self:capability { setuid setgid };
|
|
+allow prosody_t self:process signal_perms;
|
|
+allow prosody_t self:tcp_socket create_stream_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
|
|
+manage_files_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
|
|
+manage_lnk_files_pattern(prosody_t, prosody_var_lib_t, prosody_var_lib_t)
|
|
+files_var_lib_filetrans(prosody_t, prosody_var_lib_t, { dir file lnk_file })
|
|
+
|
|
+manage_dirs_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
|
|
+manage_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
|
|
+manage_lnk_files_pattern(prosody_t, prosody_var_run_t, prosody_var_run_t)
|
|
+files_pid_filetrans(prosody_t, prosody_var_run_t, { dir file lnk_file })
|
|
+
|
|
+can_exec(prosody_t, prosody_exec_t)
|
|
+
|
|
+kernel_read_system_state(prosody_t)
|
|
+
|
|
+corecmd_exec_bin(prosody_t)
|
|
+corecmd_exec_shell(prosody_t)
|
|
+
|
|
+corenet_udp_bind_generic_node(prosody_t)
|
|
+corenet_tcp_connect_jabber_interserver_port(prosody_t)
|
|
+corenet_tcp_connect_jabber_client_port(prosody_t)
|
|
+corenet_tcp_bind_jabber_client_port(prosody_t)
|
|
+corenet_tcp_bind_jabber_interserver_port(prosody_t)
|
|
+corenet_tcp_bind_jabber_router_port(prosody_t)
|
|
+tunable_policy(`prosody_bind_http_port',`
|
|
+ corenet_tcp_bind_http_port(prosody_t)
|
|
+')
|
|
+
|
|
+dev_read_urand(prosody_t)
|
|
+
|
|
+domain_use_interactive_fds(prosody_t)
|
|
+
|
|
+files_read_etc_files(prosody_t)
|
|
+
|
|
+auth_use_nsswitch(prosody_t)
|
|
+sysnet_read_config(prosody_t)
|
|
+
|
|
+logging_send_syslog_msg(prosody_t)
|
|
+
|
|
+miscfiles_read_localization(prosody_t)
|
|
diff --git a/psad.if b/psad.if
|
|
index d4dcf78..3cce82e 100644
|
|
--- a/psad.if
|
|
+++ b/psad.if
|
|
@@ -93,9 +93,8 @@ interface(`psad_manage_config',`
|
|
')
|
|
|
|
files_search_etc($1)
|
|
- allow $1 psad_etc_t:dir manage_dir_perms;
|
|
- allow $1 psad_etc_t:file manage_file_perms;
|
|
- allow $1 psad_etc_t:lnk_file manage_lnk_file_perms;
|
|
+ manage_dirs_pattern($1, psad_etc_t, psad_etc_t)
|
|
+ manage_files_pattern($1, psad_etc_t, psad_etc_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -119,7 +118,7 @@ interface(`psad_read_pid_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write psad pid files.
|
|
+## Read and write psad PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -179,6 +178,45 @@ interface(`psad_append_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Allow the specified domain to write to psad's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`psad_write_log',`
|
|
+ gen_require(`
|
|
+ type psad_var_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ write_files_pattern($1, psad_var_log_t, psad_var_log_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow the specified domain to setattr to psad's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`psad_setattr_log',`
|
|
+ gen_require(`
|
|
+ type psad_var_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ setattr_files_pattern($1, psad_var_log_t, psad_var_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Read and write psad fifo files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -198,6 +236,45 @@ interface(`psad_rw_fifo_file',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
+## Allow setattr to psad fifo files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`psad_setattr_fifo_file',`
|
|
+ gen_require(`
|
|
+ type psad_t, psad_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ allow $1 psad_var_lib_t:fifo_file setattr;
|
|
+ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow search to psad lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`psad_search_lib_files',`
|
|
+ gen_require(`
|
|
+ type psad_t, psad_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ search_dirs_pattern($1, psad_var_lib_t, psad_var_lib_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
## Read and write psad temporary files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -235,30 +312,34 @@ interface(`psad_rw_tmp_files',`
|
|
interface(`psad_admin',`
|
|
gen_require(`
|
|
type psad_t, psad_var_run_t, psad_var_log_t;
|
|
- type psad_initrc_exec_t, psad_var_lib_t;
|
|
+ type psad_initrc_exec_t, psad_var_lib_t, psad_etc_t;
|
|
type psad_tmp_t;
|
|
')
|
|
|
|
- allow $1 psad_t:process { ptrace signal_perms };
|
|
+ allow $1 psad_t:process signal_perms;
|
|
ps_process_pattern($1, psad_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 psad_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, psad_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 psad_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_search_etc($1)
|
|
+ files_list_etc($1)
|
|
admin_pattern($1, psad_etc_t)
|
|
|
|
- files_search_pids($1)
|
|
+ files_list_pids($1)
|
|
admin_pattern($1, psad_var_run_t)
|
|
|
|
- logging_search_logs($1)
|
|
+ logging_list_logs($1)
|
|
admin_pattern($1, psad_var_log_t)
|
|
|
|
- files_search_var_lib($1)
|
|
+ files_list_var_lib($1)
|
|
admin_pattern($1, psad_var_lib_t)
|
|
|
|
- files_search_tmp($1)
|
|
+ files_list_tmp($1)
|
|
admin_pattern($1, psad_tmp_t)
|
|
')
|
|
diff --git a/psad.te b/psad.te
|
|
index b5d717b..0de086e 100644
|
|
--- a/psad.te
|
|
+++ b/psad.te
|
|
@@ -66,7 +66,6 @@ kernel_read_net_sysctls(psad_t)
|
|
corecmd_exec_bin(psad_t)
|
|
corecmd_exec_shell(psad_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(psad_t)
|
|
corenet_all_recvfrom_netlabel(psad_t)
|
|
corenet_tcp_sendrecv_generic_if(psad_t)
|
|
corenet_tcp_sendrecv_generic_node(psad_t)
|
|
@@ -78,7 +77,6 @@ corenet_tcp_sendrecv_whois_port(psad_t)
|
|
dev_read_urand(psad_t)
|
|
|
|
files_read_etc_runtime_files(psad_t)
|
|
-files_read_usr_files(psad_t)
|
|
|
|
fs_getattr_all_fs(psad_t)
|
|
|
|
@@ -88,8 +86,6 @@ logging_read_generic_logs(psad_t)
|
|
logging_read_syslog_config(psad_t)
|
|
logging_send_syslog_msg(psad_t)
|
|
|
|
-miscfiles_read_localization(psad_t)
|
|
-
|
|
sysnet_exec_ifconfig(psad_t)
|
|
|
|
optional_policy(`
|
|
diff --git a/ptchown.te b/ptchown.te
|
|
index 28d2abc..c2cfb5e 100644
|
|
--- a/ptchown.te
|
|
+++ b/ptchown.te
|
|
@@ -21,7 +21,6 @@ role ptchown_roles types ptchown_t;
|
|
allow ptchown_t self:capability { chown fowner fsetid setuid };
|
|
allow ptchown_t self:process { getcap setcap };
|
|
|
|
-files_read_etc_files(ptchown_t)
|
|
|
|
fs_rw_anon_inodefs_files(ptchown_t)
|
|
|
|
@@ -31,4 +30,4 @@ term_setattr_all_ptys(ptchown_t)
|
|
term_use_generic_ptys(ptchown_t)
|
|
term_use_ptmx(ptchown_t)
|
|
|
|
-miscfiles_read_localization(ptchown_t)
|
|
+auth_read_passwd(ptchown_t)
|
|
diff --git a/pulseaudio.fc b/pulseaudio.fc
|
|
index 6864479..0e7d875 100644
|
|
--- a/pulseaudio.fc
|
|
+++ b/pulseaudio.fc
|
|
@@ -1,9 +1,14 @@
|
|
HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
|
|
-HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
|
|
HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
|
|
+HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
|
|
+HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
|
|
|
|
-/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
|
|
+/root/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
|
|
+/root/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
|
|
+/root/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
|
|
+/root/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
|
|
|
|
-/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
|
|
+/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
|
|
|
|
-/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
|
|
+/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
|
|
+/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
|
|
diff --git a/pulseaudio.if b/pulseaudio.if
|
|
index 45843b5..116be8a 100644
|
|
--- a/pulseaudio.if
|
|
+++ b/pulseaudio.if
|
|
@@ -2,43 +2,48 @@
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Role access for pulseaudio.
|
|
+## Role access for pulseaudio
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## User domain for the role.
|
|
+## User domain for the role
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`pulseaudio_role',`
|
|
gen_require(`
|
|
- attribute pulseaudio_tmpfsfile;
|
|
- type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t;
|
|
- type pulseaudio_tmp_t;
|
|
+ attribute pulseaudio_tmpfsfile;
|
|
+ type pulseaudio_t, pulseaudio_exec_t, pulseaudio_tmpfs_t;
|
|
+ class dbus { acquire_svc send_msg };
|
|
')
|
|
|
|
- pulseaudio_run($2, $1)
|
|
+ role $1 types pulseaudio_t;
|
|
+
|
|
+ # Transition from the user domain to the derived domain.
|
|
+ domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)
|
|
|
|
- allow $2 pulseaudio_t:process { ptrace signal_perms };
|
|
ps_process_pattern($2, pulseaudio_t)
|
|
|
|
- allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
+ allow pulseaudio_t $2:process { signal signull };
|
|
+ allow $2 pulseaudio_t:process { signal signull sigkill };
|
|
+ ps_process_pattern(pulseaudio_t, $2)
|
|
+
|
|
+ allow pulseaudio_t $2:unix_stream_socket connectto;
|
|
+ allow $2 pulseaudio_t:unix_stream_socket connectto;
|
|
|
|
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
|
|
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
|
|
|
|
- allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
|
+ userdom_manage_tmp_role($1, pulseaudio_t)
|
|
+ userdom_manage_tmpfs_role($1, pulseaudio_t)
|
|
|
|
- allow pulseaudio_t $2:unix_stream_socket connectto;
|
|
+ allow $2 pulseaudio_t:dbus send_msg;
|
|
+ allow pulseaudio_t $2:dbus { acquire_svc send_msg };
|
|
')
|
|
|
|
########################################
|
|
@@ -65,9 +70,8 @@ interface(`pulseaudio_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute pulseaudio in the pulseaudio
|
|
-## domain, and allow the specified role
|
|
-## the pulseaudio domain.
|
|
+## Execute pulseaudio in the pulseaudio domain, and
|
|
+## allow the specified role the pulseaudio domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -82,16 +86,16 @@ interface(`pulseaudio_domtrans',`
|
|
#
|
|
interface(`pulseaudio_run',`
|
|
gen_require(`
|
|
- attribute_role pulseaudio_roles;
|
|
+ type pulseaudio_t;
|
|
')
|
|
|
|
pulseaudio_domtrans($1)
|
|
- roleattribute $2 pulseaudio_roles;
|
|
+ role $2 types pulseaudio_t;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute pulseaudio in the caller domain.
|
|
+## Execute a pulseaudio in the current domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -104,13 +108,12 @@ interface(`pulseaudio_exec',`
|
|
type pulseaudio_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, pulseaudio_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to execute pulseaudio.
|
|
+## Do not audit to execute a pulseaudio.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -128,7 +131,7 @@ interface(`pulseaudio_dontaudit_exec',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send null signals to pulseaudio.
|
|
+## Send signull signal to pulseaudio
|
|
## processes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -147,8 +150,8 @@ interface(`pulseaudio_signull',`
|
|
|
|
#####################################
|
|
## <summary>
|
|
-## Connect to pulseaudio with a unix
|
|
-## domain stream socket.
|
|
+## Connect to pulseaudio over a unix domain
|
|
+## stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -158,11 +161,15 @@ interface(`pulseaudio_signull',`
|
|
#
|
|
interface(`pulseaudio_stream_connect',`
|
|
gen_require(`
|
|
- type pulseaudio_t, pulseaudio_var_run_t, pulseaudio_tmp_t;
|
|
+ type pulseaudio_t, pulseaudio_var_run_t;
|
|
+ type pulseaudio_home_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
- stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_var_run_t }, { pulseaudio_tmp_t pulseaudio_var_run_t }, pulseaudio_t)
|
|
+ allow $1 pulseaudio_t:process signull;
|
|
+ allow pulseaudio_t $1:process signull;
|
|
+ stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
|
|
+ stream_connect_pattern($1, pulseaudio_home_t, pulseaudio_home_t, pulseaudio_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -188,9 +195,9 @@ interface(`pulseaudio_dbus_chat',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Set attributes of pulseaudio home directories.
|
|
+## Set the attributes of the pulseaudio homedir.
|
|
## </summary>
|
|
-## <param name="domain">
|
|
+## <param name="user_domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
@@ -201,148 +208,190 @@ interface(`pulseaudio_setattr_home_dir',`
|
|
type pulseaudio_home_t;
|
|
')
|
|
|
|
- allow $1 pulseaudio_home_t:dir setattr_dir_perms;
|
|
+ allow $1 pulseaudio_home_t:dir setattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read pulseaudio home content.
|
|
+## Read pulseaudio homedir files.
|
|
## </summary>
|
|
-## <param name="domain">
|
|
+## <param name="user_domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`pulseaudio_read_home_files',`
|
|
- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_read_home() instead.')
|
|
- pulseaudio_read_home($1)
|
|
+ gen_require(`
|
|
+ type pulseaudio_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_search_user_home_dirs($1)
|
|
+ read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
|
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read pulseaudio home content.
|
|
+## Read and write Pulse Audio files.
|
|
## </summary>
|
|
-## <param name="domain">
|
|
+## <param name="user_domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`pulseaudio_read_home',`
|
|
+interface(`pulseaudio_rw_home_files',`
|
|
gen_require(`
|
|
type pulseaudio_home_t;
|
|
')
|
|
|
|
+ rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
|
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
|
userdom_search_user_home_dirs($1)
|
|
- allow $1 pulseaudio_home_t:dir list_dir_perms;
|
|
- allow $1 pulseaudio_home_t:file read_file_perms;
|
|
- allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write Pulse Audio files.
|
|
+## Create, read, write, and delete pulseaudio
|
|
+## home directories.
|
|
## </summary>
|
|
-## <param name="domain">
|
|
+## <param name="user_domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`pulseaudio_rw_home_files',`
|
|
+interface(`pulseaudio_manage_home_dirs',`
|
|
gen_require(`
|
|
type pulseaudio_home_t;
|
|
')
|
|
|
|
userdom_search_user_home_dirs($1)
|
|
- rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
|
- read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
|
+ manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## pulseaudio home content.
|
|
+## Create, read, write, and delete pulseaudio
|
|
+## home directory files.
|
|
## </summary>
|
|
-## <param name="domain">
|
|
+## <param name="user_domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`pulseaudio_manage_home_files',`
|
|
- refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.')
|
|
- pulseaudio_manage_home($1)
|
|
+ gen_require(`
|
|
+ type pulseaudio_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_search_user_home_dirs($1)
|
|
+ manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
|
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
|
+ pulseaudio_filetrans_home_content($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## pulseaudio home content.
|
|
+## Create, read, write, and delete pulseaudio
|
|
+## home directory symlinks.
|
|
## </summary>
|
|
-## <param name="domain">
|
|
+## <param name="user_domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`pulseaudio_manage_home',`
|
|
+interface(`pulseaudio_manage_home_symlinks',`
|
|
gen_require(`
|
|
type pulseaudio_home_t;
|
|
')
|
|
|
|
userdom_search_user_home_dirs($1)
|
|
- allow $1 pulseaudio_home_t:dir manage_dir_perms;
|
|
- allow $1 pulseaudio_home_t:file manage_file_perms;
|
|
- allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms;
|
|
+ manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create objects in user home
|
|
-## directories with the pulseaudio
|
|
-## home type.
|
|
+## Create pulseaudio content in the user home directory
|
|
+## with an correct label.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
+#
|
|
+interface(`pulseaudio_filetrans_home_content',`
|
|
+ gen_require(`
|
|
+ type pulseaudio_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
|
|
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
|
|
+ userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
|
|
+ optional_policy(`
|
|
+ gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
|
|
+ ')
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create pulseaudio content in the admin home directory
|
|
+## with an correct label.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## The name of the object being created.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`pulseaudio_home_filetrans_pulseaudio_home',`
|
|
+interface(`pulseaudio_filetrans_admin_home_content',`
|
|
gen_require(`
|
|
type pulseaudio_home_t;
|
|
')
|
|
|
|
- userdom_user_home_dir_filetrans($1, pulseaudio_home_t, $2, $3)
|
|
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
|
|
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
|
|
+ userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Make the specified tmpfs file type
|
|
-## pulseaudio tmpfs content.
|
|
+## Make the specified tmpfs file type
|
|
+## pulseaudio tmpfs content.
|
|
## </summary>
|
|
## <param name="file_type">
|
|
+## <summary>
|
|
+## File type to make pulseaudio tmpfs content.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`pulseaudio_tmpfs_content',`
|
|
+ gen_require(`
|
|
+ attribute pulseaudio_tmpfsfile;
|
|
+ ')
|
|
+
|
|
+ typeattribute $1 pulseaudio_tmpfsfile;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow the domain to read pulseaudio state files in /proc.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## File type to make pulseaudio tmpfs content.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`pulseaudio_tmpfs_content',`
|
|
+interface(`pulseaudio_read_state',`
|
|
gen_require(`
|
|
- attribute pulseaudio_tmpfsfile;
|
|
+ type pulseaudio_t;
|
|
')
|
|
|
|
- typeattribute $1 pulseaudio_tmpfsfile;
|
|
+ kernel_search_proc($1)
|
|
+ ps_process_pattern($1, pulseaudio_t)
|
|
')
|
|
diff --git a/pulseaudio.te b/pulseaudio.te
|
|
index 6643b49..1d2470f 100644
|
|
--- a/pulseaudio.te
|
|
+++ b/pulseaudio.te
|
|
@@ -8,61 +8,49 @@ policy_module(pulseaudio, 1.6.0)
|
|
attribute pulseaudio_client;
|
|
attribute pulseaudio_tmpfsfile;
|
|
|
|
-attribute_role pulseaudio_roles;
|
|
-
|
|
type pulseaudio_t;
|
|
type pulseaudio_exec_t;
|
|
# init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
|
|
userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t)
|
|
-role pulseaudio_roles types pulseaudio_t;
|
|
+role system_r types pulseaudio_t;
|
|
|
|
type pulseaudio_home_t;
|
|
userdom_user_home_content(pulseaudio_home_t)
|
|
|
|
-type pulseaudio_tmp_t;
|
|
-userdom_user_tmp_file(pulseaudio_tmp_t)
|
|
-
|
|
type pulseaudio_tmpfs_t;
|
|
userdom_user_tmpfs_file(pulseaudio_tmpfs_t)
|
|
|
|
type pulseaudio_var_lib_t;
|
|
files_type(pulseaudio_var_lib_t)
|
|
+ubac_constrained(pulseaudio_var_lib_t)
|
|
|
|
type pulseaudio_var_run_t;
|
|
files_pid_file(pulseaudio_var_run_t)
|
|
+ubac_constrained(pulseaudio_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# pulseaudio local policy
|
|
#
|
|
|
|
allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
|
|
allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
|
|
-allow pulseaudio_t self:fifo_file rw_fifo_file_perms;
|
|
-allow pulseaudio_t self:unix_stream_socket { accept connectto listen };
|
|
-allow pulseaudio_t self:unix_dgram_socket sendto;
|
|
-allow pulseaudio_t self:tcp_socket { accept listen };
|
|
+allow pulseaudio_t self:fifo_file rw_file_perms;
|
|
+allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
+allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
|
|
+allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
|
|
+allow pulseaudio_t self:udp_socket create_socket_perms;
|
|
allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
-allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
|
|
-allow pulseaudio_t pulseaudio_home_t:file manage_file_perms;
|
|
-allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms;
|
|
-
|
|
-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse")
|
|
-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".esd_auth")
|
|
-userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, file, ".pulse-cookie")
|
|
-
|
|
-manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
|
|
-manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
|
|
-manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
|
|
-files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
|
|
-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
|
|
-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
|
|
-userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")
|
|
+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
|
|
+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
|
|
+manage_lnk_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
|
|
+userdom_search_user_home_dirs(pulseaudio_t)
|
|
+pulseaudio_filetrans_home_content(pulseaudio_t)
|
|
|
|
-manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
|
|
-manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
|
|
-fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file })
|
|
+# ~/.esd_auth - maybe we should label this pulseaudio_home_t?
|
|
+userdom_read_user_home_content_files(pulseaudio_t)
|
|
+userdom_search_admin_dir(pulseaudio_t)
|
|
|
|
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
|
|
manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
|
|
@@ -72,10 +60,7 @@ files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
|
|
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
|
|
manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
|
|
manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
|
|
-files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
|
|
-
|
|
-allow pulseaudio_t pulseaudio_client:process signull;
|
|
-ps_process_pattern(pulseaudio_t, pulseaudio_client)
|
|
+files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { file dir })
|
|
|
|
can_exec(pulseaudio_t, pulseaudio_exec_t)
|
|
|
|
@@ -85,62 +70,56 @@ kernel_read_kernel_sysctls(pulseaudio_t)
|
|
|
|
corecmd_exec_bin(pulseaudio_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(pulseaudio_t)
|
|
corenet_all_recvfrom_netlabel(pulseaudio_t)
|
|
-corenet_tcp_sendrecv_generic_if(pulseaudio_t)
|
|
-corenet_udp_sendrecv_generic_if(pulseaudio_t)
|
|
-corenet_tcp_sendrecv_generic_node(pulseaudio_t)
|
|
-corenet_udp_sendrecv_generic_node(pulseaudio_t)
|
|
-
|
|
-corenet_sendrecv_pulseaudio_server_packets(pulseaudio_t)
|
|
corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
|
|
-corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_t)
|
|
-
|
|
-corenet_sendrecv_soundd_server_packets(pulseaudio_t)
|
|
corenet_tcp_bind_soundd_port(pulseaudio_t)
|
|
-corenet_tcp_sendrecv_soundd_port(pulseaudio_t)
|
|
-
|
|
-corenet_sendrecv_sap_server_packets(pulseaudio_t)
|
|
+corenet_tcp_sendrecv_generic_if(pulseaudio_t)
|
|
+corenet_tcp_sendrecv_generic_node(pulseaudio_t)
|
|
corenet_udp_bind_sap_port(pulseaudio_t)
|
|
-corenet_udp_sendrecv_sap_port(pulseaudio_t)
|
|
+corenet_udp_sendrecv_generic_if(pulseaudio_t)
|
|
+corenet_udp_sendrecv_generic_node(pulseaudio_t)
|
|
+corenet_dontaudit_tcp_connect_xserver_port(pulseaudio_t)
|
|
|
|
dev_read_sound(pulseaudio_t)
|
|
dev_write_sound(pulseaudio_t)
|
|
dev_read_sysfs(pulseaudio_t)
|
|
dev_read_urand(pulseaudio_t)
|
|
|
|
-files_read_usr_files(pulseaudio_t)
|
|
|
|
+fs_rw_anon_inodefs_files(pulseaudio_t)
|
|
fs_getattr_tmpfs(pulseaudio_t)
|
|
-fs_getattr_all_fs(pulseaudio_t)
|
|
fs_list_inotifyfs(pulseaudio_t)
|
|
-fs_rw_anon_inodefs_files(pulseaudio_t)
|
|
-fs_search_auto_mountpoints(pulseaudio_t)
|
|
|
|
-term_use_all_ttys(pulseaudio_t)
|
|
-term_use_all_ptys(pulseaudio_t)
|
|
+term_use_all_inherited_ttys(pulseaudio_t)
|
|
+term_use_all_inherited_ptys(pulseaudio_t)
|
|
|
|
auth_use_nsswitch(pulseaudio_t)
|
|
|
|
logging_send_syslog_msg(pulseaudio_t)
|
|
|
|
-miscfiles_read_localization(pulseaudio_t)
|
|
-
|
|
userdom_read_user_tmpfs_files(pulseaudio_t)
|
|
|
|
userdom_search_user_home_dirs(pulseaudio_t)
|
|
userdom_write_user_tmp_sockets(pulseaudio_t)
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
+ fs_mount_nfs(pulseaudio_t)
|
|
+ fs_mounton_nfs(pulseaudio_t)
|
|
fs_manage_nfs_dirs(pulseaudio_t)
|
|
fs_manage_nfs_files(pulseaudio_t)
|
|
fs_manage_nfs_symlinks(pulseaudio_t)
|
|
+ fs_manage_nfs_named_sockets(pulseaudio_t)
|
|
+ fs_manage_nfs_named_pipes(pulseaudio_t)
|
|
')
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
+ fs_mount_cifs(pulseaudio_t)
|
|
+ fs_mounton_cifs(pulseaudio_t)
|
|
fs_manage_cifs_dirs(pulseaudio_t)
|
|
fs_manage_cifs_files(pulseaudio_t)
|
|
fs_manage_cifs_symlinks(pulseaudio_t)
|
|
+ fs_manage_cifs_named_sockets(pulseaudio_t)
|
|
+ fs_manage_cifs_named_pipes(pulseaudio_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -153,8 +132,9 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
|
|
- dbus_all_session_bus_client(pulseaudio_t)
|
|
- dbus_connect_all_session_bus(pulseaudio_t)
|
|
+ dbus_system_bus_client(pulseaudio_t)
|
|
+ dbus_session_bus_client(pulseaudio_t)
|
|
+ dbus_connect_session_bus(pulseaudio_t)
|
|
|
|
optional_policy(`
|
|
consolekit_dbus_chat(pulseaudio_t)
|
|
@@ -174,16 +154,33 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ gnome_read_gkeyringd_state(pulseaudio_t)
|
|
+ gnome_signull_gkeyringd(pulseaudio_t)
|
|
+ gnome_manage_gstreamer_home_files(pulseaudio_t)
|
|
+ gnome_exec_gstreamer_home_files(pulseaudio_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
rtkit_scheduled(pulseaudio_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ mozilla_plugin_delete_tmpfs_files(pulseaudio_t)
|
|
+ mozilla_plugin_read_tmpfs_files(pulseaudio_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
policykit_domtrans_auth(pulseaudio_t)
|
|
policykit_read_lib(pulseaudio_t)
|
|
policykit_read_reload(pulseaudio_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ systemd_read_logind_sessions_files(pulseaudio_t)
|
|
+ systemd_login_read_pid_files(pulseaudio_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
udev_read_state(pulseaudio_t)
|
|
udev_read_db(pulseaudio_t)
|
|
')
|
|
@@ -196,7 +193,11 @@ optional_policy(`
|
|
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
|
|
')
|
|
|
|
-########################################
|
|
+optional_policy(`
|
|
+ virt_manage_tmpfs_files(pulseaudio_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
#
|
|
# Client local policy
|
|
#
|
|
@@ -210,8 +211,6 @@ delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfi
|
|
|
|
fs_getattr_tmpfs(pulseaudio_client)
|
|
|
|
-corenet_all_recvfrom_unlabeled(pulseaudio_client)
|
|
-corenet_all_recvfrom_netlabel(pulseaudio_client)
|
|
corenet_tcp_sendrecv_generic_if(pulseaudio_client)
|
|
corenet_tcp_sendrecv_generic_node(pulseaudio_client)
|
|
|
|
@@ -220,38 +219,33 @@ corenet_tcp_connect_pulseaudio_port(pulseaudio_client)
|
|
corenet_tcp_sendrecv_pulseaudio_port(pulseaudio_client)
|
|
|
|
pulseaudio_stream_connect(pulseaudio_client)
|
|
-pulseaudio_manage_home(pulseaudio_client)
|
|
-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, dir, ".pulse")
|
|
-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth")
|
|
-pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie")
|
|
+pulseaudio_manage_home_files(pulseaudio_client)
|
|
pulseaudio_signull(pulseaudio_client)
|
|
|
|
-# TODO: ~/.cache
|
|
userdom_manage_user_home_content_files(pulseaudio_client)
|
|
|
|
userdom_read_user_tmpfs_files(pulseaudio_client)
|
|
-# userdom_delete_user_tmpfs_files(pulseaudio_client)
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_getattr_nfs(pulseaudio_client)
|
|
- fs_manage_nfs_dirs(pulseaudio_client)
|
|
- fs_manage_nfs_files(pulseaudio_client)
|
|
- fs_read_nfs_symlinks(pulseaudio_client)
|
|
+ fs_getattr_nfs(pulseaudio_client)
|
|
+ fs_manage_nfs_dirs(pulseaudio_client)
|
|
+ fs_manage_nfs_files(pulseaudio_client)
|
|
+ fs_read_nfs_symlinks(pulseaudio_client)
|
|
')
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
- fs_getattr_cifs(pulseaudio_client)
|
|
- fs_manage_cifs_dirs(pulseaudio_client)
|
|
- fs_manage_cifs_files(pulseaudio_client)
|
|
- fs_read_cifs_symlinks(pulseaudio_client)
|
|
+ fs_getattr_cifs(pulseaudio_client)
|
|
+ fs_manage_cifs_dirs(pulseaudio_client)
|
|
+ fs_manage_cifs_files(pulseaudio_client)
|
|
+ fs_read_cifs_symlinks(pulseaudio_client)
|
|
')
|
|
|
|
optional_policy(`
|
|
- pulseaudio_dbus_chat(pulseaudio_client)
|
|
+ pulseaudio_dbus_chat(pulseaudio_client)
|
|
')
|
|
|
|
optional_policy(`
|
|
- rtkit_scheduled(pulseaudio_client)
|
|
+ rtkit_scheduled(pulseaudio_client)
|
|
')
|
|
|
|
optional_policy(`
|
|
diff --git a/puppet.fc b/puppet.fc
|
|
index d68e26d..8d566fb 100644
|
|
--- a/puppet.fc
|
|
+++ b/puppet.fc
|
|
@@ -1,7 +1,7 @@
|
|
-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
|
|
+/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
|
|
|
|
/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
|
|
-/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
|
|
|
|
/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
|
|
/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
|
|
@@ -11,8 +11,6 @@
|
|
/usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
|
|
/usr/sbin/puppetmasterd -- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
|
|
|
|
-/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
|
|
-
|
|
-/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
|
|
-
|
|
-/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
|
|
+/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
|
|
+/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
|
|
+/var/run/puppet(/.*)? gen_context(system_u:object_r:puppet_var_run_t,s0)
|
|
diff --git a/puppet.if b/puppet.if
|
|
index 7cb8b1f..9422c90 100644
|
|
--- a/puppet.if
|
|
+++ b/puppet.if
|
|
@@ -1,4 +1,32 @@
|
|
-## <summary>Configuration management system.</summary>
|
|
+## <summary>Puppet client daemon</summary>
|
|
+## <desc>
|
|
+## <p>
|
|
+## Puppet is a configuration management system written in Ruby.
|
|
+## The client daemon is responsible for periodically requesting the
|
|
+## desired system state from the server and ensuring the state of
|
|
+## the client system matches.
|
|
+## </p>
|
|
+## </desc>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute puppet_master in the puppet_master
|
|
+## domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`puppet_domtrans_master',`
|
|
+ gen_require(`
|
|
+ type puppetmaster_t, puppetmaster_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, puppetmaster_exec_t, puppetmaster_t)
|
|
+')
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -40,16 +68,19 @@ interface(`puppet_domtrans_puppetca',`
|
|
#
|
|
interface(`puppet_run_puppetca',`
|
|
gen_require(`
|
|
- attribute_role puppetca_roles;
|
|
+ type puppetca_t, puppetca_exec_t;
|
|
')
|
|
|
|
puppet_domtrans_puppetca($1)
|
|
- roleattribute $2 puppetca_roles;
|
|
+ role $2 types puppetca_t;
|
|
')
|
|
|
|
-####################################
|
|
+################################################
|
|
## <summary>
|
|
-## Read puppet configuration content.
|
|
+## Read / Write to Puppet temp files. Puppet uses
|
|
+## some system binaries (groupadd, etc) that run in
|
|
+## a non-puppet domain and redirects output into temp
|
|
+## files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -57,15 +88,13 @@ interface(`puppet_run_puppetca',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`puppet_read_config',`
|
|
+interface(`puppet_rw_tmp', `
|
|
gen_require(`
|
|
- type puppet_etc_t;
|
|
+ type puppet_tmp_t;
|
|
')
|
|
|
|
- files_search_etc($1)
|
|
- allow $1 puppet_etc_t:dir list_dir_perms;
|
|
- allow $1 puppet_etc_t:file read_file_perms;
|
|
- allow $1 puppet_etc_t:lnk_file read_lnk_file_perms;
|
|
+ allow $1 puppet_tmp_t:file rw_inherited_file_perms;
|
|
+ files_search_tmp($1)
|
|
')
|
|
|
|
################################################
|
|
@@ -78,158 +107,164 @@ interface(`puppet_read_config',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`puppet_read_lib_files',`
|
|
+interface(`puppet_read_lib',`
|
|
gen_require(`
|
|
type puppet_var_lib_t;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
read_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
|
|
+ files_search_var_lib($1)
|
|
')
|
|
|
|
###############################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## puppet lib files.
|
|
+## Manage Puppet lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`puppet_manage_lib_files',`
|
|
- gen_require(`
|
|
- type puppet_var_lib_t;
|
|
- ')
|
|
+interface(`puppet_manage_lib',`
|
|
+ gen_require(`
|
|
+ type puppet_var_lib_t;
|
|
+ ')
|
|
|
|
- files_search_var_lib($1)
|
|
- manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
|
|
+ manage_files_pattern($1, puppet_var_lib_t, puppet_var_lib_t)
|
|
+ files_search_var_lib($1)
|
|
')
|
|
|
|
-#####################################
|
|
+######################################
|
|
## <summary>
|
|
-## Append puppet log files.
|
|
+## Allow the specified domain to search puppet's log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`puppet_append_log_files',`
|
|
- gen_require(`
|
|
- type puppet_log_t;
|
|
- ')
|
|
+interface(`puppet_search_log',`
|
|
+ gen_require(`
|
|
+ type puppet_log_t;
|
|
+ ')
|
|
|
|
- logging_search_logs($1)
|
|
- append_files_pattern($1, puppet_log_t, puppet_log_t)
|
|
+ logging_search_logs($1)
|
|
+ allow $1 puppet_log_t:dir search_dir_perms;
|
|
')
|
|
|
|
#####################################
|
|
## <summary>
|
|
-## Create puppet log files.
|
|
+## Allow the specified domain to read puppet's log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`puppet_create_log_files',`
|
|
- gen_require(`
|
|
- type puppet_log_t;
|
|
- ')
|
|
+interface(`puppet_read_log',`
|
|
+ gen_require(`
|
|
+ type puppet_log_t;
|
|
+ ')
|
|
|
|
- logging_search_logs($1)
|
|
- create_files_pattern($1, puppet_log_t, puppet_log_t)
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, puppet_log_t, puppet_log_t)
|
|
')
|
|
|
|
#####################################
|
|
## <summary>
|
|
-## Read puppet log files.
|
|
+## Allow the specified domain to create puppet's log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`puppet_read_log_files',`
|
|
- gen_require(`
|
|
- type puppet_log_t;
|
|
- ')
|
|
+interface(`puppet_create_log',`
|
|
+ gen_require(`
|
|
+ type puppet_log_t;
|
|
+ ')
|
|
|
|
- logging_search_logs($1)
|
|
- read_files_pattern($1, puppet_log_t, puppet_log_t)
|
|
+ logging_search_logs($1)
|
|
+ create_files_pattern($1, puppet_log_t, puppet_log_t)
|
|
')
|
|
|
|
-################################################
|
|
+####################################
|
|
## <summary>
|
|
-## Read and write to puppet tempoprary files.
|
|
+## Allow the specified domain to append puppet's log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`puppet_rw_tmp', `
|
|
- gen_require(`
|
|
- type puppet_tmp_t;
|
|
- ')
|
|
+interface(`puppet_append_log',`
|
|
+ gen_require(`
|
|
+ type puppet_log_t;
|
|
+ ')
|
|
|
|
- files_search_tmp($1)
|
|
- allow $1 puppet_tmp_t:file rw_file_perms;
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, puppet_log_t, puppet_log_t)
|
|
')
|
|
|
|
-########################################
|
|
+####################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an puppet environment.
|
|
+## Allow the specified domain to manage puppet's log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`puppet_admin',`
|
|
- gen_require(`
|
|
- type puppet_initrc_exec_t, puppetmaster_initrc_exec_t, puppet_log_t;
|
|
- type puppet_var_lib_t, puppet_tmp_t, puppet_etc_t;
|
|
- type puppet_var_run_t, puppetmaster_tmp_t;
|
|
- type puppet_t, puppetca_t, puppetmaster_t;
|
|
- ')
|
|
-
|
|
- allow $1 { puppet_t puppetca_t puppetmaster_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { puppet_t puppetca_t puppetmaster_t })
|
|
+interface(`puppet_manage_log',`
|
|
+ gen_require(`
|
|
+ type puppet_log_t;
|
|
+ ')
|
|
|
|
- init_labeled_script_domtrans($1, { puppet_initrc_exec_t puppetmaster_initrc_exec_t })
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 { puppet_initrc_exec_t puppetmaster_initrc_exec_t } system_r;
|
|
- allow $2 system_r;
|
|
-
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, puppet_etc_t)
|
|
+ logging_search_logs($1)
|
|
+ manage_files_pattern($1, puppet_log_t, puppet_log_t)
|
|
+')
|
|
|
|
- logging_search_logs($1)
|
|
- admin_pattern($1, puppet_log_t)
|
|
+####################################
|
|
+## <summary>
|
|
+## Allow the specified domain to read puppet's config files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`puppet_read_config',`
|
|
+ gen_require(`
|
|
+ type puppet_etc_t;
|
|
+ ')
|
|
|
|
- files_search_var_lib($1)
|
|
- admin_pattern($1, puppet_var_lib_t)
|
|
+ files_search_etc($1)
|
|
+ list_dirs_pattern($1, puppet_etc_t, puppet_etc_t)
|
|
+ read_files_pattern($1, puppet_etc_t, puppet_etc_t)
|
|
+')
|
|
|
|
+#####################################
|
|
+## <summary>
|
|
+## Allow the specified domain to search puppet's pid files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`puppet_search_pid',`
|
|
+ gen_require(`
|
|
+ type puppet_var_run_t;
|
|
+ ')
|
|
+
|
|
files_search_pids($1)
|
|
- admin_pattern($1, puppet_var_run_t)
|
|
-
|
|
- files_search_tmp($1)
|
|
- admin_pattern($1, { puppet_tmp_t puppetmaster_tmp_t })
|
|
-
|
|
- puppet_run_puppetca($1, $2)
|
|
+ allow $1 puppet_var_run_t:dir search_dir_perms;
|
|
')
|
|
diff --git a/puppet.te b/puppet.te
|
|
index 618dcfe..f81c59f 100644
|
|
--- a/puppet.te
|
|
+++ b/puppet.te
|
|
@@ -6,15 +6,19 @@ policy_module(puppet, 1.4.0)
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether puppet can
|
|
-## manage all non-security files.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow Puppet client to manage all file
|
|
+## types.
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(puppet_manage_all_files, false)
|
|
|
|
-attribute_role puppetca_roles;
|
|
-roleattribute system_r puppetca_roles;
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow Puppet master to use connect to MySQL and PostgreSQL database
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(puppetmaster_use_db, false)
|
|
|
|
type puppet_t;
|
|
type puppet_exec_t;
|
|
@@ -37,12 +41,11 @@ files_type(puppet_var_lib_t)
|
|
|
|
type puppet_var_run_t;
|
|
files_pid_file(puppet_var_run_t)
|
|
-init_daemon_run_dir(puppet_var_run_t, "puppet")
|
|
|
|
type puppetca_t;
|
|
type puppetca_exec_t;
|
|
application_domain(puppetca_t, puppetca_exec_t)
|
|
-role puppetca_roles types puppetca_t;
|
|
+role system_r types puppetca_t;
|
|
|
|
type puppetmaster_t;
|
|
type puppetmaster_exec_t;
|
|
@@ -56,33 +59,29 @@ files_tmp_file(puppetmaster_tmp_t)
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# Puppet personal policy
|
|
#
|
|
|
|
-allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
|
|
+allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
|
|
allow puppet_t self:process { signal signull getsched setsched };
|
|
allow puppet_t self:fifo_file rw_fifo_file_perms;
|
|
allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
|
|
-allow puppet_t self:tcp_socket { accept listen };
|
|
+allow puppet_t self:tcp_socket create_stream_socket_perms;
|
|
allow puppet_t self:udp_socket create_socket_perms;
|
|
|
|
-allow puppet_t puppet_etc_t:dir list_dir_perms;
|
|
-allow puppet_t puppet_etc_t:file read_file_perms;
|
|
-allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms;
|
|
+read_files_pattern(puppet_t, puppet_etc_t, puppet_etc_t)
|
|
|
|
manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
|
|
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
|
|
-can_exec(puppet_t, puppet_var_lib_t)
|
|
+files_search_var_lib(puppet_t)
|
|
|
|
-setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
|
|
+manage_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
|
|
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
|
|
files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
|
|
|
|
-allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
|
|
-append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
|
|
+create_dirs_pattern(puppet_t, var_log_t, puppet_log_t)
|
|
create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
|
|
-read_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
|
|
-setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
|
|
+append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
|
|
logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
|
|
|
|
manage_dirs_pattern(puppet_t, puppet_tmp_t, puppet_tmp_t)
|
|
@@ -91,43 +90,37 @@ files_tmp_filetrans(puppet_t, puppet_tmp_t, { file dir })
|
|
|
|
kernel_dontaudit_search_sysctl(puppet_t)
|
|
kernel_dontaudit_search_kernel_sysctl(puppet_t)
|
|
+kernel_read_system_state(puppet_t)
|
|
kernel_read_crypto_sysctls(puppet_t)
|
|
kernel_read_kernel_sysctls(puppet_t)
|
|
-kernel_read_net_sysctls(puppet_t)
|
|
-kernel_read_network_state(puppet_t)
|
|
|
|
+corecmd_read_all_executables(puppet_t)
|
|
+corecmd_dontaudit_access_all_executables(puppet_t)
|
|
corecmd_exec_bin(puppet_t)
|
|
corecmd_exec_shell(puppet_t)
|
|
-corecmd_read_all_executables(puppet_t)
|
|
|
|
corenet_all_recvfrom_netlabel(puppet_t)
|
|
-corenet_all_recvfrom_unlabeled(puppet_t)
|
|
corenet_tcp_sendrecv_generic_if(puppet_t)
|
|
corenet_tcp_sendrecv_generic_node(puppet_t)
|
|
-
|
|
-corenet_sendrecv_puppet_client_packets(puppet_t)
|
|
+corenet_tcp_bind_generic_node(puppet_t)
|
|
corenet_tcp_connect_puppet_port(puppet_t)
|
|
-corenet_tcp_sendrecv_puppet_port(puppet_t)
|
|
+corenet_sendrecv_puppet_client_packets(puppet_t)
|
|
|
|
dev_read_rand(puppet_t)
|
|
dev_read_sysfs(puppet_t)
|
|
dev_read_urand(puppet_t)
|
|
|
|
-domain_interactive_fd(puppet_t)
|
|
domain_read_all_domains_state(puppet_t)
|
|
+domain_interactive_fd(puppet_t)
|
|
|
|
files_manage_config_files(puppet_t)
|
|
files_manage_config_dirs(puppet_t)
|
|
files_manage_etc_dirs(puppet_t)
|
|
files_manage_etc_files(puppet_t)
|
|
-files_read_usr_files(puppet_t)
|
|
files_read_usr_symlinks(puppet_t)
|
|
files_relabel_config_dirs(puppet_t)
|
|
files_relabel_config_files(puppet_t)
|
|
-files_search_var_lib(puppet_t)
|
|
|
|
-selinux_get_fs_mount(puppet_t)
|
|
-selinux_search_fs(puppet_t)
|
|
selinux_set_all_booleans(puppet_t)
|
|
selinux_set_generic_booleans(puppet_t)
|
|
selinux_validate_context(puppet_t)
|
|
@@ -135,6 +128,8 @@ selinux_validate_context(puppet_t)
|
|
term_dontaudit_getattr_unallocated_ttys(puppet_t)
|
|
term_dontaudit_getattr_all_ttys(puppet_t)
|
|
|
|
+auth_use_nsswitch(puppet_t)
|
|
+
|
|
init_all_labeled_script_domtrans(puppet_t)
|
|
init_domtrans_script(puppet_t)
|
|
init_read_utmp(puppet_t)
|
|
@@ -143,18 +138,19 @@ init_signull_script(puppet_t)
|
|
logging_send_syslog_msg(puppet_t)
|
|
|
|
miscfiles_read_hwdata(puppet_t)
|
|
-miscfiles_read_localization(puppet_t)
|
|
-
|
|
-mount_domtrans(puppet_t)
|
|
|
|
seutil_domtrans_setfiles(puppet_t)
|
|
seutil_domtrans_semanage(puppet_t)
|
|
+seutil_read_file_contexts(puppet_t)
|
|
|
|
sysnet_run_ifconfig(puppet_t, system_r)
|
|
-sysnet_use_ldap(puppet_t)
|
|
+
|
|
+usermanage_access_check_groupadd(puppet_t)
|
|
+usermanage_access_check_passwd(puppet_t)
|
|
+usermanage_access_check_useradd(puppet_t)
|
|
|
|
tunable_policy(`puppet_manage_all_files',`
|
|
- files_manage_non_auth_files(puppet_t)
|
|
+ files_manage_non_security_files(puppet_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -196,21 +192,86 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- usermanage_domtrans_groupadd(puppet_t)
|
|
- usermanage_domtrans_useradd(puppet_t)
|
|
+ auth_filetrans_named_content(puppet_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ alsa_filetrans_named_content(puppet_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ bootloader_filetrans_config(puppet_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ devicekit_filetrans_named_content(puppet_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dnsmasq_filetrans_named_content(puppet_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ kerberos_filetrans_named_content(puppet_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ libs_filetrans_named_content(puppet_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ miscfiles_filetrans_named_content(puppet_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mta_filetrans_named_content(puppet_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ modules_filetrans_named_content(puppet_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ networkmanager_filetrans_named_content(puppet_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ nx_filetrans_named_content(puppet_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ postfix_filetrans_named_content(puppet_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ openshift_initrc_domtrans(puppet_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ quota_filetrans_named_content(puppet_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ sysnet_filetrans_named_content(puppet_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ virt_filetrans_home_content(puppet_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ssh_filetrans_admin_home_content(puppet_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Ca local policy
|
|
+# PuppetCA personal policy
|
|
#
|
|
|
|
allow puppetca_t self:capability { dac_override setgid setuid };
|
|
allow puppetca_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
-allow puppetca_t puppet_etc_t:dir list_dir_perms;
|
|
-allow puppetca_t puppet_etc_t:file read_file_perms;
|
|
-allow puppetca_t puppet_etc_t:lnk_file read_lnk_file_perms;
|
|
+read_files_pattern(puppetca_t, puppet_etc_t, puppet_etc_t)
|
|
|
|
allow puppetca_t puppet_var_lib_t:dir list_dir_perms;
|
|
manage_files_pattern(puppetca_t, puppet_var_lib_t, puppet_var_lib_t)
|
|
@@ -221,6 +282,7 @@ allow puppetca_t puppet_log_t:dir search_dir_perms;
|
|
allow puppetca_t puppet_var_run_t:dir search_dir_perms;
|
|
|
|
kernel_read_system_state(puppetca_t)
|
|
+# Maybe dontaudit this like we did with other puppet domains?
|
|
kernel_read_kernel_sysctls(puppetca_t)
|
|
|
|
corecmd_exec_bin(puppetca_t)
|
|
@@ -229,15 +291,12 @@ corecmd_exec_shell(puppetca_t)
|
|
dev_read_urand(puppetca_t)
|
|
dev_search_sysfs(puppetca_t)
|
|
|
|
-files_read_etc_files(puppetca_t)
|
|
-files_search_pids(puppetca_t)
|
|
files_search_var_lib(puppetca_t)
|
|
|
|
selinux_validate_context(puppetca_t)
|
|
|
|
logging_search_logs(puppetca_t)
|
|
|
|
-miscfiles_read_localization(puppetca_t)
|
|
miscfiles_read_generic_certs(puppetca_t)
|
|
|
|
seutil_read_file_contexts(puppetca_t)
|
|
@@ -246,38 +305,47 @@ optional_policy(`
|
|
hostname_exec(puppetca_t)
|
|
')
|
|
|
|
+optional_policy(`
|
|
+ mta_sendmail_access_check(puppetca_t)
|
|
+')
|
|
+
|
|
+
|
|
########################################
|
|
#
|
|
-# Master local policy
|
|
+# Pupper master personal policy
|
|
#
|
|
|
|
allow puppetmaster_t self:capability { dac_read_search dac_override setuid setgid fowner chown fsetid sys_tty_config };
|
|
allow puppetmaster_t self:process { signal_perms getsched setsched };
|
|
allow puppetmaster_t self:fifo_file rw_fifo_file_perms;
|
|
-allow puppetmaster_t self:netlink_route_socket nlmsg_write;
|
|
+allow puppetmaster_t self:netlink_route_socket create_netlink_socket_perms;
|
|
allow puppetmaster_t self:socket create;
|
|
-allow puppetmaster_t self:tcp_socket { accept listen };
|
|
+allow puppetmaster_t self:tcp_socket create_stream_socket_perms;
|
|
+allow puppetmaster_t self:udp_socket create_socket_perms;
|
|
|
|
-allow puppetmaster_t puppet_etc_t:dir list_dir_perms;
|
|
-allow puppetmaster_t puppet_etc_t:file read_file_perms;
|
|
-allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms;
|
|
+list_dirs_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
|
|
+read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
|
|
|
|
-allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
|
|
-append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
|
|
-create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
|
|
-setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
|
|
+allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr_dir_perms };
|
|
+allow puppetmaster_t puppet_log_t:file { rw_file_perms create_file_perms setattr_file_perms };
|
|
logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
|
|
+allow puppetmaster_t puppet_log_t:file relabel_file_perms;
|
|
|
|
-allow puppetmaster_t puppet_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
|
|
-allow puppetmaster_t puppet_var_lib_t:file { manage_file_perms relabel_file_perms };
|
|
+manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
|
|
+manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
|
|
+allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
|
|
+allow puppetmaster_t puppet_var_lib_t:file relabel_file_perms;
|
|
|
|
-allow puppetmaster_t puppet_var_run_t:dir { create_dir_perms setattr_dir_perms relabel_dir_perms };
|
|
-allow puppetmaster_t puppet_var_run_t:file manage_file_perms;
|
|
+setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
|
|
+create_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
|
|
+manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
|
|
files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
|
|
+allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
|
|
|
|
-allow puppetmaster_t puppetmaster_tmp_t:dir { manage_dir_perms relabel_dir_perms };
|
|
-allow puppetmaster_t puppetmaster_tmp_t:file manage_file_perms;
|
|
+manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
|
|
+manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
|
|
files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
|
|
+allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
|
|
|
|
kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
|
|
kernel_read_network_state(puppetmaster_t)
|
|
@@ -289,23 +357,24 @@ corecmd_exec_bin(puppetmaster_t)
|
|
corecmd_exec_shell(puppetmaster_t)
|
|
|
|
corenet_all_recvfrom_netlabel(puppetmaster_t)
|
|
-corenet_all_recvfrom_unlabeled(puppetmaster_t)
|
|
corenet_tcp_sendrecv_generic_if(puppetmaster_t)
|
|
corenet_tcp_sendrecv_generic_node(puppetmaster_t)
|
|
corenet_tcp_bind_generic_node(puppetmaster_t)
|
|
-
|
|
-corenet_sendrecv_puppet_server_packets(puppetmaster_t)
|
|
corenet_tcp_bind_puppet_port(puppetmaster_t)
|
|
-corenet_tcp_sendrecv_puppet_port(puppetmaster_t)
|
|
+corenet_sendrecv_puppet_server_packets(puppetmaster_t)
|
|
+corenet_tcp_connect_ntop_port(puppetmaster_t)
|
|
+
|
|
+# This needs investigation. Puppermasterd is confirmed to bind udp sockets to random high ports.
|
|
+corenet_udp_bind_generic_node(puppetmaster_t)
|
|
+corenet_udp_bind_generic_port(puppetmaster_t)
|
|
|
|
dev_read_rand(puppetmaster_t)
|
|
dev_read_urand(puppetmaster_t)
|
|
dev_search_sysfs(puppetmaster_t)
|
|
|
|
-domain_obj_id_change_exemption(puppetmaster_t)
|
|
domain_read_all_domains_state(puppetmaster_t)
|
|
+domain_obj_id_change_exemption(puppetmaster_t)
|
|
|
|
-files_read_usr_files(puppetmaster_t)
|
|
|
|
selinux_validate_context(puppetmaster_t)
|
|
|
|
@@ -314,26 +383,31 @@ auth_use_nsswitch(puppetmaster_t)
|
|
logging_send_syslog_msg(puppetmaster_t)
|
|
|
|
miscfiles_read_generic_certs(puppetmaster_t)
|
|
-miscfiles_read_localization(puppetmaster_t)
|
|
|
|
seutil_read_file_contexts(puppetmaster_t)
|
|
|
|
sysnet_run_ifconfig(puppetmaster_t, system_r)
|
|
|
|
+mta_send_mail(puppetmaster_t)
|
|
+
|
|
optional_policy(`
|
|
- hostname_exec(puppetmaster_t)
|
|
+ tunable_policy(`puppetmaster_use_db',`
|
|
+ mysql_stream_connect(puppetmaster_t)
|
|
+ ')
|
|
')
|
|
|
|
optional_policy(`
|
|
- mta_send_mail(puppetmaster_t)
|
|
+ tunable_policy(`puppetmaster_use_db',`
|
|
+ postgresql_stream_connect(puppetmaster_t)
|
|
+ ')
|
|
')
|
|
|
|
optional_policy(`
|
|
- mysql_stream_connect(puppetmaster_t)
|
|
+ systemd_dbus_chat_timedated(puppetmaster_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- postgresql_stream_connect(puppetmaster_t)
|
|
+ hostname_exec(puppetmaster_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -342,3 +416,9 @@ optional_policy(`
|
|
rpm_exec(puppetmaster_t)
|
|
rpm_read_db(puppetmaster_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ usermanage_access_check_groupadd(puppetmaster_t)
|
|
+ usermanage_access_check_passwd(puppetmaster_t)
|
|
+ usermanage_access_check_useradd(puppetmaster_t)
|
|
+')
|
|
diff --git a/pwauth.fc b/pwauth.fc
|
|
index 7e7b444..e2f8687 100644
|
|
--- a/pwauth.fc
|
|
+++ b/pwauth.fc
|
|
@@ -1,3 +1,3 @@
|
|
-/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0)
|
|
+/usr/bin/pwauth -- gen_context(system_u:object_r:pwauth_exec_t,s0)
|
|
|
|
-/var/run/pwauth\.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0)
|
|
+/var/run/pwauth.lock -- gen_context(system_u:object_r:pwauth_var_run_t,s0)
|
|
diff --git a/pwauth.if b/pwauth.if
|
|
index 1148dce..86d25ea 100644
|
|
--- a/pwauth.if
|
|
+++ b/pwauth.if
|
|
@@ -1,72 +1,74 @@
|
|
-## <summary>External plugin for mod_authnz_external authenticator.</summary>
|
|
+
|
|
+## <summary>policy for pwauth</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Role access for pwauth.
|
|
+## Transition to pwauth.
|
|
## </summary>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## User domain for the role.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`pwauth_role',`
|
|
+interface(`pwauth_domtrans',`
|
|
gen_require(`
|
|
- type pwauth_t;
|
|
+ type pwauth_t, pwauth_exec_t;
|
|
')
|
|
|
|
- pwauth_run($2, $1)
|
|
-
|
|
- ps_process_pattern($2, pwauth_t)
|
|
- allow $2 pwauth_t:process { ptrace signal_perms };
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, pwauth_exec_t, pwauth_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute pwauth in the pwauth domain.
|
|
+## Execute pwauth in the pwauth domain, and
|
|
+## allow the specified role the pwauth domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Domain allowed to transition
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed the pwauth domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`pwauth_domtrans',`
|
|
+interface(`pwauth_run',`
|
|
gen_require(`
|
|
- type pwauth_t, pwauth_exec_t;
|
|
+ type pwauth_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
- domtrans_pattern($1, pwauth_exec_t, pwauth_t)
|
|
+ pwauth_domtrans($1)
|
|
+ role $2 types pwauth_t;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute pwauth in the pwauth
|
|
-## domain, and allow the specified
|
|
-## role the pwauth domain.
|
|
+## Role access for pwauth
|
|
## </summary>
|
|
-## <param name="domain">
|
|
+## <param name="role">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## User domain for the role
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`pwauth_run',`
|
|
+interface(`pwauth_role',`
|
|
gen_require(`
|
|
- attribute_role pwauth_roles;
|
|
+ type pwauth_t;
|
|
')
|
|
|
|
- pwauth_domtrans($1)
|
|
- roleattribute $2 pwauth_roles;
|
|
+ role $1 types pwauth_t;
|
|
+
|
|
+ pwauth_domtrans($2)
|
|
+
|
|
+ ps_process_pattern($2, pwauth_t)
|
|
+ allow $2 pwauth_t:process signal;
|
|
')
|
|
diff --git a/pwauth.te b/pwauth.te
|
|
index 3078e34..215df88 100644
|
|
--- a/pwauth.te
|
|
+++ b/pwauth.te
|
|
@@ -5,26 +5,23 @@ policy_module(pwauth, 1.0.0)
|
|
# Declarations
|
|
#
|
|
|
|
-attribute_role pwauth_roles;
|
|
-roleattribute system_r pwauth_roles;
|
|
-
|
|
type pwauth_t;
|
|
type pwauth_exec_t;
|
|
application_domain(pwauth_t, pwauth_exec_t)
|
|
-role pwauth_roles types pwauth_t;
|
|
+role system_r types pwauth_t;
|
|
|
|
type pwauth_var_run_t;
|
|
files_pid_file(pwauth_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# pwauth local policy
|
|
#
|
|
-
|
|
allow pwauth_t self:capability setuid;
|
|
allow pwauth_t self:process setrlimit;
|
|
+
|
|
allow pwauth_t self:fifo_file manage_fifo_file_perms;
|
|
-allow pwauth_t self:unix_stream_socket { accept listen };
|
|
+allow pwauth_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t)
|
|
files_pid_filetrans(pwauth_t, pwauth_var_run_t, file)
|
|
@@ -33,10 +30,10 @@ domain_use_interactive_fds(pwauth_t)
|
|
|
|
auth_domtrans_chkpwd(pwauth_t)
|
|
auth_use_nsswitch(pwauth_t)
|
|
+auth_read_shadow(pwauth_t)
|
|
+auth_rw_lastlog(pwauth_t)
|
|
|
|
init_read_utmp(pwauth_t)
|
|
|
|
logging_send_syslog_msg(pwauth_t)
|
|
logging_send_audit_msgs(pwauth_t)
|
|
-
|
|
-miscfiles_read_localization(pwauth_t)
|
|
diff --git a/pxe.te b/pxe.te
|
|
index 06bec9b..1b32632 100644
|
|
--- a/pxe.te
|
|
+++ b/pxe.te
|
|
@@ -50,15 +50,12 @@ dev_read_sysfs(pxe_t)
|
|
|
|
domain_use_interactive_fds(pxe_t)
|
|
|
|
-files_read_etc_files(pxe_t)
|
|
|
|
fs_getattr_all_fs(pxe_t)
|
|
fs_search_auto_mountpoints(pxe_t)
|
|
|
|
logging_send_syslog_msg(pxe_t)
|
|
|
|
-miscfiles_read_localization(pxe_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(pxe_t)
|
|
userdom_dontaudit_search_user_home_dirs(pxe_t)
|
|
|
|
diff --git a/pyicqt.fc b/pyicqt.fc
|
|
deleted file mode 100644
|
|
index 0c143e3..0000000
|
|
--- a/pyicqt.fc
|
|
+++ /dev/null
|
|
@@ -1,11 +0,0 @@
|
|
-/etc/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_conf_t,s0)
|
|
-
|
|
-/etc/rc\.d/init\.d/pyicq-t -- gen_context(system_u:object_r:pyicqt_initrc_exec_t,s0)
|
|
-
|
|
-/usr/share/pyicq-t/PyICQt\.py -- gen_context(system_u:object_r:pyicqt_exec_t,s0)
|
|
-
|
|
-/var/log/pyicq-t\.log.* -- gen_context(system_u:object_r:pyicqt_log_t,s0)
|
|
-
|
|
-/var/run/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_var_run_t,s0)
|
|
-
|
|
-/var/spool/pyicq-t(/.*)? gen_context(system_u:object_r:pyicqt_spool_t,s0)
|
|
diff --git a/pyicqt.if b/pyicqt.if
|
|
deleted file mode 100644
|
|
index 0ccea82..0000000
|
|
--- a/pyicqt.if
|
|
+++ /dev/null
|
|
@@ -1,45 +0,0 @@
|
|
-## <summary>ICQ transport for XMPP server.</summary>
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an pyicqt environment.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <rolecap/>
|
|
-#
|
|
-interface(`pyicqt_admin',`
|
|
- gen_require(`
|
|
- type pyicqt_t, pyicqt_log_t, pyicqt_spool_t;
|
|
- type pyicqt_var_run_t, pyicqt_initrc_exec_t, pyicqt_conf_t;
|
|
- ')
|
|
-
|
|
- allow $1 pyicqt_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, pyicqt_t)
|
|
-
|
|
- init_labeled_script_domtrans($1, pyicqt_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 pyicqt_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
-
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, pyicqt_conf_t)
|
|
-
|
|
- logging_search_logs($1)
|
|
- admin_pattern($1, pyicqt_log_t)
|
|
-
|
|
- files_search_spool($1)
|
|
- admin_pattern($1, pyicqt_spool_t)
|
|
-
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, pyicqt_var_run_t)
|
|
-')
|
|
diff --git a/pyicqt.te b/pyicqt.te
|
|
deleted file mode 100644
|
|
index f2863de..0000000
|
|
--- a/pyicqt.te
|
|
+++ /dev/null
|
|
@@ -1,92 +0,0 @@
|
|
-policy_module(pyicqt, 1.1.0)
|
|
-
|
|
-########################################
|
|
-#
|
|
-# Declarations
|
|
-#
|
|
-
|
|
-type pyicqt_t;
|
|
-type pyicqt_exec_t;
|
|
-init_daemon_domain(pyicqt_t, pyicqt_exec_t)
|
|
-
|
|
-type pyicqt_initrc_exec_t;
|
|
-init_script_file(pyicqt_initrc_exec_t)
|
|
-
|
|
-type pyicqt_conf_t;
|
|
-files_config_file(pyicqt_conf_t)
|
|
-
|
|
-type pyicqt_log_t;
|
|
-logging_log_file(pyicqt_log_t)
|
|
-
|
|
-type pyicqt_spool_t;
|
|
-files_type(pyicqt_spool_t)
|
|
-
|
|
-type pyicqt_var_run_t;
|
|
-files_pid_file(pyicqt_var_run_t)
|
|
-
|
|
-########################################
|
|
-#
|
|
-# Local policy
|
|
-#
|
|
-
|
|
-allow pyicqt_t self:process signal_perms;
|
|
-allow pyicqt_t self:fifo_file rw_fifo_file_perms;
|
|
-allow pyicqt_t self:tcp_socket { accept listen };
|
|
-
|
|
-read_files_pattern(pyicqt_t, pyicqt_conf_t, pyicqt_conf_t)
|
|
-
|
|
-allow pyicqt_t pyicqt_log_t:file append_file_perms;
|
|
-allow pyicqt_t pyicqt_log_t:file create_file_perms;
|
|
-allow pyicqt_t pyicqt_log_t:file setattr_file_perms;
|
|
-logging_log_filetrans(pyicqt_t, pyicqt_log_t, file)
|
|
-
|
|
-manage_dirs_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
|
|
-manage_files_pattern(pyicqt_t, pyicqt_spool_t, pyicqt_spool_t)
|
|
-files_spool_filetrans(pyicqt_t, pyicqt_spool_t, dir)
|
|
-
|
|
-manage_files_pattern(pyicqt_t, pyicqt_var_run_t, pyicqt_var_run_t)
|
|
-files_pid_filetrans(pyicqt_t, pyicqt_var_run_t, file)
|
|
-
|
|
-kernel_read_system_state(pyicqt_t)
|
|
-
|
|
-corecmd_exec_bin(pyicqt_t)
|
|
-
|
|
-corenet_all_recvfrom_unlabeled(pyicqt_t)
|
|
-corenet_all_recvfrom_netlabel(pyicqt_t)
|
|
-corenet_tcp_sendrecv_generic_if(pyicqt_t)
|
|
-corenet_tcp_sendrecv_generic_node(pyicqt_t)
|
|
-corenet_tcp_bind_generic_node(pyicqt_t)
|
|
-
|
|
-# corenet_sendrecv_jabber_router_server_packets(pyicqt_t)
|
|
-# corenet_tcp_bind_jabber_router_port(pyicqt_t)
|
|
-# corenet_sendrecv_jabber_router_client_packets(pyicqt_t)
|
|
-# corenet_tcp_connect_jabber_router_port(pyicqt_t)
|
|
-# corenet_tcp_sendrecv_jabber_router_port(pyicqt_t)
|
|
-
|
|
-dev_read_sysfs(pyicqt_t)
|
|
-dev_read_urand(pyicqt_t)
|
|
-
|
|
-files_read_usr_files(pyicqt_t)
|
|
-
|
|
-fs_getattr_all_fs(pyicqt_t)
|
|
-
|
|
-auth_use_nsswitch(pyicqt_t)
|
|
-
|
|
-libs_read_lib_files(pyicqt_t)
|
|
-
|
|
-logging_send_syslog_msg(pyicqt_t)
|
|
-
|
|
-miscfiles_read_localization(pyicqt_t)
|
|
-
|
|
-optional_policy(`
|
|
- jabber_manage_lib_files(pyicqt_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- mysql_stream_connect(pyicqt_t)
|
|
- mysql_tcp_connect(pyicqt_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- seutil_sigchld_newrole(pyicqt_t)
|
|
-')
|
|
diff --git a/pyzor.fc b/pyzor.fc
|
|
index af13139..a927c5a 100644
|
|
--- a/pyzor.fc
|
|
+++ b/pyzor.fc
|
|
@@ -1,12 +1,13 @@
|
|
-HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
|
|
-
|
|
-/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
|
|
-
|
|
+/etc/pyzor(/.*)? gen_context(system_u:object_r:pyzor_etc_t, s0)
|
|
/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:pyzord_initrc_exec_t,s0)
|
|
|
|
-/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
|
|
-/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
|
|
+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
|
|
+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
|
|
+/root/\.pyzor(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
|
|
+/root/\.spamd(/.*)? gen_context(system_u:object_r:pyzor_home_t,s0)
|
|
|
|
-/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
|
|
+/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
|
|
+/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
|
|
|
|
+/var/lib/pyzord(/.*)? gen_context(system_u:object_r:pyzor_var_lib_t,s0)
|
|
/var/log/pyzord\.log.* -- gen_context(system_u:object_r:pyzord_log_t,s0)
|
|
diff --git a/pyzor.if b/pyzor.if
|
|
index 593c03d..2c411af 100644
|
|
--- a/pyzor.if
|
|
+++ b/pyzor.if
|
|
@@ -2,7 +2,7 @@
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Role access for pyzor.
|
|
+## Role access for pyzor
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
@@ -14,31 +14,30 @@
|
|
## User domain for the role
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
interface(`pyzor_role',`
|
|
gen_require(`
|
|
- attribute_role pyzor_roles;
|
|
- type pyzor_t, pyzor_exec_t, pyzor_home_t;
|
|
- type pyzor_tmp_t;
|
|
+ type pyzor_t, pyzor_exec_t;
|
|
+ type pyzor_home_t, pyzor_var_lib_t, pyzor_tmp_t;
|
|
')
|
|
|
|
- roleattribute $1 pyzor_roles;
|
|
+ role $1 types pyzor_t;
|
|
|
|
+ # Transition from the user domain to the derived domain.
|
|
domtrans_pattern($2, pyzor_exec_t, pyzor_t)
|
|
|
|
- allow $2 pyzor_t:process { ptrace signal_perms };
|
|
+ # allow ps to show pyzor and allow the user to kill it
|
|
ps_process_pattern($2, pyzor_t)
|
|
-
|
|
- allow $2 { pyzor_home_t pyzor_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 { pyzor_home_t pyzor_tmp_t }:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 pyzor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
-
|
|
- userdom_user_home_dir_filetrans($2, pyzor_home_t, dir, ".pyzor")
|
|
+ allow $2 pyzor_t:process signal_perms;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 pyzor_t:process ptrace;
|
|
+ ')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send generic signals to pyzor.
|
|
+## Send generic signals to pyzor
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -69,6 +68,7 @@ interface(`pyzor_domtrans',`
|
|
type pyzor_exec_t, pyzor_t;
|
|
')
|
|
|
|
+ files_search_usr($1)
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, pyzor_exec_t, pyzor_t)
|
|
')
|
|
@@ -88,14 +88,15 @@ interface(`pyzor_exec',`
|
|
type pyzor_exec_t;
|
|
')
|
|
|
|
+ files_search_usr($1)
|
|
corecmd_search_bin($1)
|
|
can_exec($1, pyzor_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an pyzor environment.
|
|
+## All of the rules required to administrate
|
|
+## an pyzor environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -104,33 +105,37 @@ interface(`pyzor_exec',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the pyzor domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`pyzor_admin',`
|
|
gen_require(`
|
|
- type pyzord_t, pyzord_initrc_exec_t, pyzord_log_t;
|
|
- type pyzor_var_lib_t, pyzor_etc_t;
|
|
+ type pyzord_t, pyzor_tmp_t, pyzord_log_t;
|
|
+ type pyzor_etc_t, pyzor_var_lib_t, pyzord_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 pyzord_t:process { ptrace signal_perms };
|
|
+ allow $1 pyzord_t:process signal_perms;
|
|
ps_process_pattern($1, pyzord_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 pyzord_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, pyzord_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 pyzord_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, pyzor_etc_t)
|
|
+ files_list_tmp($1)
|
|
+ admin_pattern($1, pyzor_tmp_t)
|
|
|
|
- logging_search_logs($1)
|
|
+ logging_list_logs($1)
|
|
admin_pattern($1, pyzord_log_t)
|
|
|
|
- files_search_var_lib($1)
|
|
- admin_pattern($1, pyzor_var_lib_t)
|
|
+ files_list_etc($1)
|
|
+ admin_pattern($1, pyzor_etc_t)
|
|
|
|
- pyzor_role($2, $1)
|
|
+ files_list_var_lib($1)
|
|
+ admin_pattern($1, pyzor_var_lib_t)
|
|
')
|
|
diff --git a/pyzor.te b/pyzor.te
|
|
index 2439d13..d7bd6e9 100644
|
|
--- a/pyzor.te
|
|
+++ b/pyzor.te
|
|
@@ -5,57 +5,78 @@ policy_module(pyzor, 2.3.0)
|
|
# Declarations
|
|
#
|
|
|
|
-attribute_role pyzor_roles;
|
|
-roleattribute system_r pyzor_roles;
|
|
-
|
|
-type pyzor_t;
|
|
-type pyzor_exec_t;
|
|
-typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
|
|
-typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
|
|
-userdom_user_application_domain(pyzor_t, pyzor_exec_t)
|
|
-role pyzor_roles types pyzor_t;
|
|
-
|
|
-type pyzor_etc_t;
|
|
-files_type(pyzor_etc_t)
|
|
-
|
|
-type pyzor_home_t;
|
|
-typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
|
|
-typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
|
|
-userdom_user_home_content(pyzor_home_t)
|
|
-
|
|
-type pyzor_tmp_t;
|
|
-typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
|
|
-typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
|
|
-userdom_user_tmp_file(pyzor_tmp_t)
|
|
-
|
|
-type pyzor_var_lib_t;
|
|
-typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
|
|
-typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
|
|
-files_type(pyzor_var_lib_t)
|
|
-ubac_constrained(pyzor_var_lib_t)
|
|
-
|
|
-type pyzord_t;
|
|
-type pyzord_exec_t;
|
|
-init_daemon_domain(pyzord_t, pyzord_exec_t)
|
|
-
|
|
-type pyzord_initrc_exec_t;
|
|
-init_script_file(pyzord_initrc_exec_t)
|
|
-
|
|
-type pyzord_log_t;
|
|
-logging_log_file(pyzord_log_t)
|
|
+ifdef(`distro_redhat',`
|
|
+ gen_require(`
|
|
+ type spamc_t, spamc_exec_t, spamd_t;
|
|
+ type spamd_initrc_exec_t, spamd_exec_t, spamc_tmp_t;
|
|
+ type spamd_log_t, spamd_var_lib_t, spamd_etc_t;
|
|
+ type spamc_tmp_t, spamc_home_t;
|
|
+ ')
|
|
+
|
|
+ typealias spamc_t alias pyzor_t;
|
|
+ typealias spamc_exec_t alias pyzor_exec_t;
|
|
+ typealias spamd_t alias pyzord_t;
|
|
+ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
|
|
+ typealias spamd_exec_t alias pyzord_exec_t;
|
|
+ typealias spamc_tmp_t alias pyzor_tmp_t;
|
|
+ typealias spamd_log_t alias pyzor_log_t;
|
|
+ typealias spamd_log_t alias pyzord_log_t;
|
|
+ typealias spamd_var_lib_t alias pyzor_var_lib_t;
|
|
+ typealias spamd_etc_t alias pyzor_etc_t;
|
|
+ typealias spamc_home_t alias pyzor_home_t;
|
|
+ typealias spamc_home_t alias user_pyzor_home_t;
|
|
+',`
|
|
+ type pyzor_t;
|
|
+ type pyzor_exec_t;
|
|
+ typealias pyzor_t alias { user_pyzor_t staff_pyzor_t sysadm_pyzor_t };
|
|
+ typealias pyzor_t alias { auditadm_pyzor_t secadm_pyzor_t };
|
|
+ application_domain(pyzor_t, pyzor_exec_t)
|
|
+ ubac_constrained(pyzor_t)
|
|
+ role system_r types pyzor_t;
|
|
+
|
|
+ type pyzor_etc_t;
|
|
+ files_config_file(pyzor_etc_t)
|
|
+
|
|
+ type pyzor_home_t;
|
|
+ typealias pyzor_home_t alias { user_pyzor_home_t staff_pyzor_home_t sysadm_pyzor_home_t };
|
|
+ typealias pyzor_home_t alias { auditadm_pyzor_home_t secadm_pyzor_home_t };
|
|
+ userdom_user_home_content(pyzor_home_t)
|
|
+
|
|
+ type pyzor_tmp_t;
|
|
+ typealias pyzor_tmp_t alias { user_pyzor_tmp_t staff_pyzor_tmp_t sysadm_pyzor_tmp_t };
|
|
+ typealias pyzor_tmp_t alias { auditadm_pyzor_tmp_t secadm_pyzor_tmp_t };
|
|
+ files_tmp_file(pyzor_tmp_t)
|
|
+ ubac_constrained(pyzor_tmp_t)
|
|
+
|
|
+ type pyzor_var_lib_t;
|
|
+ typealias pyzor_var_lib_t alias { user_pyzor_var_lib_t staff_pyzor_var_lib_t sysadm_pyzor_var_lib_t };
|
|
+ typealias pyzor_var_lib_t alias { auditadm_pyzor_var_lib_t secadm_pyzor_var_lib_t };
|
|
+ files_type(pyzor_var_lib_t)
|
|
+ ubac_constrained(pyzor_var_lib_t)
|
|
+
|
|
+ type pyzord_t;
|
|
+ type pyzord_exec_t;
|
|
+ init_daemon_domain(pyzord_t, pyzord_exec_t)
|
|
+
|
|
+ type pyzord_log_t;
|
|
+ logging_log_file(pyzord_log_t)
|
|
+')
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# Pyzor client local policy
|
|
#
|
|
|
|
+allow pyzor_t self:udp_socket create_socket_perms;
|
|
+
|
|
manage_dirs_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
|
|
manage_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
|
|
manage_lnk_files_pattern(pyzor_t, pyzor_home_t, pyzor_home_t)
|
|
-userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, dir, ".pyzor")
|
|
+userdom_user_home_dir_filetrans(pyzor_t, pyzor_home_t, { dir file lnk_file })
|
|
|
|
allow pyzor_t pyzor_var_lib_t:dir list_dir_perms;
|
|
read_files_pattern(pyzor_t, pyzor_var_lib_t, pyzor_var_lib_t)
|
|
+files_search_var_lib(pyzor_t)
|
|
|
|
manage_files_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
|
|
manage_dirs_pattern(pyzor_t, pyzor_tmp_t, pyzor_tmp_t)
|
|
@@ -67,41 +88,28 @@ kernel_read_system_state(pyzor_t)
|
|
corecmd_list_bin(pyzor_t)
|
|
corecmd_getattr_bin_files(pyzor_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(pyzor_t)
|
|
-corenet_all_recvfrom_netlabel(pyzor_t)
|
|
corenet_tcp_sendrecv_generic_if(pyzor_t)
|
|
+corenet_udp_sendrecv_generic_if(pyzor_t)
|
|
corenet_tcp_sendrecv_generic_node(pyzor_t)
|
|
-
|
|
-corenet_sendrecv_http_client_packets(pyzor_t)
|
|
+corenet_udp_sendrecv_generic_node(pyzor_t)
|
|
+corenet_tcp_sendrecv_all_ports(pyzor_t)
|
|
+corenet_udp_sendrecv_all_ports(pyzor_t)
|
|
corenet_tcp_connect_http_port(pyzor_t)
|
|
-corenet_tcp_sendrecv_http_port(pyzor_t)
|
|
|
|
dev_read_urand(pyzor_t)
|
|
|
|
-fs_getattr_all_fs(pyzor_t)
|
|
-fs_search_auto_mountpoints(pyzor_t)
|
|
+fs_getattr_xattr_fs(pyzor_t)
|
|
+
|
|
|
|
auth_use_nsswitch(pyzor_t)
|
|
|
|
-miscfiles_read_localization(pyzor_t)
|
|
|
|
mta_read_queue(pyzor_t)
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(pyzor_t)
|
|
- fs_manage_nfs_files(pyzor_t)
|
|
- fs_manage_nfs_symlinks(pyzor_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(pyzor_t)
|
|
- fs_manage_cifs_files(pyzor_t)
|
|
- fs_manage_cifs_symlinks(pyzor_t)
|
|
-')
|
|
+userdom_dontaudit_search_user_home_dirs(pyzor_t)
|
|
|
|
optional_policy(`
|
|
- amavis_manage_lib_files(pyzor_t)
|
|
- amavis_manage_spool_files(pyzor_t)
|
|
+ antivirus_manage_db(pyzor_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -111,25 +119,24 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Daemon local policy
|
|
+# Pyzor server local policy
|
|
#
|
|
|
|
-allow pyzord_t pyzor_var_lib_t:dir setattr_dir_perms;
|
|
+allow pyzord_t self:udp_socket create_socket_perms;
|
|
+
|
|
manage_files_pattern(pyzord_t, pyzor_var_lib_t, pyzor_var_lib_t)
|
|
+allow pyzord_t pyzor_var_lib_t:dir setattr;
|
|
files_var_lib_filetrans(pyzord_t, pyzor_var_lib_t, { file dir })
|
|
|
|
+read_files_pattern(pyzord_t, pyzor_etc_t, pyzor_etc_t)
|
|
allow pyzord_t pyzor_etc_t:dir list_dir_perms;
|
|
-allow pyzord_t pyzor_etc_t:file read_file_perms;
|
|
-allow pyzord_t pyzor_etc_t:lnk_file read_lnk_file_perms;
|
|
|
|
+can_exec(pyzord_t, pyzor_exec_t)
|
|
+
|
|
+manage_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
|
|
allow pyzord_t pyzord_log_t:dir setattr_dir_perms;
|
|
-append_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
|
|
-create_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
|
|
-setattr_files_pattern(pyzord_t, pyzord_log_t, pyzord_log_t)
|
|
logging_log_filetrans(pyzord_t, pyzord_log_t, { file dir })
|
|
|
|
-can_exec(pyzord_t, pyzor_exec_t)
|
|
-
|
|
kernel_read_kernel_sysctls(pyzord_t)
|
|
kernel_read_system_state(pyzord_t)
|
|
|
|
@@ -137,24 +144,25 @@ dev_read_urand(pyzord_t)
|
|
|
|
corecmd_exec_bin(pyzord_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(pyzord_t)
|
|
corenet_all_recvfrom_netlabel(pyzord_t)
|
|
corenet_udp_sendrecv_generic_if(pyzord_t)
|
|
corenet_udp_sendrecv_generic_node(pyzord_t)
|
|
+corenet_udp_sendrecv_all_ports(pyzord_t)
|
|
corenet_udp_bind_generic_node(pyzord_t)
|
|
-
|
|
-corenet_sendrecv_pyzor_server_packets(pyzord_t)
|
|
corenet_udp_bind_pyzor_port(pyzord_t)
|
|
-corenet_udp_sendrecv_pyzor_port(pyzord_t)
|
|
+corenet_sendrecv_pyzor_server_packets(pyzord_t)
|
|
|
|
-auth_use_nsswitch(pyzord_t)
|
|
|
|
-logging_send_syslog_msg(pyzord_t)
|
|
+auth_use_nsswitch(pyzord_t)
|
|
|
|
locallogin_dontaudit_use_fds(pyzord_t)
|
|
|
|
-miscfiles_read_localization(pyzord_t)
|
|
|
|
+# Do not audit attempts to access /root.
|
|
userdom_dontaudit_search_user_home_dirs(pyzord_t)
|
|
|
|
mta_manage_spool(pyzord_t)
|
|
+
|
|
+optional_policy(`
|
|
+ logging_send_syslog_msg(pyzord_t)
|
|
+')
|
|
diff --git a/qemu.fc b/qemu.fc
|
|
index 86ea53c..a2dcf7b 100644
|
|
--- a/qemu.fc
|
|
+++ b/qemu.fc
|
|
@@ -1,4 +1,4 @@
|
|
-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
|
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
|
/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
|
/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
|
/usr/bin/kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
|
diff --git a/qemu.if b/qemu.if
|
|
index eaf56b8..580f9ee 100644
|
|
--- a/qemu.if
|
|
+++ b/qemu.if
|
|
@@ -1,19 +1,21 @@
|
|
-## <summary>QEMU machine emulator and virtualizer.</summary>
|
|
+## <summary>QEMU machine emulator and virtualizer</summary>
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## The template to define a qemu domain.
|
|
+## Creates types and rules for a basic
|
|
+## qemu process domain.
|
|
## </summary>
|
|
-## <param name="domain_prefix">
|
|
+## <param name="prefix">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## Prefix for the domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`qemu_domain_template',`
|
|
+
|
|
##############################
|
|
#
|
|
- # Declarations
|
|
+ # Local Policy
|
|
#
|
|
|
|
type $1_t;
|
|
@@ -24,7 +26,7 @@ template(`qemu_domain_template',`
|
|
|
|
##############################
|
|
#
|
|
- # Policy
|
|
+ # Local Policy
|
|
#
|
|
|
|
allow $1_t self:capability { dac_read_search dac_override };
|
|
@@ -41,7 +43,6 @@ template(`qemu_domain_template',`
|
|
|
|
kernel_read_system_state($1_t)
|
|
|
|
- corenet_all_recvfrom_unlabeled($1_t)
|
|
corenet_all_recvfrom_netlabel($1_t)
|
|
corenet_tcp_sendrecv_generic_if($1_t)
|
|
corenet_tcp_sendrecv_generic_node($1_t)
|
|
@@ -70,11 +71,10 @@ template(`qemu_domain_template',`
|
|
term_getattr_pty_fs($1_t)
|
|
term_use_generic_ptys($1_t)
|
|
|
|
- miscfiles_read_localization($1_t)
|
|
|
|
sysnet_read_config($1_t)
|
|
|
|
- userdom_use_user_terminals($1_t)
|
|
+ userdom_use_inherited_user_terminals($1_t)
|
|
userdom_attach_admin_tun_iface($1_t)
|
|
|
|
optional_policy(`
|
|
@@ -98,38 +98,12 @@ template(`qemu_domain_template',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Role access for qemu.
|
|
-## </summary>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## User domain for the role.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-template(`qemu_role',`
|
|
- gen_require(`
|
|
- type qemu_t;
|
|
- ')
|
|
-
|
|
- qemu_run($2, $1)
|
|
-
|
|
- allow $2 qemu_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($2, qemu_t)
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
## Execute a domain transition to run qemu.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed to transition.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`qemu_domtrans',`
|
|
@@ -137,18 +111,17 @@ interface(`qemu_domtrans',`
|
|
type qemu_t, qemu_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, qemu_exec_t, qemu_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a qemu in the caller domain.
|
|
+## Execute a qemu in the callers domain
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed access.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`qemu_exec',`
|
|
@@ -156,15 +129,12 @@ interface(`qemu_exec',`
|
|
type qemu_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, qemu_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute qemu in the qemu domain,
|
|
-## and allow the specified role the
|
|
-## qemu domain.
|
|
+## Execute qemu in the qemu domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -173,23 +143,25 @@ interface(`qemu_exec',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to allow the qemu domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`qemu_run',`
|
|
gen_require(`
|
|
- attribute_role qemu_roles;
|
|
+ type qemu_t;
|
|
')
|
|
|
|
qemu_domtrans($1)
|
|
- roleattribute $2 qemu_roles;
|
|
+ role $2 types qemu_t;
|
|
+ allow qemu_t $1:process signull;
|
|
+ allow $1 qemu_t:process signull;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read qemu process state files.
|
|
+## Allow the domain to read state files in /proc.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -202,15 +174,12 @@ interface(`qemu_read_state',`
|
|
type qemu_t;
|
|
')
|
|
|
|
- kernel_search_proc($1)
|
|
- allow $1 qemu_t:dir list_dir_perms;
|
|
- allow $1 qemu_t:file read_file_perms;
|
|
- allow $1 qemu_t:lnk_file read_lnk_file_perms;
|
|
+ read_files_pattern($1, qemu_t, qemu_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Set qemu scheduler.
|
|
+## Set the schedule on qemu.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -228,7 +197,7 @@ interface(`qemu_setsched',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send generic signals to qemu.
|
|
+## Send a signal to qemu.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -246,7 +215,7 @@ interface(`qemu_signal',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send kill signals to qemu.
|
|
+## Send a sigill to qemu
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -264,48 +233,68 @@ interface(`qemu_kill',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a domain transition to
|
|
-## run qemu unconfined.
|
|
+## Execute qemu_exec_t
|
|
+## in the specified domain but do not
|
|
+## do it automatically. This is an explicit
|
|
+## transition, requiring the caller to use setexeccon().
|
|
## </summary>
|
|
+## <desc>
|
|
+## <p>
|
|
+## Execute qemu_exec_t
|
|
+## in the specified domain. This allows
|
|
+## the specified domain to qemu programs
|
|
+## on these filesystems in the specified
|
|
+## domain.
|
|
+## </p>
|
|
+## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="target_domain">
|
|
+## <summary>
|
|
+## The type of the new process.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`qemu_domtrans_unconfined',`
|
|
+interface(`qemu_spec_domtrans',`
|
|
gen_require(`
|
|
- type unconfined_qemu_t, qemu_exec_t;
|
|
+ type qemu_exec_t;
|
|
')
|
|
-
|
|
- corecmd_search_bin($1)
|
|
- domtrans_pattern($1, qemu_exec_t, unconfined_qemu_t)
|
|
+
|
|
+ read_lnk_files_pattern($1, qemu_exec_t, qemu_exec_t)
|
|
+ domain_transition_pattern($1, qemu_exec_t, $2)
|
|
+ domain_entry_file($2,qemu_exec_t)
|
|
+ can_exec($1,qemu_exec_t)
|
|
+
|
|
+ allow $2 $1:fd use;
|
|
+ allow $2 $1:fifo_file rw_fifo_file_perms;
|
|
+ allow $2 $1:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## qemu temporary directories.
|
|
+## Execute qemu unconfined programs in the role.
|
|
## </summary>
|
|
-## <param name="domain">
|
|
+## <param name="role">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## The role to allow the qemu unconfined domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`qemu_manage_tmp_dirs',`
|
|
+interface(`qemu_unconfined_role',`
|
|
gen_require(`
|
|
- type qemu_tmp_t;
|
|
+ type unconfined_qemu_t;
|
|
+ type qemu_t;
|
|
')
|
|
-
|
|
- files_search_tmp($1)
|
|
- manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
|
|
+ role $1 types unconfined_qemu_t;
|
|
+ role $1 types qemu_t;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## qemu temporary files.
|
|
+## Manage qemu temporary dirs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -313,58 +302,41 @@ interface(`qemu_manage_tmp_dirs',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`qemu_manage_tmp_files',`
|
|
+interface(`qemu_manage_tmp_dirs',`
|
|
gen_require(`
|
|
type qemu_tmp_t;
|
|
')
|
|
|
|
- files_search_tmp($1)
|
|
- manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
|
|
+ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute qemu in a specified domain.
|
|
+## Manage qemu temporary files.
|
|
## </summary>
|
|
-## <desc>
|
|
-## <p>
|
|
-## Execute qemu in a specified domain.
|
|
-## </p>
|
|
-## <p>
|
|
-## No interprocess communication (signals, pipes,
|
|
-## etc.) is provided by this interface since
|
|
-## the domains are not owned by this module.
|
|
-## </p>
|
|
-## </desc>
|
|
-## <param name="source_domain">
|
|
-## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="target_domain">
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Domain to transition to.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`qemu_spec_domtrans',`
|
|
+interface(`qemu_manage_tmp_files',`
|
|
gen_require(`
|
|
- type qemu_exec_t;
|
|
+ type qemu_tmp_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
- domain_auto_trans($1, qemu_exec_t, $2)
|
|
+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
|
|
')
|
|
|
|
-######################################
|
|
+########################################
|
|
## <summary>
|
|
-## Make qemu executable files an
|
|
-## entrypoint for the specified domain.
|
|
+## Make qemu_exec_t an entrypoint for
|
|
+## the specified domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## The domain for which qemu_exec_t is an entrypoint.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## The domain for which qemu_exec_t is an entrypoint.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`qemu_entry_type',`
|
|
diff --git a/qemu.te b/qemu.te
|
|
index 4f90743..8c1e989 100644
|
|
--- a/qemu.te
|
|
+++ b/qemu.te
|
|
@@ -6,28 +6,58 @@ policy_module(qemu, 1.8.0)
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether qemu has full
|
|
-## access to the network.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow qemu to connect fully to the network
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(qemu_full_network, false)
|
|
|
|
-attribute_role qemu_roles;
|
|
-roleattribute system_r qemu_roles;
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow qemu to use cifs/Samba file systems
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(qemu_use_cifs, true)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow qemu to use serial/parallel communication ports
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(qemu_use_comm, false)
|
|
|
|
-type qemu_exec_t;
|
|
-application_executable_file(qemu_exec_t)
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow qemu to use nfs file systems
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(qemu_use_nfs, true)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow qemu to use usb devices
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(qemu_use_usb, true)
|
|
|
|
virt_domain_template(qemu)
|
|
-role qemu_roles types qemu_t;
|
|
+role system_r types qemu_t;
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# qemu local policy
|
|
#
|
|
|
|
+storage_raw_write_removable_device(qemu_t)
|
|
+storage_raw_read_removable_device(qemu_t)
|
|
+
|
|
+userdom_search_user_home_content(qemu_t)
|
|
+userdom_read_user_tmpfs_files(qemu_t)
|
|
+userdom_stream_connect(qemu_t)
|
|
+
|
|
tunable_policy(`qemu_full_network',`
|
|
+ allow qemu_t self:udp_socket create_socket_perms;
|
|
+
|
|
corenet_udp_sendrecv_generic_if(qemu_t)
|
|
corenet_udp_sendrecv_generic_node(qemu_t)
|
|
corenet_udp_sendrecv_all_ports(qemu_t)
|
|
@@ -37,21 +67,57 @@ tunable_policy(`qemu_full_network',`
|
|
corenet_tcp_connect_all_ports(qemu_t)
|
|
')
|
|
|
|
+tunable_policy(`qemu_use_cifs',`
|
|
+ fs_manage_cifs_dirs(qemu_t)
|
|
+ fs_manage_cifs_files(qemu_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`qemu_use_comm',`
|
|
+ term_use_unallocated_ttys(qemu_t)
|
|
+ dev_rw_printer(qemu_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`qemu_use_nfs',`
|
|
+ fs_manage_nfs_dirs(qemu_t)
|
|
+ fs_manage_nfs_files(qemu_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`qemu_use_usb',`
|
|
+ dev_rw_usbfs(qemu_t)
|
|
+ fs_manage_dos_dirs(qemu_t)
|
|
+ fs_manage_dos_files(qemu_t)
|
|
+')
|
|
+
|
|
optional_policy(`
|
|
- xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
|
|
+ dbus_read_lib_files(qemu_t)
|
|
')
|
|
|
|
-########################################
|
|
-#
|
|
-# Unconfined local policy
|
|
-#
|
|
+optional_policy(`
|
|
+ pulseaudio_manage_home_files(qemu_t)
|
|
+ pulseaudio_stream_connect(qemu_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ tunable_policy(`qemu_use_cifs',`
|
|
+ samba_domtrans_smbd(qemu_t)
|
|
+ ')
|
|
+')
|
|
|
|
optional_policy(`
|
|
- type unconfined_qemu_t;
|
|
- typealias unconfined_qemu_t alias qemu_unconfined_t;
|
|
- application_type(unconfined_qemu_t)
|
|
- unconfined_domain(unconfined_qemu_t)
|
|
+ virt_domtrans_bridgehelper(qemu_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ virt_manage_home_files(qemu_t)
|
|
+ virt_manage_images(qemu_t)
|
|
+ virt_append_log(qemu_t)
|
|
+')
|
|
|
|
- allow unconfined_qemu_t self:process { execstack execmem };
|
|
- allow unconfined_qemu_t qemu_exec_t:file execmod;
|
|
+optional_policy(`
|
|
+ xen_rw_image_files(qemu_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ xserver_read_xdm_pid(qemu_t)
|
|
+ xserver_stream_connect(qemu_t)
|
|
')
|
|
diff --git a/qmail.fc b/qmail.fc
|
|
index e53fe5a..edee505 100644
|
|
--- a/qmail.fc
|
|
+++ b/qmail.fc
|
|
@@ -1,22 +1,6 @@
|
|
-/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
|
|
-
|
|
-/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
|
|
-
|
|
-/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
|
|
-/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
|
|
-/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
|
|
-/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
|
|
-/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
|
|
-/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
|
|
-/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
|
|
-/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
|
|
-/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
|
|
-/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
|
|
-/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
|
|
-/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
|
|
-
|
|
-/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0)
|
|
-/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0)
|
|
+
|
|
+/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0)
|
|
+/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0)
|
|
|
|
/var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
|
|
/var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
|
|
@@ -29,9 +13,36 @@
|
|
/var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
|
|
/var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
|
|
/var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
|
|
-/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
|
|
-/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
|
|
+/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
|
|
+/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
|
|
+
|
|
+/var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
|
|
+/var/qmail/owners(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
|
|
+
|
|
+/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
|
|
+
|
|
+ifdef(`distro_debian', `
|
|
+/etc/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
|
|
+
|
|
+/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
|
|
+
|
|
+#/usr/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0)
|
|
+
|
|
+/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
|
|
+/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
|
|
+/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
|
|
+/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
|
|
+/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
|
|
+/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
|
|
+/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
|
|
+/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
|
|
+/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
|
|
+/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
|
|
+/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
|
|
+/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
|
|
+
|
|
+/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
|
|
|
|
-/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
|
|
+/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
|
|
+')
|
|
|
|
-/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
|
|
diff --git a/qmail.if b/qmail.if
|
|
index e4f0000..05e219e 100644
|
|
--- a/qmail.if
|
|
+++ b/qmail.if
|
|
@@ -1,12 +1,12 @@
|
|
-## <summary>Qmail Mail Server.</summary>
|
|
+## <summary>Qmail Mail Server</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Template for qmail parent/sub-domain pairs.
|
|
+## Template for qmail parent/sub-domain pairs
|
|
## </summary>
|
|
## <param name="child_prefix">
|
|
## <summary>
|
|
-## The prefix of the child domain.
|
|
+## The prefix of the child domain
|
|
## </summary>
|
|
## </param>
|
|
## <param name="parent_domain">
|
|
@@ -16,35 +16,39 @@
|
|
## </param>
|
|
#
|
|
template(`qmail_child_domain_template',`
|
|
- gen_require(`
|
|
- attribute qmail_child_domain;
|
|
- ')
|
|
-
|
|
- ########################################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
-
|
|
- type $1_t, qmail_child_domain;
|
|
- type $1_exec_t;
|
|
+ type $1_t;
|
|
domain_type($1_t)
|
|
+ type $1_exec_t;
|
|
domain_entry_file($1_t, $1_exec_t)
|
|
-
|
|
+ domain_auto_trans($2, $1_exec_t, $1_t)
|
|
role system_r types $1_t;
|
|
|
|
- ########################################
|
|
- #
|
|
- # Policy
|
|
- #
|
|
+ allow $1_t self:process signal_perms;
|
|
+
|
|
+ allow $1_t $2:fd use;
|
|
+ allow $1_t $2:fifo_file rw_file_perms;
|
|
+ allow $1_t $2:process sigchld;
|
|
+
|
|
+ allow $1_t qmail_etc_t:dir list_dir_perms;
|
|
+ allow $1_t qmail_etc_t:file read_file_perms;
|
|
+ allow $1_t qmail_etc_t:lnk_file read_lnk_file_perms;
|
|
+
|
|
+ allow $1_t qmail_start_t:fd use;
|
|
+
|
|
+ kernel_list_proc($2)
|
|
+ kernel_read_proc_symlinks($2)
|
|
|
|
- domtrans_pattern($2, $1_exec_t, $1_t)
|
|
+ corecmd_search_bin($1_t)
|
|
+
|
|
+ files_search_var($1_t)
|
|
+
|
|
+ fs_getattr_xattr_fs($1_t)
|
|
|
|
- kernel_read_system_state($2)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Transition to qmail_inject_t.
|
|
+## Transition to qmail_inject_t
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -57,11 +61,11 @@ interface(`qmail_domtrans_inject',`
|
|
type qmail_inject_t, qmail_inject_exec_t;
|
|
')
|
|
|
|
+ corecmd_search_bin($1)
|
|
domtrans_pattern($1, qmail_inject_exec_t, qmail_inject_t)
|
|
|
|
ifdef(`distro_debian',`
|
|
files_search_usr($1)
|
|
- corecmd_search_bin($1)
|
|
',`
|
|
files_search_var($1)
|
|
')
|
|
@@ -69,7 +73,7 @@ interface(`qmail_domtrans_inject',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Transition to qmail_queue_t.
|
|
+## Transition to qmail_queue_t
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -82,11 +86,11 @@ interface(`qmail_domtrans_queue',`
|
|
type qmail_queue_t, qmail_queue_exec_t;
|
|
')
|
|
|
|
+ corecmd_search_bin($1)
|
|
domtrans_pattern($1, qmail_queue_exec_t, qmail_queue_t)
|
|
|
|
ifdef(`distro_debian',`
|
|
files_search_usr($1)
|
|
- corecmd_search_bin($1)
|
|
',`
|
|
files_search_var($1)
|
|
')
|
|
@@ -108,20 +112,21 @@ interface(`qmail_read_config',`
|
|
type qmail_etc_t;
|
|
')
|
|
|
|
- files_search_var($1)
|
|
allow $1 qmail_etc_t:dir list_dir_perms;
|
|
allow $1 qmail_etc_t:file read_file_perms;
|
|
allow $1 qmail_etc_t:lnk_file read_lnk_file_perms;
|
|
+ files_search_var($1)
|
|
|
|
ifdef(`distro_debian',`
|
|
+ # handle /etc/qmail
|
|
files_search_etc($1)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Define the specified domain as a
|
|
-## qmail-smtp service.
|
|
+## Define the specified domain as a qmail-smtp service.
|
|
+## Needed by antivirus/antispam filters.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -141,3 +146,59 @@ interface(`qmail_smtpd_service_domain',`
|
|
|
|
domtrans_pattern(qmail_smtpd_t, $2, $1)
|
|
')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete qmail
|
|
+## spool directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`qmail_manage_spool_dirs',`
|
|
+ gen_require(`
|
|
+ type qmail_spool_t;
|
|
+ ')
|
|
+
|
|
+ manage_dirs_pattern($1, qmail_spool_t, qmail_spool_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete qmail
|
|
+## spool files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`qmail_manage_spool_files',`
|
|
+ gen_require(`
|
|
+ type qmail_spool_t;
|
|
+ ')
|
|
+
|
|
+ manage_files_pattern($1, qmail_spool_t, qmail_spool_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read and write to qmail spool pipes.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`qmail_rw_spool_pipes',`
|
|
+ gen_require(`
|
|
+ type qmail_spool_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 qmail_spool_t:fifo_file rw_fifo_file_perms;
|
|
+')
|
|
diff --git a/qmail.te b/qmail.te
|
|
index 8742944..53a2fe5 100644
|
|
--- a/qmail.te
|
|
+++ b/qmail.te
|
|
@@ -5,7 +5,7 @@ policy_module(qmail, 1.6.1)
|
|
# Declarations
|
|
#
|
|
|
|
-attribute qmail_child_domain;
|
|
+attribute qmail_user_domains;
|
|
|
|
type qmail_alias_home_t;
|
|
files_type(qmail_alias_home_t)
|
|
@@ -18,7 +18,7 @@ files_config_file(qmail_etc_t)
|
|
type qmail_exec_t;
|
|
files_type(qmail_exec_t)
|
|
|
|
-type qmail_inject_t;
|
|
+type qmail_inject_t, qmail_user_domains;
|
|
type qmail_inject_exec_t;
|
|
domain_type(qmail_inject_t)
|
|
domain_entry_file(qmail_inject_t, qmail_inject_exec_t)
|
|
@@ -32,21 +32,25 @@ qmail_child_domain_template(qmail_lspawn, qmail_start_t)
|
|
mta_mailserver_delivery(qmail_lspawn_t)
|
|
|
|
qmail_child_domain_template(qmail_queue, qmail_inject_t)
|
|
+typeattribute qmail_queue_t qmail_user_domains;
|
|
mta_mailserver_user_agent(qmail_queue_t)
|
|
|
|
qmail_child_domain_template(qmail_remote, qmail_rspawn_t)
|
|
mta_mailserver_sender(qmail_remote_t)
|
|
|
|
qmail_child_domain_template(qmail_rspawn, qmail_start_t)
|
|
+
|
|
qmail_child_domain_template(qmail_send, qmail_start_t)
|
|
+
|
|
qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
|
|
+
|
|
qmail_child_domain_template(qmail_splogger, qmail_start_t)
|
|
|
|
type qmail_keytab_t;
|
|
files_type(qmail_keytab_t)
|
|
|
|
type qmail_spool_t;
|
|
-files_type(qmail_spool_t)
|
|
+files_spool_file(qmail_spool_t)
|
|
|
|
type qmail_start_t;
|
|
type qmail_start_exec_t;
|
|
@@ -58,28 +62,8 @@ application_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t)
|
|
|
|
########################################
|
|
#
|
|
-# Common qmail child domain local policy
|
|
-#
|
|
-
|
|
-allow qmail_child_domain self:process signal_perms;
|
|
-
|
|
-allow qmail_child_domain qmail_etc_t:dir list_dir_perms;
|
|
-allow qmail_child_domain qmail_etc_t:file read_file_perms;
|
|
-allow qmail_child_domain qmail_etc_t:lnk_file read_lnk_file_perms;
|
|
-
|
|
-allow qmail_child_domain qmail_start_t:fd use;
|
|
-
|
|
-corecmd_search_bin(qmail_child_domain)
|
|
-
|
|
-files_search_var(qmail_child_domain)
|
|
-
|
|
-fs_getattr_xattr_fs(qmail_child_domain)
|
|
-
|
|
-miscfiles_read_localization(qmail_child_domain)
|
|
-
|
|
-########################################
|
|
-#
|
|
-# Clean local policy
|
|
+# qmail-clean local policy
|
|
+# this component cleans up the queue directory
|
|
#
|
|
|
|
read_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
|
|
@@ -87,11 +71,12 @@ delete_files_pattern(qmail_clean_t, qmail_spool_t, qmail_spool_t)
|
|
|
|
########################################
|
|
#
|
|
-# Inject local policy
|
|
+# qmail-inject local policy
|
|
+# this component preprocesses mail from stdin and invokes qmail-queue
|
|
#
|
|
|
|
-allow qmail_inject_t self:fifo_file write_fifo_file_perms;
|
|
allow qmail_inject_t self:process signal_perms;
|
|
+allow qmail_inject_t self:fifo_file write_fifo_file_perms;
|
|
|
|
allow qmail_inject_t qmail_queue_exec_t:file read_file_perms;
|
|
|
|
@@ -99,18 +84,18 @@ corecmd_search_bin(qmail_inject_t)
|
|
|
|
files_search_var(qmail_inject_t)
|
|
|
|
-miscfiles_read_localization(qmail_inject_t)
|
|
|
|
qmail_read_config(qmail_inject_t)
|
|
|
|
########################################
|
|
#
|
|
-# Local local policy
|
|
+# qmail-local local policy
|
|
+# this component delivers a mail message
|
|
#
|
|
|
|
-allow qmail_local_t self:fifo_file write_fifo_file_perms;
|
|
allow qmail_local_t self:process signal_perms;
|
|
-allow qmail_local_t self:unix_stream_socket { accept listen };
|
|
+allow qmail_local_t self:fifo_file write_file_perms;
|
|
+allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
manage_dirs_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
|
|
manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
|
|
@@ -137,12 +122,17 @@ mta_append_spool(qmail_local_t)
|
|
qmail_domtrans_queue(qmail_local_t)
|
|
|
|
optional_policy(`
|
|
+ uucp_domtrans(qmail_local_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
spamassassin_domtrans_client(qmail_local_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Lspawn local policy
|
|
+# qmail-lspawn local policy
|
|
+# this component schedules local deliveries
|
|
#
|
|
|
|
allow qmail_lspawn_t self:capability { setuid setgid };
|
|
@@ -156,21 +146,23 @@ allow qmail_lspawn_t qmail_local_exec_t:file read_file_perms;
|
|
|
|
read_files_pattern(qmail_lspawn_t, qmail_spool_t, qmail_spool_t)
|
|
|
|
-files_read_etc_files(qmail_lspawn_t)
|
|
+corecmd_search_bin(qmail_lspawn_t)
|
|
+
|
|
files_search_pids(qmail_lspawn_t)
|
|
files_search_tmp(qmail_lspawn_t)
|
|
|
|
########################################
|
|
#
|
|
-# Queue local policy
|
|
+# qmail-queue local policy
|
|
+# this component places a mail in a delivery queue, later to be processed by qmail-send
|
|
#
|
|
|
|
allow qmail_queue_t qmail_lspawn_t:fd use;
|
|
allow qmail_queue_t qmail_lspawn_t:fifo_file write_fifo_file_perms;
|
|
|
|
+allow qmail_queue_t qmail_smtpd_t:process sigchld;
|
|
allow qmail_queue_t qmail_smtpd_t:fd use;
|
|
allow qmail_queue_t qmail_smtpd_t:fifo_file read_fifo_file_perms;
|
|
-allow qmail_queue_t qmail_smtpd_t:process sigchld;
|
|
|
|
manage_dirs_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
|
|
manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
|
|
@@ -186,28 +178,34 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Remote local policy
|
|
+# qmail-remote local policy
|
|
+# this component sends mail via SMTP
|
|
#
|
|
|
|
+allow qmail_remote_t self:tcp_socket create_socket_perms;
|
|
+allow qmail_remote_t self:udp_socket create_socket_perms;
|
|
+
|
|
rw_files_pattern(qmail_remote_t, qmail_spool_t, qmail_spool_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(qmail_remote_t)
|
|
corenet_all_recvfrom_netlabel(qmail_remote_t)
|
|
corenet_tcp_sendrecv_generic_if(qmail_remote_t)
|
|
+corenet_udp_sendrecv_generic_if(qmail_remote_t)
|
|
corenet_tcp_sendrecv_generic_node(qmail_remote_t)
|
|
-
|
|
-corenet_sendrecv_smtp_client_packets(qmail_remote_t)
|
|
-corenet_tcp_connect_smtp_port(qmail_remote_t)
|
|
+corenet_udp_sendrecv_generic_node(qmail_remote_t)
|
|
corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
|
|
+corenet_udp_sendrecv_dns_port(qmail_remote_t)
|
|
+corenet_tcp_connect_smtp_port(qmail_remote_t)
|
|
+corenet_sendrecv_smtp_client_packets(qmail_remote_t)
|
|
|
|
dev_read_rand(qmail_remote_t)
|
|
dev_read_urand(qmail_remote_t)
|
|
|
|
-sysnet_dns_name_resolve(qmail_remote_t)
|
|
+sysnet_read_config(qmail_remote_t)
|
|
|
|
########################################
|
|
#
|
|
-# Rspawn local policy
|
|
+# qmail-rspawn local policy
|
|
+# this component scedules remote deliveries
|
|
#
|
|
|
|
allow qmail_rspawn_t self:process signal_perms;
|
|
@@ -217,9 +215,12 @@ allow qmail_rspawn_t qmail_remote_exec_t:file read_file_perms;
|
|
|
|
rw_files_pattern(qmail_rspawn_t, qmail_spool_t, qmail_spool_t)
|
|
|
|
+corecmd_search_bin(qmail_rspawn_t)
|
|
+
|
|
########################################
|
|
#
|
|
-# Send local policy
|
|
+# qmail-send local policy
|
|
+# this component delivers mail messages from the queue
|
|
#
|
|
|
|
allow qmail_send_t self:process signal_perms;
|
|
@@ -237,7 +238,8 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Smtpd local policy
|
|
+# qmail-smtpd local policy
|
|
+# this component receives mails via SMTP
|
|
#
|
|
|
|
allow qmail_smtpd_t self:process signal_perms;
|
|
@@ -268,26 +270,26 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Splogger local policy
|
|
+# splogger local policy
|
|
+# this component creates entries in syslog
|
|
#
|
|
|
|
allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
-files_read_etc_files(qmail_splogger_t)
|
|
|
|
init_dontaudit_use_script_fds(qmail_splogger_t)
|
|
|
|
-miscfiles_read_localization(qmail_splogger_t)
|
|
|
|
########################################
|
|
#
|
|
-# Start local policy
|
|
+# qmail-start local policy
|
|
+# this component starts up the mail delivery component
|
|
#
|
|
|
|
allow qmail_start_t self:capability { setgid setuid };
|
|
dontaudit qmail_start_t self:capability sys_tty_config;
|
|
-allow qmail_start_t self:fifo_file rw_fifo_file_perms;
|
|
allow qmail_start_t self:process signal_perms;
|
|
+allow qmail_start_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
can_exec(qmail_start_t, qmail_start_exec_t)
|
|
|
|
@@ -304,7 +306,8 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Tcp-env local policy
|
|
+# tcp-env local policy
|
|
+# this component sets up TCP-related environment variables
|
|
#
|
|
|
|
allow qmail_tcp_env_t qmail_smtpd_exec_t:file read_file_perms;
|
|
diff --git a/qpid.if b/qpid.if
|
|
index fe2adf8..f7e9c70 100644
|
|
--- a/qpid.if
|
|
+++ b/qpid.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>Apache QPID AMQP messaging server.</summary>
|
|
+## <summary>policy for qpidd</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -15,13 +15,12 @@ interface(`qpidd_domtrans',`
|
|
type qpidd_t, qpidd_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, qpidd_exec_t, qpidd_t)
|
|
')
|
|
|
|
-#####################################
|
|
+########################################
|
|
## <summary>
|
|
-## Read and write access qpidd semaphores.
|
|
+## Execute qpidd server in the qpidd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -29,17 +28,17 @@ interface(`qpidd_domtrans',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`qpidd_rw_semaphores',`
|
|
+interface(`qpidd_initrc_domtrans',`
|
|
gen_require(`
|
|
- type qpidd_t;
|
|
+ type qpidd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 qpidd_t:sem rw_sem_perms;
|
|
+ init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write qpidd shared memory.
|
|
+## Read qpidd PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -47,36 +46,39 @@ interface(`qpidd_rw_semaphores',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`qpidd_rw_shm',`
|
|
+interface(`qpidd_read_pid_files',`
|
|
gen_require(`
|
|
- type qpidd_t;
|
|
+ type qpidd_var_run_t;
|
|
')
|
|
|
|
- allow $1 qpidd_t:shm rw_shm_perms;
|
|
+ files_search_pids($1)
|
|
+ allow $1 qpidd_var_run_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute qpidd init script in
|
|
-## the initrc domain.
|
|
+## Manage qpidd var_run files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`qpidd_initrc_domtrans',`
|
|
+interface(`qpidd_manage_var_run',`
|
|
gen_require(`
|
|
- type qpidd_initrc_exec_t;
|
|
+ type qpidd_var_run_t;
|
|
')
|
|
|
|
- init_labeled_script_domtrans($1, qpidd_initrc_exec_t)
|
|
+ files_search_pids($1)
|
|
+ manage_dirs_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
|
|
+ manage_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
|
|
+ manage_lnk_files_pattern($1, qpidd_var_run_t, qpidd_var_run_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read qpidd pid files.
|
|
+## Search qpidd lib directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -84,18 +86,18 @@ interface(`qpidd_initrc_domtrans',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`qpidd_read_pid_files',`
|
|
+interface(`qpidd_search_lib',`
|
|
gen_require(`
|
|
- type qpidd_var_run_t;
|
|
+ type qpidd_var_lib_t;
|
|
')
|
|
|
|
- files_search_pids($1)
|
|
- allow $1 qpidd_var_run_t:file read_file_perms;
|
|
+ allow $1 qpidd_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Search qpidd lib directories.
|
|
+## Read qpidd lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -103,18 +105,19 @@ interface(`qpidd_read_pid_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`qpidd_search_lib',`
|
|
+interface(`qpidd_read_lib_files',`
|
|
gen_require(`
|
|
type qpidd_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
- allow $1 qpidd_var_lib_t:dir search_dir_perms;
|
|
+ read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read qpidd lib files.
|
|
+## Create, read, write, and delete
|
|
+## qpidd lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -122,19 +125,18 @@ interface(`qpidd_search_lib',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`qpidd_read_lib_files',`
|
|
+interface(`qpidd_manage_lib_files',`
|
|
gen_require(`
|
|
type qpidd_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
- read_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
|
|
+ manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## qpidd lib files.
|
|
+## Manage qpidd var_lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -142,49 +144,94 @@ interface(`qpidd_read_lib_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`qpidd_manage_lib_files',`
|
|
+interface(`qpidd_manage_var_lib',`
|
|
gen_require(`
|
|
type qpidd_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
|
|
manage_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
|
|
+ manage_lnk_files_pattern($1, qpidd_var_lib_t, qpidd_var_lib_t)
|
|
')
|
|
|
|
-########################################
|
|
+#####################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an qpidd environment.
|
|
+## Allow read and write access to qpidd semaphores.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+#
|
|
+interface(`qpidd_rw_semaphores',`
|
|
+ gen_require(`
|
|
+ type qpidd_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 qpidd_t:sem rw_sem_perms;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Read and write to qpidd shared memory.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`qpidd_rw_shm',`
|
|
+ gen_require(`
|
|
+ type qpidd_t;
|
|
+ type qpidd_tmpfs_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 qpidd_t:shm rw_shm_perms;
|
|
+ fs_search_tmpfs($1)
|
|
+ manage_files_pattern($1, qpidd_tmpfs_t, qpidd_tmpfs_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## All of the rules required to
|
|
+## administrate an qpidd environment.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`qpidd_admin',`
|
|
- gen_require(`
|
|
- type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t;
|
|
- type qpidd_var_run_t;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type qpidd_t, qpidd_initrc_exec_t, qpidd_var_lib_t;
|
|
+ type qpidd_var_run_t;
|
|
+ ')
|
|
|
|
- allow $1 qpidd_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, qpidd_t)
|
|
+ allow $1 qpidd_t:process { signal_perms };
|
|
+ ps_process_pattern($1, qpidd_t)
|
|
|
|
- qpidd_initrc_domtrans($1)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 qpidd_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 qpidd_t:process ptrace;
|
|
+ ')
|
|
|
|
- files_search_var_lib($1)
|
|
- admin_pattern($1, qpidd_var_lib_t)
|
|
+ qpidd_initrc_domtrans($1)
|
|
+ domain_system_change_exemption($1)
|
|
+ role_transition $2 qpidd_initrc_exec_t system_r;
|
|
+ allow $2 system_r;
|
|
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, qpidd_var_run_t)
|
|
+ files_search_var_lib($1)
|
|
+ admin_pattern($1, qpidd_var_lib_t)
|
|
+
|
|
+ files_search_pids($1)
|
|
+ admin_pattern($1, qpidd_var_run_t)
|
|
')
|
|
diff --git a/qpid.te b/qpid.te
|
|
index 83eb09e..b48c931 100644
|
|
--- a/qpid.te
|
|
+++ b/qpid.te
|
|
@@ -12,6 +12,9 @@ init_daemon_domain(qpidd_t, qpidd_exec_t)
|
|
type qpidd_initrc_exec_t;
|
|
init_script_file(qpidd_initrc_exec_t)
|
|
|
|
+type qpidd_tmp_t;
|
|
+files_tmp_file(qpidd_tmp_t)
|
|
+
|
|
type qpidd_tmpfs_t;
|
|
files_tmpfs_file(qpidd_tmpfs_t)
|
|
|
|
@@ -33,41 +36,52 @@ allow qpidd_t self:shm create_shm_perms;
|
|
allow qpidd_t self:tcp_socket { accept listen };
|
|
allow qpidd_t self:unix_stream_socket { accept listen };
|
|
|
|
+manage_dirs_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t)
|
|
+manage_files_pattern(qpidd_t, qpidd_tmp_t, qpidd_tmp_t)
|
|
+files_tmp_filetrans(qpidd_t, qpidd_tmp_t, { dir file })
|
|
+
|
|
manage_dirs_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
|
|
manage_files_pattern(qpidd_t, qpidd_tmpfs_t, qpidd_tmpfs_t)
|
|
fs_tmpfs_filetrans(qpidd_t, qpidd_tmpfs_t, { dir file })
|
|
|
|
-manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
|
|
-manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
|
|
+manage_dirs_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
|
|
+manage_files_pattern(qpidd_t, qpidd_var_lib_t, qpidd_var_lib_t)
|
|
files_var_lib_filetrans(qpidd_t, qpidd_var_lib_t, { file dir })
|
|
|
|
-manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
|
|
-manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
|
|
+manage_dirs_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
|
|
+manage_files_pattern(qpidd_t, qpidd_var_run_t, qpidd_var_run_t)
|
|
files_pid_filetrans(qpidd_t, qpidd_var_run_t, { file dir })
|
|
|
|
kernel_read_system_state(qpidd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(qpidd_t)
|
|
corenet_all_recvfrom_netlabel(qpidd_t)
|
|
+corenet_tcp_bind_generic_node(qpidd_t)
|
|
corenet_tcp_sendrecv_generic_if(qpidd_t)
|
|
corenet_tcp_sendrecv_generic_node(qpidd_t)
|
|
-corenet_tcp_bind_generic_node(qpidd_t)
|
|
|
|
corenet_sendrecv_amqp_server_packets(qpidd_t)
|
|
corenet_tcp_bind_amqp_port(qpidd_t)
|
|
corenet_tcp_sendrecv_amqp_port(qpidd_t)
|
|
|
|
+corenet_tcp_bind_matahari_port(qpidd_t)
|
|
+corenet_tcp_connect_matahari_port(qpidd_t)
|
|
+
|
|
dev_read_sysfs(qpidd_t)
|
|
dev_read_urand(qpidd_t)
|
|
+dev_read_rand(qpidd_t)
|
|
|
|
-files_read_etc_files(qpidd_t)
|
|
+# needed by ssl
|
|
+files_list_tmp(qpidd_t)
|
|
|
|
logging_send_syslog_msg(qpidd_t)
|
|
|
|
-miscfiles_read_localization(qpidd_t)
|
|
-
|
|
sysnet_dns_name_resolve(qpidd_t)
|
|
|
|
optional_policy(`
|
|
- corosync_stream_connect(qpidd_t)
|
|
+ kerberos_use(qpidd_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ rhcs_stream_connect_cluster(qpidd_t)
|
|
+')
|
|
+
|
|
diff --git a/quantum.fc b/quantum.fc
|
|
index 70ab68b..1de192b 100644
|
|
--- a/quantum.fc
|
|
+++ b/quantum.fc
|
|
@@ -1,10 +1,26 @@
|
|
-/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:quantum_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/neutron.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/quantum.* -- gen_context(system_u:object_r:neutron_initrc_exec_t,s0)
|
|
|
|
-/usr/bin/quantum-server -- gen_context(system_u:object_r:quantum_exec_t,s0)
|
|
-/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
|
|
-/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
|
|
-/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:quantum_exec_t,s0)
|
|
+/usr/bin/neutron-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
|
|
+/usr/bin/neutron-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
|
|
+/usr/bin/neutron-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
|
|
+/usr/bin/neutron-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
|
|
+/usr/bin/neutron-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
|
|
+/usr/bin/neutron-ryu-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
|
|
+/usr/bin/neutron-server -- gen_context(system_u:object_r:neutron_exec_t,s0)
|
|
+/usr/bin/quantum-dhcp-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
|
|
+/usr/bin/quantum-l3-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
|
|
+/usr/bin/quantum-linuxbridge-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
|
|
+/usr/bin/quantum-openvswitch-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
|
|
+/usr/bin/quantum-ovs-cleanup -- gen_context(system_u:object_r:neutron_exec_t,s0)
|
|
+/usr/bin/quantum-ryu-agent -- gen_context(system_u:object_r:neutron_exec_t,s0)
|
|
+/usr/bin/quantum-server -- gen_context(system_u:object_r:neutron_exec_t,s0)
|
|
|
|
-/var/lib/quantum(/.*)? gen_context(system_u:object_r:quantum_var_lib_t,s0)
|
|
+/usr/lib/systemd/system/neutron.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/quantum.* -- gen_context(system_u:object_r:neutron_unit_file_t,s0)
|
|
|
|
-/var/log/quantum(/.*)? gen_context(system_u:object_r:quantum_log_t,s0)
|
|
+/var/lib/neutron(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0)
|
|
+/var/lib/quantum(/.*)? gen_context(system_u:object_r:neutron_var_lib_t,s0)
|
|
+
|
|
+/var/log/neutron(/.*)? gen_context(system_u:object_r:neutron_log_t,s0)
|
|
+/var/log/quantum(/.*)? gen_context(system_u:object_r:neutron_log_t,s0)
|
|
diff --git a/quantum.if b/quantum.if
|
|
index afc0068..3105104 100644
|
|
--- a/quantum.if
|
|
+++ b/quantum.if
|
|
@@ -2,41 +2,293 @@
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an quantum environment.
|
|
+## Transition to neutron.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`neutron_domtrans',`
|
|
+ gen_require(`
|
|
+ type neutron_t, neutron_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, neutron_exec_t, neutron_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow read/write neutron pipes
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+#
|
|
+interface(`neutron_rw_inherited_pipes',`
|
|
+ gen_require(`
|
|
+ type neutron_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send sigchld to neutron.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+#
|
|
+interface(`neutron_sigchld',`
|
|
+ gen_require(`
|
|
+ type neutron_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 neutron_t:process sigchld;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read neutron's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
-interface(`quantum_admin',`
|
|
+interface(`neutron_read_log',`
|
|
+ gen_require(`
|
|
+ type neutron_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, neutron_log_t, neutron_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Append to neutron log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`neutron_append_log',`
|
|
+ gen_require(`
|
|
+ type neutron_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, neutron_log_t, neutron_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage neutron log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`neutron_manage_log',`
|
|
+ gen_require(`
|
|
+ type neutron_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ manage_dirs_pattern($1, neutron_log_t, neutron_log_t)
|
|
+ manage_files_pattern($1, neutron_log_t, neutron_log_t)
|
|
+ manage_lnk_files_pattern($1, neutron_log_t, neutron_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search neutron lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`neutron_search_lib',`
|
|
+ gen_require(`
|
|
+ type neutron_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 neutron_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read neutron lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`neutron_read_lib_files',`
|
|
gen_require(`
|
|
- type quantum_t, quantum_initrc_exec_t, quantum_log_t;
|
|
- type quantum_var_lib_t, quantum_tmp_t;
|
|
+ type neutron_var_lib_t;
|
|
')
|
|
|
|
- allow $1 quantum_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, quantum_t)
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage neutron lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`neutron_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type neutron_var_lib_t;
|
|
+ ')
|
|
|
|
- init_labeled_script_domtrans($1, quantum_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 quantum_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage neutron lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`neutron_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type neutron_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, neutron_var_lib_t, neutron_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read and write neutron fifo files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`neutron_rw_fifo_file',`
|
|
+ gen_require(`
|
|
+ type neutron_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 neutron_t:fifo_file rw_inherited_fifo_file_perms;
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Connect to neutron over a unix domain
|
|
+## stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`neutron_stream_connect',`
|
|
+ gen_require(`
|
|
+ type neutron_t;
|
|
+ type neutron_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, neutron_var_lib_t, neutron_var_lib_t, neutron_t )
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute neutron server in the neutron domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`neutron_systemctl',`
|
|
+ gen_require(`
|
|
+ type neutron_t;
|
|
+ type neutron_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ allow $1 neutron_unit_file_t:file read_file_perms;
|
|
+ allow $1 neutron_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, neutron_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an neutron environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`neutron_admin',`
|
|
+ gen_require(`
|
|
+ type neutron_t;
|
|
+ type neutron_log_t;
|
|
+ type neutron_var_lib_t;
|
|
+ type neutron_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 neutron_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, neutron_t)
|
|
|
|
logging_search_logs($1)
|
|
- admin_pattern($1, quantum_log_t)
|
|
+ admin_pattern($1, neutron_log_t)
|
|
|
|
files_search_var_lib($1)
|
|
- admin_pattern($1, quantum_var_lib_t)
|
|
+ admin_pattern($1, neutron_var_lib_t)
|
|
|
|
- files_search_tmp($1)
|
|
- admin_pattern($1, quantum_tmp_t)
|
|
+ neutron_systemctl($1)
|
|
+ admin_pattern($1, neutron_unit_file_t)
|
|
+ allow $1 neutron_unit_file_t:service all_service_perms;
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
')
|
|
diff --git a/quantum.te b/quantum.te
|
|
index 8644d8b..d850703 100644
|
|
--- a/quantum.te
|
|
+++ b/quantum.te
|
|
@@ -5,92 +5,105 @@ policy_module(quantum, 1.1.0)
|
|
# Declarations
|
|
#
|
|
|
|
-type quantum_t;
|
|
-type quantum_exec_t;
|
|
-init_daemon_domain(quantum_t, quantum_exec_t)
|
|
+type neutron_t alias quantum_t;
|
|
+type neutron_exec_t alias quantum_exec_t;
|
|
+init_daemon_domain(neutron_t, neutron_exec_t)
|
|
|
|
-type quantum_initrc_exec_t;
|
|
-init_script_file(quantum_initrc_exec_t)
|
|
+type neutron_initrc_exec_t alias quantum_initrc_exec_t;
|
|
+init_script_file(neutron_initrc_exec_t)
|
|
|
|
-type quantum_log_t;
|
|
-logging_log_file(quantum_log_t)
|
|
+type neutron_log_t alias quantum_log_t;
|
|
+logging_log_file(neutron_log_t)
|
|
|
|
-type quantum_tmp_t;
|
|
-files_tmp_file(quantum_tmp_t)
|
|
+type neutron_tmp_t alias quantum_tmp_t;
|
|
+files_tmp_file(neutron_tmp_t)
|
|
|
|
-type quantum_var_lib_t;
|
|
-files_type(quantum_var_lib_t)
|
|
+type neutron_var_lib_t alias quantum_var_lib_t;
|
|
+files_type(neutron_var_lib_t)
|
|
+
|
|
+type neutron_unit_file_t alias quantum_unit_file_t;
|
|
+systemd_unit_file(neutron_unit_file_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
-allow quantum_t self:capability { setgid setuid sys_resource };
|
|
-allow quantum_t self:process { setsched setrlimit };
|
|
-allow quantum_t self:fifo_file rw_fifo_file_perms;
|
|
-allow quantum_t self:key manage_key_perms;
|
|
-allow quantum_t self:tcp_socket { accept listen };
|
|
-allow quantum_t self:unix_stream_socket { accept listen };
|
|
+allow neutron_t self:capability { setgid setuid sys_resource };
|
|
+allow neutron_t self:process { setsched setrlimit };
|
|
+allow neutron_t self:fifo_file rw_fifo_file_perms;
|
|
+allow neutron_t self:key manage_key_perms;
|
|
+allow neutron_t self:tcp_socket { accept listen };
|
|
+allow neutron_t self:unix_stream_socket { accept listen };
|
|
|
|
-manage_dirs_pattern(quantum_t, quantum_log_t, quantum_log_t)
|
|
-append_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
|
|
-create_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
|
|
-setattr_files_pattern(quantum_t, quantum_log_t, quantum_log_t)
|
|
-logging_log_filetrans(quantum_t, quantum_log_t, dir)
|
|
+manage_dirs_pattern(neutron_t, neutron_log_t, neutron_log_t)
|
|
+append_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
|
|
+create_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
|
|
+setattr_files_pattern(neutron_t, neutron_log_t, neutron_log_t)
|
|
+logging_log_filetrans(neutron_t, neutron_log_t, dir)
|
|
|
|
-manage_files_pattern(quantum_t, quantum_tmp_t, quantum_tmp_t)
|
|
-files_tmp_filetrans(quantum_t, quantum_tmp_t, file)
|
|
+manage_files_pattern(neutron_t, neutron_tmp_t, neutron_tmp_t)
|
|
+files_tmp_filetrans(neutron_t, neutron_tmp_t, file)
|
|
|
|
-manage_dirs_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
|
|
-manage_files_pattern(quantum_t, quantum_var_lib_t, quantum_var_lib_t)
|
|
-files_var_lib_filetrans(quantum_t, quantum_var_lib_t, dir)
|
|
+manage_dirs_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
|
|
+manage_files_pattern(neutron_t, neutron_var_lib_t, neutron_var_lib_t)
|
|
+files_var_lib_filetrans(neutron_t, neutron_var_lib_t, dir)
|
|
|
|
-can_exec(quantum_t, quantum_tmp_t)
|
|
+can_exec(neutron_t, neutron_tmp_t)
|
|
|
|
-kernel_read_kernel_sysctls(quantum_t)
|
|
-kernel_read_system_state(quantum_t)
|
|
+kernel_read_kernel_sysctls(neutron_t)
|
|
+kernel_read_system_state(neutron_t)
|
|
|
|
-corecmd_exec_shell(quantum_t)
|
|
-corecmd_exec_bin(quantum_t)
|
|
+corecmd_exec_shell(neutron_t)
|
|
+corecmd_exec_bin(neutron_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(quantum_t)
|
|
-corenet_all_recvfrom_netlabel(quantum_t)
|
|
-corenet_tcp_sendrecv_generic_if(quantum_t)
|
|
-corenet_tcp_sendrecv_generic_node(quantum_t)
|
|
-corenet_tcp_sendrecv_all_ports(quantum_t)
|
|
-corenet_tcp_bind_generic_node(quantum_t)
|
|
+corenet_all_recvfrom_unlabeled(neutron_t)
|
|
+corenet_all_recvfrom_netlabel(neutron_t)
|
|
+corenet_tcp_sendrecv_generic_if(neutron_t)
|
|
+corenet_tcp_sendrecv_generic_node(neutron_t)
|
|
+corenet_tcp_sendrecv_all_ports(neutron_t)
|
|
+corenet_tcp_bind_generic_node(neutron_t)
|
|
|
|
-dev_list_sysfs(quantum_t)
|
|
-dev_read_urand(quantum_t)
|
|
+corenet_tcp_bind_neutron_port(neutron_t)
|
|
+corenet_tcp_connect_keystone_port(neutron_t)
|
|
+corenet_tcp_connect_amqp_port(neutron_t)
|
|
+corenet_tcp_connect_mysqld_port(neutron_t)
|
|
|
|
-files_read_usr_files(quantum_t)
|
|
+dev_list_sysfs(neutron_t)
|
|
+dev_read_urand(neutron_t)
|
|
|
|
-auth_use_nsswitch(quantum_t)
|
|
+auth_use_nsswitch(neutron_t)
|
|
|
|
-libs_exec_ldconfig(quantum_t)
|
|
+libs_exec_ldconfig(neutron_t)
|
|
|
|
-logging_send_audit_msgs(quantum_t)
|
|
-logging_send_syslog_msg(quantum_t)
|
|
+logging_send_audit_msgs(neutron_t)
|
|
+logging_send_syslog_msg(neutron_t)
|
|
|
|
-miscfiles_read_localization(quantum_t)
|
|
+sysnet_domtrans_ifconfig(neutron_t)
|
|
|
|
-sysnet_domtrans_ifconfig(quantum_t)
|
|
+optional_policy(`
|
|
+ brctl_domtrans(neutron_t)
|
|
+')
|
|
|
|
optional_policy(`
|
|
- brctl_domtrans(quantum_t)
|
|
+ mysql_stream_connect(neutron_t)
|
|
+ mysql_read_config(neutron_t)
|
|
+
|
|
+ mysql_tcp_connect(neutron_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- mysql_stream_connect(quantum_t)
|
|
- mysql_read_config(quantum_t)
|
|
+ postgresql_stream_connect(neutron_t)
|
|
+ postgresql_unpriv_client(neutron_t)
|
|
|
|
- mysql_tcp_connect(quantum_t)
|
|
+ postgresql_tcp_connect(neutron_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- postgresql_stream_connect(quantum_t)
|
|
- postgresql_unpriv_client(quantum_t)
|
|
+ openvswitch_domtrans(neutron_t)
|
|
+ openvswitch_stream_connect(neutron_t)
|
|
+')
|
|
|
|
- postgresql_tcp_connect(quantum_t)
|
|
+optional_policy(`
|
|
+ sudo_exec(neutron_t)
|
|
')
|
|
diff --git a/quota.fc b/quota.fc
|
|
index cadabe3..0ee2489 100644
|
|
--- a/quota.fc
|
|
+++ b/quota.fc
|
|
@@ -1,6 +1,5 @@
|
|
HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
|
-
|
|
-HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
|
+HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
|
|
|
/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
|
|
|
@@ -8,24 +7,23 @@ HOME_DIR/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
|
|
|
/etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
|
|
|
-/etc/rc\.d/init\.d/quota_nld -- gen_context(system_u:object_r:quota_nld_initrc_exec_t,s0)
|
|
-
|
|
-/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
|
|
-/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
|
|
+/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
|
|
|
|
-/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
|
|
/usr/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
|
|
-/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
|
|
|
|
/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
|
+/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
|
|
+/var/spool/(.*/)?a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
|
|
|
-/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
|
|
+ifdef(`distro_redhat',`
|
|
+/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
|
|
+',`
|
|
+/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
|
|
+')
|
|
|
|
-/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
|
|
+/usr/sbin/quota_nld -- gen_context(system_u:object_r:quota_nld_exec_t,s0)
|
|
|
|
-/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
|
+/var/lib/stickshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
|
+/var/lib/openshift/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
|
|
|
-/var/spool/imap/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
|
-/var/spool/(client)?mqueue/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
|
-/var/spool/mqueue\.in/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
|
-/var/spool/mail/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
|
|
+/var/run/quota_nld\.pid -- gen_context(system_u:object_r:quota_nld_var_run_t,s0)
|
|
diff --git a/quota.if b/quota.if
|
|
index da64218..3fb8575 100644
|
|
--- a/quota.if
|
|
+++ b/quota.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>File system quota management.</summary>
|
|
+## <summary>File system quota management</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -21,9 +21,8 @@ interface(`quota_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute quota management tools in
|
|
-## the quota domain, and allow the
|
|
-## specified role the quota domain.
|
|
+## Execute quota management tools in the quota domain, and
|
|
+## allow the specified role the quota domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -39,90 +38,54 @@ interface(`quota_domtrans',`
|
|
#
|
|
interface(`quota_run',`
|
|
gen_require(`
|
|
- attribute_role quota_roles;
|
|
+ type quota_t;
|
|
')
|
|
|
|
quota_domtrans($1)
|
|
- roleattribute $2 quota_roles;
|
|
+ role $2 types quota_t;
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Execute quota nld in the quota nld domain.
|
|
+## Alow to read of filesystem quota data files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`quota_domtrans_nld',`
|
|
- gen_require(`
|
|
- type quota_nld_t, quota_nld_exec_t;
|
|
- ')
|
|
+interface(`quota_read_db',`
|
|
+ gen_require(`
|
|
+ type quota_db_t;
|
|
+ ')
|
|
|
|
- corecmd_search_bin($1)
|
|
- domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
|
|
+ allow $1 quota_db_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## quota db files.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`quota_manage_db_files',`
|
|
- gen_require(`
|
|
- type quota_db_t;
|
|
- ')
|
|
-
|
|
- allow $1 quota_db_t:file manage_file_perms;
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Create specified objects in specified
|
|
-## directories with a type transition to
|
|
-## the quota db file type.
|
|
+## Do not audit attempts to get the attributes
|
|
+## of filesystem quota data files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="file_type">
|
|
-## <summary>
|
|
-## Directory to transition on.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="object">
|
|
-## <summary>
|
|
-## The object class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`quota_spec_filetrans_db',`
|
|
+interface(`quota_dontaudit_getattr_db',`
|
|
gen_require(`
|
|
type quota_db_t;
|
|
')
|
|
|
|
- filetrans_pattern($1, $2, quota_db_t, $3, $4)
|
|
+ dontaudit $1 quota_db_t:file getattr_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to get attributes
|
|
-## of filesystem quota data files.
|
|
+## Create, read, write, and delete quota
|
|
+## db files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -130,18 +93,18 @@ interface(`quota_spec_filetrans_db',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`quota_dontaudit_getattr_db',`
|
|
+interface(`quota_manage_db',`
|
|
gen_require(`
|
|
type quota_db_t;
|
|
')
|
|
|
|
- dontaudit $1 quota_db_t:file getattr_file_perms;
|
|
+ allow $1 quota_db_t:file manage_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## quota flag files.
|
|
+## Create, read, write, and delete quota
|
|
+## flag files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -160,37 +123,56 @@ interface(`quota_manage_flags',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an quota environment.
|
|
+## Transition to quota named content
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`quota_admin',`
|
|
+interface(`quota_filetrans_named_content',`
|
|
gen_require(`
|
|
- type quota_nld_t, quota_t, quota_db_t;
|
|
- type quota_nld_initrc_exec_t, quota_flag_t, quota_nld_var_run_t;
|
|
+ type quota_db_t;
|
|
')
|
|
|
|
- allow $1 { quota_nld_t quota_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { quota_nld_t quota_t })
|
|
-
|
|
- init_labeled_script_domtrans($1, quota_nld_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 quota_nld_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
+ files_root_filetrans($1, quota_db_t, file, "aquota.user")
|
|
+ files_root_filetrans($1, quota_db_t, file, "aquota.group")
|
|
+ files_boot_filetrans($1, quota_db_t, file, "aquota.user")
|
|
+ files_boot_filetrans($1, quota_db_t, file, "aquota.group")
|
|
+ files_etc_filetrans($1, quota_db_t, file, "aquota.user")
|
|
+ files_etc_filetrans($1, quota_db_t, file, "aquota.group")
|
|
+ files_tmp_filetrans($1, quota_db_t, file, "aquota.user")
|
|
+ files_tmp_filetrans($1, quota_db_t, file, "aquota.group")
|
|
+ files_home_filetrans($1, quota_db_t, file, "aquota.user")
|
|
+ files_home_filetrans($1, quota_db_t, file, "aquota.group")
|
|
+ files_usr_filetrans($1, quota_db_t, file, "aquota.user")
|
|
+ files_usr_filetrans($1, quota_db_t, file, "aquota.group")
|
|
+ files_var_filetrans($1, quota_db_t, file, "aquota.user")
|
|
+ files_var_filetrans($1, quota_db_t, file, "aquota.group")
|
|
+ files_spool_filetrans($1, quota_db_t, file, "aquota.user")
|
|
+ files_spool_filetrans($1, quota_db_t, file, "aquota.group")
|
|
+ mta_spool_filetrans($1, quota_db_t, file, "aquota.user")
|
|
+ mta_spool_filetrans($1, quota_db_t, file, "aquota.group")
|
|
+ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.user")
|
|
+ mta_spool_filetrans_queue($1, quota_db_t, file, "aquota.group")
|
|
+')
|
|
|
|
- files_list_all($1)
|
|
- admin_pattern($1, { quota_db_t quota_flag quota_nld_var_run_t })
|
|
+#######################################
|
|
+## <summary>
|
|
+## Transition to quota_nld.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`quota_domtrans_nld',`
|
|
+ gen_require(`
|
|
+ type quota_nld_t, quota_nld_exec_t;
|
|
+ ')
|
|
|
|
- quota_run($1, $2)
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, quota_nld_exec_t, quota_nld_t)
|
|
')
|
|
diff --git a/quota.te b/quota.te
|
|
index f47c8e8..a0251fe 100644
|
|
--- a/quota.te
|
|
+++ b/quota.te
|
|
@@ -5,12 +5,10 @@ policy_module(quota, 1.6.0)
|
|
# Declarations
|
|
#
|
|
|
|
-attribute_role quota_roles;
|
|
-
|
|
type quota_t;
|
|
type quota_exec_t;
|
|
-init_system_domain(quota_t, quota_exec_t)
|
|
-role quota_roles types quota_t;
|
|
+application_domain(quota_t, quota_exec_t)
|
|
+#init_system_domain(quota_t, quota_exec_t)
|
|
|
|
type quota_db_t;
|
|
files_type(quota_db_t)
|
|
@@ -22,9 +20,6 @@ type quota_nld_t;
|
|
type quota_nld_exec_t;
|
|
init_daemon_domain(quota_nld_t, quota_nld_exec_t)
|
|
|
|
-type quota_nld_initrc_exec_t;
|
|
-init_script_file(quota_nld_initrc_exec_t)
|
|
-
|
|
type quota_nld_var_run_t;
|
|
files_pid_file(quota_nld_var_run_t)
|
|
|
|
@@ -37,6 +32,7 @@ allow quota_t self:capability { sys_admin dac_override };
|
|
dontaudit quota_t self:capability sys_tty_config;
|
|
allow quota_t self:process signal_perms;
|
|
|
|
+# for /quota.*
|
|
allow quota_t quota_db_t:file { manage_file_perms quotaon };
|
|
files_root_filetrans(quota_t, quota_db_t, file)
|
|
files_boot_filetrans(quota_t, quota_db_t, file)
|
|
@@ -48,7 +44,6 @@ files_var_filetrans(quota_t, quota_db_t, file)
|
|
files_spool_filetrans(quota_t, quota_db_t, file)
|
|
userdom_user_home_dir_filetrans(quota_t, quota_db_t, file)
|
|
|
|
-kernel_request_load_module(quota_t)
|
|
kernel_list_proc(quota_t)
|
|
kernel_read_proc_symlinks(quota_t)
|
|
kernel_read_kernel_sysctls(quota_t)
|
|
@@ -58,14 +53,6 @@ dev_read_sysfs(quota_t)
|
|
dev_getattr_all_blk_files(quota_t)
|
|
dev_getattr_all_chr_files(quota_t)
|
|
|
|
-files_list_all(quota_t)
|
|
-files_read_all_files(quota_t)
|
|
-files_read_all_symlinks(quota_t)
|
|
-files_getattr_all_pipes(quota_t)
|
|
-files_getattr_all_sockets(quota_t)
|
|
-files_getattr_all_file_type_fs(quota_t)
|
|
-files_read_etc_runtime_files(quota_t)
|
|
-
|
|
fs_get_xattr_fs_quotas(quota_t)
|
|
fs_set_xattr_fs_quotas(quota_t)
|
|
fs_getattr_xattr_fs(quota_t)
|
|
@@ -80,17 +67,28 @@ term_dontaudit_use_console(quota_t)
|
|
|
|
domain_use_interactive_fds(quota_t)
|
|
|
|
+files_list_all(quota_t)
|
|
+files_read_all_files(quota_t)
|
|
+files_read_all_symlinks(quota_t)
|
|
+files_getattr_all_pipes(quota_t)
|
|
+files_getattr_all_sockets(quota_t)
|
|
+files_getattr_all_file_type_fs(quota_t)
|
|
+# Read /etc/mtab.
|
|
+files_read_etc_runtime_files(quota_t)
|
|
+
|
|
init_use_fds(quota_t)
|
|
init_use_script_ptys(quota_t)
|
|
|
|
logging_send_syslog_msg(quota_t)
|
|
|
|
-userdom_use_user_terminals(quota_t)
|
|
+mta_spool_filetrans(quota_t, quota_db_t, file)
|
|
+mta_spool_filetrans_queue(quota_t, quota_db_t, file)
|
|
+
|
|
+userdom_use_inherited_user_terminals(quota_t)
|
|
userdom_dontaudit_use_unpriv_user_fds(quota_t)
|
|
|
|
optional_policy(`
|
|
- mta_queue_filetrans(quota_t, quota_db_t, file)
|
|
- mta_spool_filetrans(quota_t, quota_db_t, file)
|
|
+ openshift_lib_filetrans(quota_t, quota_db_t, file)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -103,12 +101,12 @@ optional_policy(`
|
|
|
|
#######################################
|
|
#
|
|
-# Nld local policy
|
|
+# Local policy
|
|
#
|
|
|
|
allow quota_nld_t self:fifo_file rw_fifo_file_perms;
|
|
allow quota_nld_t self:netlink_socket create_socket_perms;
|
|
-allow quota_nld_t self:unix_stream_socket { accept listen };
|
|
+allow quota_nld_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
manage_files_pattern(quota_nld_t, quota_nld_var_run_t, quota_nld_var_run_t)
|
|
files_pid_filetrans(quota_nld_t, quota_nld_var_run_t, { file })
|
|
@@ -121,11 +119,9 @@ init_read_utmp(quota_nld_t)
|
|
|
|
logging_send_syslog_msg(quota_nld_t)
|
|
|
|
-miscfiles_read_localization(quota_nld_t)
|
|
-
|
|
userdom_use_user_terminals(quota_nld_t)
|
|
|
|
optional_policy(`
|
|
- dbus_system_bus_client(quota_nld_t)
|
|
- dbus_connect_system_bus(quota_nld_t)
|
|
+ dbus_system_bus_client(quota_nld_t)
|
|
+ dbus_connect_system_bus(quota_nld_t)
|
|
')
|
|
diff --git a/rabbitmq.fc b/rabbitmq.fc
|
|
index c5ad6de..a48c318 100644
|
|
--- a/rabbitmq.fc
|
|
+++ b/rabbitmq.fc
|
|
@@ -4,7 +4,11 @@
|
|
/usr/lib/erlang/erts.*/bin/epmd -- gen_context(system_u:object_r:rabbitmq_epmd_exec_t,s0)
|
|
|
|
/var/lib/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
|
|
+/var/lib/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_lib_t,s0)
|
|
+
|
|
+/var/lock/ejabberdctl(/.*)? gen_context(system_u:object_r:rabbitmq_var_lock_t,s0)
|
|
|
|
/var/log/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
|
|
+/var/log/ejabberd(/.*)? gen_context(system_u:object_r:rabbitmq_var_log_t,s0)
|
|
|
|
/var/run/rabbitmq(/.*)? gen_context(system_u:object_r:rabbitmq_var_run_t,s0)
|
|
diff --git a/rabbitmq.if b/rabbitmq.if
|
|
index 2c3d338..cf3e5ad 100644
|
|
--- a/rabbitmq.if
|
|
+++ b/rabbitmq.if
|
|
@@ -10,13 +10,13 @@
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`rabbitmq_domtrans',`
|
|
+interface(`rabbitmq_domtrans_beam',`
|
|
gen_require(`
|
|
- type rabbitmq_t, rabbitmq_exec_t;
|
|
+ type rabbitmq_beam_t, rabbitmq_beam_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
- domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
|
|
+ domtrans_pattern($1, rabbitmq_beam_exec_t, rabbitmq_beam_t)
|
|
')
|
|
|
|
########################################
|
|
diff --git a/rabbitmq.te b/rabbitmq.te
|
|
index dc3b0ed..750df0e 100644
|
|
--- a/rabbitmq.te
|
|
+++ b/rabbitmq.te
|
|
@@ -19,6 +19,9 @@ init_script_file(rabbitmq_initrc_exec_t)
|
|
type rabbitmq_var_lib_t;
|
|
files_type(rabbitmq_var_lib_t)
|
|
|
|
+type rabbitmq_var_lock_t;
|
|
+files_lock_file(rabbitmq_var_lock_t)
|
|
+
|
|
type rabbitmq_var_log_t;
|
|
logging_log_file(rabbitmq_var_log_t)
|
|
|
|
@@ -30,6 +33,8 @@ files_pid_file(rabbitmq_var_run_t)
|
|
# Beam local policy
|
|
#
|
|
|
|
+allow rabbitmq_beam_t self:capability setuid;
|
|
+
|
|
allow rabbitmq_beam_t self:process { setsched signal signull };
|
|
allow rabbitmq_beam_t self:fifo_file rw_fifo_file_perms;
|
|
allow rabbitmq_beam_t self:tcp_socket { accept listen };
|
|
@@ -38,13 +43,17 @@ manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
|
|
manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lib_t, rabbitmq_var_lib_t)
|
|
|
|
manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
|
|
-append_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
|
|
-create_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
|
|
-setattr_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
|
|
+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_log_t, rabbitmq_var_log_t)
|
|
+
|
|
+manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
|
|
+manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_lock_t, rabbitmq_var_lock_t)
|
|
+files_lock_filetrans(rabbitmq_beam_t, rabbitmq_var_lock_t, file)
|
|
|
|
manage_dirs_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
|
|
manage_files_pattern(rabbitmq_beam_t, rabbitmq_var_run_t, rabbitmq_var_run_t)
|
|
|
|
+ps_process_pattern(rabbitmq_beam_t, rabbitmq_epmd_t)
|
|
+
|
|
can_exec(rabbitmq_beam_t, rabbitmq_beam_exec_t)
|
|
|
|
domtrans_pattern(rabbitmq_beam_t, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
|
|
@@ -55,11 +64,14 @@ kernel_read_fs_sysctls(rabbitmq_beam_t)
|
|
corecmd_exec_bin(rabbitmq_beam_t)
|
|
corecmd_exec_shell(rabbitmq_beam_t)
|
|
|
|
+corenet_tcp_bind_generic_node(rabbitmq_beam_t)
|
|
+corenet_udp_bind_generic_node(rabbitmq_beam_t)
|
|
corenet_all_recvfrom_unlabeled(rabbitmq_beam_t)
|
|
corenet_all_recvfrom_netlabel(rabbitmq_beam_t)
|
|
corenet_tcp_sendrecv_generic_if(rabbitmq_beam_t)
|
|
corenet_tcp_sendrecv_generic_node(rabbitmq_beam_t)
|
|
corenet_tcp_bind_generic_node(rabbitmq_beam_t)
|
|
+corenet_tcp_connect_all_ephemeral_ports(rabbitmq_beam_t)
|
|
|
|
corenet_sendrecv_amqp_server_packets(rabbitmq_beam_t)
|
|
corenet_tcp_bind_amqp_port(rabbitmq_beam_t)
|
|
@@ -69,37 +81,50 @@ corenet_sendrecv_epmd_client_packets(rabbitmq_beam_t)
|
|
corenet_tcp_connect_epmd_port(rabbitmq_beam_t)
|
|
corenet_tcp_sendrecv_epmd_port(rabbitmq_beam_t)
|
|
|
|
-corenet_sendrecv_couchdb_server_packets(rabbitmq_beam_t)
|
|
corenet_tcp_bind_couchdb_port(rabbitmq_beam_t)
|
|
-corenet_tcp_sendrecv_couchdb_port(rabbitmq_beam_t)
|
|
|
|
-dev_read_sysfs(rabbitmq_beam_t)
|
|
-dev_read_urand(rabbitmq_beam_t)
|
|
+corenet_tcp_bind_jabber_client_port(rabbitmq_beam_t)
|
|
+corenet_tcp_bind_jabber_interserver_port(rabbitmq_beam_t)
|
|
+
|
|
+domain_read_all_domains_state(rabbitmq_beam_t)
|
|
+
|
|
+files_getattr_all_mountpoints(rabbitmq_beam_t)
|
|
|
|
fs_getattr_all_fs(rabbitmq_beam_t)
|
|
+fs_getattr_all_dirs(rabbitmq_beam_t)
|
|
+fs_getattr_cgroup(rabbitmq_beam_t)
|
|
fs_search_cgroup_dirs(rabbitmq_beam_t)
|
|
|
|
-files_read_etc_files(rabbitmq_beam_t)
|
|
+corenet_tcp_connect_couchdb_port(rabbitmq_beam_t)
|
|
+
|
|
+dev_read_sysfs(rabbitmq_beam_t)
|
|
+dev_read_urand(rabbitmq_beam_t)
|
|
|
|
storage_getattr_fixed_disk_dev(rabbitmq_beam_t)
|
|
|
|
-miscfiles_read_localization(rabbitmq_beam_t)
|
|
+auth_read_passwd(rabbitmq_beam_t)
|
|
+auth_use_pam(rabbitmq_beam_t)
|
|
|
|
sysnet_dns_name_resolve(rabbitmq_beam_t)
|
|
|
|
- optional_policy(`
|
|
- couchdb_manage_lib_files(rabbitmq_beam_t)
|
|
- couchdb_read_conf_files(rabbitmq_beam_t)
|
|
- couchdb_read_log_files(rabbitmq_beam_t)
|
|
- couchdb_read_pid_files(rabbitmq_beam_t)
|
|
- ')
|
|
+logging_send_syslog_msg(rabbitmq_beam_t)
|
|
+
|
|
+optional_policy(`
|
|
+ couchdb_manage_lib_files(rabbitmq_beam_t)
|
|
+ couchdb_read_conf_files(rabbitmq_beam_t)
|
|
+ couchdb_read_log_files(rabbitmq_beam_t)
|
|
+ couchdb_search_pid_dirs(rabbitmq_beam_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dbus_system_bus_client(rabbitmq_beam_t)
|
|
+')
|
|
|
|
########################################
|
|
#
|
|
# Epmd local policy
|
|
#
|
|
|
|
-
|
|
allow rabbitmq_epmd_t self:process signal;
|
|
allow rabbitmq_epmd_t self:fifo_file rw_fifo_file_perms;
|
|
allow rabbitmq_epmd_t self:tcp_socket create_stream_socket_perms;
|
|
@@ -117,8 +142,5 @@ corenet_sendrecv_epmd_server_packets(rabbitmq_epmd_t)
|
|
corenet_tcp_bind_epmd_port(rabbitmq_epmd_t)
|
|
corenet_tcp_sendrecv_epmd_port(rabbitmq_epmd_t)
|
|
|
|
-files_read_etc_files(rabbitmq_epmd_t)
|
|
-
|
|
logging_send_syslog_msg(rabbitmq_epmd_t)
|
|
|
|
-miscfiles_read_localization(rabbitmq_epmd_t)
|
|
diff --git a/radius.fc b/radius.fc
|
|
index d447e85..008ee02 100644
|
|
--- a/radius.fc
|
|
+++ b/radius.fc
|
|
@@ -9,6 +9,8 @@
|
|
/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
|
|
/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/radiusd.* -- gen_context(system_u:object_r:radiusd_unit_file_t,s0)
|
|
+
|
|
/var/lib/radiousd(/.*)? gen_context(system_u:object_r:radiusd_var_lib_t,s0)
|
|
|
|
/var/log/freeradius(/.*)? gen_context(system_u:object_r:radiusd_log_t,s0)
|
|
diff --git a/radius.if b/radius.if
|
|
index 4460582..60cf556 100644
|
|
--- a/radius.if
|
|
+++ b/radius.if
|
|
@@ -14,6 +14,29 @@ interface(`radius_use',`
|
|
refpolicywarn(`$0($*) has been deprecated.')
|
|
')
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute radiusd server in the radiusd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`radiusd_systemctl',`
|
|
+ gen_require(`
|
|
+ type radiusd_unit_file_t;
|
|
+ type radiusd_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 radiusd_unit_file_t:file read_file_perms;
|
|
+ allow $1 radiusd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, radiusd_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to
|
|
@@ -35,11 +58,14 @@ interface(`radius_admin',`
|
|
gen_require(`
|
|
type radiusd_t, radiusd_etc_t, radiusd_log_t;
|
|
type radiusd_etc_rw_t, radiusd_var_lib_t, radiusd_var_run_t;
|
|
- type radiusd_initrc_exec_t;
|
|
+ type radiusd_initrc_exec_t, radiusd_unit_file_t;
|
|
')
|
|
|
|
- allow $1 radiusd_t:process { ptrace signal_perms };
|
|
+ allow $1 radiusd_t:process signal_perms;
|
|
ps_process_pattern($1, radiusd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 radiusd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, radiusd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
@@ -57,4 +83,9 @@ interface(`radius_admin',`
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, radiusd_var_run_t)
|
|
+
|
|
+ admin_pattern($1, radiusd_unit_file_t)
|
|
+ bind_systemctl($1)
|
|
+ allow $1 radiusd_unit_file_t:service all_service_perms;
|
|
+
|
|
')
|
|
diff --git a/radius.te b/radius.te
|
|
index 403a4fe..0ae6dc6 100644
|
|
--- a/radius.te
|
|
+++ b/radius.te
|
|
@@ -27,6 +27,9 @@ files_type(radiusd_var_lib_t)
|
|
type radiusd_var_run_t;
|
|
files_pid_file(radiusd_var_run_t)
|
|
|
|
+type radiusd_unit_file_t;
|
|
+systemd_unit_file(radiusd_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -60,11 +63,11 @@ manage_sock_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
|
|
manage_dirs_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
|
|
manage_files_pattern(radiusd_t, radiusd_var_run_t, radiusd_var_run_t)
|
|
files_pid_filetrans(radiusd_t, radiusd_var_run_t, { file sock_file dir })
|
|
+files_dontaudit_list_tmp(radiusd_t)
|
|
|
|
kernel_read_kernel_sysctls(radiusd_t)
|
|
kernel_read_system_state(radiusd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(radiusd_t)
|
|
corenet_all_recvfrom_netlabel(radiusd_t)
|
|
corenet_tcp_sendrecv_generic_if(radiusd_t)
|
|
corenet_udp_sendrecv_generic_if(radiusd_t)
|
|
@@ -74,6 +77,8 @@ corenet_tcp_sendrecv_all_ports(radiusd_t)
|
|
corenet_udp_sendrecv_all_ports(radiusd_t)
|
|
corenet_udp_bind_generic_node(radiusd_t)
|
|
|
|
+corenet_tcp_connect_postgresql_port(radiusd_t)
|
|
+
|
|
corenet_sendrecv_radacct_server_packets(radiusd_t)
|
|
corenet_udp_bind_radacct_port(radiusd_t)
|
|
|
|
@@ -97,7 +102,6 @@ domain_use_interactive_fds(radiusd_t)
|
|
fs_getattr_all_fs(radiusd_t)
|
|
fs_search_auto_mountpoints(radiusd_t)
|
|
|
|
-files_read_usr_files(radiusd_t)
|
|
files_read_etc_runtime_files(radiusd_t)
|
|
files_dontaudit_list_tmp(radiusd_t)
|
|
|
|
@@ -109,7 +113,6 @@ libs_exec_lib_files(radiusd_t)
|
|
|
|
logging_send_syslog_msg(radiusd_t)
|
|
|
|
-miscfiles_read_localization(radiusd_t)
|
|
miscfiles_read_generic_certs(radiusd_t)
|
|
|
|
sysnet_use_ldap(radiusd_t)
|
|
@@ -122,6 +125,11 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ kerberos_tmp_filetrans_host_rcache(radiusd_t, "host_0")
|
|
+ kerberos_manage_host_rcache(radiusd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
logrotate_exec(radiusd_t)
|
|
')
|
|
|
|
diff --git a/radvd.if b/radvd.if
|
|
index ac7058d..48739ac 100644
|
|
--- a/radvd.if
|
|
+++ b/radvd.if
|
|
@@ -1,5 +1,24 @@
|
|
## <summary>IPv6 router advertisement daemon.</summary>
|
|
|
|
+######################################
|
|
+## <summary>
|
|
+## Read radvd PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`radvd_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type radvd_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ read_files_pattern($1, radvd_var_run_t, radvd_var_run_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to
|
|
@@ -23,8 +42,11 @@ interface(`radvd_admin',`
|
|
type radvd_var_run_t;
|
|
')
|
|
|
|
- allow $1 radvd_t:process { ptrace signal_perms };
|
|
+ allow $1 radvd_t:process signal_perms;
|
|
ps_process_pattern($1, radvd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 radvd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, radvd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff --git a/radvd.te b/radvd.te
|
|
index 6d162e4..889c0ed 100644
|
|
--- a/radvd.te
|
|
+++ b/radvd.te
|
|
@@ -65,8 +65,6 @@ auth_use_nsswitch(radvd_t)
|
|
|
|
logging_send_syslog_msg(radvd_t)
|
|
|
|
-miscfiles_read_localization(radvd_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(radvd_t)
|
|
userdom_dontaudit_search_user_home_dirs(radvd_t)
|
|
|
|
diff --git a/raid.fc b/raid.fc
|
|
index 5806046..5578653 100644
|
|
--- a/raid.fc
|
|
+++ b/raid.fc
|
|
@@ -3,6 +3,9 @@
|
|
|
|
/etc/rc\.d/init\.d/mdmonitor -- gen_context(system_u:object_r:mdadm_initrc_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/mdmon@.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/mdmonitor.* -- gen_context(system_u:object_r:mdadm_unit_file_t,s0)
|
|
+
|
|
/sbin/iprdump -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
|
/sbin/iprinit -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
|
/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
|
@@ -16,6 +19,7 @@
|
|
/usr/sbin/iprupdate -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
|
/usr/sbin/mdadm -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
|
/usr/sbin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
|
+/usr/sbin/mdmon -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
|
/usr/sbin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
|
|
|
|
/var/run/mdadm(/.*)? gen_context(system_u:object_r:mdadm_var_run_t,s0)
|
|
diff --git a/raid.if b/raid.if
|
|
index 951db7f..98a0758 100644
|
|
--- a/raid.if
|
|
+++ b/raid.if
|
|
@@ -1,9 +1,8 @@
|
|
-## <summary>RAID array management tools.</summary>
|
|
+## <summary>RAID array management tools</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute software raid tools in
|
|
-## the mdadm domain.
|
|
+## Execute software raid tools in the mdadm domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -22,34 +21,56 @@ interface(`raid_domtrans_mdadm',`
|
|
|
|
######################################
|
|
## <summary>
|
|
-## Execute mdadm in the mdadm
|
|
-## domain, and allow the specified
|
|
-## role the mdadm domain.
|
|
+## Execute a domain transition to mdadm_t for the
|
|
+## specified role, allowing it to use the mdadm_t
|
|
+## domain
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Role allowed to access mdadm_t domain
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Domain allowed to transition to mdadm_t
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`raid_run_mdadm',`
|
|
gen_require(`
|
|
- attribute_role mdadm_roles;
|
|
+ type mdadm_t;
|
|
')
|
|
|
|
+ role $1 types mdadm_t;
|
|
raid_domtrans_mdadm($2)
|
|
- roleattribute $1 mdadm_roles;
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Execute mdadm server in the mdadm domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`mdadm_systemctl',`
|
|
+ gen_require(`
|
|
+ type mdadm_t;
|
|
+ type mdadm_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 mdadm_unit_file_t:file read_file_perms;
|
|
+ allow $1 mdadm_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, mdadm_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## mdadm pid files.
|
|
+## read the mdadm pid files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -57,47 +78,94 @@ interface(`raid_run_mdadm',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`raid_manage_mdadm_pid',`
|
|
+interface(`raid_read_mdadm_pid',`
|
|
gen_require(`
|
|
type mdadm_var_run_t;
|
|
')
|
|
|
|
- files_search_pids($1)
|
|
- allow $1 mdadm_var_run_t:file manage_file_perms;
|
|
+ read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an mdadm environment.
|
|
+## Create, read, write, and delete the mdadm pid files.
|
|
## </summary>
|
|
+## <desc>
|
|
+## <p>
|
|
+## Create, read, write, and delete the mdadm pid files.
|
|
+## </p>
|
|
+## <p>
|
|
+## Added for use in the init module.
|
|
+## </p>
|
|
+## </desc>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+#
|
|
+interface(`raid_manage_mdadm_pid',`
|
|
+ gen_require(`
|
|
+ type mdadm_var_run_t;
|
|
+ ')
|
|
+
|
|
+ # FIXME: maybe should have a type_transition. not
|
|
+ # clear what this is doing, from the original
|
|
+ # mdadm policy
|
|
+ allow $1 mdadm_var_run_t:file manage_file_perms;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Check access to the mdadm executable.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`raid_access_check_mdadm',`
|
|
+ gen_require(`
|
|
+ type mdadm_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ allow $1 mdadm_exec_t:file { getattr_file_perms execute };
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage mdadm config files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`raid_admin_mdadm',`
|
|
+interface(`raid_manage_conf_files',`
|
|
gen_require(`
|
|
- type mdadm_t, mdadm_initrc_exec_t, mdadm_var_run_t;
|
|
+ type mdadm_conf_t;
|
|
')
|
|
|
|
- allow $1 mdadm_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, mdadm_t)
|
|
-
|
|
- init_labeled_script_domtrans($1, mdadm_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 mdadm_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
+ manage_files_pattern($1, mdadm_conf_t, mdadm_conf_t)
|
|
+')
|
|
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, mdadm_var_run_t)
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to mdadm named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`raid_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type mdadm_conf_t;
|
|
+ ')
|
|
|
|
- raid_run_mdadm($2, $1)
|
|
+ files_etc_filetrans($1, mdadm_conf_t, file, "mdadm.conf")
|
|
')
|
|
diff --git a/raid.te b/raid.te
|
|
index c99753f..5e27523 100644
|
|
--- a/raid.te
|
|
+++ b/raid.te
|
|
@@ -15,6 +15,15 @@ role mdadm_roles types mdadm_t;
|
|
type mdadm_initrc_exec_t;
|
|
init_script_file(mdadm_initrc_exec_t)
|
|
|
|
+type mdadm_conf_t;
|
|
+files_config_file(mdadm_conf_t)
|
|
+
|
|
+type mdadm_unit_file_t;
|
|
+systemd_unit_file(mdadm_unit_file_t)
|
|
+
|
|
+type mdadm_tmp_t;
|
|
+files_tmpfs_file(mdadm_tmp_t)
|
|
+
|
|
type mdadm_var_run_t alias mdadm_map_t;
|
|
files_pid_file(mdadm_var_run_t)
|
|
dev_associate(mdadm_var_run_t)
|
|
@@ -25,23 +34,34 @@ dev_associate(mdadm_var_run_t)
|
|
#
|
|
|
|
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
|
|
-dontaudit mdadm_t self:capability sys_tty_config;
|
|
-allow mdadm_t self:process { getsched setsched signal_perms };
|
|
+dontaudit mdadm_t self:capability { sys_tty_config sys_ptrace };
|
|
+allow mdadm_t self:process { getsched setsched sigchld sigkill sigstop signull signal };
|
|
allow mdadm_t self:fifo_file rw_fifo_file_perms;
|
|
allow mdadm_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
+allow mdadm_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
+
|
|
+manage_files_pattern(mdadm_t, mdadm_conf_t, mdadm_conf_t)
|
|
+files_etc_filetrans(mdadm_t, mdadm_conf_t, file, "mdadm.conf")
|
|
+
|
|
+manage_files_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
|
|
+manage_dirs_pattern(mdadm_t, mdadm_tmp_t, mdadm_tmp_t)
|
|
+files_tmp_filetrans(mdadm_t, mdadm_tmp_t, file)
|
|
|
|
manage_dirs_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
|
|
manage_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
|
|
manage_lnk_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
|
|
manage_sock_files_pattern(mdadm_t, mdadm_var_run_t, mdadm_var_run_t)
|
|
-dev_filetrans(mdadm_t, mdadm_var_run_t, file)
|
|
-files_pid_filetrans(mdadm_t, mdadm_var_run_t, { dir file })
|
|
+files_pid_filetrans(mdadm_t, mdadm_var_run_t, { file dir })
|
|
+dev_filetrans(mdadm_t, mdadm_var_run_t, { file dir sock_file })
|
|
+
|
|
+can_exec(mdadm_t, mdadm_exec_t)
|
|
|
|
kernel_getattr_core_if(mdadm_t)
|
|
kernel_read_system_state(mdadm_t)
|
|
kernel_read_kernel_sysctls(mdadm_t)
|
|
kernel_request_load_module(mdadm_t)
|
|
kernel_rw_software_raid_state(mdadm_t)
|
|
+kernel_setsched(mdadm_t)
|
|
|
|
corecmd_exec_bin(mdadm_t)
|
|
corecmd_exec_shell(mdadm_t)
|
|
@@ -49,20 +69,29 @@ corecmd_exec_shell(mdadm_t)
|
|
dev_rw_sysfs(mdadm_t)
|
|
dev_dontaudit_getattr_all_blk_files(mdadm_t)
|
|
dev_dontaudit_getattr_all_chr_files(mdadm_t)
|
|
+dev_read_crash(mdadm_t)
|
|
+dev_read_framebuffer(mdadm_t)
|
|
dev_read_realtime_clock(mdadm_t)
|
|
dev_read_raw_memory(mdadm_t)
|
|
-
|
|
+dev_read_kvm(mdadm_t)
|
|
+dev_read_mei(mdadm_t)
|
|
+dev_read_nvram(mdadm_t)
|
|
+dev_read_generic_files(mdadm_t)
|
|
+dev_read_generic_usb_dev(mdadm_t)
|
|
+dev_read_urand(mdadm_t)
|
|
+
|
|
+domain_read_all_domains_state(mdadm_t)
|
|
domain_use_interactive_fds(mdadm_t)
|
|
|
|
-files_read_etc_files(mdadm_t)
|
|
files_read_etc_runtime_files(mdadm_t)
|
|
-files_dontaudit_getattr_all_files(mdadm_t)
|
|
+files_dontaudit_getattr_tmpfs_files(mdadm_t)
|
|
|
|
fs_getattr_all_fs(mdadm_t)
|
|
fs_list_auto_mountpoints(mdadm_t)
|
|
fs_list_hugetlbfs(mdadm_t)
|
|
fs_rw_cgroup_files(mdadm_t)
|
|
fs_dontaudit_list_tmpfs(mdadm_t)
|
|
+fs_manage_cgroup_files(mdadm_t)
|
|
|
|
mls_file_read_all_levels(mdadm_t)
|
|
mls_file_write_all_levels(mdadm_t)
|
|
@@ -71,15 +100,20 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
|
|
storage_manage_fixed_disk(mdadm_t)
|
|
storage_read_scsi_generic(mdadm_t)
|
|
storage_write_scsi_generic(mdadm_t)
|
|
+storage_raw_read_removable_device(mdadm_t)
|
|
|
|
term_dontaudit_list_ptys(mdadm_t)
|
|
term_dontaudit_use_unallocated_ttys(mdadm_t)
|
|
|
|
+auth_use_nsswitch(mdadm_t)
|
|
+
|
|
init_dontaudit_getattr_initctl(mdadm_t)
|
|
|
|
+logging_dontaudit_getattr_all_logs(mdadm_t)
|
|
logging_send_syslog_msg(mdadm_t)
|
|
|
|
-miscfiles_read_localization(mdadm_t)
|
|
+systemd_exec_systemctl(mdadm_t)
|
|
+systemd_start_systemd_services(mdadm_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
|
|
userdom_dontaudit_search_user_home_content(mdadm_t)
|
|
@@ -94,13 +128,30 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ kdump_manage_kdumpctl_tmp_files(mdadm_t)
|
|
+ kdump_rw_lock(mdadm_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
mta_send_mail(mdadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ mdadm_systemctl(mdadm_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
seutil_sigchld_newrole(mdadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(mdadm_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ virt_read_blk_images(mdadm_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ xserver_dontaudit_search_log(mdadm_t)
|
|
+')
|
|
diff --git a/razor.fc b/razor.fc
|
|
index 6723f4d..6e26673 100644
|
|
--- a/razor.fc
|
|
+++ b/razor.fc
|
|
@@ -1,9 +1,9 @@
|
|
-HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
|
|
+#/root/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
|
|
+#HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:razor_home_t,s0)
|
|
|
|
-/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
|
|
+#/etc/razor(/.*)? gen_context(system_u:object_r:razor_etc_t,s0)
|
|
|
|
-/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
|
|
+#/usr/bin/razor.* -- gen_context(system_u:object_r:razor_exec_t,s0)
|
|
|
|
-/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
|
|
-
|
|
-/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0)
|
|
+#/var/lib/razor(/.*)? gen_context(system_u:object_r:razor_var_lib_t,s0)
|
|
+#/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:razor_log_t,s0)
|
|
diff --git a/razor.if b/razor.if
|
|
index 1e4b523..fee3b7c 100644
|
|
--- a/razor.if
|
|
+++ b/razor.if
|
|
@@ -1,72 +1,147 @@
|
|
## <summary>A distributed, collaborative, spam detection and filtering network.</summary>
|
|
+## <desc>
|
|
+## <p>
|
|
+## A distributed, collaborative, spam detection and filtering network.
|
|
+## </p>
|
|
+## <p>
|
|
+## This policy will work with either the ATrpms provided config
|
|
+## file in /etc/razor, or with the default of dumping everything into
|
|
+## $HOME/.razor.
|
|
+## </p>
|
|
+## </desc>
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## The template to define a razor domain.
|
|
+## Template to create types and rules common to
|
|
+## all razor domains.
|
|
## </summary>
|
|
-## <param name="domain_prefix">
|
|
+## <param name="prefix">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## The prefix of the domain (e.g., user
|
|
+## is the prefix for user_t).
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`razor_common_domain_template',`
|
|
gen_require(`
|
|
- attribute razor_domain;
|
|
- type razor_exec_t;
|
|
+ type razor_exec_t, razor_etc_t, razor_log_t, razor_var_lib_t;
|
|
')
|
|
|
|
- ########################################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
-
|
|
- type $1_t, razor_domain;
|
|
+ type $1_t;
|
|
domain_type($1_t)
|
|
domain_entry_file($1_t, razor_exec_t)
|
|
|
|
- ########################################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
-
|
|
- auth_use_nsswitch($1_t)
|
|
+ allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
+ allow $1_t self:fd use;
|
|
+ allow $1_t self:fifo_file rw_fifo_file_perms;
|
|
+ allow $1_t self:unix_dgram_socket create_socket_perms;
|
|
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
|
|
+ allow $1_t self:unix_dgram_socket sendto;
|
|
+ allow $1_t self:unix_stream_socket connectto;
|
|
+ allow $1_t self:shm create_shm_perms;
|
|
+ allow $1_t self:sem create_sem_perms;
|
|
+ allow $1_t self:msgq create_msgq_perms;
|
|
+ allow $1_t self:msg { send receive };
|
|
+ allow $1_t self:tcp_socket create_socket_perms;
|
|
+
|
|
+ # Read system config file
|
|
+ allow $1_t razor_etc_t:dir list_dir_perms;
|
|
+ allow $1_t razor_etc_t:file read_file_perms;
|
|
+ allow $1_t razor_etc_t:lnk_file read_lnk_file_perms;
|
|
+
|
|
+ manage_dirs_pattern($1_t, razor_log_t, razor_log_t)
|
|
+ manage_files_pattern($1_t, razor_log_t, razor_log_t)
|
|
+ manage_lnk_files_pattern($1_t, razor_log_t, razor_log_t)
|
|
+ logging_log_filetrans($1_t, razor_log_t, file)
|
|
+
|
|
+ manage_dirs_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
|
|
+ manage_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
|
|
+ manage_lnk_files_pattern($1_t, razor_var_lib_t, razor_var_lib_t)
|
|
+ files_search_var_lib($1_t)
|
|
+
|
|
+ # Razor is one executable and several symlinks
|
|
+ allow $1_t razor_exec_t:file read_file_perms;
|
|
+ allow $1_t razor_exec_t:lnk_file read_lnk_file_perms;
|
|
+
|
|
+ kernel_read_system_state($1_t)
|
|
+ kernel_read_network_state($1_t)
|
|
+ kernel_read_software_raid_state($1_t)
|
|
+ kernel_getattr_core_if($1_t)
|
|
+ kernel_getattr_message_if($1_t)
|
|
+ kernel_read_kernel_sysctls($1_t)
|
|
+
|
|
+ corecmd_exec_bin($1_t)
|
|
+
|
|
+ corenet_all_recvfrom_unlabeled($1_t)
|
|
+ corenet_all_recvfrom_netlabel($1_t)
|
|
+ corenet_tcp_sendrecv_generic_if($1_t)
|
|
+ corenet_raw_sendrecv_generic_if($1_t)
|
|
+ corenet_tcp_sendrecv_generic_node($1_t)
|
|
+ corenet_raw_sendrecv_generic_node($1_t)
|
|
+ corenet_tcp_sendrecv_razor_port($1_t)
|
|
+
|
|
+ # mktemp and other randoms
|
|
+ dev_read_rand($1_t)
|
|
+ dev_read_urand($1_t)
|
|
+
|
|
+ files_search_pids($1_t)
|
|
+ # Allow access to various files in the /etc/directory including mtab
|
|
+ # and nsswitch
|
|
+ files_read_etc_files($1_t)
|
|
+ files_read_etc_runtime_files($1_t)
|
|
+
|
|
+ fs_search_auto_mountpoints($1_t)
|
|
+
|
|
+ libs_read_lib_files($1_t)
|
|
+
|
|
+
|
|
+ sysnet_read_config($1_t)
|
|
+ sysnet_dns_name_resolve($1_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ nis_use_ypbind($1_t)
|
|
+ ')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Role access for razor.
|
|
+## Role access for razor
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## User domain for the role.
|
|
+## User domain for the role
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
interface(`razor_role',`
|
|
gen_require(`
|
|
- attribute_role razor_roles;
|
|
type razor_t, razor_exec_t, razor_home_t;
|
|
- type razor_tmp_t;
|
|
')
|
|
|
|
- roleattribute $1 razor_roles;
|
|
+ role $1 types razor_t;
|
|
|
|
+ # Transition from the user domain to the derived domain.
|
|
domtrans_pattern($2, razor_exec_t, razor_t)
|
|
|
|
+ # allow ps to show razor and allow the user to kill it
|
|
ps_process_pattern($2, razor_t)
|
|
- allow $2 razor_t:process signal;
|
|
-
|
|
- allow $2 { razor_home_t razor_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 { razor_home_t razor_tmp_t }:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 razor_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
+ allow $2 razor_t:process signal_perms;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 razor_t:process ptrace;
|
|
+ ')
|
|
|
|
- userdom_user_home_dir_filetrans($2, razor_home_t, dir, ".razor")
|
|
+ manage_dirs_pattern($2, razor_home_t, razor_home_t)
|
|
+ manage_files_pattern($2, razor_home_t, razor_home_t)
|
|
+ manage_lnk_files_pattern($2, razor_home_t, razor_home_t)
|
|
+ relabel_dirs_pattern($2, razor_home_t, razor_home_t)
|
|
+ relabel_files_pattern($2, razor_home_t, razor_home_t)
|
|
+ relabel_lnk_files_pattern($2, razor_home_t, razor_home_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -81,17 +156,16 @@ interface(`razor_role',`
|
|
#
|
|
interface(`razor_domtrans',`
|
|
gen_require(`
|
|
- type system_razor_t, razor_exec_t;
|
|
+ type razor_t, razor_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
- domtrans_pattern($1, razor_exec_t, system_razor_t)
|
|
+ domtrans_pattern($1, razor_exec_t, razor_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## razor home content.
|
|
+## Create, read, write, and delete razor files
|
|
+## in a user home subdirectory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -99,20 +173,19 @@ interface(`razor_domtrans',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`razor_manage_home_content',`
|
|
+interface(`razor_manage_user_home_files',`
|
|
gen_require(`
|
|
type razor_home_t;
|
|
')
|
|
|
|
userdom_search_user_home_dirs($1)
|
|
- allow $1 razor_home_t:dir manage_dir_perms;
|
|
- allow $1 razor_home_t:file manage_file_perms;
|
|
- allow $1 razor_home_t:lnk_file manage_lnk_file_perms;
|
|
+ manage_files_pattern($1, razor_home_t, razor_home_t)
|
|
+ read_lnk_files_pattern($1, razor_home_t, razor_home_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read razor lib files.
|
|
+## read razor lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
diff --git a/razor.te b/razor.te
|
|
index 68455f9..38f6968 100644
|
|
--- a/razor.te
|
|
+++ b/razor.te
|
|
@@ -5,135 +5,124 @@ policy_module(razor, 2.4.0)
|
|
# Declarations
|
|
#
|
|
|
|
-attribute razor_domain;
|
|
+ifdef(`distro_redhat',`
|
|
+ gen_require(`
|
|
+ type spamc_t, spamc_exec_t, spamd_log_t;
|
|
+ type spamd_spool_t, spamd_var_lib_t, spamd_etc_t;
|
|
+ type spamc_home_t, spamc_tmp_t;
|
|
+ ')
|
|
+
|
|
+ typealias spamc_t alias razor_t;
|
|
+ typealias spamc_exec_t alias razor_exec_t;
|
|
+ typealias spamd_log_t alias razor_log_t;
|
|
+ typealias spamd_var_lib_t alias razor_var_lib_t;
|
|
+ typealias spamd_etc_t alias razor_etc_t;
|
|
+ typealias spamc_home_t alias razor_home_t;
|
|
+ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
|
|
+ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
|
|
+ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
|
|
+ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
|
|
+',`
|
|
+ type razor_exec_t;
|
|
+ corecmd_executable_file(razor_exec_t)
|
|
+
|
|
+ type razor_etc_t;
|
|
+ files_config_file(razor_etc_t)
|
|
+
|
|
+ type razor_home_t;
|
|
+ typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
|
|
+ typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
|
|
+ userdom_user_home_content(razor_home_t)
|
|
+
|
|
+ type razor_log_t;
|
|
+ logging_log_file(razor_log_t)
|
|
+
|
|
+ type razor_tmp_t;
|
|
+ typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
|
|
+ typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
|
|
+ files_tmp_file(razor_tmp_t)
|
|
+ ubac_constrained(razor_tmp_t)
|
|
+
|
|
+ type razor_var_lib_t;
|
|
+ files_type(razor_var_lib_t)
|
|
+
|
|
+ # these are here due to ordering issues:
|
|
+ razor_common_domain_template(razor)
|
|
+ typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
|
|
+ typealias razor_t alias { auditadm_razor_t secadm_razor_t };
|
|
+ ubac_constrained(razor_t)
|
|
+
|
|
+ razor_common_domain_template(system_razor)
|
|
+ role system_r types system_razor_t;
|
|
+
|
|
+ ########################################
|
|
+ #
|
|
+ # System razor local policy
|
|
+ #
|
|
+
|
|
+ # this version of razor is invoked typically
|
|
+ # via the system spam filter
|
|
+
|
|
+ allow system_razor_t self:tcp_socket create_socket_perms;
|
|
+
|
|
+ manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
|
|
+ manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
|
|
+ manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
|
|
+ files_search_etc(system_razor_t)
|
|
+
|
|
+ allow system_razor_t razor_log_t:file manage_file_perms;
|
|
+ logging_log_filetrans(system_razor_t, razor_log_t, file)
|
|
+
|
|
+ manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
|
|
+ files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
|
|
+
|
|
+ corenet_all_recvfrom_netlabel(system_razor_t)
|
|
+ corenet_tcp_sendrecv_generic_if(system_razor_t)
|
|
+ corenet_raw_sendrecv_generic_if(system_razor_t)
|
|
+ corenet_tcp_sendrecv_generic_node(system_razor_t)
|
|
+ corenet_raw_sendrecv_generic_node(system_razor_t)
|
|
+ corenet_tcp_sendrecv_razor_port(system_razor_t)
|
|
+ corenet_tcp_connect_razor_port(system_razor_t)
|
|
+ corenet_sendrecv_razor_client_packets(system_razor_t)
|
|
+
|
|
+ auth_use_nsswitch(system_razor_t)
|
|
+
|
|
+ # cjp: this shouldn't be needed
|
|
+ userdom_use_unpriv_users_fds(system_razor_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ logging_send_syslog_msg(system_razor_t)
|
|
+ ')
|
|
+
|
|
+ ########################################
|
|
+ #
|
|
+ # User razor local policy
|
|
+ #
|
|
+
|
|
+ # Allow razor to be run by hand. Needed by any action other than
|
|
+ # invocation from a spam filter.
|
|
+
|
|
+ allow razor_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+ manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
|
|
+ manage_files_pattern(razor_t, razor_home_t, razor_home_t)
|
|
+ manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
|
|
+ userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir)
|
|
+
|
|
+ manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
|
|
+ manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
|
|
+ files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
|
|
+
|
|
+ auth_use_nsswitch(razor_t)
|
|
|
|
-attribute_role razor_roles;
|
|
+ logging_send_syslog_msg(razor_t)
|
|
|
|
-type razor_exec_t;
|
|
-corecmd_executable_file(razor_exec_t)
|
|
+ userdom_search_user_home_dirs(razor_t)
|
|
+ userdom_use_inherited_user_terminals(razor_t)
|
|
|
|
-type razor_etc_t;
|
|
-files_config_file(razor_etc_t)
|
|
+ userdom_home_manager(razor_t)
|
|
|
|
-type razor_home_t;
|
|
-typealias razor_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
|
|
-typealias razor_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
|
|
-userdom_user_home_content(razor_home_t)
|
|
-
|
|
-type razor_log_t;
|
|
-logging_log_file(razor_log_t)
|
|
-
|
|
-type razor_tmp_t;
|
|
-typealias razor_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
|
|
-typealias razor_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
|
|
-userdom_user_tmp_file(razor_tmp_t)
|
|
-
|
|
-type razor_var_lib_t;
|
|
-files_type(razor_var_lib_t)
|
|
-
|
|
-razor_common_domain_template(razor)
|
|
-typealias razor_t alias { user_razor_t staff_razor_t sysadm_razor_t };
|
|
-typealias razor_t alias { auditadm_razor_t secadm_razor_t };
|
|
-userdom_user_application_type(razor_t)
|
|
-role razor_roles types razor_t;
|
|
-
|
|
-razor_common_domain_template(system_razor)
|
|
-role system_r types system_razor_t;
|
|
-
|
|
-########################################
|
|
-#
|
|
-# Common razor domain local policy
|
|
-#
|
|
-
|
|
-allow razor_domain self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
-allow razor_domain self:fd use;
|
|
-allow razor_domain self:fifo_file rw_fifo_file_perms;
|
|
-allow razor_domain self:unix_dgram_socket sendto;
|
|
-allow razor_domain self:unix_stream_socket { accept connectto listen };
|
|
-
|
|
-allow razor_domain razor_etc_t:dir list_dir_perms;
|
|
-allow razor_domain razor_etc_t:file read_file_perms;
|
|
-allow razor_domain razor_etc_t:lnk_file read_lnk_file_perms;
|
|
-
|
|
-allow razor_domain razor_exec_t:file read_file_perms;
|
|
-allow razor_domain razor_exec_t:lnk_file read_lnk_file_perms;
|
|
-
|
|
-kernel_read_system_state(razor_domain)
|
|
-kernel_read_network_state(razor_domain)
|
|
-kernel_read_software_raid_state(razor_domain)
|
|
-kernel_getattr_core_if(razor_domain)
|
|
-kernel_getattr_message_if(razor_domain)
|
|
-kernel_read_kernel_sysctls(razor_domain)
|
|
-
|
|
-corecmd_exec_bin(razor_domain)
|
|
-
|
|
-corenet_all_recvfrom_unlabeled(razor_domain)
|
|
-corenet_all_recvfrom_netlabel(razor_domain)
|
|
-corenet_tcp_sendrecv_generic_if(razor_domain)
|
|
-corenet_tcp_sendrecv_generic_node(razor_domain)
|
|
-
|
|
-corenet_tcp_sendrecv_razor_port(razor_domain)
|
|
-corenet_tcp_connect_razor_port(razor_domain)
|
|
-corenet_sendrecv_razor_client_packets(razor_domain)
|
|
-
|
|
-dev_read_rand(razor_domain)
|
|
-dev_read_urand(razor_domain)
|
|
-
|
|
-files_read_etc_runtime_files(razor_domain)
|
|
-
|
|
-libs_read_lib_files(razor_domain)
|
|
-
|
|
-miscfiles_read_localization(razor_domain)
|
|
-
|
|
-########################################
|
|
-#
|
|
-# System local policy
|
|
-#
|
|
-
|
|
-manage_dirs_pattern(system_razor_t, razor_etc_t, razor_etc_t)
|
|
-manage_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
|
|
-manage_lnk_files_pattern(system_razor_t, razor_etc_t, razor_etc_t)
|
|
-
|
|
-manage_dirs_pattern(system_razor_t, razor_log_t, razor_log_t)
|
|
-append_files_pattern(system_razor_t, razor_log_t, razor_log_t)
|
|
-create_files_pattern(system_razor_t, razor_log_t, razor_log_t)
|
|
-setattr_files_pattern(system_razor_t, razor_log_t, razor_log_t)
|
|
-manage_lnk_files_pattern(system_razor_t, razor_log_t, razor_log_t)
|
|
-logging_log_filetrans(system_razor_t, razor_log_t, file)
|
|
-
|
|
-manage_dirs_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
|
|
-manage_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
|
|
-manage_lnk_files_pattern(system_razor_t, razor_var_lib_t, razor_var_lib_t)
|
|
-files_var_lib_filetrans(system_razor_t, razor_var_lib_t, file)
|
|
-
|
|
-########################################
|
|
-#
|
|
-# Session local policy
|
|
-#
|
|
-
|
|
-manage_dirs_pattern(razor_t, razor_home_t, razor_home_t)
|
|
-manage_files_pattern(razor_t, razor_home_t, razor_home_t)
|
|
-manage_lnk_files_pattern(razor_t, razor_home_t, razor_home_t)
|
|
-userdom_user_home_dir_filetrans(razor_t, razor_home_t, dir, ".razor")
|
|
-
|
|
-manage_dirs_pattern(razor_t, razor_tmp_t, razor_tmp_t)
|
|
-manage_files_pattern(razor_t, razor_tmp_t, razor_tmp_t)
|
|
-files_tmp_filetrans(razor_t, razor_tmp_t, { file dir })
|
|
-
|
|
-fs_getattr_all_fs(razor_t)
|
|
-fs_search_auto_mountpoints(razor_t)
|
|
-
|
|
-userdom_use_unpriv_users_fds(razor_t)
|
|
-userdom_use_user_terminals(razor_t)
|
|
-
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(razor_t)
|
|
- fs_manage_nfs_files(razor_t)
|
|
- fs_manage_nfs_symlinks(razor_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(razor_t)
|
|
- fs_manage_cifs_files(razor_t)
|
|
- fs_manage_cifs_symlinks(razor_t)
|
|
+ optional_policy(`
|
|
+ milter_manage_spamass_state(razor_t)
|
|
+ ')
|
|
')
|
|
diff --git a/rdisc.te b/rdisc.te
|
|
index 9196c1d..3dac4d9 100644
|
|
--- a/rdisc.te
|
|
+++ b/rdisc.te
|
|
@@ -25,7 +25,6 @@ kernel_list_proc(rdisc_t)
|
|
kernel_read_proc_symlinks(rdisc_t)
|
|
kernel_read_kernel_sysctls(rdisc_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(rdisc_t)
|
|
corenet_all_recvfrom_netlabel(rdisc_t)
|
|
corenet_udp_sendrecv_generic_if(rdisc_t)
|
|
corenet_raw_sendrecv_generic_if(rdisc_t)
|
|
@@ -39,12 +38,9 @@ fs_search_auto_mountpoints(rdisc_t)
|
|
|
|
domain_use_interactive_fds(rdisc_t)
|
|
|
|
-files_read_etc_files(rdisc_t)
|
|
|
|
logging_send_syslog_msg(rdisc_t)
|
|
|
|
-miscfiles_read_localization(rdisc_t)
|
|
-
|
|
sysnet_read_config(rdisc_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(rdisc_t)
|
|
diff --git a/readahead.fc b/readahead.fc
|
|
index f01b32f..46279e8 100644
|
|
--- a/readahead.fc
|
|
+++ b/readahead.fc
|
|
@@ -1,7 +1,11 @@
|
|
-/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
|
|
+/dev/\.systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
|
|
|
|
+/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
|
|
/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/systemd-readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
|
|
+
|
|
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)
|
|
|
|
+/var/run/systemd/readahead(/.*)? gen_context(system_u:object_r:readahead_var_run_t,s0)
|
|
/var/run/readahead.* gen_context(system_u:object_r:readahead_var_run_t,s0)
|
|
diff --git a/readahead.if b/readahead.if
|
|
index 661bb88..06f69c4 100644
|
|
--- a/readahead.if
|
|
+++ b/readahead.if
|
|
@@ -19,3 +19,27 @@ interface(`readahead_domtrans',`
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, readahead_exec_t, readahead_t)
|
|
')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage readahead var_run files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`readahead_manage_pid_files',`
|
|
+ gen_require(`
|
|
+ type readahead_var_run_t;
|
|
+ ')
|
|
+
|
|
+ manage_dirs_pattern($1, readahead_var_run_t, readahead_var_run_t)
|
|
+ manage_files_pattern($1, readahead_var_run_t, readahead_var_run_t)
|
|
+ dev_filetrans($1, readahead_var_run_t, { dir file })
|
|
+ init_pid_filetrans($1, readahead_var_run_t, { dir file })
|
|
+ files_search_pids($1)
|
|
+ init_search_pid_dirs($1)
|
|
+')
|
|
+
|
|
diff --git a/readahead.te b/readahead.te
|
|
index c0b02c9..af81d71 100644
|
|
--- a/readahead.te
|
|
+++ b/readahead.te
|
|
@@ -15,6 +15,7 @@ typealias readahead_var_lib_t alias readahead_etc_rw_t;
|
|
|
|
type readahead_var_run_t;
|
|
files_pid_file(readahead_var_run_t)
|
|
+dev_associate(readahead_var_run_t)
|
|
init_daemon_run_dir(readahead_var_run_t, "readahead")
|
|
|
|
########################################
|
|
@@ -31,13 +32,18 @@ manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
|
|
|
|
manage_dirs_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
|
|
manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
|
|
+dev_filetrans(readahead_t, readahead_var_run_t, { dir file })
|
|
files_pid_filetrans(readahead_t, readahead_var_run_t, { dir file })
|
|
|
|
kernel_read_all_sysctls(readahead_t)
|
|
kernel_read_system_state(readahead_t)
|
|
kernel_dontaudit_getattr_core_if(readahead_t)
|
|
+kernel_list_all_proc(readahead_t)
|
|
|
|
-dev_read_sysfs(readahead_t)
|
|
+dev_rw_sysfs(readahead_t)
|
|
+dev_read_kmsg(readahead_t)
|
|
+dev_read_urand(readahead_t)
|
|
+dev_write_kmsg(readahead_t)
|
|
dev_getattr_generic_chr_files(readahead_t)
|
|
dev_getattr_generic_blk_files(readahead_t)
|
|
dev_getattr_all_chr_files(readahead_t)
|
|
@@ -51,12 +57,22 @@ domain_use_interactive_fds(readahead_t)
|
|
domain_read_all_domains_state(readahead_t)
|
|
|
|
files_create_boot_flag(readahead_t)
|
|
+files_delete_root_files(readahead_t)
|
|
files_getattr_all_pipes(readahead_t)
|
|
files_list_non_security(readahead_t)
|
|
files_read_non_security_files(readahead_t)
|
|
files_search_var_lib(readahead_t)
|
|
files_dontaudit_getattr_all_sockets(readahead_t)
|
|
files_dontaudit_getattr_non_security_blk_files(readahead_t)
|
|
+files_dontaudit_all_access_check(readahead_t)
|
|
+files_dontaudit_read_security_files(readahead_t)
|
|
+files_dontaudit_read_all_sockets(readahead_t)
|
|
+
|
|
+ifdef(`hide_broken_symptoms', `
|
|
+ files_dontaudit_write_all_files(readahead_t)
|
|
+ dev_dontaudit_write_all_chr_files(readahead_t)
|
|
+ dev_dontaudit_write_all_blk_files(readahead_t)
|
|
+')
|
|
|
|
fs_getattr_all_fs(readahead_t)
|
|
fs_search_auto_mountpoints(readahead_t)
|
|
@@ -66,13 +82,12 @@ fs_read_cgroup_files(readahead_t)
|
|
fs_read_tmpfs_files(readahead_t)
|
|
fs_read_tmpfs_symlinks(readahead_t)
|
|
fs_list_inotifyfs(readahead_t)
|
|
+fs_dontaudit_read_tmpfs_blk_dev(readahead_t)
|
|
fs_dontaudit_search_ramfs(readahead_t)
|
|
fs_dontaudit_read_ramfs_pipes(readahead_t)
|
|
fs_dontaudit_read_ramfs_files(readahead_t)
|
|
fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
|
|
|
|
-mcs_file_read_all(readahead_t)
|
|
-
|
|
mls_file_read_all_levels(readahead_t)
|
|
|
|
storage_raw_read_fixed_disk(readahead_t)
|
|
@@ -84,13 +99,15 @@ auth_dontaudit_read_shadow(readahead_t)
|
|
init_use_fds(readahead_t)
|
|
init_use_script_ptys(readahead_t)
|
|
init_getattr_initctl(readahead_t)
|
|
+# needs to write to /run/systemd/notify
|
|
+init_write_pid_socket(readahead_t)
|
|
+init_create_pid_dirs(readahead_t)
|
|
+init_pid_filetrans(readahead_t, readahead_var_run_t, dir, "readahead")
|
|
|
|
logging_send_syslog_msg(readahead_t)
|
|
logging_set_audit_parameters(readahead_t)
|
|
logging_dontaudit_search_audit_config(readahead_t)
|
|
|
|
-miscfiles_read_localization(readahead_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(readahead_t)
|
|
userdom_dontaudit_search_user_home_dirs(readahead_t)
|
|
|
|
diff --git a/realmd.fc b/realmd.fc
|
|
index 04babe3..3b92679 100644
|
|
--- a/realmd.fc
|
|
+++ b/realmd.fc
|
|
@@ -1 +1,5 @@
|
|
-/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
|
|
+/usr/lib/realmd/realmd -- gen_context(system_u:object_r:realmd_exec_t,s0)
|
|
+
|
|
+/var/cache/realmd(/.*)? gen_context(system_u:object_r:realmd_var_cache_t,s0)
|
|
+
|
|
+/var/lib/ipa-client(/.*)? gen_context(system_u:object_r:realmd_var_lib_t,s0)
|
|
diff --git a/realmd.if b/realmd.if
|
|
index bff31df..3b2a829 100644
|
|
--- a/realmd.if
|
|
+++ b/realmd.if
|
|
@@ -1,8 +1,9 @@
|
|
-## <summary>Dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA.</summary>
|
|
+
|
|
+## <summary>dbus system service which manages discovery and enrollment in realms and domains like Active Directory or IPA</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute realmd in the realmd domain.
|
|
+## Execute realmd in the realmd_t domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -39,3 +40,101 @@ interface(`realmd_dbus_chat',`
|
|
allow $1 realmd_t:dbus send_msg;
|
|
allow realmd_t $1:dbus send_msg;
|
|
')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search realmd cache directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`realmd_search_cache',`
|
|
+ gen_require(`
|
|
+ type realmd_var_cache_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 realmd_var_cache_t:dir search_dir_perms;
|
|
+ files_search_var($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read realmd cache files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`realmd_read_cache_files',`
|
|
+ gen_require(`
|
|
+ type realmd_var_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ read_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## realmd cache files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`realmd_manage_cache_files',`
|
|
+ gen_require(`
|
|
+ type realmd_var_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ manage_files_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage realmd cache dirs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`realmd_manage_cache_dirs',`
|
|
+ gen_require(`
|
|
+ type realmd_var_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ manage_dirs_pattern($1, realmd_var_cache_t, realmd_var_cache_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read realmd tmp files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`realmd_read_tmp_files',`
|
|
+ gen_require(`
|
|
+ type realmd_tmp_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ read_files_pattern($1, realmd_tmp_t, realmd_tmp_t)
|
|
+')
|
|
+
|
|
diff --git a/realmd.te b/realmd.te
|
|
index 5bc878b..5736203 100644
|
|
--- a/realmd.te
|
|
+++ b/realmd.te
|
|
@@ -7,47 +7,89 @@ policy_module(realmd, 1.1.0)
|
|
|
|
type realmd_t;
|
|
type realmd_exec_t;
|
|
-init_system_domain(realmd_t, realmd_exec_t)
|
|
+init_daemon_domain(realmd_t, realmd_exec_t)
|
|
+application_domain(realmd_t, realmd_exec_t)
|
|
+role system_r types realmd_t;
|
|
+
|
|
+type realmd_tmp_t;
|
|
+files_tmp_file(realmd_tmp_t)
|
|
+
|
|
+type realmd_var_cache_t;
|
|
+files_type(realmd_var_cache_t)
|
|
+
|
|
+type realmd_var_lib_t;
|
|
+files_type(realmd_var_lib_t)
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# realmd local policy
|
|
#
|
|
|
|
-allow realmd_t self:capability sys_nice;
|
|
+allow realmd_t self:capability { sys_nice };
|
|
+allow realmd_t self:capability2 block_suspend;
|
|
allow realmd_t self:process setsched;
|
|
+allow realmd_t self:key manage_key_perms;
|
|
+
|
|
+manage_dirs_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
|
|
+manage_files_pattern(realmd_t, realmd_tmp_t, realmd_tmp_t)
|
|
+files_tmp_filetrans(realmd_t, realmd_tmp_t, { dir file })
|
|
+
|
|
+manage_files_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
|
|
+manage_dirs_pattern(realmd_t, realmd_var_cache_t, realmd_var_cache_t)
|
|
+
|
|
+manage_dirs_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t)
|
|
+manage_files_pattern(realmd_t, realmd_var_lib_t, realmd_var_lib_t)
|
|
+files_var_lib_filetrans(realmd_t, realmd_var_lib_t, dir)
|
|
|
|
kernel_read_system_state(realmd_t)
|
|
+kernel_read_network_state(realmd_t)
|
|
|
|
corecmd_exec_bin(realmd_t)
|
|
corecmd_exec_shell(realmd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(realmd_t)
|
|
-corenet_all_recvfrom_netlabel(realmd_t)
|
|
-corenet_tcp_sendrecv_generic_if(realmd_t)
|
|
-corenet_tcp_sendrecv_generic_node(realmd_t)
|
|
-
|
|
-corenet_sendrecv_http_client_packets(realmd_t)
|
|
corenet_tcp_connect_http_port(realmd_t)
|
|
-corenet_tcp_sendrecv_http_port(realmd_t)
|
|
+corenet_tcp_connect_ldap_port(realmd_t)
|
|
+corenet_tcp_connect_smbd_port(realmd_t)
|
|
|
|
domain_use_interactive_fds(realmd_t)
|
|
|
|
dev_read_rand(realmd_t)
|
|
dev_read_urand(realmd_t)
|
|
|
|
-fs_getattr_all_fs(realmd_t)
|
|
+files_manage_etc_files(realmd_t)
|
|
|
|
-files_read_usr_files(realmd_t)
|
|
+fs_getattr_all_fs(realmd_t)
|
|
|
|
auth_use_nsswitch(realmd_t)
|
|
|
|
+init_filetrans_named_content(realmd_t)
|
|
+
|
|
+logging_manage_generic_logs(realmd_t)
|
|
logging_send_syslog_msg(realmd_t)
|
|
|
|
+miscfiles_manage_generic_cert_files(realmd_t)
|
|
+
|
|
+seutil_domtrans_setfiles(realmd_t)
|
|
+seutil_read_file_contexts(realmd_t)
|
|
+
|
|
+sysnet_dns_name_resolve(realmd_t)
|
|
+systemd_exec_systemctl(realmd_t)
|
|
+
|
|
+#userdom_admin_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
|
|
+#userdom_user_home_dir_filetrans(realmd_t, cache_home_t, dir, ".cache")
|
|
+
|
|
+optional_policy(`
|
|
+ authconfig_domtrans(realmd_t)
|
|
+')
|
|
+
|
|
optional_policy(`
|
|
dbus_system_domain(realmd_t, realmd_exec_t)
|
|
|
|
optional_policy(`
|
|
+ certmonger_dbus_chat(realmd_t)
|
|
+ ')
|
|
+
|
|
+ optional_policy(`
|
|
networkmanager_dbus_chat(realmd_t)
|
|
')
|
|
|
|
@@ -63,21 +105,40 @@ optional_policy(`
|
|
optional_policy(`
|
|
kerberos_use(realmd_t)
|
|
kerberos_rw_keytab(realmd_t)
|
|
+ kerberos_rw_config(realmd_t)
|
|
+ kerberos_filetrans_named_content(realmd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ntp_domtrans_ntpdate(realmd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ssh_domtrans(realmd_t)
|
|
+ ssh_systemctl(realmd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_exec_ypbind(realmd_t)
|
|
- nis_initrc_domtrans(realmd_t)
|
|
+ nis_systemctl_ypbind(realmd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- gnome_read_generic_home_content(realmd_t)
|
|
+ gnome_read_config(realmd_t)
|
|
+ gnome_read_generic_cache_files(realmd_t)
|
|
+ gnome_write_generic_cache_files(realmd_t)
|
|
+ gnome_manage_cache_home_dir(realmd_t)
|
|
+
|
|
')
|
|
|
|
optional_policy(`
|
|
samba_domtrans_net(realmd_t)
|
|
samba_manage_config(realmd_t)
|
|
- samba_getattr_winbind_exec(realmd_t)
|
|
+ samba_getattr_winbind(realmd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rpm_dbus_chat(realmd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -86,5 +147,27 @@ optional_policy(`
|
|
sssd_manage_lib_files(realmd_t)
|
|
sssd_manage_public_files(realmd_t)
|
|
sssd_read_pid_files(realmd_t)
|
|
- sssd_initrc_domtrans(realmd_t)
|
|
+ sssd_systemctl(realmd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ xserver_read_state_xdm(realmd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_domain(realmd_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+#
|
|
+# realmd consolehelper local policy
|
|
+#
|
|
+
|
|
+optional_policy(`
|
|
+ userhelper_console_role_template(realmd, system_r, realmd_t)
|
|
+ authconfig_manage_lib_files(realmd_consolehelper_t)
|
|
+
|
|
+ oddjob_systemctl(realmd_consolehelper_t)
|
|
+
|
|
+ unconfined_domain_noaudit(realmd_consolehelper_t)
|
|
')
|
|
diff --git a/redis.fc b/redis.fc
|
|
index e240ac9..638d6b4 100644
|
|
--- a/redis.fc
|
|
+++ b/redis.fc
|
|
@@ -1,9 +1,11 @@
|
|
/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
|
|
|
|
-/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
|
|
+/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
|
|
|
|
-/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
|
|
+/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
|
|
|
|
-/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
|
|
+/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
|
|
|
|
-/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
|
|
+/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
|
|
+
|
|
+/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
|
|
diff --git a/redis.if b/redis.if
|
|
index 16c8ecb..9fc0cb9 100644
|
|
--- a/redis.if
|
|
+++ b/redis.if
|
|
@@ -1,9 +1,224 @@
|
|
-## <summary>Advanced key-value store.</summary>
|
|
+## <summary>Advanced key-value store</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an redis environment.
|
|
+## Execute redis server in the redis domin.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`redis_domtrans',`
|
|
+ gen_require(`
|
|
+ type redis_t, redis_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, redis_exec_t, redis_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute redis server in the redis domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`redis_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type redis_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, redis_initrc_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read redis's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`redis_read_log',`
|
|
+ gen_require(`
|
|
+ type redis_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, redis_log_t, redis_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Append to redis log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`redis_append_log',`
|
|
+ gen_require(`
|
|
+ type redis_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, redis_log_t, redis_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage redis log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`redis_manage_log',`
|
|
+ gen_require(`
|
|
+ type redis_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ manage_dirs_pattern($1, redis_log_t, redis_log_t)
|
|
+ manage_files_pattern($1, redis_log_t, redis_log_t)
|
|
+ manage_lnk_files_pattern($1, redis_log_t, redis_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search redis lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`redis_search_lib',`
|
|
+ gen_require(`
|
|
+ type redis_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 redis_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read redis lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`redis_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type redis_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage redis lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`redis_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type redis_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage redis lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`redis_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type redis_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read redis PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`redis_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type redis_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ read_files_pattern($1, redis_var_run_t, redis_var_run_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute redis server in the redis domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`redis_systemctl',`
|
|
+ gen_require(`
|
|
+ type redis_t;
|
|
+ type redis_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_password_run($1)
|
|
+ allow $1 redis_unit_file_t:file read_file_perms;
|
|
+ allow $1 redis_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, redis_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an redis environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -20,7 +235,7 @@
|
|
interface(`redis_admin',`
|
|
gen_require(`
|
|
type redis_t, redis_initrc_exec_t, redis_var_lib_t;
|
|
- type redis_log_t, redis_var_run_t;
|
|
+ type redis_log_t, redis_var_run_t, redis_unit_file_t;
|
|
')
|
|
|
|
allow $1 redis_t:process { ptrace signal_perms };
|
|
@@ -32,11 +247,20 @@ interface(`redis_admin',`
|
|
allow $2 system_r;
|
|
|
|
logging_search_logs($1)
|
|
- admin_pattern($!, redis_log_t)
|
|
+ admin_pattern($1, redis_log_t)
|
|
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, redis_var_lib_t)
|
|
|
|
files_search_pids($1)
|
|
admin_pattern($1, redis_var_run_t)
|
|
+
|
|
+ redis_systemctl($1)
|
|
+ admin_pattern($1, redis_unit_file_t)
|
|
+ allow $1 redis_unit_file_t:service all_service_perms;
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
')
|
|
diff --git a/redis.te b/redis.te
|
|
index 25cd417..178198b 100644
|
|
--- a/redis.te
|
|
+++ b/redis.te
|
|
@@ -21,6 +21,9 @@ files_type(redis_var_lib_t)
|
|
type redis_var_run_t;
|
|
files_pid_file(redis_var_run_t)
|
|
|
|
+type redis_unit_file_t;
|
|
+systemd_unit_file(redis_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -60,6 +63,4 @@ dev_read_urand(redis_t)
|
|
|
|
logging_send_syslog_msg(redis_t)
|
|
|
|
-miscfiles_read_localization(redis_t)
|
|
-
|
|
sysnet_dns_name_resolve(redis_t)
|
|
diff --git a/remotelogin.fc b/remotelogin.fc
|
|
index 327baf0..d8691bd 100644
|
|
--- a/remotelogin.fc
|
|
+++ b/remotelogin.fc
|
|
@@ -1 +1,2 @@
|
|
+
|
|
# Remote login currently has no file contexts.
|
|
diff --git a/remotelogin.if b/remotelogin.if
|
|
index a9ce68e..31be971 100644
|
|
--- a/remotelogin.if
|
|
+++ b/remotelogin.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>Rshd, rlogind, and telnetd.</summary>
|
|
+## <summary>Policy for rshd, rlogind, and telnetd.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -15,13 +15,12 @@ interface(`remotelogin_domtrans',`
|
|
type remote_login_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
auth_domtrans_login_program($1, remote_login_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send generic signals to remote login.
|
|
+## allow Domain to signal remote login domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -36,44 +35,3 @@ interface(`remotelogin_signal',`
|
|
|
|
allow $1 remote_login_t:process signal;
|
|
')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Create, read, write, and delete
|
|
-## remote login temporary content.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`remotelogin_manage_tmp_content',`
|
|
- gen_require(`
|
|
- type remote_login_tmp_t;
|
|
- ')
|
|
-
|
|
- files_search_tmp($1)
|
|
- allow $1 remote_login_tmp_t:dir manage_dir_perms;
|
|
- allow $1 remote_login_tmp_t:file manage_file_perms;
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Relabel remote login temporary content.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`remotelogin_relabel_tmp_content',`
|
|
- gen_require(`
|
|
- type remote_login_tmp_t;
|
|
- ')
|
|
-
|
|
- files_search_tmp($1)
|
|
- allow $1 remote_login_tmp_t:dir relabel_dir_perms;
|
|
- allow $1 remote_login_tmp_t:file relabel_file_perms;
|
|
-')
|
|
diff --git a/remotelogin.te b/remotelogin.te
|
|
index ae30871..43fd6e8 100644
|
|
--- a/remotelogin.te
|
|
+++ b/remotelogin.te
|
|
@@ -10,12 +10,9 @@ domain_interactive_fd(remote_login_t)
|
|
auth_login_pgm_domain(remote_login_t)
|
|
auth_login_entry_type(remote_login_t)
|
|
|
|
-type remote_login_tmp_t;
|
|
-files_tmp_file(remote_login_tmp_t)
|
|
-
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# Remote login remote policy
|
|
#
|
|
|
|
allow remote_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
|
|
@@ -23,68 +20,79 @@ allow remote_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrl
|
|
allow remote_login_t self:process { setrlimit setexec };
|
|
allow remote_login_t self:fd use;
|
|
allow remote_login_t self:fifo_file rw_fifo_file_perms;
|
|
+allow remote_login_t self:sock_file read_sock_file_perms;
|
|
+allow remote_login_t self:unix_dgram_socket create_socket_perms;
|
|
+allow remote_login_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow remote_login_t self:unix_dgram_socket sendto;
|
|
-allow remote_login_t self:unix_stream_socket { accept connectto listen };
|
|
-
|
|
-manage_dirs_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
|
|
-manage_files_pattern(remote_login_t, remote_login_tmp_t, remote_login_tmp_t)
|
|
-files_tmp_filetrans(remote_login_t, remote_login_tmp_t, { file dir })
|
|
+allow remote_login_t self:unix_stream_socket connectto;
|
|
+allow remote_login_t self:shm create_shm_perms;
|
|
+allow remote_login_t self:sem create_sem_perms;
|
|
+allow remote_login_t self:msgq create_msgq_perms;
|
|
+allow remote_login_t self:msg { send receive };
|
|
+allow remote_login_t self:key write;
|
|
|
|
kernel_read_system_state(remote_login_t)
|
|
kernel_read_kernel_sysctls(remote_login_t)
|
|
|
|
dev_getattr_mouse_dev(remote_login_t)
|
|
dev_setattr_mouse_dev(remote_login_t)
|
|
+dev_dontaudit_search_sysfs(remote_login_t)
|
|
|
|
fs_getattr_xattr_fs(remote_login_t)
|
|
+fs_search_auto_mountpoints(remote_login_t)
|
|
|
|
term_relabel_all_ptys(remote_login_t)
|
|
term_use_all_ptys(remote_login_t)
|
|
term_setattr_all_ptys(remote_login_t)
|
|
|
|
-auth_manage_pam_console_data(remote_login_t)
|
|
-auth_domtrans_pam_console(remote_login_t)
|
|
auth_rw_login_records(remote_login_t)
|
|
auth_rw_faillog(remote_login_t)
|
|
+auth_manage_pam_console_data(remote_login_t)
|
|
+auth_domtrans_pam_console(remote_login_t)
|
|
|
|
corecmd_list_bin(remote_login_t)
|
|
corecmd_read_bin_symlinks(remote_login_t)
|
|
+# cjp: these are probably not needed:
|
|
+corecmd_read_bin_files(remote_login_t)
|
|
+corecmd_read_bin_pipes(remote_login_t)
|
|
+corecmd_read_bin_sockets(remote_login_t)
|
|
|
|
domain_read_all_entry_files(remote_login_t)
|
|
|
|
files_read_etc_runtime_files(remote_login_t)
|
|
files_list_home(remote_login_t)
|
|
-files_read_usr_files(remote_login_t)
|
|
files_list_world_readable(remote_login_t)
|
|
files_read_world_readable_files(remote_login_t)
|
|
files_read_world_readable_symlinks(remote_login_t)
|
|
files_read_world_readable_pipes(remote_login_t)
|
|
files_read_world_readable_sockets(remote_login_t)
|
|
files_list_mnt(remote_login_t)
|
|
+# for when /var/mail is a sym-link
|
|
files_read_var_symlinks(remote_login_t)
|
|
|
|
-miscfiles_read_localization(remote_login_t)
|
|
+auth_use_nsswitch(remote_login_t)
|
|
+
|
|
|
|
userdom_use_unpriv_users_fds(remote_login_t)
|
|
userdom_search_user_home_content(remote_login_t)
|
|
+# Only permit unprivileged user domains to be entered via rlogin,
|
|
+# since very weak authentication is used.
|
|
userdom_signal_unpriv_users(remote_login_t)
|
|
userdom_spec_domtrans_unpriv_users(remote_login_t)
|
|
+userdom_use_user_ptys(remote_login_t)
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_read_nfs_files(remote_login_t)
|
|
- fs_read_nfs_symlinks(remote_login_t)
|
|
-')
|
|
+userdom_manage_user_tmp_dirs(remote_login_t)
|
|
+userdom_manage_user_tmp_files(remote_login_t)
|
|
+userdom_tmp_filetrans_user_tmp(remote_login_t, { file dir })
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_read_cifs_files(remote_login_t)
|
|
- fs_read_cifs_symlinks(remote_login_t)
|
|
-')
|
|
+userdom_home_reader(remote_login_t)
|
|
|
|
optional_policy(`
|
|
alsa_domtrans(remote_login_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ # Search for mail spool file.
|
|
mta_getattr_spool(remote_login_t)
|
|
')
|
|
|
|
diff --git a/resmgr.te b/resmgr.te
|
|
index f6eb358..e4fc73d 100644
|
|
--- a/resmgr.te
|
|
+++ b/resmgr.te
|
|
@@ -42,7 +42,6 @@ dev_getattr_scanner_dev(resmgrd_t)
|
|
|
|
domain_use_interactive_fds(resmgrd_t)
|
|
|
|
-files_read_etc_files(resmgrd_t)
|
|
|
|
fs_search_auto_mountpoints(resmgrd_t)
|
|
|
|
@@ -54,8 +53,6 @@ storage_write_scsi_generic(resmgrd_t)
|
|
|
|
logging_send_syslog_msg(resmgrd_t)
|
|
|
|
-miscfiles_read_localization(resmgrd_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(resmgrd_t)
|
|
|
|
optional_policy(`
|
|
diff --git a/rgmanager.fc b/rgmanager.fc
|
|
index 5421af0..91e69b8 100644
|
|
--- a/rgmanager.fc
|
|
+++ b/rgmanager.fc
|
|
@@ -1,12 +1,22 @@
|
|
-/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:rgmanager_initrc_exec_t,s0)
|
|
|
|
-/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
|
|
+/usr/sbin/cpglockd -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
|
|
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
|
|
|
|
-/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
|
|
-/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
|
|
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
|
|
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
|
|
|
|
-/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
|
|
+/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
|
|
+/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:rgmanager_exec_t,s0)
|
|
+/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_lib_t,s0)
|
|
|
|
-/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
|
|
+/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
|
|
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:rgmanager_var_log_t,s0)
|
|
|
|
-/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
|
|
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:rgmanager_var_run_t,s0)
|
|
+
|
|
+/var/run/cpglockd\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
|
|
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:rgmanager_var_run_t,s0)
|
|
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:rgmanager_var_run_t,s0)
|
|
diff --git a/rgmanager.if b/rgmanager.if
|
|
index 1c2f9aa..a4133dc 100644
|
|
--- a/rgmanager.if
|
|
+++ b/rgmanager.if
|
|
@@ -1,13 +1,13 @@
|
|
-## <summary>Resource Group Manager.</summary>
|
|
+## <summary>rgmanager - Resource Group Manager</summary>
|
|
|
|
#######################################
|
|
## <summary>
|
|
## Execute a domain transition to run rgmanager.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed to transition.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`rgmanager_domtrans',`
|
|
@@ -21,8 +21,7 @@ interface(`rgmanager_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to rgmanager with a unix
|
|
-## domain stream socket.
|
|
+## Connect to rgmanager over a unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -39,10 +38,28 @@ interface(`rgmanager_stream_connect',`
|
|
stream_connect_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t, rgmanager_t)
|
|
')
|
|
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage rgmanager pid files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rgmanager_manage_pid_files',`
|
|
+ gen_require(`
|
|
+ type rgmanager_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ manage_files_pattern($1, rgmanager_var_run_t, rgmanager_var_run_t)
|
|
+')
|
|
+
|
|
######################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## rgmanager tmp files.
|
|
+## Allow manage rgmanager tmp files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -61,8 +78,7 @@ interface(`rgmanager_manage_tmp_files',`
|
|
|
|
######################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## rgmanager tmpfs files.
|
|
+## Allow manage rgmanager tmpfs files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -79,10 +95,28 @@ interface(`rgmanager_manage_tmpfs_files',`
|
|
manage_files_pattern($1, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
|
|
')
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow read and write access to rgmanager semaphores.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rgmanager_rw_semaphores',`
|
|
+ gen_require(`
|
|
+ type rgmanager_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 rgmanager_t:sem rw_sem_perms;
|
|
+')
|
|
+
|
|
######################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an rgmanager environment.
|
|
+## All of the rules required to administrate
|
|
+## an rgmanager environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -91,7 +125,7 @@ interface(`rgmanager_manage_tmpfs_files',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the rgmanager domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
@@ -102,8 +136,11 @@ interface(`rgmanager_admin',`
|
|
type rgmanager_tmpfs_t, rgmanager_var_log_t, rgmanager_var_run_t;
|
|
')
|
|
|
|
- allow $1 rgmanager_t:process { ptrace signal_perms };
|
|
+ allow $1 rgmanager_t:process signal_perms;
|
|
ps_process_pattern($1, rgmanager_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 rgmanager_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, rgmanager_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
@@ -121,3 +158,66 @@ interface(`rgmanager_admin',`
|
|
files_list_pids($1)
|
|
admin_pattern($1, rgmanager_var_run_t)
|
|
')
|
|
+
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Allow the specified domain to manage rgmanager's lib/run files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rgmanager_manage_files',`
|
|
+ gen_require(`
|
|
+ type rgmanager_var_lib_t;
|
|
+ type rgmanager_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_list_var_lib($1)
|
|
+ admin_pattern($1, rgmanager_var_lib_t)
|
|
+
|
|
+ files_list_pids($1)
|
|
+ admin_pattern($1, rgmanager_var_run_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Allow the specified domain to execute rgmanager's lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rgmanager_execute_lib',`
|
|
+ gen_require(`
|
|
+ type rgmanager_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_list_var_lib($1)
|
|
+ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
|
|
+ can_exec($1, rgmanager_var_lib_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Allow the specified domain to search rgmanager's lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rgmanager_search_lib',`
|
|
+ gen_require(`
|
|
+ type rgmanager_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_list_var_lib($1)
|
|
+ allow $1 rgmanager_var_lib_t:dir search_dir_perms;
|
|
+')
|
|
diff --git a/rgmanager.te b/rgmanager.te
|
|
index c8a1e16..2d409bf 100644
|
|
--- a/rgmanager.te
|
|
+++ b/rgmanager.te
|
|
@@ -6,10 +6,9 @@ policy_module(rgmanager, 1.3.0)
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether rgmanager can
|
|
-## connect to the network using TCP.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow rgmanager domain to connect to the network using TCP.
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(rgmanager_can_network_connect, false)
|
|
|
|
@@ -26,6 +25,9 @@ files_tmp_file(rgmanager_tmp_t)
|
|
type rgmanager_tmpfs_t;
|
|
files_tmpfs_file(rgmanager_tmpfs_t)
|
|
|
|
+type rgmanager_var_lib_t;
|
|
+files_type(rgmanager_var_lib_t)
|
|
+
|
|
type rgmanager_var_log_t;
|
|
logging_log_file(rgmanager_var_log_t)
|
|
|
|
@@ -34,14 +36,16 @@ files_pid_file(rgmanager_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# rgmanager local policy
|
|
#
|
|
|
|
allow rgmanager_t self:capability { dac_override net_raw sys_resource sys_admin sys_nice ipc_lock };
|
|
allow rgmanager_t self:process { setsched signal };
|
|
+
|
|
allow rgmanager_t self:fifo_file rw_fifo_file_perms;
|
|
-allow rgmanager_t self:unix_stream_socket { accept listen };
|
|
-allow rgmanager_t self:tcp_socket { accept listen };
|
|
+allow rgmanager_t self:unix_stream_socket { create_stream_socket_perms };
|
|
+allow rgmanager_t self:unix_dgram_socket create_socket_perms;
|
|
+allow rgmanager_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
manage_dirs_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
|
|
manage_files_pattern(rgmanager_t, rgmanager_tmp_t, rgmanager_tmp_t)
|
|
@@ -51,77 +55,93 @@ manage_dirs_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
|
|
manage_files_pattern(rgmanager_t, rgmanager_tmpfs_t, rgmanager_tmpfs_t)
|
|
fs_tmpfs_filetrans(rgmanager_t, rgmanager_tmpfs_t, { dir file })
|
|
|
|
-allow rgmanager_t rgmanager_var_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
|
-logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, file)
|
|
+# var/lib files
|
|
+# # needed by hearbeat
|
|
+can_exec(rgmanager_t, rgmanager_var_lib_t)
|
|
+manage_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
|
|
+manage_dirs_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
|
|
+manage_sock_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
|
|
+manage_fifo_files_pattern(rgmanager_t, rgmanager_var_lib_t,rgmanager_var_lib_t)
|
|
+files_var_lib_filetrans(rgmanager_t,rgmanager_var_lib_t, { file dir fifo_file sock_file })
|
|
+
|
|
+
|
|
+manage_files_pattern(rgmanager_t, rgmanager_var_log_t, rgmanager_var_log_t)
|
|
+logging_log_filetrans(rgmanager_t, rgmanager_var_log_t, { file })
|
|
|
|
+manage_dirs_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
|
|
manage_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
|
|
manage_sock_files_pattern(rgmanager_t, rgmanager_var_run_t, rgmanager_var_run_t)
|
|
-files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file })
|
|
+files_pid_filetrans(rgmanager_t, rgmanager_var_run_t, { file sock_file dir })
|
|
|
|
+kernel_kill(rgmanager_t)
|
|
kernel_read_kernel_sysctls(rgmanager_t)
|
|
+kernel_read_rpc_sysctls(rgmanager_t)
|
|
kernel_read_system_state(rgmanager_t)
|
|
kernel_rw_rpc_sysctls(rgmanager_t)
|
|
kernel_search_debugfs(rgmanager_t)
|
|
kernel_search_network_state(rgmanager_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(rgmanager_t)
|
|
-corenet_all_recvfrom_netlabel(rgmanager_t)
|
|
-corenet_tcp_sendrecv_generic_if(rgmanager_t)
|
|
-corenet_tcp_sendrecv_generic_node(rgmanager_t)
|
|
-
|
|
corecmd_exec_bin(rgmanager_t)
|
|
corecmd_exec_shell(rgmanager_t)
|
|
|
|
+# need to write to /dev/misc/dlm-control
|
|
dev_rw_dlm_control(rgmanager_t)
|
|
dev_setattr_dlm_control(rgmanager_t)
|
|
dev_search_sysfs(rgmanager_t)
|
|
|
|
domain_read_all_domains_state(rgmanager_t)
|
|
domain_getattr_all_domains(rgmanager_t)
|
|
-domain_dontaudit_ptrace_all_domains(rgmanager_t)
|
|
|
|
-files_list_all(rgmanager_t)
|
|
+files_create_var_run_dirs(rgmanager_t)
|
|
files_getattr_all_symlinks(rgmanager_t)
|
|
+files_list_all(rgmanager_t)
|
|
files_manage_mnt_dirs(rgmanager_t)
|
|
+files_manage_mnt_files(rgmanager_t)
|
|
+files_manage_mnt_symlinks(rgmanager_t)
|
|
+files_manage_isid_type_files(rgmanager_t)
|
|
files_manage_isid_type_dirs(rgmanager_t)
|
|
-files_read_non_security_files(rgmanager_t)
|
|
|
|
+fs_getattr_xattr_fs(rgmanager_t)
|
|
fs_getattr_all_fs(rgmanager_t)
|
|
|
|
storage_raw_read_fixed_disk(rgmanager_t)
|
|
+storage_getattr_fixed_disk_dev(rgmanager_t)
|
|
|
|
term_getattr_pty_fs(rgmanager_t)
|
|
|
|
+# needed by resources scripts
|
|
+files_read_non_security_files(rgmanager_t)
|
|
auth_dontaudit_getattr_shadow(rgmanager_t)
|
|
auth_use_nsswitch(rgmanager_t)
|
|
|
|
init_domtrans_script(rgmanager_t)
|
|
+init_initrc_domain(rgmanager_t)
|
|
|
|
logging_send_syslog_msg(rgmanager_t)
|
|
|
|
-miscfiles_read_localization(rgmanager_t)
|
|
+userdom_kill_all_users(rgmanager_t)
|
|
|
|
tunable_policy(`rgmanager_can_network_connect',`
|
|
- corenet_sendrecv_all_client_packets(rgmanager_t)
|
|
corenet_tcp_connect_all_ports(rgmanager_t)
|
|
- corenet_tcp_sendrecv_all_ports(rgmanager_t)
|
|
')
|
|
|
|
+# rgmanager can run resource scripts
|
|
optional_policy(`
|
|
aisexec_stream_connect(rgmanager_t)
|
|
+ corosync_stream_connect(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- consoletype_exec(rgmanager_t)
|
|
+ apache_domtrans(rgmanager_t)
|
|
+ apache_signal(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- corosync_stream_connect(rgmanager_t)
|
|
+ consoletype_exec(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- apache_domtrans(rgmanager_t)
|
|
- apache_signal(rgmanager_t)
|
|
+ dbus_system_bus_client(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -130,7 +150,6 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
rhcs_stream_connect_groupd(rgmanager_t)
|
|
- rhcs_stream_connect_gfs_controld(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -140,6 +159,7 @@ optional_policy(`
|
|
optional_policy(`
|
|
ccs_manage_config(rgmanager_t)
|
|
ccs_stream_connect(rgmanager_t)
|
|
+ rhcs_stream_connect_gfs_controld(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -147,6 +167,12 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ ldap_initrc_domtrans(rgmanager_t)
|
|
+ ldap_systemctl(rgmanager_t)
|
|
+ ldap_domtrans(rgmanager_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
mount_domtrans(rgmanager_t)
|
|
')
|
|
|
|
@@ -174,12 +200,18 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ rpc_initrc_domtrans_nfsd(rgmanager_t)
|
|
+ rpc_initrc_domtrans_rpcd(rgmanager_t)
|
|
+ rpc_systemctl_nfsd(rgmanager_t)
|
|
+ rpc_systemctl_rpcd(rgmanager_t)
|
|
+
|
|
rpc_domtrans_nfsd(rgmanager_t)
|
|
rpc_domtrans_rpcd(rgmanager_t)
|
|
rpc_manage_nfs_state_data(rgmanager_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ samba_initrc_domtrans(rgmanager_t)
|
|
samba_domtrans_smbd(rgmanager_t)
|
|
samba_domtrans_nmbd(rgmanager_t)
|
|
samba_manage_var_files(rgmanager_t)
|
|
@@ -201,5 +233,9 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ unconfined_domain(rgmanager_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
xen_domtrans_xm(rgmanager_t)
|
|
')
|
|
diff --git a/rhcs.fc b/rhcs.fc
|
|
index 47de2d6..98a4280 100644
|
|
--- a/rhcs.fc
|
|
+++ b/rhcs.fc
|
|
@@ -1,31 +1,85 @@
|
|
-/etc/rc\.d/init\.d/dlm -- gen_context(system_u:object_r:dlm_controld_initrc_exec_t,s0)
|
|
-/etc/rc\.d/init\.d/foghorn -- gen_context(system_u:object_r:foghorn_initrc_exec_t,s0)
|
|
+/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
|
|
+/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
|
|
+/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
|
|
+/usr/sbin/fence_sanlockd -- gen_context(system_u:object_r:fenced_exec_t,s0)
|
|
+/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
|
|
+/usr/sbin/fence_virtd -- gen_context(system_u:object_r:fenced_exec_t,s0)
|
|
+/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
|
|
+/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
|
|
+/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
|
|
+/usr/sbin/haproxy -- gen_context(system_u:object_r:haproxy_exec_t,s0)
|
|
+/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
|
|
|
|
-/usr/sbin/dlm_controld -- gen_context(system_u:object_r:dlm_controld_exec_t,s0)
|
|
-/usr/sbin/fenced -- gen_context(system_u:object_r:fenced_exec_t,s0)
|
|
-/usr/sbin/fence_node -- gen_context(system_u:object_r:fenced_exec_t,s0)
|
|
-/usr/sbin/fence_tool -- gen_context(system_u:object_r:fenced_exec_t,s0)
|
|
-/usr/sbin/foghorn -- gen_context(system_u:object_r:foghorn_exec_t,s0)
|
|
-/usr/sbin/gfs_controld -- gen_context(system_u:object_r:gfs_controld_exec_t,s0)
|
|
-/usr/sbin/groupd -- gen_context(system_u:object_r:groupd_exec_t,s0)
|
|
-/usr/sbin/qdiskd -- gen_context(system_u:object_r:qdiskd_exec_t,s0)
|
|
+/usr/lib/systemd/system/haproxy.* -- gen_context(system_u:object_r:haproxy_unit_file_t,s0)
|
|
|
|
-/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
|
|
+/var/lock/fence_manual\.lock -- gen_context(system_u:object_r:fenced_lock_t,s0)
|
|
|
|
-/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
|
|
+/var/lib/cluster(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
|
|
+/var/lib/haproxy(/.*)? gen_context(system_u:object_r:haproxy_var_lib_t,s0)
|
|
+/var/lib/qdiskd(/.*)? gen_context(system_u:object_r:qdiskd_var_lib_t,s0)
|
|
|
|
-/var/log/cluster/.*\.*log <<none>>
|
|
+/var/log/cluster/.*\.*log <<none>>
|
|
/var/log/cluster/dlm_controld\.log.* -- gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
|
|
-/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
|
|
+/var/log/cluster/fenced\.log.* -- gen_context(system_u:object_r:fenced_var_log_t,s0)
|
|
/var/log/cluster/gfs_controld\.log.* -- gen_context(system_u:object_r:gfs_controld_var_log_t,s0)
|
|
-/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
|
|
-/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
|
|
+/var/log/cluster/qdiskd\.log.* -- gen_context(system_u:object_r:qdiskd_var_log_t,s0)
|
|
+/var/log/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_log_t,s0)
|
|
|
|
/var/run/cluster/fenced_override -- gen_context(system_u:object_r:fenced_var_run_t,s0)
|
|
-/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
|
|
-/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
|
|
-/var/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
|
|
-/var/run/fenced\.pid -- gen_context(system_u:object_r:fenced_var_run_t,s0)
|
|
-/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
|
|
-/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
|
|
-/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
|
|
+/var/run/cluster/fence_scsi.* -- gen_context(system_u:object_r:fenced_var_run_t,s0)
|
|
+/var/run/dlm_controld\.pid -- gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
|
|
+/var/run/dlm_controld(/.*)? gen_context(system_u:object_r:dlm_controld_var_run_t,s0)
|
|
+/var/run/fence.* gen_context(system_u:object_r:fenced_var_run_t,s0)
|
|
+/var/run/gfs_controld\.pid -- gen_context(system_u:object_r:gfs_controld_var_run_t,s0)
|
|
+/var/run/groupd\.pid -- gen_context(system_u:object_r:groupd_var_run_t,s0)
|
|
+/var/run/haproxy\.pid -- gen_context(system_u:object_r:haproxy_var_run_t,s0)
|
|
+/var/run/qdiskd\.pid -- gen_context(system_u:object_r:qdiskd_var_run_t,s0)
|
|
+
|
|
+# cluster administrative domains file spec
|
|
+/etc/rc\.d/init\.d/openais -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/cpglockd -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/rgmanager -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/heartbeat -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/pacemaker -- gen_context(system_u:object_r:cluster_initrc_exec_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/corosync.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/pacemaker.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/pcsd.* -- gen_context(system_u:object_r:cluster_unit_file_t,s0)
|
|
+
|
|
+/usr/sbin/aisexec -- gen_context(system_u:object_r:cluster_exec_t,s0)
|
|
+/usr/sbin/corosync -- gen_context(system_u:object_r:cluster_exec_t,s0)
|
|
+/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:cluster_exec_t,s0)
|
|
+/usr/sbin/cpglockd -- gen_context(system_u:object_r:cluster_exec_t,s0)
|
|
+/usr/sbin/ccs_tool -- gen_context(system_u:object_r:cluster_exec_t,s0)
|
|
+/usr/sbin/cman_tool -- gen_context(system_u:object_r:cluster_exec_t,s0)
|
|
+/usr/sbin/ldirectord -- gen_context(system_u:object_r:cluster_exec_t,s0)
|
|
+/usr/sbin/rgmanager -- gen_context(system_u:object_r:cluster_exec_t,s0)
|
|
+/usr/sbin/pacemakerd -- gen_context(system_u:object_r:cluster_exec_t,s0)
|
|
+
|
|
+/usr/lib/pcsd/pcsd -- gen_context(system_u:object_r:cluster_exec_t,s0)
|
|
+
|
|
+/usr/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
|
|
+/usr/lib/heartbeat/heartbeat -- gen_context(system_u:object_r:cluster_exec_t,s0)
|
|
+/var/lib/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
|
|
+/var/lib/corosync(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
|
|
+/var/lib/openais(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
|
|
+/var/lib/pacemaker(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
|
|
+/var/lib/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
|
|
+/var/lib/pengine(/.*)? gen_context(system_u:object_r:cluster_var_lib_t,s0)
|
|
+
|
|
+/var/run/aisexec.* gen_context(system_u:object_r:cluster_var_run_t,s0)
|
|
+/var/run/cman_.* -s gen_context(system_u:object_r:cluster_var_run_t,s0)
|
|
+/var/run/cluster/rgmanager\.sk -s gen_context(system_u:object_r:cluster_var_run_t,s0)
|
|
+/var/run/cpglockd\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
|
|
+/var/run/corosync\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
|
|
+/var/run/crm(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
|
|
+/var/run/heartbeat(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
|
|
+/var/run/rgmanager\.pid -- gen_context(system_u:object_r:cluster_var_run_t,s0)
|
|
+/var/run/rsctmp(/.*)? gen_context(system_u:object_r:cluster_var_run_t,s0)
|
|
+
|
|
+/var/log/cluster/aisexec\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
|
|
+/var/log/cluster/cpglockd\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
|
|
+/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
|
|
+/var/log/cluster/rgmanager\.log.* -- gen_context(system_u:object_r:cluster_var_log_t,s0)
|
|
+/var/log/pcsd(/.*)? gen_context(system_u:object_r:cluster_var_log_t,s0)
|
|
diff --git a/rhcs.if b/rhcs.if
|
|
index c8bdea2..2e4d698 100644
|
|
--- a/rhcs.if
|
|
+++ b/rhcs.if
|
|
@@ -1,19 +1,19 @@
|
|
-## <summary>Red Hat Cluster Suite.</summary>
|
|
+## <summary>RHCS - Red Hat Cluster Suite</summary>
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## The template to define a rhcs domain.
|
|
+## Creates types and rules for a basic
|
|
+## rhcs init daemon domain.
|
|
## </summary>
|
|
-## <param name="domain_prefix">
|
|
+## <param name="prefix">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## Prefix for the domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`rhcs_domain_template',`
|
|
gen_require(`
|
|
- attribute cluster_domain, cluster_pid, cluster_tmpfs;
|
|
- attribute cluster_log;
|
|
+ attribute cluster_domain, cluster_tmpfs, cluster_pid, cluster_log;
|
|
')
|
|
|
|
##############################
|
|
@@ -43,33 +43,27 @@ template(`rhcs_domain_template',`
|
|
manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
|
|
fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file })
|
|
|
|
- manage_dirs_pattern($1_t, $1_var_log_t, $1_var_log_t)
|
|
- append_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
|
|
- create_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
|
|
- setattr_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
|
|
- manage_sock_files_pattern($1_t, $1_var_log_t, $1_var_log_t)
|
|
logging_log_filetrans($1_t, $1_var_log_t, { dir file sock_file })
|
|
|
|
manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
|
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
|
manage_fifo_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
|
manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
|
- files_pid_filetrans($1_t, $1_var_run_t, { dir file sock_file fifo_file })
|
|
+ files_pid_filetrans($1_t, $1_var_run_t, { file sock_file fifo_file })
|
|
|
|
- optional_policy(`
|
|
- dbus_system_bus_client($1_t)
|
|
- ')
|
|
+ auth_use_nsswitch($1_t)
|
|
+
|
|
+ logging_send_syslog_msg($1_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
-## Execute a domain transition to
|
|
-## run dlm_controld.
|
|
+## Execute a domain transition to run dlm_controld.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed to transition.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`rhcs_domtrans_dlm_controld',`
|
|
@@ -83,27 +77,8 @@ interface(`rhcs_domtrans_dlm_controld',`
|
|
|
|
#####################################
|
|
## <summary>
|
|
-## Get attributes of fenced
|
|
-## executable files.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`rhcs_getattr_fenced_exec_files',`
|
|
- gen_require(`
|
|
- type fenced_exec_t;
|
|
- ')
|
|
-
|
|
- allow $1 fenced_exec_t:file getattr_file_perms;
|
|
-')
|
|
-
|
|
-#####################################
|
|
-## <summary>
|
|
-## Connect to dlm_controld with a
|
|
-## unix domain stream socket.
|
|
+## Connect to dlm_controld over a unix domain
|
|
+## stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -122,7 +97,7 @@ interface(`rhcs_stream_connect_dlm_controld',`
|
|
|
|
#####################################
|
|
## <summary>
|
|
-## Read and write dlm_controld semaphores.
|
|
+## Allow read and write access to dlm_controld semaphores.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -160,9 +135,27 @@ interface(`rhcs_domtrans_fenced',`
|
|
domtrans_pattern($1, fenced_exec_t, fenced_t)
|
|
')
|
|
|
|
+#####################################
|
|
+## <summary>
|
|
+## Allow a domain to getattr on fenced executable.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhcs_getattr_fenced',`
|
|
+ gen_require(`
|
|
+ type fenced_t, fenced_exec_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 fenced_exec_t:file getattr;
|
|
+')
|
|
+
|
|
######################################
|
|
## <summary>
|
|
-## Read and write fenced semaphores.
|
|
+## Allow read and write access to fenced semaphores.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -181,10 +174,9 @@ interface(`rhcs_rw_fenced_semaphores',`
|
|
manage_files_pattern($1, fenced_tmpfs_t, fenced_tmpfs_t)
|
|
')
|
|
|
|
-####################################
|
|
+######################################
|
|
## <summary>
|
|
-## Connect to all cluster domains
|
|
-## with a unix domain stream socket.
|
|
+## Read fenced PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -192,19 +184,18 @@ interface(`rhcs_rw_fenced_semaphores',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`rhcs_stream_connect_cluster',`
|
|
+interface(`rhcs_read_fenced_pid_files',`
|
|
gen_require(`
|
|
- attribute cluster_domain, cluster_pid;
|
|
+ type fenced_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
- stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
|
|
+ read_files_pattern($1, fenced_var_run_t, fenced_var_run_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
-## Connect to fenced with an unix
|
|
-## domain stream socket.
|
|
+## Connect to fenced over a unix domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -223,8 +214,7 @@ interface(`rhcs_stream_connect_fenced',`
|
|
|
|
#####################################
|
|
## <summary>
|
|
-## Execute a domain transition
|
|
-## to run gfs_controld.
|
|
+## Execute a domain transition to run gfs_controld.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -243,7 +233,7 @@ interface(`rhcs_domtrans_gfs_controld',`
|
|
|
|
####################################
|
|
## <summary>
|
|
-## Read and write gfs_controld semaphores.
|
|
+## Allow read and write access to gfs_controld semaphores.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -264,7 +254,7 @@ interface(`rhcs_rw_gfs_controld_semaphores',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write gfs_controld_t shared memory.
|
|
+## Read and write to gfs_controld_t shared memory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -285,8 +275,7 @@ interface(`rhcs_rw_gfs_controld_shm',`
|
|
|
|
#####################################
|
|
## <summary>
|
|
-## Connect to gfs_controld_t with
|
|
-## a unix domain stream socket.
|
|
+## Connect to gfs_controld_t over a unix domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -324,8 +313,8 @@ interface(`rhcs_domtrans_groupd',`
|
|
|
|
#####################################
|
|
## <summary>
|
|
-## Connect to groupd with a unix
|
|
-## domain stream socket.
|
|
+## Connect to groupd over a unix domain
|
|
+## stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -342,10 +331,51 @@ interface(`rhcs_stream_connect_groupd',`
|
|
stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t)
|
|
')
|
|
|
|
+#####################################
|
|
+## <summary>
|
|
+## Allow read and write access to groupd semaphores.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhcs_rw_groupd_semaphores',`
|
|
+ gen_require(`
|
|
+ type groupd_t, groupd_tmpfs_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 groupd_t:sem { rw_sem_perms destroy };
|
|
+
|
|
+ fs_search_tmpfs($1)
|
|
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read and write to group shared memory.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhcs_rw_groupd_shm',`
|
|
+ gen_require(`
|
|
+ type groupd_t, groupd_tmpfs_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 groupd_t:shm { rw_shm_perms destroy };
|
|
+
|
|
+ fs_search_tmpfs($1)
|
|
+ manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
-## Read and write all cluster domains
|
|
-## shared memory.
|
|
+## Read and write to group shared memory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -366,8 +396,7 @@ interface(`rhcs_rw_cluster_shm',`
|
|
|
|
####################################
|
|
## <summary>
|
|
-## Read and write all cluster
|
|
-## domains semaphores.
|
|
+## Read and write access to cluster domains semaphores.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -383,9 +412,10 @@ interface(`rhcs_rw_cluster_semaphores',`
|
|
allow $1 cluster_domain:sem { rw_sem_perms destroy };
|
|
')
|
|
|
|
-#####################################
|
|
+####################################
|
|
## <summary>
|
|
-## Read and write groupd semaphores.
|
|
+## Connect to cluster domains over a unix domain
|
|
+## stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -393,36 +423,39 @@ interface(`rhcs_rw_cluster_semaphores',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`rhcs_rw_groupd_semaphores',`
|
|
+interface(`rhcs_stream_connect_cluster',`
|
|
gen_require(`
|
|
- type groupd_t, groupd_tmpfs_t;
|
|
+ attribute cluster_domain, cluster_pid;
|
|
')
|
|
|
|
- allow $1 groupd_t:sem { rw_sem_perms destroy };
|
|
-
|
|
- fs_search_tmpfs($1)
|
|
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, cluster_pid, cluster_pid, cluster_domain)
|
|
')
|
|
|
|
-########################################
|
|
+#####################################
|
|
## <summary>
|
|
-## Read and write groupd shared memory.
|
|
+## Connect to cluster domains over a unix domain
|
|
+## stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
#
|
|
-interface(`rhcs_rw_groupd_shm',`
|
|
+interface(`rhcs_stream_connect_cluster_to',`
|
|
gen_require(`
|
|
- type groupd_t, groupd_tmpfs_t;
|
|
+ attribute cluster_domain;
|
|
+ attribute cluster_pid;
|
|
')
|
|
|
|
- allow $1 groupd_t:shm { rw_shm_perms destroy };
|
|
-
|
|
- fs_search_tmpfs($1)
|
|
- manage_files_pattern($1, groupd_tmpfs_t, groupd_tmpfs_t)
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, cluster_pid, cluster_pid, $2)
|
|
')
|
|
|
|
######################################
|
|
@@ -446,52 +479,360 @@ interface(`rhcs_domtrans_qdiskd',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an rhcs environment.
|
|
+## Allow domain to read qdiskd tmpfs files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+#
|
|
+interface(`rhcs_read_qdiskd_tmpfs_files',`
|
|
+ gen_require(`
|
|
+ type qdiskd_tmpfs_t;
|
|
+ ')
|
|
+
|
|
+ fs_search_tmpfs($1)
|
|
+ allow $1 qdiskd_tmpfs_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Allow domain to read cluster lib files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`rhcs_admin',`
|
|
+interface(`rhcs_read_cluster_lib_files',`
|
|
gen_require(`
|
|
- attribute cluster_domain, cluster_pid, cluster_tmpfs;
|
|
- attribute cluster_log;
|
|
- type dlm_controld_initrc_exec_t, foghorn_initrc_exec_t, fenced_lock_t;
|
|
- type fenced_tmp_t, qdiskd_var_lib_t;
|
|
+ type cluster_var_lib_t;
|
|
')
|
|
|
|
- allow $1 cluster_domain:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, cluster_domain)
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Allow domain to manage cluster lib files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhcs_manage_cluster_lib_files',`
|
|
+ gen_require(`
|
|
+ type cluster_var_lib_t;
|
|
+ ')
|
|
|
|
- init_labeled_script_domtrans($1, { dlm_controld_initrc_exec_t foghorn_initrc_exec_t })
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 { dlm_controld_initrc_exec_t foghorn_initrc_exec_t } system_r;
|
|
- allow $2 system_r;
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
|
|
+')
|
|
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, cluster_pid)
|
|
+####################################
|
|
+## <summary>
|
|
+## Allow domain to relabel cluster lib files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhcs_relabel_cluster_lib_files',`
|
|
+ gen_require(`
|
|
+ type cluster_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ relabelto_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
|
|
+ relabelfrom_files_pattern($1, cluster_var_lib_t, cluster_var_lib_t)
|
|
+')
|
|
|
|
- files_search_locks($1)
|
|
- admin_pattern($1, fenced_lock_t)
|
|
+######################################
|
|
+## <summary>
|
|
+## Execute a domain transition to run cluster administrative domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhcs_domtrans_cluster',`
|
|
+ gen_require(`
|
|
+ type cluster_t, cluster_exec_t;
|
|
+ ')
|
|
|
|
- files_search_tmp($1)
|
|
- admin_pattern($1, fenced_tmp_t)
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, cluster_exec_t, cluster_t)
|
|
+')
|
|
|
|
- files_search_var_lib($1)
|
|
- admin_pattern($1, qdiskd_var_lib_t)
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute cluster init scripts in
|
|
+## the init script domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhcs_initrc_domtrans_cluster',`
|
|
+ gen_require(`
|
|
+ type cluster_initrc_exec_t;
|
|
+ ')
|
|
|
|
- fs_search_tmpfs($1)
|
|
- admin_pattern($1, cluster_tmpfs)
|
|
+ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Execute cluster in the caller domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhcs_exec_cluster',`
|
|
+ gen_require(`
|
|
+ type cluster_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ can_exec($1, cluster_exec_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Read cluster log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhcs_read_log_cluster',`
|
|
+ gen_require(`
|
|
+ type cluster_var_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ list_dirs_pattern($1, cluster_var_log_t, cluster_var_log_t)
|
|
+ read_files_pattern($1, cluster_var_log_t, cluster_var_log_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Setattr cluster log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhcs_setattr_log_cluster',`
|
|
+ gen_require(`
|
|
+ type cluster_var_log_t;
|
|
+ ')
|
|
+
|
|
+ setattr_files_pattern($1, cluster_var_log_t, cluster_var_log_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Allow the specified domain to read/write inherited cluster's tmpf files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhcs_rw_inherited_cluster_tmp_files',`
|
|
+ gen_require(`
|
|
+ type cluster_tmp_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 cluster_tmp_t:file rw_inherited_file_perms;
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Allow manage cluster tmp files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhcs_manage_cluster_tmp_files',`
|
|
+ gen_require(`
|
|
+ type cluster_tmp_t;
|
|
+ ')
|
|
+
|
|
+ files_search_tmp($1)
|
|
+ manage_files_pattern($1, cluster_tmp_t, cluster_tmp_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Allow the specified domain to read/write cluster's tmpfs files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhcs_rw_cluster_tmpfs',`
|
|
+ gen_require(`
|
|
+ type cluster_tmpfs_t;
|
|
+ ')
|
|
+
|
|
+ rw_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Allow manage cluster tmpfs files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhcs_manage_cluster_tmpfs_files',`
|
|
+ gen_require(`
|
|
+ type cluster_tmpfs_t;
|
|
+ ')
|
|
+
|
|
+ fs_search_tmpfs($1)
|
|
+ manage_files_pattern($1, cluster_tmpfs_t, cluster_tmpfs_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Allow read cluster pid files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhcs_read_cluster_pid_files',`
|
|
+ gen_require(`
|
|
+ type cluster_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ read_files_pattern($1, cluster_var_run_t, cluster_var_run_t)
|
|
+')
|
|
+
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Allow manage cluster pid files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhcs_manage_cluster_pid_files',`
|
|
+ gen_require(`
|
|
+ type cluster_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ manage_files_pattern($1, cluster_var_run_t, cluster_var_run_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute cluster server in the cluster domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhcs_systemctl_cluster',`
|
|
+ gen_require(`
|
|
+ type cluster_t;
|
|
+ type cluster_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 cluster_unit_file_t:file read_file_perms;
|
|
+ allow $1 cluster_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, cluster_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an cluster environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed to manage the rgmanager domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`rhcs_admin_cluster',`
|
|
+ gen_require(`
|
|
+ type cluster_t, cluster_initrc_exec_t, cluster_tmp_t;
|
|
+ type cluster_tmpfs_t, cluster_var_log_t, cluster_var_run_t;
|
|
+ type cluster_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 cluster_t:process signal_perms;
|
|
+ ps_process_pattern($1, cluster_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 cluster_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, cluster_initrc_exec_t)
|
|
+ domain_system_change_exemption($1)
|
|
+ role_transition $2 cluster_initrc_exec_t system_r;
|
|
+ allow $2 system_r;
|
|
+
|
|
+ files_list_tmp($1)
|
|
+ admin_pattern($1, cluster_tmp_t)
|
|
+
|
|
+ admin_pattern($1, cluster_tmpfs_t)
|
|
+
|
|
+ logging_list_logs($1)
|
|
+ admin_pattern($1, cluster_var_log_t)
|
|
+
|
|
+ files_list_pids($1)
|
|
+ admin_pattern($1, cluster_var_run_t)
|
|
|
|
- logging_search_logs($1)
|
|
- admin_pattern($1, cluster_log)
|
|
+ rhcs_systemctl_cluster($1)
|
|
+ admin_pattern($1, cluster_unit_file_t)
|
|
+ allow $1 cluster_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/rhcs.te b/rhcs.te
|
|
index 6cf79c4..d4169cb 100644
|
|
--- a/rhcs.te
|
|
+++ b/rhcs.te
|
|
@@ -20,6 +20,27 @@ gen_tunable(fenced_can_network_connect, false)
|
|
## </desc>
|
|
gen_tunable(fenced_can_ssh, false)
|
|
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow cluster administrative domains to connect to the network using TCP.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(cluster_can_network_connect, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow cluster administrative domains to manage all files on a system.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(cluster_manage_all_files, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow cluster administrative cluster domains memcheck-amd64- to use executable memory
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(cluster_use_execmem, false)
|
|
+
|
|
attribute cluster_domain;
|
|
attribute cluster_log;
|
|
attribute cluster_pid;
|
|
@@ -44,34 +65,283 @@ type foghorn_initrc_exec_t;
|
|
init_script_file(foghorn_initrc_exec_t)
|
|
|
|
rhcs_domain_template(gfs_controld)
|
|
+rhcs_domain_template(haproxy)
|
|
+
|
|
+type haproxy_var_lib_t;
|
|
+files_type(haproxy_var_lib_t)
|
|
+
|
|
+type haproxy_unit_file_t;
|
|
+systemd_unit_file(haproxy_unit_file_t)
|
|
+
|
|
rhcs_domain_template(groupd)
|
|
rhcs_domain_template(qdiskd)
|
|
|
|
type qdiskd_var_lib_t;
|
|
files_type(qdiskd_var_lib_t)
|
|
|
|
+# cluster_t is a new domain for administrative generic cluster services
|
|
+# (rgmanager, corosync, hearbeat, cman, pacemaker)
|
|
+rhcs_domain_template(cluster)
|
|
+
|
|
+typealias cluster_t alias { aisexec_t corosync_t pacemaker_t rgmanager_t };
|
|
+typealias cluster_exec_t alias { aisexec_exec_t corosync_exec_t pacemaker_exec_t rgmanager_exec_t };
|
|
+typealias cluster_tmpfs_t alias { aisexec_tmpfs_t corosync_tmpfs_t pacemaker_tmpfs_t rgmanager_tmpfs_t };
|
|
+typealias cluster_var_log_t alias { aisexec_var_log_t corosync_var_log_t rgmanager_var_log_t };
|
|
+typealias cluster_var_run_t alias { aisexec_var_run_t corosync_var_run_t pacemaker_var_run_t rgmanager_var_run_t };
|
|
+
|
|
+type cluster_initrc_exec_t;
|
|
+typealias cluster_initrc_exec_t alias { aisexec_initrc_exec_t corosync_initrc_exec_t pacemaker_initrc_exec_t rgmanager_initrc_exec_t };
|
|
+init_script_file(cluster_initrc_exec_t)
|
|
+
|
|
+type cluster_tmp_t;
|
|
+typealias cluster_tmp_t alias { aisexec_tmp_t corosync_tmp_t pacemaker_tmp_t rgmanager_tmp_t };
|
|
+files_tmp_file(cluster_tmp_t)
|
|
+
|
|
+type cluster_var_lib_t;
|
|
+typealias cluster_var_lib_t alias { aisexec_var_lib_t corosync_var_lib_t pacemaker_var_lib_t rgmanager_var_lib_t };
|
|
+files_type(cluster_var_lib_t)
|
|
+
|
|
+type cluster_unit_file_t;
|
|
+typealias cluster_unit_file_t alias { corosync_unit_file_t pacemaker_unit_file_t };
|
|
+systemd_unit_file(cluster_unit_file_t)
|
|
+
|
|
#####################################
|
|
#
|
|
# Common cluster domains local policy
|
|
#
|
|
|
|
allow cluster_domain self:capability sys_nice;
|
|
-allow cluster_domain self:process setsched;
|
|
+allow cluster_domain self:process { signal setsched };
|
|
allow cluster_domain self:sem create_sem_perms;
|
|
allow cluster_domain self:fifo_file rw_fifo_file_perms;
|
|
allow cluster_domain self:unix_stream_socket create_stream_socket_perms;
|
|
allow cluster_domain self:unix_dgram_socket create_socket_perms;
|
|
|
|
-logging_send_syslog_msg(cluster_domain)
|
|
+manage_dirs_pattern(cluster_domain, cluster_log, cluster_log)
|
|
+manage_files_pattern(cluster_domain, cluster_log, cluster_log)
|
|
+manage_sock_files_pattern(cluster_domain, cluster_log, cluster_log)
|
|
|
|
-miscfiles_read_localization(cluster_domain)
|
|
+tunable_policy(`cluster_use_execmem',`
|
|
+ allow cluster_domain self:process execmem;
|
|
+')
|
|
|
|
optional_policy(`
|
|
ccs_stream_connect(cluster_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
- corosync_stream_connect(cluster_domain)
|
|
+ dbus_system_bus_client(cluster_domain)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+#
|
|
+# cluster domain local policy
|
|
+#
|
|
+
|
|
+allow cluster_t self:capability { dac_override fowner setuid setgid sys_nice sys_admin sys_resource ipc_lock ipc_owner };
|
|
+# for hearbeat
|
|
+allow cluster_t self:capability { net_raw chown };
|
|
+allow cluster_t self:capability2 block_suspend;
|
|
+allow cluster_t self:process { setpgid setrlimit setsched signull };
|
|
+
|
|
+allow cluster_t self:tcp_socket create_stream_socket_perms;
|
|
+allow cluster_t self:shm create_shm_perms;
|
|
+
|
|
+manage_dirs_pattern(cluster_t, cluster_tmp_t, cluster_tmp_t)
|
|
+manage_files_pattern(cluster_t, cluster_tmp_t, cluster_tmp_t)
|
|
+files_tmp_filetrans(cluster_t, cluster_tmp_t, { file dir })
|
|
+
|
|
+can_exec(cluster_t, cluster_var_lib_t)
|
|
+manage_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
|
|
+manage_dirs_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
|
|
+manage_sock_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
|
|
+manage_fifo_files_pattern(cluster_t, cluster_var_lib_t,cluster_var_lib_t)
|
|
+files_var_lib_filetrans(cluster_t,cluster_var_lib_t, { file dir fifo_file sock_file })
|
|
+
|
|
+can_exec(cluster_t, cluster_exec_t)
|
|
+
|
|
+kernel_kill(cluster_t)
|
|
+kernel_read_all_sysctls(cluster_t)
|
|
+kernel_read_system_state(cluster_t)
|
|
+kernel_rw_rpc_sysctls(cluster_t)
|
|
+kernel_search_debugfs(cluster_t)
|
|
+kernel_search_network_state(cluster_t)
|
|
+
|
|
+corecmd_exec_bin(cluster_t)
|
|
+corecmd_exec_shell(cluster_t)
|
|
+
|
|
+corenet_all_recvfrom_unlabeled(cluster_t)
|
|
+corenet_all_recvfrom_netlabel(cluster_t)
|
|
+corenet_udp_sendrecv_generic_if(cluster_t)
|
|
+corenet_udp_sendrecv_generic_node(cluster_t)
|
|
+corenet_udp_bind_generic_node(cluster_t)
|
|
+
|
|
+corenet_sendrecv_netsupport_server_packets(cluster_t)
|
|
+corenet_udp_bind_netsupport_port(cluster_t)
|
|
+corenet_udp_sendrecv_netsupport_port(cluster_t)
|
|
+
|
|
+corenet_sendrecv_cluster_server_packets(cluster_t)
|
|
+corenet_udp_bind_cluster_port(cluster_t)
|
|
+corenet_udp_sendrecv_cluster_port(cluster_t)
|
|
+
|
|
+# need to write to /dev/misc/dlm-contro
|
|
+dev_rw_dlm_control(cluster_t)
|
|
+dev_setattr_dlm_control(cluster_t)
|
|
+dev_read_sysfs(cluster_t)
|
|
+dev_read_rand(cluster_t)
|
|
+dev_read_urand(cluster_t)
|
|
+
|
|
+domain_read_all_domains_state(cluster_t)
|
|
+
|
|
+fs_getattr_xattr_fs(cluster_t)
|
|
+fs_getattr_all_fs(cluster_t)
|
|
+
|
|
+storage_raw_read_fixed_disk(cluster_t)
|
|
+
|
|
+term_getattr_pty_fs(cluster_t)
|
|
+
|
|
+files_manage_mounttab(cluster_t)
|
|
+# needed by resources scripts
|
|
+files_read_non_security_files(cluster_t)
|
|
+auth_dontaudit_getattr_shadow(cluster_t)
|
|
+
|
|
+init_domtrans_script(cluster_t)
|
|
+init_initrc_domain(cluster_t)
|
|
+init_read_script_state(cluster_t)
|
|
+init_rw_script_tmp_files(cluster_t)
|
|
+init_manage_script_status_files(cluster_t)
|
|
+
|
|
+userdom_read_user_tmp_files(cluster_t)
|
|
+userdom_delete_user_tmpfs_files(cluster_t)
|
|
+userdom_rw_user_tmpfs_files(cluster_t)
|
|
+userdom_kill_all_users(cluster_t)
|
|
+
|
|
+tunable_policy(`cluster_can_network_connect',`
|
|
+ corenet_tcp_connect_all_ports(cluster_t)
|
|
+')
|
|
+
|
|
+# we need to have dirs created with var_run_t in /run/cluster
|
|
+files_create_var_run_dirs(cluster_t)
|
|
+
|
|
+tunable_policy(`cluster_manage_all_files',`
|
|
+ files_getattr_all_symlinks(cluster_t)
|
|
+ files_list_all(cluster_t)
|
|
+ files_manage_mnt_dirs(cluster_t)
|
|
+ files_manage_mnt_files(cluster_t)
|
|
+ files_manage_mnt_symlinks(cluster_t)
|
|
+ files_manage_isid_type_files(cluster_t)
|
|
+ files_manage_isid_type_dirs(cluster_t)
|
|
+ fs_manage_tmpfs_files(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ccs_read_config(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ cmirrord_rw_shm(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ consoletype_exec(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ lvm_domtrans(cluster_t)
|
|
+ lvm_rw_clvmd_tmpfs_files(cluster_t)
|
|
+ lvm_delete_clvmd_tmpfs_files(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ fstools_domtrans(cluster_t)
|
|
+')
|
|
+
|
|
+
|
|
+optional_policy(`
|
|
+ hostname_exec(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ccs_manage_config(cluster_t)
|
|
+ ccs_stream_connect(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ldap_systemctl(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mount_domtrans(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mysql_domtrans_mysql_safe(cluster_t)
|
|
+ mysql_stream_connect(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ netutils_domtrans(cluster_t)
|
|
+ netutils_domtrans_ping(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ postgresql_signal(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rhcs_getattr_fenced(cluster_t)
|
|
+ rhcs_rw_cluster_shm(cluster_t)
|
|
+ rhcs_rw_cluster_semaphores(cluster_t)
|
|
+ rhcs_stream_connect_cluster(cluster_t)
|
|
+ rhcs_relabel_cluster_lib_files(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rdisc_exec(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ricci_dontaudit_rw_modcluster_pipes(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rpc_systemctl_nfsd(cluster_t)
|
|
+ rpc_systemctl_rpcd(cluster_t)
|
|
+
|
|
+ rpc_domtrans_nfsd(cluster_t)
|
|
+ rpc_domtrans_rpcd(cluster_t)
|
|
+ rpc_manage_nfs_state_data(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ samba_manage_var_files(cluster_t)
|
|
+ samba_rw_config(cluster_t)
|
|
+ samba_signal_smbd(cluster_t)
|
|
+ samba_signal_nmbd(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ sysnet_domtrans_ifconfig(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ udev_read_db(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ virt_stream_connect(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_domain(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ wdmd_rw_tmpfs(cluster_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ xen_domtrans_xm(cluster_t)
|
|
')
|
|
|
|
#####################################
|
|
@@ -79,7 +349,7 @@ optional_policy(`
|
|
# dlm_controld local policy
|
|
#
|
|
|
|
-allow dlm_controld_t self:capability { net_admin sys_admin sys_resource };
|
|
+allow dlm_controld_t self:capability { dac_override net_admin sys_admin sys_resource };
|
|
allow dlm_controld_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
stream_connect_pattern(dlm_controld_t, fenced_var_run_t, fenced_var_run_t, fenced_t)
|
|
@@ -98,16 +368,30 @@ fs_manage_configfs_dirs(dlm_controld_t)
|
|
|
|
init_rw_script_tmp_files(dlm_controld_t)
|
|
|
|
+logging_send_syslog_msg(dlm_controld_t)
|
|
+
|
|
+optional_policy(`
|
|
+ corosync_rw_tmpfs(dlm_controld_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rhcs_stream_connect_cluster(dlm_controld_t)
|
|
+')
|
|
+
|
|
#######################################
|
|
#
|
|
# fenced local policy
|
|
#
|
|
|
|
allow fenced_t self:capability { sys_rawio sys_resource };
|
|
-allow fenced_t self:process { getsched signal_perms };
|
|
-allow fenced_t self:tcp_socket { accept listen };
|
|
+allow fenced_t self:process { getsched setpgid signal_perms };
|
|
+
|
|
+allow fenced_t self:tcp_socket create_stream_socket_perms;
|
|
+allow fenced_t self:udp_socket create_socket_perms;
|
|
allow fenced_t self:unix_stream_socket connectto;
|
|
|
|
+can_exec(fenced_t, fenced_exec_t)
|
|
+
|
|
manage_files_pattern(fenced_t, fenced_lock_t, fenced_lock_t)
|
|
files_lock_filetrans(fenced_t, fenced_lock_t, file)
|
|
|
|
@@ -118,9 +402,8 @@ files_tmp_filetrans(fenced_t, fenced_tmp_t, { file fifo_file dir })
|
|
|
|
stream_connect_pattern(fenced_t, groupd_var_run_t, groupd_var_run_t, groupd_t)
|
|
|
|
-can_exec(fenced_t, fenced_exec_t)
|
|
-
|
|
kernel_read_system_state(fenced_t)
|
|
+kernel_read_network_state(fenced_t)
|
|
|
|
corecmd_exec_bin(fenced_t)
|
|
corecmd_exec_shell(fenced_t)
|
|
@@ -148,9 +431,7 @@ corenet_tcp_sendrecv_http_port(fenced_t)
|
|
|
|
dev_read_sysfs(fenced_t)
|
|
dev_read_urand(fenced_t)
|
|
-
|
|
-files_read_usr_files(fenced_t)
|
|
-files_read_usr_symlinks(fenced_t)
|
|
+dev_read_rand(fenced_t)
|
|
|
|
storage_raw_read_fixed_disk(fenced_t)
|
|
storage_raw_write_fixed_disk(fenced_t)
|
|
@@ -160,7 +441,7 @@ term_getattr_pty_fs(fenced_t)
|
|
term_use_generic_ptys(fenced_t)
|
|
term_use_ptmx(fenced_t)
|
|
|
|
-auth_use_nsswitch(fenced_t)
|
|
+logging_send_syslog_msg(fenced_t)
|
|
|
|
tunable_policy(`fenced_can_network_connect',`
|
|
corenet_sendrecv_all_client_packets(fenced_t)
|
|
@@ -182,7 +463,8 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- corosync_exec(fenced_t)
|
|
+ rhcs_exec_cluster(fenced_t)
|
|
+ rhcs_rw_cluster_tmpfs(fenced_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -190,12 +472,12 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- gnome_read_generic_home_content(fenced_t)
|
|
+ lvm_domtrans(fenced_t)
|
|
+ lvm_read_config(fenced_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- lvm_domtrans(fenced_t)
|
|
- lvm_read_config(fenced_t)
|
|
+ sanlock_domtrans(fenced_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -203,6 +485,13 @@ optional_policy(`
|
|
snmp_manage_var_lib_dirs(fenced_t)
|
|
')
|
|
|
|
+optional_policy(`
|
|
+ virt_domtrans(fenced_t)
|
|
+ virt_read_config(fenced_t)
|
|
+ virt_read_pid_files(fenced_t)
|
|
+ virt_stream_connect(fenced_t)
|
|
+')
|
|
+
|
|
#######################################
|
|
#
|
|
# foghorn local policy
|
|
@@ -221,16 +510,18 @@ corenet_sendrecv_agentx_client_packets(foghorn_t)
|
|
corenet_tcp_connect_agentx_port(foghorn_t)
|
|
corenet_tcp_sendrecv_agentx_port(foghorn_t)
|
|
|
|
+corenet_tcp_connect_snmp_port(foghorn_t)
|
|
+
|
|
dev_read_urand(foghorn_t)
|
|
|
|
-files_read_usr_files(foghorn_t)
|
|
+logging_send_syslog_msg(foghorn_t)
|
|
|
|
optional_policy(`
|
|
dbus_connect_system_bus(foghorn_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- snmp_read_snmp_var_lib_files(foghorn_t)
|
|
+ snmp_manage_var_lib_files(foghorn_t)
|
|
snmp_stream_connect(foghorn_t)
|
|
')
|
|
|
|
@@ -257,6 +548,8 @@ storage_getattr_removable_dev(gfs_controld_t)
|
|
|
|
init_rw_script_tmp_files(gfs_controld_t)
|
|
|
|
+logging_send_syslog_msg(gfs_controld_t)
|
|
+
|
|
optional_policy(`
|
|
lvm_exec(gfs_controld_t)
|
|
dev_rw_lvm_control(gfs_controld_t)
|
|
@@ -275,10 +568,39 @@ domtrans_pattern(groupd_t, fenced_exec_t, fenced_t)
|
|
|
|
dev_list_sysfs(groupd_t)
|
|
|
|
-files_read_etc_files(groupd_t)
|
|
-
|
|
init_rw_script_tmp_files(groupd_t)
|
|
|
|
+logging_send_syslog_msg(groupd_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# haproxy local policy
|
|
+#
|
|
+
|
|
+# bug in haproxy and process vs pid owner
|
|
+allow haproxy_t self:capability dac_override;
|
|
+
|
|
+allow haproxy_t self:capability { chown setgid setuid sys_chroot sys_resource };
|
|
+allow haproxy_t self:process { fork setrlimit signal_perms };
|
|
+allow haproxy_t self:fifo_file rw_fifo_file_perms;
|
|
+allow haproxy_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow haproxy_t self:tcp_socket { accept listen };
|
|
+
|
|
+manage_dirs_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
|
|
+manage_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
|
|
+manage_lnk_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
|
|
+manage_sock_files_pattern(haproxy_t, haproxy_var_lib_t, haproxy_var_lib_t)
|
|
+files_var_lib_filetrans(haproxy_t, haproxy_var_lib_t, { dir file lnk_file })
|
|
+
|
|
+corenet_tcp_connect_commplex_link_port(haproxy_t)
|
|
+corenet_tcp_connect_commplex_main_port(haproxy_t)
|
|
+corenet_tcp_bind_commplex_main_port(haproxy_t)
|
|
+
|
|
+corenet_tcp_connect_fmpro_internal_port(haproxy_t)
|
|
+corenet_tcp_connect_rtp_media_port(haproxy_t)
|
|
+
|
|
+sysnet_dns_name_resolve(haproxy_t)
|
|
+
|
|
######################################
|
|
#
|
|
# qdiskd local policy
|
|
@@ -321,6 +643,8 @@ storage_raw_write_fixed_disk(qdiskd_t)
|
|
|
|
auth_use_nsswitch(qdiskd_t)
|
|
|
|
+logging_send_syslog_msg(qdiskd_t)
|
|
+
|
|
optional_policy(`
|
|
netutils_domtrans_ping(qdiskd_t)
|
|
')
|
|
diff --git a/rhev.fc b/rhev.fc
|
|
new file mode 100644
|
|
index 0000000..4b66adf
|
|
--- /dev/null
|
|
+++ b/rhev.fc
|
|
@@ -0,0 +1,13 @@
|
|
+/usr/share/rhev-agent/rhev-agentd\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
|
|
+/usr/share/ovirt-guest-agent -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
|
|
+
|
|
+/usr/share/rhev-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
|
|
+/usr/share/ovirt-guest-agent/LockActiveSession\.py -- gen_context(system_u:object_r:rhev_agentd_exec_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/ovirt-guest-agent.* -- gen_context(system_u:object_r:rhev_agentd_unit_file_t,s0)
|
|
+
|
|
+/var/run/rhev-agentd\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
|
|
+/var/run/ovirt-guest-agent\.pid -- gen_context(system_u:object_r:rhev_agentd_var_run_t,s0)
|
|
+
|
|
+/var/log/rhev-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0)
|
|
+/var/log/ovirt-guest-agent(/.*)? gen_context(system_u:object_r:rhev_agentd_log_t,s0)
|
|
diff --git a/rhev.if b/rhev.if
|
|
new file mode 100644
|
|
index 0000000..bf11e25
|
|
--- /dev/null
|
|
+++ b/rhev.if
|
|
@@ -0,0 +1,76 @@
|
|
+## <summary>rhev polic module contains policies for rhev apps</summary>
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Execute rhev-agentd in the rhev_agentd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhev_domtrans_agentd',`
|
|
+ gen_require(`
|
|
+ type rhev_agentd_t, rhev_agentd_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, rhev_agentd_exec_t, rhev_agentd_t)
|
|
+')
|
|
+
|
|
+####################################
|
|
+## <summary>
|
|
+## Read rhev-agentd PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhev_read_pid_files_agentd',`
|
|
+ gen_require(`
|
|
+ type rhev_agentd_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ read_files_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Connect to rhev_agentd over a unix domain
|
|
+## stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhev_stream_connect_agentd',`
|
|
+ gen_require(`
|
|
+ type rhev_agentd_var_run_t, rhev_agentd_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, rhev_agentd_var_run_t, rhev_agentd_var_run_t, rhev_agentd_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Send sigchld to rhev-agentd
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhev_sigchld_agentd',`
|
|
+ gen_require(`
|
|
+ type rhev_agentd_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 rhev_agentd_t:process sigchld;
|
|
+')
|
|
diff --git a/rhev.te b/rhev.te
|
|
new file mode 100644
|
|
index 0000000..26f7884
|
|
--- /dev/null
|
|
+++ b/rhev.te
|
|
@@ -0,0 +1,116 @@
|
|
+policy_module(rhev,1.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type rhev_agentd_t;
|
|
+type rhev_agentd_exec_t;
|
|
+init_daemon_domain(rhev_agentd_t, rhev_agentd_exec_t)
|
|
+
|
|
+type rhev_agentd_unit_file_t;
|
|
+systemd_unit_file(rhev_agentd_unit_file_t)
|
|
+
|
|
+type rhev_agentd_var_run_t;
|
|
+files_pid_file(rhev_agentd_var_run_t)
|
|
+
|
|
+type rhev_agentd_tmp_t;
|
|
+files_tmp_file(rhev_agentd_tmp_t)
|
|
+
|
|
+type rhev_agentd_log_t;
|
|
+logging_log_file(rhev_agentd_log_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# rhev_agentd_t local policy
|
|
+#
|
|
+
|
|
+allow rhev_agentd_t self:capability { setuid setgid sys_nice };
|
|
+allow rhev_agentd_t self:process setsched;
|
|
+
|
|
+allow rhev_agentd_t self:fifo_file rw_fifo_file_perms;
|
|
+allow rhev_agentd_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
|
|
+manage_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
|
|
+manage_sock_files_pattern(rhev_agentd_t, rhev_agentd_var_run_t, rhev_agentd_var_run_t)
|
|
+files_pid_filetrans(rhev_agentd_t, rhev_agentd_var_run_t, { dir file sock_file })
|
|
+
|
|
+manage_files_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
|
|
+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_log_t, rhev_agentd_log_t)
|
|
+logging_log_filetrans(rhev_agentd_t, rhev_agentd_log_t, { dir file })
|
|
+
|
|
+manage_dirs_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
|
|
+manage_files_pattern(rhev_agentd_t, rhev_agentd_tmp_t, rhev_agentd_tmp_t)
|
|
+files_tmp_filetrans(rhev_agentd_t, rhev_agentd_tmp_t, { file dir })
|
|
+can_exec(rhev_agentd_t, rhev_agentd_tmp_t)
|
|
+
|
|
+kernel_read_system_state(rhev_agentd_t)
|
|
+kernel_read_kernel_sysctls(rhev_agentd_t)
|
|
+
|
|
+corecmd_exec_bin(rhev_agentd_t)
|
|
+corecmd_exec_shell(rhev_agentd_t)
|
|
+
|
|
+dev_read_urand(rhev_agentd_t)
|
|
+
|
|
+term_use_virtio_console(rhev_agentd_t)
|
|
+
|
|
+fs_getattr_all_fs(rhev_agentd_t)
|
|
+
|
|
+files_getattr_all_mountpoints(rhev_agentd_t)
|
|
+files_search_all_mountpoints(rhev_agentd_t)
|
|
+
|
|
+auth_use_nsswitch(rhev_agentd_t)
|
|
+
|
|
+init_read_utmp(rhev_agentd_t)
|
|
+
|
|
+libs_exec_ldconfig(rhev_agentd_t)
|
|
+logging_send_syslog_msg(rhev_agentd_t)
|
|
+
|
|
+optional_policy(`
|
|
+ rpm_read_db(rhev_agentd_t)
|
|
+ rpm_dontaudit_manage_db(rhev_agentd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ssh_signull(rhev_agentd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dbus_system_bus_client(rhev_agentd_t)
|
|
+ dbus_connect_system_bus(rhev_agentd_t)
|
|
+ dbus_session_bus_client(rhev_agentd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ xserver_dbus_chat_xdm(rhev_agentd_t)
|
|
+ xserver_stream_connect(rhev_agentd_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+#
|
|
+# rhev_agentd_t consolehelper local policy
|
|
+#
|
|
+
|
|
+optional_policy(`
|
|
+ userhelper_console_role_template(rhev_agentd, system_r, rhev_agentd_t)
|
|
+
|
|
+ allow rhev_agentd_consolehelper_t rhev_agentd_log_t:file rw_inherited_file_perms;
|
|
+ allow rhev_agentd_consolehelper_t rhev_agentd_tmp_t:file rw_inherited_file_perms;
|
|
+
|
|
+ can_exec(rhev_agentd_consolehelper_t, rhev_agentd_exec_t)
|
|
+ kernel_read_system_state(rhev_agentd_consolehelper_t)
|
|
+
|
|
+ term_use_virtio_console(rhev_agentd_consolehelper_t)
|
|
+
|
|
+ corenet_tcp_connect_xserver_port(rhev_agentd_consolehelper_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ dbus_session_bus_client(rhev_agentd_consolehelper_t)
|
|
+ ')
|
|
+
|
|
+ optional_policy(`
|
|
+ unconfined_dbus_chat(rhev_agentd_consolehelper_t)
|
|
+ ')
|
|
+')
|
|
diff --git a/rhgb.if b/rhgb.if
|
|
index 1a134a7..793a29f 100644
|
|
--- a/rhgb.if
|
|
+++ b/rhgb.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary> Red Hat Graphical Boot.</summary>
|
|
+## <summary> Red Hat Graphical Boot </summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -18,7 +18,7 @@ interface(`rhgb_stub',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Inherit and use rhgb file descriptors.
|
|
+## Use a rhgb file descriptor.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -54,7 +54,7 @@ interface(`rhgb_getpgid',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send generic signals to rhgb.
|
|
+## Send a signal to rhgb.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -72,8 +72,7 @@ interface(`rhgb_signal',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write inherited rhgb unix
|
|
-## domain stream sockets.
|
|
+## Read and write to unix stream sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -110,8 +109,7 @@ interface(`rhgb_dontaudit_rw_stream_sockets',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connected to rhgb with a unix
|
|
-## domain stream socket.
|
|
+## Connected to rhgb unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -121,11 +119,10 @@ interface(`rhgb_dontaudit_rw_stream_sockets',`
|
|
#
|
|
interface(`rhgb_stream_connect',`
|
|
gen_require(`
|
|
- type rhgb_t, rhgb_tmpfs_t;
|
|
+ type rhgb_t;
|
|
')
|
|
|
|
- fs_search_tmpfs($1)
|
|
- stream_connect_pattern($1, rhgb_tmpfs_t, rhgb_tmpfs_t, rhgb_t)
|
|
+ allow $1 rhgb_t:unix_stream_socket connectto;
|
|
')
|
|
|
|
########################################
|
|
@@ -148,7 +145,7 @@ interface(`rhgb_rw_shm',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write rhgb pty devices.
|
|
+## Read from and write to the rhgb devpts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -161,14 +158,12 @@ interface(`rhgb_use_ptys',`
|
|
type rhgb_devpts_t;
|
|
')
|
|
|
|
- dev_list_all_dev_nodes($1)
|
|
allow $1 rhgb_devpts_t:chr_file rw_term_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to read and
|
|
-## write rhgb pty devices.
|
|
+## dontaudit Read from and write to the rhgb devpts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -186,7 +181,7 @@ interface(`rhgb_dontaudit_use_ptys',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write to rhgb tmpfs files.
|
|
+## Read and write to rhgb temporary file system.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -199,7 +194,6 @@ interface(`rhgb_rw_tmpfs_files',`
|
|
type rhgb_tmpfs_t;
|
|
')
|
|
|
|
-
|
|
fs_search_tmpfs($1)
|
|
allow $1 rhgb_tmpfs_t:file rw_file_perms;
|
|
')
|
|
diff --git a/rhgb.te b/rhgb.te
|
|
index 3f32e4b..f97ea42 100644
|
|
--- a/rhgb.te
|
|
+++ b/rhgb.te
|
|
@@ -43,7 +43,6 @@ kernel_read_system_state(rhgb_t)
|
|
corecmd_exec_bin(rhgb_t)
|
|
corecmd_exec_shell(rhgb_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(rhgb_t)
|
|
corenet_all_recvfrom_netlabel(rhgb_t)
|
|
corenet_tcp_sendrecv_generic_if(rhgb_t)
|
|
corenet_tcp_sendrecv_generic_node(rhgb_t)
|
|
@@ -57,11 +56,9 @@ dev_read_urand(rhgb_t)
|
|
|
|
domain_use_interactive_fds(rhgb_t)
|
|
|
|
-files_read_etc_files(rhgb_t)
|
|
files_read_var_files(rhgb_t)
|
|
files_read_etc_runtime_files(rhgb_t)
|
|
files_search_tmp(rhgb_t)
|
|
-files_read_usr_files(rhgb_t)
|
|
files_mounton_mnt(rhgb_t)
|
|
files_dontaudit_rw_root_dir(rhgb_t)
|
|
files_dontaudit_read_default_files(rhgb_t)
|
|
@@ -89,7 +86,6 @@ libs_read_lib_files(rhgb_t)
|
|
|
|
logging_send_syslog_msg(rhgb_t)
|
|
|
|
-miscfiles_read_localization(rhgb_t)
|
|
miscfiles_read_fonts(rhgb_t)
|
|
miscfiles_dontaudit_write_fonts(rhgb_t)
|
|
|
|
diff --git a/rhnsd.fc b/rhnsd.fc
|
|
new file mode 100644
|
|
index 0000000..1936028
|
|
--- /dev/null
|
|
+++ b/rhnsd.fc
|
|
@@ -0,0 +1,5 @@
|
|
+/etc/rc\.d/init\.d/rhnsd -- gen_context(system_u:object_r:rhnsd_initrc_exec_t,s0)
|
|
+
|
|
+/usr/sbin/rhnsd -- gen_context(system_u:object_r:rhnsd_exec_t,s0)
|
|
+
|
|
+/var/run/rhnsd\.pid -- gen_context(system_u:object_r:rhnsd_var_run_t,s0)
|
|
diff --git a/rhnsd.if b/rhnsd.if
|
|
new file mode 100644
|
|
index 0000000..88087b7
|
|
--- /dev/null
|
|
+++ b/rhnsd.if
|
|
@@ -0,0 +1,74 @@
|
|
+## <summary>policy for rhnsd</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to rhnsd.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhnsd_domtrans',`
|
|
+ gen_require(`
|
|
+ type rhnsd_t, rhnsd_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, rhnsd_exec_t, rhnsd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute rhnsd server in the rhnsd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rhnsd_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type rhnsd_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, rhnsd_initrc_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an rhnsd environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`rhnsd_admin',`
|
|
+ gen_require(`
|
|
+ type rhnsd_t;
|
|
+ type rhnsd_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 rhnsd_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, rhnsd_t)
|
|
+
|
|
+ rhnsd_initrc_domtrans($1)
|
|
+ domain_system_change_exemption($1)
|
|
+ role_transition $2 rhnsd_initrc_exec_t system_r;
|
|
+ allow $2 system_r;
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+')
|
|
diff --git a/rhnsd.te b/rhnsd.te
|
|
new file mode 100644
|
|
index 0000000..0e965c3
|
|
--- /dev/null
|
|
+++ b/rhnsd.te
|
|
@@ -0,0 +1,40 @@
|
|
+policy_module(rhnsd, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type rhnsd_t;
|
|
+type rhnsd_exec_t;
|
|
+init_daemon_domain(rhnsd_t, rhnsd_exec_t)
|
|
+
|
|
+type rhnsd_var_run_t;
|
|
+files_pid_file(rhnsd_var_run_t)
|
|
+
|
|
+type rhnsd_initrc_exec_t;
|
|
+init_script_file(rhnsd_initrc_exec_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# rhnsd local policy
|
|
+#
|
|
+
|
|
+allow rhnsd_t self:capability { kill };
|
|
+allow rhnsd_t self:process { fork signal };
|
|
+allow rhnsd_t self:fifo_file rw_fifo_file_perms;
|
|
+allow rhnsd_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t)
|
|
+manage_files_pattern(rhnsd_t, rhnsd_var_run_t, rhnsd_var_run_t)
|
|
+files_pid_filetrans(rhnsd_t, rhnsd_var_run_t, { dir file })
|
|
+
|
|
+corecmd_exec_bin(rhnsd_t)
|
|
+
|
|
+
|
|
+logging_send_syslog_msg(rhnsd_t)
|
|
+
|
|
+optional_policy(`
|
|
+ # execute rhn_check
|
|
+ rpm_domtrans(rhnsd_t)
|
|
+')
|
|
diff --git a/rhsmcertd.if b/rhsmcertd.if
|
|
index 6dbc905..78746ef 100644
|
|
--- a/rhsmcertd.if
|
|
+++ b/rhsmcertd.if
|
|
@@ -1,8 +1,8 @@
|
|
-## <summary>Subscription Management Certificate Daemon.</summary>
|
|
+## <summary>Subscription Management Certificate Daemon policy</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute rhsmcertd in the rhsmcertd domain.
|
|
+## Transition to rhsmcertd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -21,12 +21,11 @@ interface(`rhsmcertd_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute rhsmcertd init scripts
|
|
-## in the initrc domain.
|
|
+## Execute rhsmcertd server in the rhsmcertd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
@@ -40,7 +39,7 @@ interface(`rhsmcertd_initrc_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read rhsmcertd log files.
|
|
+## Read rhsmcertd's log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -60,7 +59,7 @@ interface(`rhsmcertd_read_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Append rhsmcertd log files.
|
|
+## Append to rhsmcertd log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -79,8 +78,7 @@ interface(`rhsmcertd_append_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## rhsmcertd log files.
|
|
+## Manage rhsmcertd log files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -114,8 +112,8 @@ interface(`rhsmcertd_search_lib',`
|
|
type rhsmcertd_var_lib_t;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
allow $1 rhsmcertd_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
')
|
|
|
|
########################################
|
|
@@ -139,8 +137,7 @@ interface(`rhsmcertd_read_lib_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## rhsmcertd lib files.
|
|
+## Manage rhsmcertd lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -159,8 +156,7 @@ interface(`rhsmcertd_manage_lib_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## rhsmcertd lib directories.
|
|
+## Manage rhsmcertd lib directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -179,7 +175,7 @@ interface(`rhsmcertd_manage_lib_dirs',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read rhsmcertd pid files.
|
|
+## Read rhsmcertd PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -196,10 +192,9 @@ interface(`rhsmcertd_read_pid_files',`
|
|
allow $1 rhsmcertd_var_run_t:file read_file_perms;
|
|
')
|
|
|
|
-####################################
|
|
+########################################
|
|
## <summary>
|
|
-## Connect to rhsmcertd with a
|
|
-## unix domain stream socket.
|
|
+## Read/wirte inherited lock files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -207,6 +202,26 @@ interface(`rhsmcertd_read_pid_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
+interface(`rhsmcertd_rw_inherited_lock_files',`
|
|
+ gen_require(`
|
|
+ type rhsmcertd_lock_t;
|
|
+ ')
|
|
+
|
|
+ files_search_locks($1)
|
|
+ allow $1 rhsmcertd_lock_t:file rw_inherited_file_perms;
|
|
+')
|
|
+
|
|
+####################################
|
|
+## <summary>
|
|
+## Connect to rhsmcertd over a unix domain
|
|
+## stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
interface(`rhsmcertd_stream_connect',`
|
|
gen_require(`
|
|
type rhsmcertd_t, rhsmcertd_var_run_t;
|
|
@@ -239,30 +254,29 @@ interface(`rhsmcertd_dbus_chat',`
|
|
|
|
######################################
|
|
## <summary>
|
|
-## Do not audit attempts to send
|
|
-## and receive messages from
|
|
-## rhsmcertd over dbus.
|
|
+## Dontaudit Send and receive messages from
|
|
+## rhsmcertd over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain to not audit.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`rhsmcertd_dontaudit_dbus_chat',`
|
|
- gen_require(`
|
|
- type rhsmcertd_t;
|
|
- class dbus send_msg;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type rhsmcertd_t;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
|
|
- dontaudit $1 rhsmcertd_t:dbus send_msg;
|
|
- dontaudit rhsmcertd_t $1:dbus send_msg;
|
|
+ dontaudit $1 rhsmcertd_t:dbus send_msg;
|
|
+ dontaudit rhsmcertd_t $1:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an rhsmcertd environment.
|
|
+## All of the rules required to administrate
|
|
+## an rhsmcertd environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -270,35 +284,41 @@ interface(`rhsmcertd_dontaudit_dbus_chat',`
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
+
|
|
interface(`rhsmcertd_admin',`
|
|
gen_require(`
|
|
type rhsmcertd_t, rhsmcertd_initrc_exec_t, rhsmcertd_log_t;
|
|
- type rhsmcertd_var_lib_t, rhsmcertd_var_run_t, rhsmcertd_lock_t;
|
|
+ type rhsmcertd_var_lib_t, rhsmcertd_lock_t, rhsmcertd_var_run_t;
|
|
')
|
|
|
|
- allow $1 rhsmcertd_t:process { ptrace signal_perms };
|
|
+ allow $1 rhsmcertd_t:process signal_perms;
|
|
ps_process_pattern($1, rhsmcertd_t)
|
|
|
|
- rhsmcertd_initrc_domtrans($1)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 rhsmcertd_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 rhsmcertd_t:process ptrace;
|
|
+ ')
|
|
|
|
- logging_search_logs($1)
|
|
- admin_pattern($1, rhsmcertd_log_t)
|
|
+ rhsmcertd_initrc_domtrans($1)
|
|
+ domain_system_change_exemption($1)
|
|
+ role_transition $2 rhsmcertd_initrc_exec_t system_r;
|
|
+ allow $2 system_r;
|
|
|
|
- files_search_var_lib($1)
|
|
- admin_pattern($1, rhsmcertd_var_lib_t)
|
|
+ logging_search_logs($1)
|
|
+ admin_pattern($1, rhsmcertd_log_t)
|
|
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, rhsmcertd_var_run_t)
|
|
+ files_search_var_lib($1)
|
|
+ admin_pattern($1, rhsmcertd_var_lib_t)
|
|
+
|
|
+ files_search_pids($1)
|
|
+ admin_pattern($1, rhsmcertd_var_run_t)
|
|
+
|
|
+ files_search_locks($1)
|
|
+ admin_pattern($1, rhsmcertd_lock_t)
|
|
|
|
- files_search_locks($1)
|
|
- admin_pattern($1, rhsmcertd_lock_t)
|
|
')
|
|
diff --git a/rhsmcertd.te b/rhsmcertd.te
|
|
index d32e1a2..73051fc 100644
|
|
--- a/rhsmcertd.te
|
|
+++ b/rhsmcertd.te
|
|
@@ -30,14 +30,13 @@ files_pid_file(rhsmcertd_var_run_t)
|
|
#
|
|
|
|
allow rhsmcertd_t self:capability sys_nice;
|
|
-allow rhsmcertd_t self:process { signal setsched };
|
|
+allow rhsmcertd_t self:process { signal_perms setsched };
|
|
+
|
|
allow rhsmcertd_t self:fifo_file rw_fifo_file_perms;
|
|
allow rhsmcertd_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
manage_dirs_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
|
|
-append_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
|
|
-create_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
|
|
-setattr_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
|
|
+manage_files_pattern(rhsmcertd_t, rhsmcertd_log_t, rhsmcertd_log_t)
|
|
|
|
manage_files_pattern(rhsmcertd_t, rhsmcertd_lock_t, rhsmcertd_lock_t)
|
|
files_lock_filetrans(rhsmcertd_t, rhsmcertd_lock_t, file)
|
|
@@ -52,23 +51,39 @@ files_pid_filetrans(rhsmcertd_t, rhsmcertd_var_run_t, { file dir })
|
|
kernel_read_network_state(rhsmcertd_t)
|
|
kernel_read_system_state(rhsmcertd_t)
|
|
|
|
+corenet_tcp_connect_http_port(rhsmcertd_t)
|
|
+
|
|
corecmd_exec_bin(rhsmcertd_t)
|
|
+corecmd_exec_shell(rhsmcertd_t)
|
|
|
|
dev_read_sysfs(rhsmcertd_t)
|
|
dev_read_rand(rhsmcertd_t)
|
|
dev_read_urand(rhsmcertd_t)
|
|
+dev_read_raw_memory(rhsmcertd_t)
|
|
|
|
files_list_tmp(rhsmcertd_t)
|
|
-files_read_etc_files(rhsmcertd_t)
|
|
-files_read_usr_files(rhsmcertd_t)
|
|
+files_manage_generic_locks(rhsmcertd_t)
|
|
+files_manage_system_conf_files(rhsmcertd_t)
|
|
+
|
|
+auth_read_passwd(rhsmcertd_t)
|
|
|
|
init_read_state(rhsmcertd_t)
|
|
|
|
-miscfiles_read_localization(rhsmcertd_t)
|
|
-miscfiles_read_generic_certs(rhsmcertd_t)
|
|
+logging_send_syslog_msg(rhsmcertd_t)
|
|
+
|
|
+miscfiles_manage_cert_files(rhsmcertd_t)
|
|
+miscfiles_manage_cert_dirs(rhsmcertd_t)
|
|
|
|
sysnet_dns_name_resolve(rhsmcertd_t)
|
|
|
|
optional_policy(`
|
|
+ dmidecode_domtrans(rhsmcertd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ gnome_dontaudit_search_config(rhsmcertd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
rpm_read_db(rhsmcertd_t)
|
|
')
|
|
diff --git a/ricci.if b/ricci.if
|
|
index 2ab3ed1..23d579c 100644
|
|
--- a/ricci.if
|
|
+++ b/ricci.if
|
|
@@ -1,13 +1,13 @@
|
|
-## <summary>Ricci cluster management agent.</summary>
|
|
+## <summary>Ricci cluster management agent</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a domain transition to run ricci.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed to transition.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`ricci_domtrans',`
|
|
@@ -15,19 +15,35 @@ interface(`ricci_domtrans',`
|
|
type ricci_t, ricci_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, ricci_exec_t, ricci_t)
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Execute a domain transition to
|
|
-## run ricci modcluster.
|
|
+## Execute ricci server in the ricci domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ricci_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type ricci_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, ricci_initrc_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Execute a domain transition to run ricci_modcluster.
|
|
## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`ricci_domtrans_modcluster',`
|
|
@@ -35,14 +51,13 @@ interface(`ricci_domtrans_modcluster',`
|
|
type ricci_modcluster_t, ricci_modcluster_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, ricci_modcluster_exec_t, ricci_modcluster_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to use
|
|
-## ricci modcluster file descriptors.
|
|
+## ricci_modcluster file descriptors.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -61,7 +76,7 @@ interface(`ricci_dontaudit_use_modcluster_fds',`
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read write
|
|
-## ricci modcluster unamed pipes.
|
|
+## ricci_modcluster unamed pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -74,13 +89,12 @@ interface(`ricci_dontaudit_rw_modcluster_pipes',`
|
|
type ricci_modcluster_t;
|
|
')
|
|
|
|
- dontaudit $1 ricci_modcluster_t:fifo_file { read write };
|
|
+ dontaudit $1 ricci_modcluster_t:fifo_file rw_inherited_fifo_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to ricci_modclusterd with
|
|
-## a unix domain stream socket.
|
|
+## Connect to ricci_modclusterd over a unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -99,8 +113,26 @@ interface(`ricci_stream_connect_modclusterd',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a domain transition to
|
|
-## run ricci modlog.
|
|
+## Read and write to ricci_modcluserd temporary file system.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ricci_rw_modclusterd_tmpfs_files',`
|
|
+ gen_require(`
|
|
+ type ricci_modclusterd_tmpfs_t;
|
|
+ ')
|
|
+
|
|
+ fs_search_tmpfs($1)
|
|
+ allow $1 ricci_modclusterd_tmpfs_t:file rw_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute a domain transition to run ricci_modlog.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -113,14 +145,12 @@ interface(`ricci_domtrans_modlog',`
|
|
type ricci_modlog_t, ricci_modlog_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, ricci_modlog_exec_t, ricci_modlog_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a domain transition to
|
|
-## run ricci modrpm.
|
|
+## Execute a domain transition to run ricci_modrpm.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -133,14 +163,12 @@ interface(`ricci_domtrans_modrpm',`
|
|
type ricci_modrpm_t, ricci_modrpm_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, ricci_modrpm_exec_t, ricci_modrpm_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a domain transition to
|
|
-## run ricci modservice.
|
|
+## Execute a domain transition to run ricci_modservice.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -153,14 +181,12 @@ interface(`ricci_domtrans_modservice',`
|
|
type ricci_modservice_t, ricci_modservice_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, ricci_modservice_exec_t, ricci_modservice_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a domain transition to
|
|
-## run ricci modstorage.
|
|
+## Execute a domain transition to run ricci_modstorage.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -173,14 +199,33 @@ interface(`ricci_domtrans_modstorage',`
|
|
type ricci_modstorage_t, ricci_modstorage_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, ricci_modstorage_exec_t, ricci_modstorage_t)
|
|
')
|
|
|
|
+####################################
|
|
+## <summary>
|
|
+## Allow the specified domain to manage ricci's lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`ricci_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type ricci_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
|
|
+ manage_files_pattern($1, ricci_var_lib_t, ricci_var_lib_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an ricci environment.
|
|
+## All of the rules required to administrate
|
|
+## an ricci environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -200,10 +245,13 @@ interface(`ricci_admin',`
|
|
type ricci_var_lib_t, ricci_var_log_t, ricci_var_run_t;
|
|
')
|
|
|
|
- allow $1 ricci_t:process { ptrace signal_perms };
|
|
+ allow $1 ricci_t:process signal_perms;
|
|
ps_process_pattern($1, ricci_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ricci_t:process ptrace;
|
|
+ ')
|
|
|
|
- init_labeled_script_domtrans($1, ricci_initrc_exec_t)
|
|
+ ricci_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 ricci_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
diff --git a/ricci.te b/ricci.te
|
|
index 0ba2569..64a0237 100644
|
|
--- a/ricci.te
|
|
+++ b/ricci.te
|
|
@@ -115,7 +115,6 @@ kernel_read_system_state(ricci_t)
|
|
|
|
corecmd_exec_bin(ricci_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(ricci_t)
|
|
corenet_all_recvfrom_netlabel(ricci_t)
|
|
corenet_tcp_sendrecv_generic_if(ricci_t)
|
|
corenet_tcp_sendrecv_generic_node(ricci_t)
|
|
@@ -136,7 +135,6 @@ dev_read_urand(ricci_t)
|
|
|
|
domain_read_all_domains_state(ricci_t)
|
|
|
|
-files_read_etc_files(ricci_t)
|
|
files_read_etc_runtime_files(ricci_t)
|
|
files_create_boot_flag(ricci_t)
|
|
|
|
@@ -149,7 +147,7 @@ locallogin_dontaudit_use_fds(ricci_t)
|
|
|
|
logging_send_syslog_msg(ricci_t)
|
|
|
|
-miscfiles_read_localization(ricci_t)
|
|
+systemd_start_power_services(ricci_t)
|
|
|
|
sysnet_dns_name_resolve(ricci_t)
|
|
|
|
@@ -235,13 +233,8 @@ init_domtrans_script(ricci_modcluster_t)
|
|
|
|
logging_send_syslog_msg(ricci_modcluster_t)
|
|
|
|
-miscfiles_read_localization(ricci_modcluster_t)
|
|
-
|
|
-ricci_stream_connect_modclusterd(ricci_modcluster_t)
|
|
-
|
|
optional_policy(`
|
|
- aisexec_stream_connect(ricci_modcluster_t)
|
|
- corosync_stream_connect(ricci_modcluster_t)
|
|
+ ricci_stream_connect_modclusterd(ricci_modcluster_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -271,7 +264,7 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- rgmanager_stream_connect(ricci_modcluster_t)
|
|
+ rhcs_stream_connect_cluster(ricci_modcluster_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -336,23 +329,16 @@ locallogin_dontaudit_use_fds(ricci_modclusterd_t)
|
|
|
|
logging_send_syslog_msg(ricci_modclusterd_t)
|
|
|
|
-miscfiles_read_localization(ricci_modclusterd_t)
|
|
-
|
|
sysnet_domtrans_ifconfig(ricci_modclusterd_t)
|
|
|
|
optional_policy(`
|
|
- aisexec_stream_connect(ricci_modclusterd_t)
|
|
- corosync_stream_connect(ricci_modclusterd_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
ccs_domtrans(ricci_modclusterd_t)
|
|
ccs_stream_connect(ricci_modclusterd_t)
|
|
ccs_read_config(ricci_modclusterd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- rgmanager_stream_connect(ricci_modclusterd_t)
|
|
+ rhcs_stream_connect_cluster(ricci_modclusterd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -374,12 +360,10 @@ corecmd_exec_bin(ricci_modlog_t)
|
|
|
|
domain_read_all_domains_state(ricci_modlog_t)
|
|
|
|
-files_read_etc_files(ricci_modlog_t)
|
|
files_search_usr(ricci_modlog_t)
|
|
|
|
logging_read_generic_logs(ricci_modlog_t)
|
|
|
|
-miscfiles_read_localization(ricci_modlog_t)
|
|
|
|
optional_policy(`
|
|
nscd_dontaudit_search_pid(ricci_modlog_t)
|
|
@@ -401,9 +385,8 @@ kernel_read_kernel_sysctls(ricci_modrpm_t)
|
|
corecmd_exec_bin(ricci_modrpm_t)
|
|
|
|
files_search_usr(ricci_modrpm_t)
|
|
-files_read_etc_files(ricci_modrpm_t)
|
|
|
|
-miscfiles_read_localization(ricci_modrpm_t)
|
|
+logging_send_syslog_msg(ricci_modrpm_t)
|
|
|
|
optional_policy(`
|
|
oddjob_system_entry(ricci_modrpm_t, ricci_modrpm_exec_t)
|
|
@@ -428,14 +411,13 @@ kernel_read_system_state(ricci_modservice_t)
|
|
corecmd_exec_bin(ricci_modservice_t)
|
|
corecmd_exec_shell(ricci_modservice_t)
|
|
|
|
-files_read_etc_files(ricci_modservice_t)
|
|
files_read_etc_runtime_files(ricci_modservice_t)
|
|
files_search_usr(ricci_modservice_t)
|
|
files_manage_etc_symlinks(ricci_modservice_t)
|
|
|
|
init_domtrans_script(ricci_modservice_t)
|
|
|
|
-miscfiles_read_localization(ricci_modservice_t)
|
|
+logging_send_syslog_msg(ricci_modservice_t)
|
|
|
|
optional_policy(`
|
|
ccs_read_config(ricci_modservice_t)
|
|
@@ -460,7 +442,6 @@ optional_policy(`
|
|
|
|
allow ricci_modstorage_t self:capability { mknod sys_nice };
|
|
allow ricci_modstorage_t self:process { setsched signal };
|
|
-dontaudit ricci_modstorage_t self:process ptrace;
|
|
allow ricci_modstorage_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
kernel_read_kernel_sysctls(ricci_modstorage_t)
|
|
@@ -480,21 +461,21 @@ domain_read_all_domains_state(ricci_modstorage_t)
|
|
|
|
files_manage_etc_files(ricci_modstorage_t)
|
|
files_read_etc_runtime_files(ricci_modstorage_t)
|
|
-files_read_usr_files(ricci_modstorage_t)
|
|
files_read_kernel_modules(ricci_modstorage_t)
|
|
|
|
+files_create_default_dir(ricci_modstorage_t)
|
|
+files_root_filetrans_default(ricci_modstorage_t, dir)
|
|
+files_mounton_default(ricci_modstorage_t)
|
|
+files_manage_default_dirs(ricci_modstorage_t)
|
|
+files_manage_default_files(ricci_modstorage_t)
|
|
+
|
|
storage_raw_read_fixed_disk(ricci_modstorage_t)
|
|
|
|
term_dontaudit_use_console(ricci_modstorage_t)
|
|
|
|
-logging_send_syslog_msg(ricci_modstorage_t)
|
|
-
|
|
-miscfiles_read_localization(ricci_modstorage_t)
|
|
+auth_use_nsswitch(ricci_modstorage_t)
|
|
|
|
-optional_policy(`
|
|
- aisexec_stream_connect(ricci_modstorage_t)
|
|
- corosync_stream_connect(ricci_modstorage_t)
|
|
-')
|
|
+logging_send_syslog_msg(ricci_modstorage_t)
|
|
|
|
optional_policy(`
|
|
ccs_stream_connect(ricci_modstorage_t)
|
|
diff --git a/rlogin.fc b/rlogin.fc
|
|
index f111877..e361ee9 100644
|
|
--- a/rlogin.fc
|
|
+++ b/rlogin.fc
|
|
@@ -1,5 +1,7 @@
|
|
-HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
|
|
-HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
|
|
+HOME_DIR/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
|
|
+HOME_DIR/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
|
|
+/root/\.rlogin -- gen_context(system_u:object_r:rlogind_home_t,s0)
|
|
+/root/\.rhosts -- gen_context(system_u:object_r:rlogind_home_t,s0)
|
|
|
|
/usr/kerberos/sbin/klogind -- gen_context(system_u:object_r:rlogind_exec_t,s0)
|
|
|
|
diff --git a/rlogin.if b/rlogin.if
|
|
index 050479d..0e1b364 100644
|
|
--- a/rlogin.if
|
|
+++ b/rlogin.if
|
|
@@ -29,7 +29,7 @@ interface(`rlogin_domtrans',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-template(`rlogin_read_home_content',`
|
|
+interface(`rlogin_read_home_content',`
|
|
gen_require(`
|
|
type rlogind_home_t;
|
|
')
|
|
diff --git a/rlogin.te b/rlogin.te
|
|
index ee27948..2a5413a 100644
|
|
--- a/rlogin.te
|
|
+++ b/rlogin.te
|
|
@@ -34,7 +34,9 @@ files_pid_file(rlogind_var_run_t)
|
|
allow rlogind_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
|
|
allow rlogind_t self:process signal_perms;
|
|
allow rlogind_t self:fifo_file rw_fifo_file_perms;
|
|
-allow rlogind_t self:tcp_socket { accept listen };
|
|
+allow rlogind_t self:tcp_socket connected_stream_socket_perms;
|
|
+# for identd; cjp: this should probably only be inetd_child rules?
|
|
+allow rlogind_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
|
|
|
allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
|
|
term_create_pty(rlogind_t, rlogind_devpts_t)
|
|
@@ -45,7 +47,6 @@ allow rlogind_t rlogind_keytab_t:file read_file_perms;
|
|
|
|
manage_dirs_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
|
|
manage_files_pattern(rlogind_t, rlogind_tmp_t, rlogind_tmp_t)
|
|
-files_tmp_filetrans(rlogind_t, rlogind_tmp_t, { dir file })
|
|
|
|
manage_files_pattern(rlogind_t, rlogind_var_run_t, rlogind_var_run_t)
|
|
files_pid_filetrans(rlogind_t, rlogind_var_run_t, file)
|
|
@@ -56,7 +57,6 @@ kernel_read_kernel_sysctls(rlogind_t)
|
|
kernel_read_system_state(rlogind_t)
|
|
kernel_read_network_state(rlogind_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(rlogind_t)
|
|
corenet_all_recvfrom_netlabel(rlogind_t)
|
|
corenet_tcp_sendrecv_generic_if(rlogind_t)
|
|
corenet_tcp_sendrecv_generic_node(rlogind_t)
|
|
@@ -73,6 +73,7 @@ fs_getattr_all_fs(rlogind_t)
|
|
fs_search_auto_mountpoints(rlogind_t)
|
|
|
|
auth_domtrans_chk_passwd(rlogind_t)
|
|
+auth_signal_chk_passwd(rlogind_t)
|
|
auth_rw_login_records(rlogind_t)
|
|
auth_use_nsswitch(rlogind_t)
|
|
|
|
@@ -83,29 +84,23 @@ init_rw_utmp(rlogind_t)
|
|
|
|
logging_send_syslog_msg(rlogind_t)
|
|
|
|
-miscfiles_read_localization(rlogind_t)
|
|
-
|
|
seutil_read_config(rlogind_t)
|
|
|
|
userdom_search_user_home_dirs(rlogind_t)
|
|
userdom_setattr_user_ptys(rlogind_t)
|
|
+# cjp: this is egregious
|
|
+userdom_read_user_home_content_files(rlogind_t)
|
|
+userdom_search_admin_dir(rlogind_t)
|
|
+userdom_manage_user_tmp_files(rlogind_t)
|
|
+userdom_tmp_filetrans_user_tmp(rlogind_t, file)
|
|
userdom_use_user_terminals(rlogind_t)
|
|
+userdom_home_reader(rlogind_t)
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_list_nfs(rlogind_t)
|
|
- fs_read_nfs_files(rlogind_t)
|
|
- fs_read_nfs_symlinks(rlogind_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_list_cifs(rlogind_t)
|
|
- fs_read_cifs_files(rlogind_t)
|
|
- fs_read_cifs_symlinks(rlogind_t)
|
|
-')
|
|
+rlogin_read_home_content(rlogind_t)
|
|
|
|
optional_policy(`
|
|
kerberos_read_keytab(rlogind_t)
|
|
- kerberos_tmp_filetrans_host_rcache(rlogind_t, file, "host_0")
|
|
+ kerberos_tmp_filetrans_host_rcache(rlogind_t, "host_0")
|
|
kerberos_manage_host_rcache(rlogind_t)
|
|
kerberos_use(rlogind_t)
|
|
')
|
|
diff --git a/rngd.fc b/rngd.fc
|
|
index fa19aa8..90eb481 100644
|
|
--- a/rngd.fc
|
|
+++ b/rngd.fc
|
|
@@ -1,5 +1,7 @@
|
|
/etc/rc\.d/init\.d/rngd -- gen_context(system_u:object_r:rngd_initrc_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/rngd.* -- gen_context(system_u:object_r:rngd_unit_file_t,s0)
|
|
+
|
|
/usr/sbin/rngd -- gen_context(system_u:object_r:rngd_exec_t,s0)
|
|
|
|
/var/run/rngd\.pid -- gen_context(system_u:object_r:rngd_var_run_t,s0)
|
|
diff --git a/rngd.if b/rngd.if
|
|
index 13f788f..e01572a 100644
|
|
--- a/rngd.if
|
|
+++ b/rngd.if
|
|
@@ -2,6 +2,28 @@
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Execute rngd in the rngd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rng_systemctl_rngd',`
|
|
+ gen_require(`
|
|
+ type rngd_t, rngd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 rngd_unit_file_t:file read_file_perms;
|
|
+ allow $1 rngd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, rngd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## All of the rules required to
|
|
## administrate an rng environment.
|
|
## </summary>
|
|
@@ -17,14 +39,18 @@
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
-interface(`rngd_admin',`
|
|
+interface(`rng_admin',`
|
|
gen_require(`
|
|
- type rngd_t, rngd_initrc_exec_t, rngd_var_run_t;
|
|
+ type rngd_t, rngd_initrc_exec_t, rngd_var_run_t, rngd_unit_file_t;
|
|
')
|
|
|
|
- allow $1 rngd_t:process { ptrace signal_perms };
|
|
+ allow $1 rngd_t:process signal_perms;
|
|
ps_process_pattern($1, rngd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 rngd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, rngd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 rngd_initrc_exec_t system_r;
|
|
@@ -32,4 +58,8 @@ interface(`rngd_admin',`
|
|
|
|
files_search_pids($1)
|
|
admin_pattern($1, rngd_var_run_t)
|
|
+
|
|
+ rng_systemctl_rngd($1)
|
|
+ admin_pattern($1, rngd_unit_file_t)
|
|
+ allow $1 rngd_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/rngd.te b/rngd.te
|
|
index a7b7717..861aa31 100644
|
|
--- a/rngd.te
|
|
+++ b/rngd.te
|
|
@@ -12,6 +12,9 @@ init_daemon_domain(rngd_t, rngd_exec_t)
|
|
type rngd_initrc_exec_t;
|
|
init_script_file(rngd_initrc_exec_t)
|
|
|
|
+type rngd_unit_file_t;
|
|
+systemd_unit_file(rngd_unit_file_t)
|
|
+
|
|
type rngd_var_run_t;
|
|
files_pid_file(rngd_var_run_t)
|
|
|
|
@@ -35,8 +38,5 @@ dev_read_urand(rngd_t)
|
|
dev_rw_tpm(rngd_t)
|
|
dev_write_rand(rngd_t)
|
|
|
|
-files_read_etc_files(rngd_t)
|
|
-
|
|
logging_send_syslog_msg(rngd_t)
|
|
|
|
-miscfiles_read_localization(rngd_t)
|
|
diff --git a/roundup.if b/roundup.if
|
|
index 975bb6a..ce4f5ea 100644
|
|
--- a/roundup.if
|
|
+++ b/roundup.if
|
|
@@ -23,8 +23,11 @@ interface(`roundup_admin',`
|
|
type roundup_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 roundup_t:process { ptrace signal_perms };
|
|
+ allow $1 roundup_t:process signal_perms;
|
|
ps_process_pattern($1, roundup_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 roundup_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, roundup_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff --git a/roundup.te b/roundup.te
|
|
index ccb5991..189ac01 100644
|
|
--- a/roundup.te
|
|
+++ b/roundup.te
|
|
@@ -41,7 +41,6 @@ kernel_read_proc_symlinks(roundup_t)
|
|
|
|
corecmd_exec_bin(roundup_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(roundup_t)
|
|
corenet_all_recvfrom_netlabel(roundup_t)
|
|
corenet_tcp_sendrecv_generic_if(roundup_t)
|
|
corenet_tcp_sendrecv_generic_node(roundup_t)
|
|
@@ -60,16 +59,11 @@ dev_read_urand(roundup_t)
|
|
|
|
domain_use_interactive_fds(roundup_t)
|
|
|
|
-files_read_etc_files(roundup_t)
|
|
-files_read_usr_files(roundup_t)
|
|
-
|
|
fs_getattr_all_fs(roundup_t)
|
|
fs_search_auto_mountpoints(roundup_t)
|
|
|
|
logging_send_syslog_msg(roundup_t)
|
|
|
|
-miscfiles_read_localization(roundup_t)
|
|
-
|
|
sysnet_dns_name_resolve(roundup_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(roundup_t)
|
|
diff --git a/rpc.fc b/rpc.fc
|
|
index a6fb30c..b0c22f7 100644
|
|
--- a/rpc.fc
|
|
+++ b/rpc.fc
|
|
@@ -1,12 +1,23 @@
|
|
-/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
|
|
+#
|
|
+# /etc
|
|
+#
|
|
+/etc/exports -- gen_context(system_u:object_r:exports_t,s0)
|
|
+/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
|
|
|
|
-/etc/rc\.d/init\.d/nfs -- gen_context(system_u:object_r:nfsd_initrc_exec_t,s0)
|
|
-/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
|
|
-/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
|
|
+/usr/lib/systemd/system/nfs.* -- gen_context(system_u:object_r:nfsd_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/rpc.* -- gen_context(system_u:object_r:rpcd_unit_file_t,s0)
|
|
|
|
-/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
|
-/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
|
+#
|
|
+# /sbin
|
|
+#
|
|
+/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
|
+/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
|
|
|
+#
|
|
+# /usr
|
|
+#
|
|
/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
|
/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
|
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
|
|
@@ -16,7 +27,11 @@
|
|
/usr/sbin/rpc\.svcgssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
|
|
/usr/sbin/sm-notify -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
|
|
|
-/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
|
|
+#
|
|
+# /var
|
|
+#
|
|
+/var/lib/nfs(/.*)? gen_context(system_u:object_r:var_lib_nfs_t,s0)
|
|
|
|
/var/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
|
|
-/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
|
|
+/var/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
|
|
+
|
|
diff --git a/rpc.if b/rpc.if
|
|
index 0bf13c2..d59aef7 100644
|
|
--- a/rpc.if
|
|
+++ b/rpc.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>Remote Procedure Call Daemon.</summary>
|
|
+## <summary>Remote Procedure Call Daemon for managment of network based process communication</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -20,15 +20,21 @@ interface(`rpc_stub',`
|
|
## <summary>
|
|
## The template to define a rpc domain.
|
|
## </summary>
|
|
-## <param name="domain_prefix">
|
|
+## <desc>
|
|
+## <p>
|
|
+## This template creates a domain to be used for
|
|
+## a new rpc daemon.
|
|
+## </p>
|
|
+## </desc>
|
|
+## <param name="userdomain_prefix">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## The type of daemon to be used.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`rpc_domain_template',`
|
|
gen_require(`
|
|
- attribute rpc_domain;
|
|
+ attribute rpc_domain;
|
|
')
|
|
|
|
########################################
|
|
@@ -42,12 +48,19 @@ template(`rpc_domain_template',`
|
|
|
|
domain_use_interactive_fds($1_t)
|
|
|
|
- ########################################
|
|
+ ####################################
|
|
#
|
|
- # Policy
|
|
+ # Local Policy
|
|
#
|
|
|
|
+ kernel_read_system_state($1_t)
|
|
+
|
|
+ corenet_all_recvfrom_unlabeled($1_t)
|
|
+ corenet_all_recvfrom_netlabel($1_t)
|
|
+
|
|
auth_use_nsswitch($1_t)
|
|
+
|
|
+ logging_send_syslog_msg($1_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -66,8 +79,8 @@ interface(`rpc_udp_send',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to get
|
|
-## attributes of export files.
|
|
+## Do not audit attempts to get the attributes
|
|
+## of the NFS export file.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -80,12 +93,12 @@ interface(`rpc_dontaudit_getattr_exports',`
|
|
type exports_t;
|
|
')
|
|
|
|
- dontaudit $1 exports_t:file getattr;
|
|
+ dontaudit $1 exports_t:file getattr_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read export files.
|
|
+## Allow read access to exports.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -103,7 +116,7 @@ interface(`rpc_read_exports',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Write export files.
|
|
+## Allow write access to exports.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -116,12 +129,12 @@ interface(`rpc_write_exports',`
|
|
type exports_t;
|
|
')
|
|
|
|
- allow $1 exports_t:file write;
|
|
+ allow $1 exports_t:file write_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute nfsd in the nfsd domain.
|
|
+## Execute domain in nfsd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -134,14 +147,12 @@ interface(`rpc_domtrans_nfsd',`
|
|
type nfsd_t, nfsd_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, nfsd_exec_t, nfsd_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Execute nfsd init scripts in
|
|
-## the initrc domain.
|
|
+## Execute domain in nfsd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -159,7 +170,7 @@ interface(`rpc_initrc_domtrans_nfsd',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute rpcd in the rpcd domain.
|
|
+## Execute nfsd server in the nfsd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -167,120 +178,126 @@ interface(`rpc_initrc_domtrans_nfsd',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`rpc_domtrans_rpcd',`
|
|
+interface(`rpc_systemctl_nfsd',`
|
|
gen_require(`
|
|
- type rpcd_t, rpcd_exec_t;
|
|
+ type nfsd_unit_file_t;
|
|
+ type nfsd_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
- domtrans_pattern($1, rpcd_exec_t, rpcd_t)
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 nfsd_unit_file_t:file read_file_perms;
|
|
+ allow $1 nfsd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, nfsd_t)
|
|
')
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## Execute rpcd init scripts in
|
|
-## the initrc domain.
|
|
+## Send kill signals to rpcd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`rpc_initrc_domtrans_rpcd',`
|
|
+interface(`rpc_kill_rpcd',`
|
|
gen_require(`
|
|
- type rpcd_initrc_exec_t;
|
|
+ type rpcd_t;
|
|
')
|
|
|
|
- init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
|
|
+ allow $1 rpcd_t:process sigkill;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read nfs exported content.
|
|
+## Execute domain in rpcd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`rpc_read_nfs_content',`
|
|
+interface(`rpc_domtrans_rpcd',`
|
|
gen_require(`
|
|
- type nfsd_ro_t, nfsd_rw_t;
|
|
+ type rpcd_t, rpcd_exec_t;
|
|
')
|
|
|
|
- allow $1 { nfsd_ro_t nfsd_rw_t }:dir list_dir_perms;
|
|
- allow $1 { nfsd_ro_t nfsd_rw_t }:file read_file_perms;
|
|
- allow $1 { nfsd_ro_t nfsd_rw_t }:lnk_file read_lnk_file_perms;
|
|
+ domtrans_pattern($1, rpcd_exec_t, rpcd_t)
|
|
+ allow rpcd_t $1:process signal;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## nfs exported read write content.
|
|
+## Execute rpcd in the rcpd domain, and
|
|
+## allow the specified role the rpcd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
## <rolecap/>
|
|
#
|
|
-interface(`rpc_manage_nfs_rw_content',`
|
|
+interface(`rpc_run_rpcd',`
|
|
gen_require(`
|
|
- type nfsd_rw_t;
|
|
+ type rpcd_t;
|
|
')
|
|
|
|
- manage_dirs_pattern($1, nfsd_rw_t, nfsd_rw_t)
|
|
- manage_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
|
|
- manage_lnk_files_pattern($1, nfsd_rw_t, nfsd_rw_t)
|
|
+ rpc_domtrans_rpcd($1)
|
|
+ role $2 types rpcd_t;
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## nfs exported read only content.
|
|
+## Execute domain in rpcd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`rpc_manage_nfs_ro_content',`
|
|
+interface(`rpc_initrc_domtrans_rpcd',`
|
|
gen_require(`
|
|
- type nfsd_ro_t;
|
|
+ type rpcd_initrc_exec_t;
|
|
')
|
|
|
|
- manage_dirs_pattern($1, nfsd_ro_t, nfsd_ro_t)
|
|
- manage_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
|
|
- manage_lnk_files_pattern($1, nfsd_ro_t, nfsd_ro_t)
|
|
+ init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write to nfsd tcp sockets.
|
|
+## Execute rpcd server in the rpcd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`rpc_tcp_rw_nfs_sockets',`
|
|
+interface(`rpc_systemctl_rpcd',`
|
|
gen_require(`
|
|
- type nfsd_t;
|
|
+ type rpcd_unit_file_t;
|
|
+ type rpcd_t;
|
|
')
|
|
|
|
- allow $1 nfsd_t:tcp_socket rw_socket_perms;
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 rpcd_unit_file_t:file read_file_perms;
|
|
+ allow $1 rpcd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, rpcd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write to nfsd udp sockets.
|
|
+## Allow domain to read and write to an NFS UDP socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -312,7 +329,7 @@ interface(`rpc_udp_send_nfs',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Search nfs lib directories.
|
|
+## Search NFS state data in /var/lib/nfs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -326,12 +343,12 @@ interface(`rpc_search_nfs_state_data',`
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
- allow $1 var_lib_nfs_t:dir search;
|
|
+ allow $1 var_lib_nfs_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read nfs lib files.
|
|
+## List NFS state data in /var/lib/nfs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -339,19 +356,18 @@ interface(`rpc_search_nfs_state_data',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`rpc_read_nfs_state_data',`
|
|
+interface(`rpc_list_nfs_state_data',`
|
|
gen_require(`
|
|
type var_lib_nfs_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
- read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
|
|
+ allow $1 var_lib_nfs_t:dir list_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## nfs lib files.
|
|
+## Read NFS state data in /var/lib/nfs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -359,34 +375,54 @@ interface(`rpc_read_nfs_state_data',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`rpc_manage_nfs_state_data',`
|
|
+interface(`rpc_read_nfs_state_data',`
|
|
gen_require(`
|
|
type var_lib_nfs_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
- manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
|
|
+ read_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an rpc environment.
|
|
+## Manage NFS state data in /var/lib/nfs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+#
|
|
+interface(`rpc_manage_nfs_state_data',`
|
|
+ gen_require(`
|
|
+ type var_lib_nfs_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
|
|
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## All of the rules required to
|
|
+## administrate an rpc environment.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`rpc_admin',`
|
|
- gen_require(`
|
|
+ gen_require(`
|
|
attribute rpc_domain;
|
|
type nfsd_initrc_exec_t, rpcd_initrc_exec_t, exports_t;
|
|
type var_lib_nfs_t, rpcd_var_run_t, gssd_tmp_t;
|
|
diff --git a/rpc.te b/rpc.te
|
|
index 2da9fca..b96da60 100644
|
|
--- a/rpc.te
|
|
+++ b/rpc.te
|
|
@@ -6,22 +6,20 @@ policy_module(rpc, 1.15.1)
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether gssd can read
|
|
-## generic user temporary content.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow gssd to list tmp directories and read the kerberos credential cache.
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(allow_gssd_read_tmp, false)
|
|
+gen_tunable(gssd_read_tmp, true)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether nfs can modify
|
|
-## public files used for public file
|
|
-## transfer services. Directories/Files must
|
|
-## be labeled public_content_rw_t.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow nfs servers to modify public files
|
|
+## used for public file transfer services. Files/Directories must be
|
|
+## labeled public_content_rw_t.
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(allow_nfsd_anon_write, false)
|
|
+gen_tunable(nfsd_anon_write, false)
|
|
|
|
attribute rpc_domain;
|
|
|
|
@@ -39,21 +37,23 @@ files_tmp_file(gssd_tmp_t)
|
|
type rpcd_var_run_t;
|
|
files_pid_file(rpcd_var_run_t)
|
|
|
|
+# rpcd_t is the domain of rpc daemons.
|
|
+# rpc_exec_t is the type of rpc daemon programs.
|
|
rpc_domain_template(rpcd)
|
|
|
|
type rpcd_initrc_exec_t;
|
|
init_script_file(rpcd_initrc_exec_t)
|
|
|
|
+type rpcd_unit_file_t;
|
|
+systemd_unit_file(rpcd_unit_file_t)
|
|
+
|
|
rpc_domain_template(nfsd)
|
|
|
|
type nfsd_initrc_exec_t;
|
|
init_script_file(nfsd_initrc_exec_t)
|
|
|
|
-type nfsd_rw_t;
|
|
-files_type(nfsd_rw_t)
|
|
-
|
|
-type nfsd_ro_t;
|
|
-files_type(nfsd_ro_t)
|
|
+type nfsd_unit_file_t;
|
|
+systemd_unit_file(nfsd_unit_file_t)
|
|
|
|
type var_lib_nfs_t;
|
|
files_mountpoint(var_lib_nfs_t)
|
|
@@ -71,7 +71,6 @@ allow rpc_domain self:tcp_socket { accept listen };
|
|
manage_dirs_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
|
|
manage_files_pattern(rpc_domain, var_lib_nfs_t, var_lib_nfs_t)
|
|
|
|
-kernel_read_system_state(rpc_domain)
|
|
kernel_read_kernel_sysctls(rpc_domain)
|
|
kernel_rw_rpc_sysctls(rpc_domain)
|
|
|
|
@@ -79,8 +78,6 @@ dev_read_sysfs(rpc_domain)
|
|
dev_read_urand(rpc_domain)
|
|
dev_read_rand(rpc_domain)
|
|
|
|
-corenet_all_recvfrom_unlabeled(rpc_domain)
|
|
-corenet_all_recvfrom_netlabel(rpc_domain)
|
|
corenet_tcp_sendrecv_generic_if(rpc_domain)
|
|
corenet_udp_sendrecv_generic_if(rpc_domain)
|
|
corenet_tcp_sendrecv_generic_node(rpc_domain)
|
|
@@ -108,41 +105,42 @@ files_read_etc_runtime_files(rpc_domain)
|
|
files_read_usr_files(rpc_domain)
|
|
files_list_home(rpc_domain)
|
|
|
|
-logging_send_syslog_msg(rpc_domain)
|
|
-
|
|
-miscfiles_read_localization(rpc_domain)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(rpc_domain)
|
|
|
|
optional_policy(`
|
|
- rpcbind_stream_connect(rpc_domain)
|
|
+ rpcbind_stream_connect(rpc_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
- seutil_sigchld_newrole(rpc_domain)
|
|
+ seutil_sigchld_newrole(rpc_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
- udev_read_db(rpc_domain)
|
|
+ udev_read_db(rpc_domain)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# RPC local policy
|
|
#
|
|
|
|
allow rpcd_t self:capability { setpcap sys_admin chown dac_override setgid setuid };
|
|
allow rpcd_t self:capability2 block_suspend;
|
|
+
|
|
allow rpcd_t self:process { getcap setcap };
|
|
allow rpcd_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
+allow rpcd_t rpcd_var_run_t:dir setattr_dir_perms;
|
|
manage_dirs_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
|
|
manage_files_pattern(rpcd_t, rpcd_var_run_t, rpcd_var_run_t)
|
|
files_pid_filetrans(rpcd_t, rpcd_var_run_t, { file dir })
|
|
|
|
+# rpc.statd executes sm-notify
|
|
can_exec(rpcd_t, rpcd_exec_t)
|
|
|
|
+kernel_read_system_state(rpcd_t)
|
|
kernel_read_network_state(rpcd_t)
|
|
+# for rpc.rquotad
|
|
kernel_read_sysctl(rpcd_t)
|
|
kernel_rw_fs_sysctls(rpcd_t)
|
|
kernel_dontaudit_getattr_core_if(rpcd_t)
|
|
@@ -163,13 +161,14 @@ fs_getattr_all_fs(rpcd_t)
|
|
|
|
storage_getattr_fixed_disk_dev(rpcd_t)
|
|
|
|
+init_read_utmp(rpcd_t)
|
|
+
|
|
selinux_dontaudit_read_fs(rpcd_t)
|
|
|
|
miscfiles_read_generic_certs(rpcd_t)
|
|
|
|
-seutil_dontaudit_search_config(rpcd_t)
|
|
-
|
|
-userdom_signal_all_users(rpcd_t)
|
|
+userdom_signal_unpriv_users(rpcd_t)
|
|
+userdom_read_user_home_content_files(rpcd_t)
|
|
|
|
ifdef(`distro_debian',`
|
|
term_dontaudit_use_unallocated_ttys(rpcd_t)
|
|
@@ -181,19 +180,23 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- nis_read_ypserv_config(rpcd_t)
|
|
+ domain_unconfined_signal(rpcd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- quota_manage_db_files(rpcd_t)
|
|
+ quota_manage_db(rpcd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- rgmanager_manage_tmp_files(rpcd_t)
|
|
+ nis_read_ypserv_config(rpcd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- unconfined_signal(rpcd_t)
|
|
+ quota_read_db(rpcd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rhcs_manage_cluster_tmp_files(rpcd_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -202,41 +205,56 @@ optional_policy(`
|
|
#
|
|
|
|
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
|
|
+dontaudit nfsd_t self:capability sys_rawio;
|
|
|
|
allow nfsd_t exports_t:file read_file_perms;
|
|
-allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
|
|
|
|
+# for /proc/fs/nfs/exports - should we have a new type?
|
|
+kernel_read_system_state(nfsd_t)
|
|
kernel_read_network_state(nfsd_t)
|
|
kernel_dontaudit_getattr_core_if(nfsd_t)
|
|
kernel_setsched(nfsd_t)
|
|
kernel_request_load_module(nfsd_t)
|
|
-# kernel_mounton_proc(nfsd_t)
|
|
+kernel_mounton_proc(nfsd_t)
|
|
+
|
|
+corecmd_exec_shell(nfsd_t)
|
|
|
|
-corenet_sendrecv_nfs_server_packets(nfsd_t)
|
|
+corenet_tcp_bind_all_rpc_ports(nfsd_t)
|
|
+corenet_udp_bind_all_rpc_ports(nfsd_t)
|
|
corenet_tcp_bind_nfs_port(nfsd_t)
|
|
corenet_udp_bind_nfs_port(nfsd_t)
|
|
-
|
|
-corecmd_exec_shell(nfsd_t)
|
|
+corenet_udp_bind_mountd_port(nfsd_t)
|
|
+corenet_tcp_bind_mountd_port(nfsd_t)
|
|
|
|
dev_dontaudit_getattr_all_blk_files(nfsd_t)
|
|
dev_dontaudit_getattr_all_chr_files(nfsd_t)
|
|
dev_rw_lvm_control(nfsd_t)
|
|
|
|
+# does not really need this, but it is easier to just allow it
|
|
+files_search_pids(nfsd_t)
|
|
+# for exportfs and rpc.mountd
|
|
files_getattr_tmp_dirs(nfsd_t)
|
|
+# cjp: this should really have its own type
|
|
files_manage_mounttab(nfsd_t)
|
|
+files_read_etc_runtime_files(nfsd_t)
|
|
|
|
+fs_mounton_nfsd_fs(nfsd_t)
|
|
fs_mount_nfsd_fs(nfsd_t)
|
|
fs_getattr_all_fs(nfsd_t)
|
|
fs_getattr_all_dirs(nfsd_t)
|
|
-fs_rw_nfsd_fs(nfsd_t)
|
|
-# fs_manage_nfsd_fs(nfsd_t)
|
|
+fs_manage_nfsd_fs(nfsd_t)
|
|
|
|
storage_dontaudit_read_fixed_disk(nfsd_t)
|
|
storage_raw_read_removable_device(nfsd_t)
|
|
|
|
+# Read access to public_content_t and public_content_rw_t
|
|
miscfiles_read_public_files(nfsd_t)
|
|
|
|
-tunable_policy(`allow_nfsd_anon_write',`
|
|
+userdom_filetrans_home_content(nfsd_t)
|
|
+userdom_list_user_tmp(nfsd_t)
|
|
+
|
|
+# Write access to public_content_t and public_content_rw_t
|
|
+tunable_policy(`nfsd_anon_write',`
|
|
miscfiles_manage_public_files(nfsd_t)
|
|
')
|
|
|
|
@@ -245,7 +263,6 @@ tunable_policy(`nfs_export_all_rw',`
|
|
dev_getattr_all_chr_files(nfsd_t)
|
|
|
|
fs_read_noxattr_fs_files(nfsd_t)
|
|
- files_manage_non_auth_files(nfsd_t)
|
|
')
|
|
|
|
tunable_policy(`nfs_export_all_ro',`
|
|
@@ -257,12 +274,12 @@ tunable_policy(`nfs_export_all_ro',`
|
|
|
|
fs_read_noxattr_fs_files(nfsd_t)
|
|
|
|
- files_list_non_auth_dirs(nfsd_t)
|
|
- files_read_non_auth_files(nfsd_t)
|
|
+ files_read_non_security_files(nfsd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mount_exec(nfsd_t)
|
|
+ mount_manage_pid_files(nfsd_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -280,6 +297,7 @@ manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
|
|
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
|
|
files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
|
|
|
|
+kernel_read_system_state(gssd_t)
|
|
kernel_read_network_state(gssd_t)
|
|
kernel_read_network_state_symlinks(gssd_t)
|
|
kernel_request_load_module(gssd_t)
|
|
@@ -288,25 +306,29 @@ kernel_signal(gssd_t)
|
|
|
|
corecmd_exec_bin(gssd_t)
|
|
|
|
-fs_list_inotifyfs(gssd_t)
|
|
fs_list_rpc(gssd_t)
|
|
fs_rw_rpc_sockets(gssd_t)
|
|
fs_read_rpc_files(gssd_t)
|
|
-fs_read_nfs_files(gssd_t)
|
|
+fs_read_nfsd_files(gssd_t)
|
|
|
|
+fs_list_inotifyfs(gssd_t)
|
|
files_list_tmp(gssd_t)
|
|
+files_read_usr_symlinks(gssd_t)
|
|
files_dontaudit_write_var_dirs(gssd_t)
|
|
|
|
+auth_use_nsswitch(gssd_t)
|
|
auth_manage_cache(gssd_t)
|
|
|
|
miscfiles_read_generic_certs(gssd_t)
|
|
|
|
userdom_signal_all_users(gssd_t)
|
|
|
|
-tunable_policy(`allow_gssd_read_tmp',`
|
|
+tunable_policy(`gssd_read_tmp',`
|
|
userdom_list_user_tmp(gssd_t)
|
|
userdom_read_user_tmp_files(gssd_t)
|
|
userdom_read_user_tmp_symlinks(gssd_t)
|
|
+ userdom_manage_user_tmp_files(gssd_t)
|
|
+ files_read_generic_tmp_files(gssd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -314,9 +336,12 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ gssproxy_stream_connect(gssd_t)
|
|
+')
|
|
+optional_policy(`
|
|
kerberos_manage_host_rcache(gssd_t)
|
|
kerberos_read_keytab(gssd_t)
|
|
- kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
|
|
+ kerberos_tmp_filetrans_host_rcache(gssd_t, "nfs_0")
|
|
kerberos_use(gssd_t)
|
|
')
|
|
|
|
diff --git a/rpcbind.if b/rpcbind.if
|
|
index 3b5e9ee..ff1163f 100644
|
|
--- a/rpcbind.if
|
|
+++ b/rpcbind.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>Universal Addresses to RPC Program Number Mapper.</summary>
|
|
+## <summary>Universal Addresses to RPC Program Number Mapper</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -15,14 +15,12 @@ interface(`rpcbind_domtrans',`
|
|
type rpcbind_t, rpcbind_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, rpcbind_exec_t, rpcbind_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to rpcbindd with a
|
|
-## unix domain stream socket.
|
|
+## Connect to rpcbindd over an unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -41,7 +39,7 @@ interface(`rpcbind_stream_connect',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read rpcbind pid files.
|
|
+## Read rpcbind PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -73,8 +71,8 @@ interface(`rpcbind_search_lib',`
|
|
type rpcbind_var_lib_t;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
allow $1 rpcbind_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
')
|
|
|
|
########################################
|
|
@@ -92,8 +90,8 @@ interface(`rpcbind_read_lib_files',`
|
|
type rpcbind_var_lib_t;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
read_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
|
|
+ files_search_var_lib($1)
|
|
')
|
|
|
|
########################################
|
|
@@ -112,13 +110,13 @@ interface(`rpcbind_manage_lib_files',`
|
|
type rpcbind_var_lib_t;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
|
|
+ files_search_var_lib($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send null signals to rpcbind.
|
|
+## Send a null signal to rpcbind.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -136,8 +134,44 @@ interface(`rpcbind_signull',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an rpcbind environment.
|
|
+## Transition to rpcbind named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rpcbind_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type rpcbind_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_pid_filetrans($1, rpcbind_var_run_t, sock_file, "rpcbind.sock")
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Relabel from rpcbind sock file.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rpcbind_relabel_sock_file',`
|
|
+ gen_require(`
|
|
+ type rpcbind_var_run_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 rpcbind_var_run_t:sock_file relabel_sock_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an rpcbind environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -146,7 +180,7 @@ interface(`rpcbind_signull',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the rpcbind domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
@@ -157,17 +191,20 @@ interface(`rpcbind_admin',`
|
|
type rpcbind_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 rpcbind_t:process { ptrace signal_perms };
|
|
+ allow $1 rpcbind_t:process signal_perms;
|
|
ps_process_pattern($1, rpcbind_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 rpcbind_t:process ptrace;
|
|
+ ')
|
|
|
|
- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
|
|
+ init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 rpcbind_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, rpcbind_var_run_t)
|
|
-
|
|
- files_search_var_lib($1)
|
|
+ files_list_var_lib($1)
|
|
admin_pattern($1, rpcbind_var_lib_t)
|
|
+
|
|
+ files_list_pids($1)
|
|
+ admin_pattern($1, rpcbind_var_run_t)
|
|
')
|
|
diff --git a/rpcbind.te b/rpcbind.te
|
|
index 54de77c..cb05fbf 100644
|
|
--- a/rpcbind.te
|
|
+++ b/rpcbind.te
|
|
@@ -42,7 +42,6 @@ kernel_read_system_state(rpcbind_t)
|
|
kernel_read_network_state(rpcbind_t)
|
|
kernel_request_load_module(rpcbind_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(rpcbind_t)
|
|
corenet_all_recvfrom_netlabel(rpcbind_t)
|
|
corenet_tcp_sendrecv_generic_if(rpcbind_t)
|
|
corenet_udp_sendrecv_generic_if(rpcbind_t)
|
|
@@ -68,7 +67,11 @@ auth_use_nsswitch(rpcbind_t)
|
|
|
|
logging_send_syslog_msg(rpcbind_t)
|
|
|
|
-miscfiles_read_localization(rpcbind_t)
|
|
+sysnet_dns_name_resolve(rpcbind_t)
|
|
+
|
|
+optional_policy(`
|
|
+ nis_use_ypbind(rpcbind_t)
|
|
+')
|
|
|
|
ifdef(`distro_debian',`
|
|
term_dontaudit_use_unallocated_ttys(rpcbind_t)
|
|
diff --git a/rpm.fc b/rpm.fc
|
|
index ebe91fc..6392cad 100644
|
|
--- a/rpm.fc
|
|
+++ b/rpm.fc
|
|
@@ -1,61 +1,72 @@
|
|
-/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
|
|
-/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:rpm_initrc_exec_t,s0)
|
|
-
|
|
-/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
|
|
+/usr/bin/anaconda-yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
|
|
-/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/bin/dnf -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+
|
|
+/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/bin/yum-builddep -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/bin/repoquery -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/bin/zif -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
|
|
/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/libexec/pegasus/pycmpiLMI_Software-cimprovagt -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
|
|
-/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-
|
|
-ifdef(`distro_redhat',`
|
|
-/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/usr/bin/aptitude -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
|
|
-/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
|
-')
|
|
+/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
|
|
-/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
-/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/sbin/yum-cron -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
|
|
-/var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
|
|
-/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
|
|
+/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
|
|
-/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
|
-/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
|
-/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
|
-/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
|
+ifdef(`distro_redhat', `
|
|
+/usr/sbin/bcfg2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/bin/package-cleanup -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/sbin/rhnreg_ks -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+')
|
|
+
|
|
+/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
|
|
+/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
|
|
+/var/cache/dnf(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
|
|
|
|
-/var/lock/bcfg2\.run -- gen_context(system_u:object_r:rpm_lock_t,s0)
|
|
+/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
|
+/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
|
+/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
|
+/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
|
+/var/lib/dnf(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
|
|
|
-/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
|
|
-/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
|
|
+/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
|
|
|
|
-/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
|
|
+/var/spool/up2date(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
|
|
|
|
-/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
|
|
-/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
|
|
+/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
|
|
+/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
|
|
+
|
|
+# SuSE
|
|
+ifdef(`distro_suse', `
|
|
+/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
|
|
+/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
|
|
+')
|
|
|
|
ifdef(`enable_mls',`
|
|
-/usr/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
+/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
|
|
')
|
|
diff --git a/rpm.if b/rpm.if
|
|
index ef3b225..fbef499 100644
|
|
--- a/rpm.if
|
|
+++ b/rpm.if
|
|
@@ -1,8 +1,8 @@
|
|
-## <summary>Redhat package manager.</summary>
|
|
+## <summary>Policy for the RPM package manager.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute rpm in the rpm domain.
|
|
+## Execute rpm programs in the rpm domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -13,16 +13,18 @@
|
|
interface(`rpm_domtrans',`
|
|
gen_require(`
|
|
type rpm_t, rpm_exec_t;
|
|
+ attribute rpm_transition_domain;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, rpm_exec_t, rpm_t)
|
|
+ typeattribute $1 rpm_transition_domain;
|
|
+ rpm_debuginfo_domtrans($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute debuginfo install
|
|
-## in the rpm domain.
|
|
+## Execute debuginfo_install programs in the rpm domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -41,7 +43,7 @@ interface(`rpm_debuginfo_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute rpm scripts in the rpm script domain.
|
|
+## Execute rpm_script programs in the rpm_script domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -54,18 +56,16 @@ interface(`rpm_domtrans_script',`
|
|
type rpm_script_t;
|
|
')
|
|
|
|
+ # transition to rpm script:
|
|
corecmd_shell_domtrans($1, rpm_script_t)
|
|
-
|
|
allow rpm_script_t $1:fd use;
|
|
- allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
|
|
+ allow rpm_script_t $1:fifo_file rw_file_perms;
|
|
allow rpm_script_t $1:process sigchld;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute rpm in the rpm domain,
|
|
-## and allow the specified roles the
|
|
-## rpm domain.
|
|
+## Execute RPM programs in the RPM domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -74,23 +74,28 @@ interface(`rpm_domtrans_script',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to allow the RPM domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`rpm_run',`
|
|
gen_require(`
|
|
- attribute_role rpm_roles;
|
|
+ type rpm_t, rpm_script_t;
|
|
+ attribute_role rpm_script_roles;
|
|
')
|
|
|
|
rpm_domtrans($1)
|
|
- roleattribute $2 rpm_roles;
|
|
+ roleattribute $2 rpm_script_roles;
|
|
+
|
|
+ domain_system_change_exemption($1)
|
|
+ role_transition $2 rpm_exec_t system_r;
|
|
+ allow $2 system_r;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute the rpm in the caller domain.
|
|
+## Execute the rpm client in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -109,7 +114,7 @@ interface(`rpm_exec',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send null signals to rpm.
|
|
+## Send a null signal to rpm.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -127,7 +132,7 @@ interface(`rpm_signull',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Inherit and use file descriptors from rpm.
|
|
+## Inherit and use file descriptors from RPM.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -145,7 +150,7 @@ interface(`rpm_use_fds',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read rpm unnamed pipes.
|
|
+## Read from an unnamed RPM pipe.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -163,7 +168,7 @@ interface(`rpm_read_pipes',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write rpm unnamed pipes.
|
|
+## Read and write an unnamed RPM pipe.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -181,6 +186,60 @@ interface(`rpm_rw_pipes',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Read and write an unnamed RPM script pipe.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rpm_rw_script_inherited_pipes',`
|
|
+ gen_require(`
|
|
+ type rpm_script_tmp_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 rpm_script_tmp_t:fifo_file rw_inherited_fifo_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## dontaudit read and write an leaked file descriptors
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rpm_dontaudit_leaks',`
|
|
+ gen_require(`
|
|
+ type rpm_t, rpm_var_cache_t;
|
|
+ type rpm_script_t, rpm_var_run_t, rpm_tmp_t;
|
|
+ type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
|
|
+ dontaudit $1 rpm_t:tcp_socket { read write };
|
|
+ dontaudit $1 rpm_t:unix_dgram_socket { read write };
|
|
+ dontaudit $1 rpm_t:shm rw_shm_perms;
|
|
+
|
|
+ dontaudit $1 rpm_script_t:fd use;
|
|
+ dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
|
|
+
|
|
+ dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;
|
|
+
|
|
+ dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
|
|
+ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
|
|
+ dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
|
|
+ dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
|
|
+ dontaudit $1 rpm_var_lib_t:dir getattr;
|
|
+ dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
|
|
+ dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Send and receive messages from
|
|
## rpm over dbus.
|
|
## </summary>
|
|
@@ -224,7 +283,7 @@ interface(`rpm_dontaudit_dbus_chat',`
|
|
########################################
|
|
## <summary>
|
|
## Send and receive messages from
|
|
-## rpm script over dbus.
|
|
+## rpm_script over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -244,7 +303,7 @@ interface(`rpm_script_dbus_chat',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Search rpm log directories.
|
|
+## Search RPM log directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -263,7 +322,8 @@ interface(`rpm_search_log',`
|
|
|
|
#####################################
|
|
## <summary>
|
|
-## Append rpm log files.
|
|
+## Allow the specified domain to append
|
|
+## to rpm log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -276,14 +336,30 @@ interface(`rpm_append_log',`
|
|
type rpm_log_t;
|
|
')
|
|
|
|
- logging_search_logs($1)
|
|
- append_files_pattern($1, rpm_log_t, rpm_log_t)
|
|
+ allow $1 rpm_log_t:file append_inherited_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete the RPM log.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rpm_read_log',`
|
|
+ gen_require(`
|
|
+ type rpm_log_t;
|
|
+ ')
|
|
+
|
|
+ read_files_pattern($1, rpm_log_t, rpm_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## rpm log files.
|
|
+## Create, read, write, and delete the RPM log.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -302,7 +378,7 @@ interface(`rpm_manage_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Inherit and use rpm script file descriptors.
|
|
+## Inherit and use file descriptors from RPM scripts.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -320,8 +396,8 @@ interface(`rpm_use_script_fds',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## rpm script temporary files.
|
|
+## Create, read, write, and delete RPM
|
|
+## script temporary files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -335,12 +411,15 @@ interface(`rpm_manage_script_tmp_files',`
|
|
')
|
|
|
|
files_search_tmp($1)
|
|
+ manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
|
|
manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
|
|
+ manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
|
|
')
|
|
|
|
#####################################
|
|
## <summary>
|
|
-## Append rpm temporary files.
|
|
+## Allow the specified domain to append
|
|
+## to rpm tmp files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -353,14 +432,13 @@ interface(`rpm_append_tmp_files',`
|
|
type rpm_tmp_t;
|
|
')
|
|
|
|
- files_search_tmp($1)
|
|
- append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
|
|
+ allow $1 rpm_tmp_t:file append_inherited_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## rpm temporary files.
|
|
+## Create, read, write, and delete RPM
|
|
+## temporary files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -374,12 +452,14 @@ interface(`rpm_manage_tmp_files',`
|
|
')
|
|
|
|
files_search_tmp($1)
|
|
+ manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
|
|
manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
|
|
+ manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read rpm script temporary files.
|
|
+## Read RPM script temporary files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -399,7 +479,7 @@ interface(`rpm_read_script_tmp_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read rpm cache content.
|
|
+## Read the RPM cache.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -420,8 +500,7 @@ interface(`rpm_read_cache',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## rpm cache content.
|
|
+## Create, read, write, and delete the RPM package database.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -442,7 +521,7 @@ interface(`rpm_manage_cache',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read rpm lib content.
|
|
+## Read the RPM package database.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -459,11 +538,12 @@ interface(`rpm_read_db',`
|
|
allow $1 rpm_var_lib_t:dir list_dir_perms;
|
|
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
|
|
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
|
|
+ rpm_read_cache($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Delete rpm lib files.
|
|
+## Delete the RPM package database.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -482,8 +562,7 @@ interface(`rpm_delete_db',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## rpm lib files.
|
|
+## Create, read, write, and delete the RPM package database.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -503,8 +582,28 @@ interface(`rpm_manage_db',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Do not audit attempts to create, read,the RPM package database.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rpm_dontaudit_read_db',`
|
|
+ gen_require(`
|
|
+ type rpm_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 rpm_var_lib_t:dir list_dir_perms;
|
|
+ dontaudit $1 rpm_var_lib_t:file read_file_perms;
|
|
+ dontaudit $1 rpm_var_lib_t:lnk_file read_lnk_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Do not audit attempts to create, read,
|
|
-## write, and delete rpm lib content.
|
|
+## write, and delete the RPM package database.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -517,7 +616,7 @@ interface(`rpm_dontaudit_manage_db',`
|
|
type rpm_var_lib_t;
|
|
')
|
|
|
|
- dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
|
|
+ dontaudit $1 rpm_var_lib_t:dir manage_dir_perms;
|
|
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
|
|
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
|
|
')
|
|
@@ -543,8 +642,7 @@ interface(`rpm_read_pid_files',`
|
|
|
|
#####################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## rpm pid files.
|
|
+## Create, read, write, and delete rpm pid files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -563,8 +661,7 @@ interface(`rpm_manage_pid_files',`
|
|
|
|
######################################
|
|
## <summary>
|
|
-## Create files in pid directories
|
|
-## with the rpm pid file type.
|
|
+## Create files in /var/run with the rpm pid file type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -573,66 +670,104 @@ interface(`rpm_manage_pid_files',`
|
|
## </param>
|
|
#
|
|
interface(`rpm_pid_filetrans',`
|
|
- refpolicywarn(`$0($*) has been deprecated, rpm_pid_filetrans_rpm_pid() instead.')
|
|
- rpm_pid_filetrans_rpm_pid($1, file)
|
|
+ gen_require(`
|
|
+ type rpm_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_pid_filetrans($1, rpm_var_run_t, file)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create specified objects in pid directories
|
|
-## with the rpm pid file type.
|
|
+## Send a null signal to rpm.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
+#
|
|
+interface(`rpm_inherited_fifo',`
|
|
+ gen_require(`
|
|
+ attribute rpm_transition_domain;
|
|
+ ')
|
|
+
|
|
+ allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Make rpm_exec_t an entry point for
|
|
+## the specified domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## The name of the object being created.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-#
|
|
-interface(`rpm_pid_filetrans_rpm_pid',`
|
|
+#
|
|
+interface(`rpm_entry_type',`
|
|
gen_require(`
|
|
- type rpm_var_run_t;
|
|
+ type rpm_exec_t;
|
|
')
|
|
|
|
- files_pid_filetrans($1, rpm_var_run_t, $3, $4)
|
|
+ domain_entry_file($1, rpm_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an rpm environment.
|
|
+## Allow application to transition to rpm_script domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+#
|
|
+interface(`rpm_transition_script',`
|
|
+ gen_require(`
|
|
+ type rpm_script_t;
|
|
+ attribute rpm_transition_domain;
|
|
+ ')
|
|
+
|
|
+ typeattribute $1 rpm_transition_domain;
|
|
+ allow $1 rpm_script_t:process transition;
|
|
+
|
|
+ allow $1 rpm_script_t:fd use;
|
|
+ allow rpm_script_t $1:fd use;
|
|
+ allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
|
|
+ allow rpm_script_t $1:process sigchld;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## All of the rules required to
|
|
+## administrate an rpm environment.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`rpm_admin',`
|
|
- gen_require(`
|
|
- type rpm_t, rpm_script_t, rpm_initrc_exec_t;
|
|
- type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
|
|
- type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
|
|
- type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type rpm_t, rpm_script_t, rpm_initrc_exec_t;
|
|
+ type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
|
|
+
|
|
+ type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
|
|
+ type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
|
|
+ ')
|
|
|
|
- allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { rpm_t rpm_script_t })
|
|
+ allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, { rpm_t rpm_script_t })
|
|
|
|
init_labeled_script_domtrans($1, rpm_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff --git a/rpm.te b/rpm.te
|
|
index 6fc360e..dfa0f04 100644
|
|
--- a/rpm.te
|
|
+++ b/rpm.te
|
|
@@ -1,15 +1,13 @@
|
|
policy_module(rpm, 1.16.0)
|
|
|
|
+attribute rpm_transition_domain;
|
|
+attribute_role rpm_script_roles;
|
|
+roleattribute system_r rpm_script_roles;
|
|
+
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
-
|
|
-attribute_role rpm_roles;
|
|
-
|
|
-type debuginfo_exec_t;
|
|
-domain_entry_file(rpm_t, debuginfo_exec_t)
|
|
-
|
|
type rpm_t;
|
|
type rpm_exec_t;
|
|
init_system_domain(rpm_t, rpm_exec_t)
|
|
@@ -17,10 +15,10 @@ domain_obj_id_change_exemption(rpm_t)
|
|
domain_role_change_exemption(rpm_t)
|
|
domain_system_change_exemption(rpm_t)
|
|
domain_interactive_fd(rpm_t)
|
|
-role rpm_roles types rpm_t;
|
|
+role rpm_script_roles types rpm_t;
|
|
|
|
-type rpm_initrc_exec_t;
|
|
-init_script_file(rpm_initrc_exec_t)
|
|
+type debuginfo_exec_t;
|
|
+domain_entry_file(rpm_t, debuginfo_exec_t)
|
|
|
|
type rpm_file_t;
|
|
files_type(rpm_file_t)
|
|
@@ -31,9 +29,6 @@ files_tmp_file(rpm_tmp_t)
|
|
type rpm_tmpfs_t;
|
|
files_tmpfs_file(rpm_tmpfs_t)
|
|
|
|
-type rpm_lock_t;
|
|
-files_lock_file(rpm_lock_t)
|
|
-
|
|
type rpm_log_t;
|
|
logging_log_file(rpm_log_t)
|
|
|
|
@@ -56,8 +51,7 @@ corecmd_bin_entry_type(rpm_script_t)
|
|
domain_type(rpm_script_t)
|
|
domain_entry_file(rpm_t, rpm_script_exec_t)
|
|
domain_interactive_fd(rpm_script_t)
|
|
-role rpm_roles types rpm_script_t;
|
|
-role system_r types rpm_script_t;
|
|
+role rpm_script_roles types rpm_script_t;
|
|
|
|
type rpm_script_tmp_t;
|
|
files_tmp_file(rpm_script_tmp_t)
|
|
@@ -70,28 +64,34 @@ files_tmpfs_file(rpm_script_tmpfs_t)
|
|
# rpm Local policy
|
|
#
|
|
|
|
+allow rpm_t self:capability2 block_suspend;
|
|
allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
|
|
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
|
|
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
|
|
allow rpm_t self:fd use;
|
|
allow rpm_t self:fifo_file rw_fifo_file_perms;
|
|
+allow rpm_t self:unix_dgram_socket create_socket_perms;
|
|
+allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
|
|
allow rpm_t self:unix_dgram_socket sendto;
|
|
-allow rpm_t self:unix_stream_socket { accept connectto listen };
|
|
-allow rpm_t self:udp_socket connect;
|
|
-allow rpm_t self:tcp_socket { accept listen };
|
|
+allow rpm_t self:unix_stream_socket connectto;
|
|
+allow rpm_t self:udp_socket { connect };
|
|
+allow rpm_t self:udp_socket create_socket_perms;
|
|
+allow rpm_t self:tcp_socket create_stream_socket_perms;
|
|
allow rpm_t self:shm create_shm_perms;
|
|
allow rpm_t self:sem create_sem_perms;
|
|
allow rpm_t self:msgq create_msgq_perms;
|
|
allow rpm_t self:msg { send receive };
|
|
-allow rpm_t self:file rw_file_perms;
|
|
+allow rpm_t self:dir search;
|
|
+allow rpm_t self:file rw_file_perms;;
|
|
allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
-allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
|
+allow rpm_t rpm_log_t:file manage_file_perms;
|
|
logging_log_filetrans(rpm_t, rpm_log_t, file)
|
|
|
|
manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
|
|
manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
|
|
files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
|
|
+can_exec(rpm_t, rpm_tmp_t)
|
|
|
|
manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
|
|
manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
|
|
@@ -99,23 +99,19 @@ manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
|
|
manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
|
|
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
|
|
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
|
+can_exec(rpm_t, rpm_tmpfs_t)
|
|
|
|
manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
|
|
manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
|
|
files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
|
|
|
|
-manage_files_pattern(rpm_t, rpm_lock_t, rpm_lock_t)
|
|
-files_lock_filetrans(rpm_t, rpm_lock_t, file)
|
|
-
|
|
-manage_dirs_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
|
|
+# Access /var/lib/rpm files
|
|
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
|
|
-files_var_lib_filetrans(rpm_t, rpm_var_lib_t, { dir file })
|
|
+files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
|
|
|
|
manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
|
|
manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
|
|
-files_pid_filetrans(rpm_t, rpm_var_run_t, { dir file })
|
|
-
|
|
-can_exec(rpm_t, { rpm_tmp_t rpm_tmpfs_t })
|
|
+files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir })
|
|
|
|
kernel_read_crypto_sysctls(rpm_t)
|
|
kernel_read_network_state(rpm_t)
|
|
@@ -126,41 +122,34 @@ kernel_rw_irq_sysctls(rpm_t)
|
|
|
|
corecmd_exec_all_executables(rpm_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(rpm_t)
|
|
corenet_all_recvfrom_netlabel(rpm_t)
|
|
corenet_tcp_sendrecv_generic_if(rpm_t)
|
|
+corenet_raw_sendrecv_generic_if(rpm_t)
|
|
+corenet_udp_sendrecv_generic_if(rpm_t)
|
|
corenet_tcp_sendrecv_generic_node(rpm_t)
|
|
+corenet_raw_sendrecv_generic_node(rpm_t)
|
|
+corenet_udp_sendrecv_generic_node(rpm_t)
|
|
corenet_tcp_sendrecv_all_ports(rpm_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(rpm_t)
|
|
+corenet_udp_sendrecv_all_ports(rpm_t)
|
|
corenet_tcp_connect_all_ports(rpm_t)
|
|
+corenet_sendrecv_all_client_packets(rpm_t)
|
|
|
|
dev_list_sysfs(rpm_t)
|
|
dev_list_usbfs(rpm_t)
|
|
dev_read_urand(rpm_t)
|
|
dev_read_raw_memory(rpm_t)
|
|
-
|
|
dev_manage_all_dev_nodes(rpm_t)
|
|
-dev_relabel_all_dev_nodes(rpm_t)
|
|
|
|
+#devices_manage_all_device_types(rpm_t)
|
|
dev_create_generic_blk_files(rpm_t)
|
|
dev_create_generic_chr_files(rpm_t)
|
|
-
|
|
-domain_read_all_domains_state(rpm_t)
|
|
-domain_getattr_all_domains(rpm_t)
|
|
-domain_use_interactive_fds(rpm_t)
|
|
-domain_dontaudit_getattr_all_pipes(rpm_t)
|
|
-domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
|
|
-domain_dontaudit_getattr_all_udp_sockets(rpm_t)
|
|
-domain_dontaudit_getattr_all_packet_sockets(rpm_t)
|
|
-domain_dontaudit_getattr_all_raw_sockets(rpm_t)
|
|
-domain_dontaudit_getattr_all_stream_sockets(rpm_t)
|
|
-domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
|
|
-domain_signull_all_domains(rpm_t)
|
|
-
|
|
-files_exec_etc_files(rpm_t)
|
|
-files_relabel_non_auth_files(rpm_t)
|
|
-files_manage_non_auth_files(rpm_t)
|
|
+dev_delete_all_blk_files(rpm_t)
|
|
+dev_delete_all_chr_files(rpm_t)
|
|
+dev_relabel_all_dev_nodes(rpm_t)
|
|
+dev_rename_generic_blk_files(rpm_t)
|
|
+dev_rename_generic_chr_files(rpm_t)
|
|
+dev_setattr_all_blk_files(rpm_t)
|
|
+dev_setattr_all_chr_files(rpm_t)
|
|
|
|
fs_getattr_all_dirs(rpm_t)
|
|
fs_list_inotifyfs(rpm_t)
|
|
@@ -183,29 +172,49 @@ selinux_compute_relabel_context(rpm_t)
|
|
selinux_compute_user_contexts(rpm_t)
|
|
|
|
storage_raw_write_fixed_disk(rpm_t)
|
|
+# for installing kernel packages
|
|
storage_raw_read_fixed_disk(rpm_t)
|
|
|
|
term_list_ptys(rpm_t)
|
|
|
|
+files_relabel_all_files(rpm_t)
|
|
+files_manage_all_files(rpm_t)
|
|
auth_dontaudit_read_shadow(rpm_t)
|
|
auth_use_nsswitch(rpm_t)
|
|
|
|
+# transition to rpm script:
|
|
rpm_domtrans_script(rpm_t)
|
|
|
|
+domain_read_all_domains_state(rpm_t)
|
|
+domain_getattr_all_domains(rpm_t)
|
|
+domain_use_interactive_fds(rpm_t)
|
|
+domain_dontaudit_getattr_all_pipes(rpm_t)
|
|
+domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
|
|
+domain_dontaudit_getattr_all_udp_sockets(rpm_t)
|
|
+domain_dontaudit_getattr_all_packet_sockets(rpm_t)
|
|
+domain_dontaudit_getattr_all_raw_sockets(rpm_t)
|
|
+domain_dontaudit_getattr_all_stream_sockets(rpm_t)
|
|
+domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
|
|
+domain_signull_all_domains(rpm_t)
|
|
+
|
|
+files_exec_etc_files(rpm_t)
|
|
+
|
|
init_domtrans_script(rpm_t)
|
|
init_use_script_ptys(rpm_t)
|
|
init_signull_script(rpm_t)
|
|
|
|
libs_exec_ld_so(rpm_t)
|
|
libs_exec_lib_files(rpm_t)
|
|
-libs_run_ldconfig(rpm_t, rpm_roles)
|
|
|
|
logging_send_syslog_msg(rpm_t)
|
|
|
|
+miscfiles_filetrans_named_content(rpm_t)
|
|
+
|
|
+# allow compiling and loading new policy
|
|
seutil_manage_src_policy(rpm_t)
|
|
seutil_manage_bin_policy(rpm_t)
|
|
|
|
-userdom_use_user_terminals(rpm_t)
|
|
+userdom_use_inherited_user_terminals(rpm_t)
|
|
userdom_use_unpriv_users_fds(rpm_t)
|
|
|
|
optional_policy(`
|
|
@@ -224,13 +233,17 @@ optional_policy(`
|
|
networkmanager_dbus_chat(rpm_t)
|
|
')
|
|
|
|
- optional_policy(`
|
|
- unconfined_dbus_chat(rpm_t)
|
|
- ')
|
|
')
|
|
|
|
optional_policy(`
|
|
- prelink_run(rpm_t, rpm_roles)
|
|
+ prelink_domtrans(rpm_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_domain_noaudit(rpm_t)
|
|
+ # yum-updatesd requires this
|
|
+ unconfined_dbus_chat(rpm_t)
|
|
+ unconfined_dbus_chat(rpm_script_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -239,18 +252,20 @@ optional_policy(`
|
|
#
|
|
|
|
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };
|
|
+
|
|
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
|
|
allow rpm_script_t self:fd use;
|
|
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
|
|
+allow rpm_script_t self:unix_dgram_socket create_socket_perms;
|
|
+allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
|
|
allow rpm_script_t self:unix_dgram_socket sendto;
|
|
-allow rpm_script_t self:unix_stream_socket { accept connectto listen };
|
|
+allow rpm_script_t self:unix_stream_socket connectto;
|
|
allow rpm_script_t self:shm create_shm_perms;
|
|
allow rpm_script_t self:sem create_sem_perms;
|
|
allow rpm_script_t self:msgq create_msgq_perms;
|
|
allow rpm_script_t self:msg { send receive };
|
|
allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
-
|
|
-allow rpm_script_t rpm_t:netlink_route_socket { read write };
|
|
+allow rpm_script_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
|
|
|
|
allow rpm_script_t rpm_tmp_t:file read_file_perms;
|
|
|
|
@@ -267,8 +282,9 @@ manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
|
|
manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
|
|
manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
|
|
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
|
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
|
|
|
|
-can_exec(rpm_script_t, { rpm_script_tmp_t rpm_script_tmpfs_t })
|
|
+allow rpm_script_t rpm_t:netlink_route_socket { read write };
|
|
|
|
kernel_read_crypto_sysctls(rpm_script_t)
|
|
kernel_read_kernel_sysctls(rpm_script_t)
|
|
@@ -277,45 +293,27 @@ kernel_read_network_state(rpm_script_t)
|
|
kernel_list_all_proc(rpm_script_t)
|
|
kernel_read_software_raid_state(rpm_script_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(rpm_script_t)
|
|
-corenet_all_recvfrom_netlabel(rpm_script_t)
|
|
-corenet_tcp_sendrecv_generic_if(rpm_script_t)
|
|
-corenet_tcp_sendrecv_generic_node(rpm_script_t)
|
|
-
|
|
-corenet_sendrecv_http_client_packets(rpm_script_t)
|
|
+# needed by rhn_check
|
|
corenet_tcp_connect_http_port(rpm_script_t)
|
|
-corenet_tcp_sendrecv_http_port(rpm_script_t)
|
|
-
|
|
-corecmd_exec_all_executables(rpm_script_t)
|
|
|
|
dev_list_sysfs(rpm_script_t)
|
|
+
|
|
+# ideally we would not need this
|
|
dev_manage_generic_blk_files(rpm_script_t)
|
|
dev_manage_generic_chr_files(rpm_script_t)
|
|
dev_manage_all_blk_files(rpm_script_t)
|
|
dev_manage_all_chr_files(rpm_script_t)
|
|
|
|
-domain_read_all_domains_state(rpm_script_t)
|
|
-domain_getattr_all_domains(rpm_script_t)
|
|
-domain_use_interactive_fds(rpm_script_t)
|
|
-domain_signal_all_domains(rpm_script_t)
|
|
-domain_signull_all_domains(rpm_script_t)
|
|
-
|
|
-files_exec_etc_files(rpm_script_t)
|
|
-files_exec_usr_files(rpm_script_t)
|
|
-files_manage_non_auth_files(rpm_script_t)
|
|
-files_relabel_non_auth_files(rpm_script_t)
|
|
-
|
|
fs_manage_nfs_files(rpm_script_t)
|
|
fs_getattr_nfs(rpm_script_t)
|
|
fs_search_all(rpm_script_t)
|
|
fs_getattr_all_fs(rpm_script_t)
|
|
+# why is this not using mount?
|
|
fs_getattr_xattr_fs(rpm_script_t)
|
|
fs_mount_xattr_fs(rpm_script_t)
|
|
fs_unmount_xattr_fs(rpm_script_t)
|
|
fs_search_auto_mountpoints(rpm_script_t)
|
|
|
|
-mcs_killall(rpm_script_t)
|
|
-
|
|
mls_file_read_all_levels(rpm_script_t)
|
|
mls_file_write_all_levels(rpm_script_t)
|
|
|
|
@@ -331,30 +329,48 @@ storage_raw_write_fixed_disk(rpm_script_t)
|
|
|
|
term_getattr_unallocated_ttys(rpm_script_t)
|
|
term_list_ptys(rpm_script_t)
|
|
-term_use_all_terms(rpm_script_t)
|
|
+term_use_all_inherited_terms(rpm_script_t)
|
|
|
|
auth_dontaudit_getattr_shadow(rpm_script_t)
|
|
auth_use_nsswitch(rpm_script_t)
|
|
|
|
+corecmd_exec_all_executables(rpm_script_t)
|
|
+can_exec(rpm_script_t, rpm_script_tmp_t)
|
|
+can_exec(rpm_script_t, rpm_script_tmpfs_t)
|
|
+
|
|
+domain_read_all_domains_state(rpm_script_t)
|
|
+domain_getattr_all_domains(rpm_script_t)
|
|
+domain_use_interactive_fds(rpm_script_t)
|
|
+domain_signal_all_domains(rpm_script_t)
|
|
+domain_signull_all_domains(rpm_script_t)
|
|
+
|
|
+# ideally we would not need this
|
|
+files_manage_all_files(rpm_script_t)
|
|
+files_exec_etc_files(rpm_script_t)
|
|
+files_read_etc_runtime_files(rpm_script_t)
|
|
+files_exec_usr_files(rpm_script_t)
|
|
+files_relabel_all_files(rpm_script_t)
|
|
+
|
|
init_domtrans_script(rpm_script_t)
|
|
init_telinit(rpm_script_t)
|
|
|
|
+systemd_config_all_services(rpm_script_t)
|
|
+
|
|
libs_exec_ld_so(rpm_script_t)
|
|
libs_exec_lib_files(rpm_script_t)
|
|
-libs_run_ldconfig(rpm_script_t, rpm_roles)
|
|
+libs_ldconfig_exec_entry_type(rpm_script_t)
|
|
|
|
logging_send_syslog_msg(rpm_script_t)
|
|
|
|
-miscfiles_read_localization(rpm_script_t)
|
|
-
|
|
-modutils_run_depmod(rpm_script_t, rpm_roles)
|
|
-modutils_run_insmod(rpm_script_t, rpm_roles)
|
|
+miscfiles_filetrans_named_content(rpm_script_t)
|
|
|
|
-seutil_run_loadpolicy(rpm_script_t, rpm_roles)
|
|
-seutil_run_setfiles(rpm_script_t, rpm_roles)
|
|
-seutil_run_semanage(rpm_script_t, rpm_roles)
|
|
+seutil_run_loadpolicy(rpm_script_t, rpm_script_roles)
|
|
+seutil_run_setfiles(rpm_script_t, rpm_script_roles)
|
|
+seutil_run_semanage(rpm_script_t, rpm_script_roles)
|
|
+seutil_run_setsebool(rpm_script_t, rpm_script_roles)
|
|
|
|
userdom_use_all_users_fds(rpm_script_t)
|
|
+userdom_exec_admin_home_files(rpm_script_t)
|
|
|
|
ifdef(`distro_redhat',`
|
|
optional_policy(`
|
|
@@ -363,41 +379,61 @@ ifdef(`distro_redhat',`
|
|
')
|
|
')
|
|
|
|
-tunable_policy(`allow_execmem',`
|
|
+tunable_policy(`deny_execmem',`',`
|
|
allow rpm_script_t self:process execmem;
|
|
')
|
|
|
|
optional_policy(`
|
|
- bootloader_run(rpm_script_t, rpm_roles)
|
|
+ bootloader_run(rpm_script_t, rpm_script_roles)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ certmonger_dbus_chat(rpm_script_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ cups_filetrans_named_content(rpm_script_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(rpm_script_t)
|
|
|
|
- optional_policy(`
|
|
- unconfined_dbus_chat(rpm_script_t)
|
|
- ')
|
|
+ optional_policy(`
|
|
+ systemd_dbus_chat_logind(rpm_script_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ lvm_domtrans(rpm_script_t, rpm_script_roles)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ntp_run(rpm_script_t, rpm_script_roles)
|
|
')
|
|
|
|
optional_policy(`
|
|
- lvm_run(rpm_script_t, rpm_roles)
|
|
+ modutils_run_depmod(rpm_script_t, rpm_script_roles)
|
|
+ modutils_run_insmod(rpm_script_t, rpm_script_roles)
|
|
')
|
|
|
|
optional_policy(`
|
|
- ntp_domtrans(rpm_script_t)
|
|
+ openshift_initrc_run(rpm_script_t, rpm_script_roles)
|
|
')
|
|
|
|
optional_policy(`
|
|
- tzdata_run(rpm_t, rpm_roles)
|
|
- tzdata_run(rpm_script_t, rpm_roles)
|
|
+ tzdata_domtrans(rpm_t)
|
|
+ tzdata_run(rpm_script_t, rpm_script_roles)
|
|
')
|
|
|
|
optional_policy(`
|
|
- udev_domtrans(rpm_script_t)
|
|
+ udev_run(rpm_script_t, rpm_script_roles)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ unconfined_domain_noaudit(rpm_script_t)
|
|
unconfined_domtrans(rpm_script_t)
|
|
+ domain_named_filetrans(rpm_script_t)
|
|
+
|
|
|
|
optional_policy(`
|
|
java_domtrans_unconfined(rpm_script_t)
|
|
@@ -409,6 +445,6 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- usermanage_run_groupadd(rpm_script_t, rpm_roles)
|
|
- usermanage_run_useradd(rpm_script_t, rpm_roles)
|
|
+ usermanage_run_groupadd(rpm_script_t, rpm_script_roles)
|
|
+ usermanage_run_useradd(rpm_script_t, rpm_script_roles)
|
|
')
|
|
diff --git a/rshd.fc b/rshd.fc
|
|
index 9ad0d58..6a4db03 100644
|
|
--- a/rshd.fc
|
|
+++ b/rshd.fc
|
|
@@ -1,3 +1,4 @@
|
|
+
|
|
/usr/kerberos/sbin/kshd -- gen_context(system_u:object_r:rshd_exec_t,s0)
|
|
|
|
/usr/sbin/in\.rexecd -- gen_context(system_u:object_r:rshd_exec_t,s0)
|
|
diff --git a/rshd.if b/rshd.if
|
|
index 7ad29c0..2e87d76 100644
|
|
--- a/rshd.if
|
|
+++ b/rshd.if
|
|
@@ -2,7 +2,7 @@
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute rshd in the rshd domain.
|
|
+## Domain transition to rshd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -15,6 +15,7 @@ interface(`rshd_domtrans',`
|
|
type rshd_exec_t, rshd_t;
|
|
')
|
|
|
|
+ files_search_usr($1)
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, rshd_exec_t, rshd_t)
|
|
')
|
|
diff --git a/rshd.te b/rshd.te
|
|
index 864e089..925203c 100644
|
|
--- a/rshd.te
|
|
+++ b/rshd.te
|
|
@@ -4,11 +4,12 @@ policy_module(rshd, 1.8.1)
|
|
#
|
|
# Declarations
|
|
#
|
|
-
|
|
type rshd_t;
|
|
type rshd_exec_t;
|
|
-auth_login_pgm_domain(rshd_t)
|
|
inetd_tcp_service_domain(rshd_t, rshd_exec_t)
|
|
+domain_subj_id_change_exemption(rshd_t)
|
|
+domain_role_change_exemption(rshd_t)
|
|
+role system_r types rshd_t;
|
|
|
|
type rshd_keytab_t;
|
|
files_type(rshd_keytab_t)
|
|
@@ -17,9 +18,8 @@ files_type(rshd_keytab_t)
|
|
#
|
|
# Local policy
|
|
#
|
|
-
|
|
allow rshd_t self:capability { kill setuid setgid fowner fsetid chown dac_override };
|
|
-allow rshd_t self:process { signal_perms setsched setpgid setexec };
|
|
+allow rshd_t self:process { signal_perms fork setsched setpgid setexec };
|
|
allow rshd_t self:fifo_file rw_fifo_file_perms;
|
|
allow rshd_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
@@ -27,41 +27,56 @@ allow rshd_t rshd_keytab_t:file read_file_perms;
|
|
|
|
kernel_read_kernel_sysctls(rshd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(rshd_t)
|
|
corenet_all_recvfrom_netlabel(rshd_t)
|
|
corenet_tcp_sendrecv_generic_if(rshd_t)
|
|
+corenet_udp_sendrecv_generic_if(rshd_t)
|
|
corenet_tcp_sendrecv_generic_node(rshd_t)
|
|
+corenet_udp_sendrecv_generic_node(rshd_t)
|
|
corenet_tcp_sendrecv_all_ports(rshd_t)
|
|
+corenet_udp_sendrecv_all_ports(rshd_t)
|
|
corenet_tcp_bind_generic_node(rshd_t)
|
|
-
|
|
-corenet_sendrecv_all_server_packets(rshd_t)
|
|
corenet_tcp_bind_rsh_port(rshd_t)
|
|
corenet_tcp_bind_all_rpc_ports(rshd_t)
|
|
corenet_tcp_connect_all_ports(rshd_t)
|
|
corenet_tcp_connect_all_rpc_ports(rshd_t)
|
|
+corenet_sendrecv_rsh_server_packets(rshd_t)
|
|
+
|
|
+dev_read_urand(rshd_t)
|
|
+
|
|
+domain_interactive_fd(rshd_t)
|
|
+
|
|
+selinux_get_fs_mount(rshd_t)
|
|
+selinux_validate_context(rshd_t)
|
|
+selinux_compute_access_vector(rshd_t)
|
|
+selinux_compute_create_context(rshd_t)
|
|
+selinux_compute_relabel_context(rshd_t)
|
|
+selinux_compute_user_contexts(rshd_t)
|
|
|
|
corecmd_read_bin_symlinks(rshd_t)
|
|
|
|
files_list_home(rshd_t)
|
|
+files_search_tmp(rshd_t)
|
|
+
|
|
+auth_login_pgm_domain(rshd_t)
|
|
+auth_write_login_records(rshd_t)
|
|
|
|
+init_rw_utmp(rshd_t)
|
|
+
|
|
+logging_send_syslog_msg(rshd_t)
|
|
logging_search_logs(rshd_t)
|
|
|
|
-miscfiles_read_localization(rshd_t)
|
|
+seutil_read_config(rshd_t)
|
|
+seutil_read_default_contexts(rshd_t)
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_read_nfs_files(rshd_t)
|
|
- fs_read_nfs_symlinks(rshd_t)
|
|
-')
|
|
+userdom_search_user_home_content(rshd_t)
|
|
+userdom_manage_tmp_role(system_r, rshd_t)
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_read_cifs_files(rshd_t)
|
|
- fs_read_cifs_symlinks(rshd_t)
|
|
-')
|
|
+userdom_home_reader(rshd_t)
|
|
|
|
optional_policy(`
|
|
kerberos_manage_host_rcache(rshd_t)
|
|
kerberos_read_keytab(rshd_t)
|
|
- kerberos_tmp_filetrans_host_rcache(rshd_t, file, "host_0")
|
|
+ kerberos_tmp_filetrans_host_rcache(rshd_t, "host_0")
|
|
kerberos_use(rshd_t)
|
|
')
|
|
|
|
diff --git a/rssh.te b/rssh.te
|
|
index 5c5465f..6005932 100644
|
|
--- a/rssh.te
|
|
+++ b/rssh.te
|
|
@@ -60,18 +60,14 @@ manage_files_pattern(rssh_t, rssh_rw_t, rssh_rw_t)
|
|
kernel_read_system_state(rssh_t)
|
|
kernel_read_kernel_sysctls(rssh_t)
|
|
|
|
-files_read_etc_files(rssh_t)
|
|
files_read_etc_runtime_files(rssh_t)
|
|
files_list_home(rssh_t)
|
|
-files_read_usr_files(rssh_t)
|
|
files_list_var(rssh_t)
|
|
|
|
fs_search_auto_mountpoints(rssh_t)
|
|
|
|
logging_send_syslog_msg(rssh_t)
|
|
|
|
-miscfiles_read_localization(rssh_t)
|
|
-
|
|
rssh_domtrans_chroot_helper(rssh_t)
|
|
|
|
ssh_rw_tcp_sockets(rssh_t)
|
|
@@ -95,5 +91,3 @@ domain_use_interactive_fds(rssh_chroot_helper_t)
|
|
auth_use_nsswitch(rssh_chroot_helper_t)
|
|
|
|
logging_send_syslog_msg(rssh_chroot_helper_t)
|
|
-
|
|
-miscfiles_read_localization(rssh_chroot_helper_t)
|
|
diff --git a/rsync.fc b/rsync.fc
|
|
index d25301b..f3eeec7 100644
|
|
--- a/rsync.fc
|
|
+++ b/rsync.fc
|
|
@@ -1,7 +1,8 @@
|
|
/etc/rsyncd\.conf -- gen_context(system_u:object_r:rsync_etc_t, s0)
|
|
|
|
-/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
|
|
+/usr/bin/rsync -- gen_context(system_u:object_r:rsync_exec_t,s0)
|
|
|
|
-/var/log/rsync\.log.* -- gen_context(system_u:object_r:rsync_log_t,s0)
|
|
+/var/log/rsync.* gen_context(system_u:object_r:rsync_log_t,s0)
|
|
|
|
/var/run/rsyncd\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
|
|
+/var/run/swift_server\.lock -- gen_context(system_u:object_r:rsync_var_run_t,s0)
|
|
diff --git a/rsync.if b/rsync.if
|
|
index f1140ef..642e062 100644
|
|
--- a/rsync.if
|
|
+++ b/rsync.if
|
|
@@ -1,16 +1,32 @@
|
|
-## <summary>Fast incremental file transfer for synchronization.</summary>
|
|
+## <summary>Fast incremental file transfer for synchronization</summary>
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Sendmail stub interface. No access allowed.
|
|
+## </summary>
|
|
+## <param name="domain" unused="true">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rsync_stub',`
|
|
+ gen_require(`
|
|
+ type rsync_t;
|
|
+ ')
|
|
+')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Make rsync executable file an
|
|
-## entry point for the specified domain.
|
|
+## Make rsync an entry point for
|
|
+## the specified domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## The domain for which rsync_exec_t is an entrypoint.
|
|
+## The domain for which init scripts are an entrypoint.
|
|
## </summary>
|
|
## </param>
|
|
-#
|
|
+# cjp: added for portage
|
|
interface(`rsync_entry_type',`
|
|
gen_require(`
|
|
type rsync_exec_t;
|
|
@@ -43,14 +59,13 @@ interface(`rsync_entry_type',`
|
|
## Domain to transition to.
|
|
## </summary>
|
|
## </param>
|
|
-#
|
|
+# cjp: added for portage
|
|
interface(`rsync_entry_spec_domtrans',`
|
|
gen_require(`
|
|
type rsync_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
- auto_trans($1, rsync_exec_t, $2)
|
|
+ domain_trans($1, rsync_exec_t, $2)
|
|
')
|
|
|
|
########################################
|
|
@@ -77,82 +92,56 @@ interface(`rsync_entry_spec_domtrans',`
|
|
## Domain to transition to.
|
|
## </summary>
|
|
## </param>
|
|
-#
|
|
+# cjp: added for portage
|
|
interface(`rsync_entry_domtrans',`
|
|
gen_require(`
|
|
type rsync_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domain_auto_trans($1, rsync_exec_t, $2)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute the rsync program in the rsync domain.
|
|
+## Execute rsync in the caller domain domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
-interface(`rsync_domtrans',`
|
|
+interface(`rsync_exec',`
|
|
gen_require(`
|
|
- type rsync_t, rsync_exec_t;
|
|
+ type rsync_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
- domtrans_pattern($1, rsync_exec_t, rsync_t)
|
|
+ can_exec($1, rsync_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute rsync in the rsync domain, and
|
|
-## allow the specified role the rsync domain.
|
|
+## Read rsync config files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`rsync_run',`
|
|
- gen_require(`
|
|
- attribute_role rsync_roles;
|
|
- ')
|
|
-
|
|
- rsync_domtrans($1)
|
|
- roleattribute $2 rsync_roles;
|
|
-')
|
|
-
|
|
-########################################
|
|
## <summary>
|
|
-## Execute rsync in the caller domain.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
## Domain allowed access.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`rsync_exec',`
|
|
+interface(`rsync_read_config',`
|
|
gen_require(`
|
|
- type rsync_exec_t;
|
|
+ type rsync_etc_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
- can_exec($1, rsync_exec_t)
|
|
+ read_files_pattern($1, rsync_etc_t, rsync_etc_t)
|
|
+ files_search_etc($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read rsync config files.
|
|
+## Read rsync data files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -160,23 +149,23 @@ interface(`rsync_exec',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`rsync_read_config',`
|
|
+interface(`rsync_read_data',`
|
|
gen_require(`
|
|
- type rsync_etc_t;
|
|
+ type rsync_data_t;
|
|
')
|
|
|
|
- files_search_etc($1)
|
|
- allow $1 rsync_etc_t:file read_file_perms;
|
|
+ read_files_pattern($1, rsync_data_t, rsync_data_t)
|
|
')
|
|
|
|
+
|
|
########################################
|
|
## <summary>
|
|
-## Write rsync config files.
|
|
+## Write to rsync config files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed access.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`rsync_write_config',`
|
|
@@ -184,14 +173,13 @@ interface(`rsync_write_config',`
|
|
type rsync_etc_t;
|
|
')
|
|
|
|
+ write_files_pattern($1, rsync_etc_t, rsync_etc_t)
|
|
files_search_etc($1)
|
|
- allow $1 rsync_etc_t:file write_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## rsync config files.
|
|
+## Manage rsync config files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -199,18 +187,18 @@ interface(`rsync_write_config',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`rsync_manage_config_files',`
|
|
+interface(`rsync_manage_config',`
|
|
gen_require(`
|
|
type rsync_etc_t;
|
|
')
|
|
|
|
- files_search_etc($1)
|
|
manage_files_pattern($1, rsync_etc_t, rsync_etc_t)
|
|
+ files_search_etc($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create specified objects in etc directories
|
|
+## Create objects in etc directories
|
|
## with rsync etc type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -239,43 +227,21 @@ interface(`rsync_etc_filetrans_config',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an rsync environment.
|
|
+## Transition to rsync named content
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`rsync_admin',`
|
|
+interface(`rsync_filetrans_named_content',`
|
|
gen_require(`
|
|
- type rsync_t, rsync_etc_t, rsync_data_t;
|
|
- type rsync_log_t, rsync_tmp_t. rsync_var_run_t;
|
|
+ type rsync_etc_t;
|
|
+ type rsync_var_run_t;
|
|
')
|
|
|
|
- allow $1 rsync_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, rsync_t)
|
|
-
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, rsync_etc_t)
|
|
-
|
|
- admin_pattern($1, rsync_data_t)
|
|
-
|
|
- logging_search_logs($1)
|
|
- admin_pattern($1, rsync_log_t)
|
|
-
|
|
- files_search_tmp($1)
|
|
- admin_pattern($1, rsync_tmp_t)
|
|
-
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, rsync_var_run_t)
|
|
-
|
|
- rsync_run($1, $2)
|
|
+ files_etc_filetrans($1, rsync_etc_t, file, "rsyncd.cond")
|
|
+ files_pid_filetrans($1, rsync_var_run_t, file, "swift_server.lock")
|
|
+ files_pid_filetrans($1, rsync_var_run_t, file, "rsyncd.lock")
|
|
')
|
|
diff --git a/rsync.te b/rsync.te
|
|
index abeb302..382a1bf 100644
|
|
--- a/rsync.te
|
|
+++ b/rsync.te
|
|
@@ -6,67 +6,45 @@ policy_module(rsync, 1.13.0)
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether rsync can use
|
|
-## cifs file systems.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow rsync to run as a client
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(rsync_use_cifs, false)
|
|
+gen_tunable(rsync_client, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether rsync can
|
|
-## use fuse file systems.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow rsync to export any files/directories read only.
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(rsync_use_fusefs, false)
|
|
+gen_tunable(rsync_export_all_ro, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether rsync can use
|
|
-## nfs file systems.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow rsync to modify public files
|
|
+## used for public file transfer services. Files/Directories must be
|
|
+## labeled public_content_rw_t.
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(rsync_use_nfs, false)
|
|
+gen_tunable(rsync_anon_write, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
-## Determine whether rsync can
|
|
-## run as a client
|
|
+## Allow rsync server to manage all files/directories on the system.
|
|
## </p>
|
|
## </desc>
|
|
-gen_tunable(rsync_client, false)
|
|
+gen_tunable(rsync_full_access, false)
|
|
|
|
-## <desc>
|
|
-## <p>
|
|
-## Determine whether rsync can
|
|
-## export all content read only.
|
|
-## </p>
|
|
-## </desc>
|
|
-gen_tunable(rsync_export_all_ro, false)
|
|
-
|
|
-## <desc>
|
|
-## <p>
|
|
-## Determine whether rsync can modify
|
|
-## public files used for public file
|
|
-## transfer services. Directories/Files must
|
|
-## be labeled public_content_rw_t.
|
|
-## </p>
|
|
-## </desc>
|
|
-gen_tunable(allow_rsync_anon_write, false)
|
|
-
|
|
-attribute_role rsync_roles;
|
|
|
|
type rsync_t;
|
|
type rsync_exec_t;
|
|
-init_daemon_domain(rsync_t, rsync_exec_t)
|
|
-application_domain(rsync_t, rsync_exec_t)
|
|
-role rsync_roles types rsync_t;
|
|
+application_executable_file(rsync_exec_t)
|
|
+role system_r types rsync_t;
|
|
|
|
type rsync_etc_t;
|
|
files_config_file(rsync_etc_t)
|
|
|
|
-type rsync_data_t; # customizable
|
|
+type rsync_data_t;
|
|
files_type(rsync_data_t)
|
|
|
|
type rsync_log_t;
|
|
@@ -86,15 +64,25 @@ files_pid_file(rsync_var_run_t)
|
|
allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
|
|
allow rsync_t self:process signal_perms;
|
|
allow rsync_t self:fifo_file rw_fifo_file_perms;
|
|
-allow rsync_t self:tcp_socket { accept listen };
|
|
+allow rsync_t self:tcp_socket create_stream_socket_perms;
|
|
+allow rsync_t self:udp_socket connected_socket_perms;
|
|
+
|
|
+# for identd
|
|
+# cjp: this should probably only be inetd_child_t rules?
|
|
+# search home and kerberos also.
|
|
+allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
|
+#end for identd
|
|
|
|
-allow rsync_t rsync_etc_t:file read_file_perms;
|
|
+read_files_pattern(rsync_t, rsync_etc_t, rsync_etc_t)
|
|
|
|
allow rsync_t rsync_data_t:dir list_dir_perms;
|
|
-allow rsync_t rsync_data_t:file read_file_perms;
|
|
-allow rsync_t rsync_data_t:lnk_file read_lnk_file_perms;
|
|
+read_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
|
|
+read_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
|
|
+allow rsync_t rsync_data_t:dir_file_class_set getattr;
|
|
+allow rsync_t rsync_data_t:socket_class_set getattr;
|
|
+allow rsync_t rsync_data_t:sock_file setattr;
|
|
|
|
-allow rsync_t rsync_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
|
+manage_files_pattern(rsync_t, rsync_log_t, rsync_log_t)
|
|
logging_log_filetrans(rsync_t, rsync_log_t, file)
|
|
|
|
manage_dirs_pattern(rsync_t, rsync_tmp_t, rsync_tmp_t)
|
|
@@ -108,91 +96,80 @@ kernel_read_kernel_sysctls(rsync_t)
|
|
kernel_read_system_state(rsync_t)
|
|
kernel_read_network_state(rsync_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(rsync_t)
|
|
corenet_all_recvfrom_netlabel(rsync_t)
|
|
corenet_tcp_sendrecv_generic_if(rsync_t)
|
|
+corenet_udp_sendrecv_generic_if(rsync_t)
|
|
corenet_tcp_sendrecv_generic_node(rsync_t)
|
|
+corenet_udp_sendrecv_generic_node(rsync_t)
|
|
+corenet_tcp_sendrecv_all_ports(rsync_t)
|
|
+corenet_udp_sendrecv_all_ports(rsync_t)
|
|
corenet_tcp_bind_generic_node(rsync_t)
|
|
-
|
|
-corenet_sendrecv_rsync_server_packets(rsync_t)
|
|
corenet_tcp_bind_rsync_port(rsync_t)
|
|
-corenet_tcp_sendrecv_rsync_port(rsync_t)
|
|
+corenet_sendrecv_rsync_server_packets(rsync_t)
|
|
|
|
dev_read_urand(rsync_t)
|
|
|
|
-fs_getattr_all_fs(rsync_t)
|
|
+fs_getattr_xattr_fs(rsync_t)
|
|
fs_search_auto_mountpoints(rsync_t)
|
|
|
|
files_search_home(rsync_t)
|
|
|
|
-auth_can_read_shadow_passwords(rsync_t)
|
|
auth_use_nsswitch(rsync_t)
|
|
|
|
logging_send_syslog_msg(rsync_t)
|
|
|
|
-miscfiles_read_localization(rsync_t)
|
|
miscfiles_read_public_files(rsync_t)
|
|
|
|
-tunable_policy(`allow_rsync_anon_write',`
|
|
- miscfiles_manage_public_files(rsync_t)
|
|
+userdom_home_manager(rsync_t)
|
|
+
|
|
+optional_policy(`
|
|
+ daemontools_service_domain(rsync_t, rsync_exec_t)
|
|
')
|
|
|
|
-tunable_policy(`rsync_client',`
|
|
- corenet_sendrecv_rsync_client_packets(rsync_t)
|
|
- corenet_tcp_connect_rsync_port(rsync_t)
|
|
+optional_policy(`
|
|
+ kerberos_use(rsync_t)
|
|
+')
|
|
|
|
- corenet_sendrecv_ssh_client_packets(rsync_t)
|
|
- corenet_tcp_connect_ssh_port(rsync_t)
|
|
- corenet_tcp_sendrecv_ssh_port(rsync_t)
|
|
+optional_policy(`
|
|
+ inetd_service_domain(rsync_t, rsync_exec_t)
|
|
+')
|
|
|
|
- manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
|
|
- manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
|
|
- manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
|
|
+tunable_policy(`rsync_anon_write',`
|
|
+ miscfiles_manage_public_files(rsync_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`rsync_full_access',`
|
|
+ allow rsync_t self:capability { dac_override dac_read_search };
|
|
+ files_manage_non_security_dirs(rsync_t)
|
|
+ files_manage_non_security_files(rsync_t)
|
|
+ #files_relabel_non_security_files(rsync_t)
|
|
')
|
|
|
|
tunable_policy(`rsync_export_all_ro',`
|
|
- fs_read_noxattr_fs_files(rsync_t)
|
|
+ files_getattr_all_pipes(rsync_t)
|
|
+ fs_read_noxattr_fs_files(rsync_t)
|
|
fs_read_nfs_files(rsync_t)
|
|
- fs_read_fusefs_files(rsync_t)
|
|
fs_read_cifs_files(rsync_t)
|
|
- files_list_non_auth_dirs(rsync_t)
|
|
- files_read_non_auth_files(rsync_t)
|
|
- files_read_non_auth_symlinks(rsync_t)
|
|
+ files_read_non_security_files(rsync_t)
|
|
auth_tunable_read_shadow(rsync_t)
|
|
')
|
|
|
|
-tunable_policy(`rsync_use_cifs',`
|
|
- fs_list_cifs(rsync_t)
|
|
- fs_read_cifs_files(rsync_t)
|
|
- fs_read_cifs_symlinks(rsync_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`rsync_use_fusefs',`
|
|
- fs_search_fusefs(rsync_t)
|
|
- fs_read_fusefs_files(rsync_t)
|
|
- fs_read_fusefs_symlinks(rsync_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`rsync_use_nfs',`
|
|
- fs_list_nfs(rsync_t)
|
|
- fs_read_nfs_files(rsync_t)
|
|
- fs_read_nfs_symlinks(rsync_t)
|
|
+tunable_policy(`rsync_client',`
|
|
+ corenet_tcp_connect_rsync_port(rsync_t)
|
|
+ corenet_tcp_connect_ssh_port(rsync_t)
|
|
+ manage_dirs_pattern(rsync_t, rsync_data_t, rsync_data_t)
|
|
+ manage_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
|
|
+ manage_lnk_files_pattern(rsync_t, rsync_data_t, rsync_data_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tunable_policy(`rsync_client',`
|
|
- ssh_exec(rsync_t)
|
|
+ ssh_exec(rsync_t)
|
|
')
|
|
')
|
|
|
|
-optional_policy(`
|
|
- daemontools_service_domain(rsync_t, rsync_exec_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- kerberos_use(rsync_t)
|
|
-')
|
|
+auth_can_read_shadow_passwords(rsync_t)
|
|
|
|
optional_policy(`
|
|
- inetd_service_domain(rsync_t, rsync_exec_t)
|
|
+ swift_manage_data_files(rsync_t)
|
|
')
|
|
diff --git a/rtas.fc b/rtas.fc
|
|
new file mode 100644
|
|
index 0000000..25d96cb
|
|
--- /dev/null
|
|
+++ b/rtas.fc
|
|
@@ -0,0 +1,13 @@
|
|
+/usr/lib/systemd/system/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_unit_file_t,s0)
|
|
+
|
|
+/usr/sbin/rtas_errd -- gen_context(system_u:object_r:rtas_errd_exec_t,s0)
|
|
+
|
|
+/var/lock/subsys/rtas_errd -- gen_context(system_u:object_r:rtas_errd_var_lock_t)
|
|
+/var/lock/.*librtas -- gen_context(system_u:object_r:rtas_errd_var_lock_t)
|
|
+
|
|
+/var/log/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_log_t)
|
|
+/var/log/platform -- gen_context(system_u:object_r:rtas_errd_log_t)
|
|
+/var/log/epow_status -- gen_context(system_u:object_r:rtas_errd_log_t)
|
|
+
|
|
+/var/run/rtas_errd.* -- gen_context(system_u:object_r:rtas_errd_var_run_t,s0)
|
|
+
|
|
diff --git a/rtas.if b/rtas.if
|
|
new file mode 100644
|
|
index 0000000..9381936
|
|
--- /dev/null
|
|
+++ b/rtas.if
|
|
@@ -0,0 +1,166 @@
|
|
+
|
|
+## <summary>rtas_errd - Platform diagnostics report firmware events</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute TEMPLATE in the rtas_errd domin.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rtas_errd_domtrans',`
|
|
+ gen_require(`
|
|
+ type rtas_errd_t, rtas_errd_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, rtas_errd_exec_t, rtas_errd_t)
|
|
+')
|
|
+########################################
|
|
+## <summary>
|
|
+## Read rtas_errd's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`rtas_errd_read_log',`
|
|
+ gen_require(`
|
|
+ type rtas_errd_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Append to rtas_errd log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rtas_errd_append_log',`
|
|
+ gen_require(`
|
|
+ type rtas_errd_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage rtas_errd log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rtas_errd_manage_log',`
|
|
+ gen_require(`
|
|
+ type rtas_errd_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ manage_dirs_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
|
|
+ manage_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
|
|
+ manage_lnk_files_pattern($1, rtas_errd_log_t, rtas_errd_log_t)
|
|
+')
|
|
+########################################
|
|
+## <summary>
|
|
+## Read rtas_errd PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rtas_errd_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type rtas_errd_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ read_files_pattern($1, rtas_errd_var_run_t, rtas_errd_var_run_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute rtas_errd server in the rtas_errd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`rtas_errd_systemctl',`
|
|
+ gen_require(`
|
|
+ type rtas_errd_t;
|
|
+ type rtas_errd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ allow $1 rtas_errd_unit_file_t:file read_file_perms;
|
|
+ allow $1 rtas_errd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, rtas_errd_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an rtas_errd environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`rtas_errd_admin',`
|
|
+ gen_require(`
|
|
+ type rtas_errd_t;
|
|
+ type rtas_errd_log_t;
|
|
+ type rtas_errd_var_run_t;
|
|
+ type rtas_errd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 rtas_errd_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, rtas_errd_t)
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ admin_pattern($1, rtas_errd_log_t)
|
|
+
|
|
+ files_search_pids($1)
|
|
+ admin_pattern($1, rtas_errd_var_run_t)
|
|
+
|
|
+ rtas_errd_systemctl($1)
|
|
+ admin_pattern($1, rtas_errd_unit_file_t)
|
|
+ allow $1 rtas_errd_unit_file_t:service all_service_perms;
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+')
|
|
diff --git a/rtas.te b/rtas.te
|
|
new file mode 100644
|
|
index 0000000..4e6663f
|
|
--- /dev/null
|
|
+++ b/rtas.te
|
|
@@ -0,0 +1,60 @@
|
|
+policy_module(rtas, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type rtas_errd_t;
|
|
+type rtas_errd_exec_t;
|
|
+init_daemon_domain(rtas_errd_t, rtas_errd_exec_t)
|
|
+
|
|
+type rtas_errd_log_t;
|
|
+logging_log_file(rtas_errd_log_t)
|
|
+
|
|
+type rtas_errd_var_run_t;
|
|
+files_pid_file(rtas_errd_var_run_t)
|
|
+
|
|
+type rtas_errd_var_lock_t;
|
|
+files_lock_file(rtas_errd_var_lock_t)
|
|
+
|
|
+type rtas_errd_unit_file_t;
|
|
+systemd_unit_file(rtas_errd_unit_file_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# rtas_errd local policy
|
|
+#
|
|
+
|
|
+allow rtas_errd_t self:capability sys_admin;
|
|
+allow rtas_errd_t self:process fork;
|
|
+allow rtas_errd_t self:fifo_file rw_fifo_file_perms;
|
|
+allow rtas_errd_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t)
|
|
+manage_files_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t)
|
|
+manage_lnk_files_pattern(rtas_errd_t, rtas_errd_log_t, rtas_errd_log_t)
|
|
+logging_log_filetrans(rtas_errd_t, rtas_errd_log_t, { dir file lnk_file })
|
|
+
|
|
+manage_files_pattern(rtas_errd_t,rtas_errd_var_lock_t,rtas_errd_var_lock_t)
|
|
+manage_lnk_files_pattern(rtas_errd_t,rtas_errd_var_lock_t,rtas_errd_var_lock_t)
|
|
+files_lock_filetrans(rtas_errd_t,rtas_errd_var_lock_t, { dir file } )
|
|
+
|
|
+manage_dirs_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
|
|
+manage_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
|
|
+manage_lnk_files_pattern(rtas_errd_t, rtas_errd_var_run_t, rtas_errd_var_run_t)
|
|
+files_pid_filetrans(rtas_errd_t, rtas_errd_var_run_t, { dir file lnk_file })
|
|
+
|
|
+kernel_read_system_state(rtas_errd_t)
|
|
+
|
|
+auth_use_nsswitch(rtas_errd_t)
|
|
+
|
|
+corecmd_exec_bin(rtas_errd_t)
|
|
+
|
|
+dev_read_raw_memory(rtas_errd_t)
|
|
+dev_write_raw_memory(rtas_errd_t)
|
|
+
|
|
+files_manage_system_db_files(rtas_errd_t)
|
|
+
|
|
+logging_read_generic_logs(rtas_errd_t)
|
|
+
|
|
diff --git a/rtkit.if b/rtkit.if
|
|
index e904ec4..e0dd20e 100644
|
|
--- a/rtkit.if
|
|
+++ b/rtkit.if
|
|
@@ -15,7 +15,6 @@ interface(`rtkit_daemon_domtrans',`
|
|
type rtkit_daemon_t, rtkit_daemon_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, rtkit_daemon_exec_t, rtkit_daemon_t)
|
|
')
|
|
|
|
@@ -42,56 +41,47 @@ interface(`rtkit_daemon_dbus_chat',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Allow rtkit to control scheduling for your process.
|
|
+## Do not audit send and receive messages from
|
|
+## rtkit_daemon over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`rtkit_scheduled',`
|
|
+interface(`rtkit_daemon_dontaudit_dbus_chat',`
|
|
gen_require(`
|
|
type rtkit_daemon_t;
|
|
+ class dbus send_msg;
|
|
')
|
|
|
|
- allow rtkit_daemon_t $1:process { getsched setsched };
|
|
-
|
|
- kernel_search_proc($1)
|
|
- ps_process_pattern(rtkit_daemon_t, $1)
|
|
-
|
|
- optional_policy(`
|
|
- rtkit_daemon_dbus_chat($1)
|
|
- ')
|
|
+ dontaudit $1 rtkit_daemon_t:dbus send_msg;
|
|
+ dontaudit rtkit_daemon_t $1:dbus send_msg;
|
|
+ dontaudit rtkit_daemon_t $1:process { getsched setsched };
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an rtkit environment.
|
|
+## Allow rtkit to control scheduling for your process
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`rtkit_admin',`
|
|
+interface(`rtkit_scheduled',`
|
|
gen_require(`
|
|
- type rtkit_daemon_t, rtkit_daemon_initrc_exec_t;
|
|
+ type rtkit_daemon_t;
|
|
')
|
|
|
|
- allow $1 rtkit_daemon_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, rtkit_daemon_t)
|
|
+ allow rtkit_daemon_t $1:process { getsched setsched };
|
|
+
|
|
+ kernel_search_proc($1)
|
|
+ ps_process_pattern(rtkit_daemon_t, $1)
|
|
|
|
- init_labeled_script_domtrans($1, rtkit_daemon_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 rtkit_daemon_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
+ optional_policy(`
|
|
+ rtkit_daemon_dbus_chat($1)
|
|
+ ')
|
|
')
|
|
diff --git a/rtkit.te b/rtkit.te
|
|
index 7eea21f..7140646 100644
|
|
--- a/rtkit.te
|
|
+++ b/rtkit.te
|
|
@@ -31,8 +31,6 @@ auth_use_nsswitch(rtkit_daemon_t)
|
|
|
|
logging_send_syslog_msg(rtkit_daemon_t)
|
|
|
|
-miscfiles_read_localization(rtkit_daemon_t)
|
|
-
|
|
optional_policy(`
|
|
dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
|
|
|
|
diff --git a/rwho.if b/rwho.if
|
|
index 0360ff0..e6cb34f 100644
|
|
--- a/rwho.if
|
|
+++ b/rwho.if
|
|
@@ -139,8 +139,11 @@ interface(`rwho_admin',`
|
|
type rwho_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 rwho_t:process { ptrace signal_perms };
|
|
+ allow $1 rwho_t:process signal_perms;
|
|
ps_process_pattern($1, rwho_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 rwho_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, rwho_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff --git a/rwho.te b/rwho.te
|
|
index 7fb75f4..27f5e22 100644
|
|
--- a/rwho.te
|
|
+++ b/rwho.te
|
|
@@ -16,7 +16,7 @@ type rwho_log_t;
|
|
files_type(rwho_log_t)
|
|
|
|
type rwho_spool_t;
|
|
-files_type(rwho_spool_t)
|
|
+files_spool_file(rwho_spool_t)
|
|
|
|
########################################
|
|
#
|
|
@@ -38,7 +38,6 @@ files_spool_filetrans(rwho_t, rwho_spool_t, { file dir })
|
|
|
|
kernel_read_system_state(rwho_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(rwho_t)
|
|
corenet_all_recvfrom_netlabel(rwho_t)
|
|
corenet_udp_sendrecv_generic_if(rwho_t)
|
|
corenet_udp_sendrecv_generic_node(rwho_t)
|
|
@@ -50,15 +49,13 @@ corenet_udp_sendrecv_rwho_port(rwho_t)
|
|
|
|
domain_use_interactive_fds(rwho_t)
|
|
|
|
-files_read_etc_files(rwho_t)
|
|
|
|
init_read_utmp(rwho_t)
|
|
init_dontaudit_write_utmp(rwho_t)
|
|
|
|
logging_send_syslog_msg(rwho_t)
|
|
|
|
-miscfiles_read_localization(rwho_t)
|
|
-
|
|
sysnet_dns_name_resolve(rwho_t)
|
|
|
|
-# userdom_getattr_user_terminals(rwho_t)
|
|
+userdom_getattr_user_terminals(rwho_t)
|
|
+
|
|
diff --git a/samba.fc b/samba.fc
|
|
index b8b66ff..2ccac49 100644
|
|
--- a/samba.fc
|
|
+++ b/samba.fc
|
|
@@ -1,42 +1,54 @@
|
|
-/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
|
|
-/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
|
|
+
|
|
+#
|
|
+# /etc
|
|
+#
|
|
+/etc/rc\.d/init\.d/nmb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/smb -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
|
|
/etc/rc\.d/init\.d/winbind -- gen_context(system_u:object_r:samba_initrc_exec_t,s0)
|
|
+/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0)
|
|
+/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
|
|
+/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
|
|
+/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
|
|
+/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
|
|
|
|
-/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0)
|
|
-/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
|
|
-/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
|
|
-/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
|
|
-/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
|
|
+#
|
|
+# /usr
|
|
+#
|
|
+/usr/lib/systemd/system/smb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
|
|
|
|
-/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
|
|
-/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
|
|
-/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
|
|
-/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
|
|
-/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
|
|
+/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
|
|
+/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
|
|
+/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
|
|
+/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
|
|
+/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
|
|
|
|
-/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
|
|
-/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
|
|
-/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
|
|
-/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0)
|
|
+/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
|
|
+/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
|
|
+/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
|
|
+/usr/sbin/winbindd -- gen_context(system_u:object_r:winbind_exec_t,s0)
|
|
|
|
-/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
|
|
-/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
|
|
+#
|
|
+# /var
|
|
+#
|
|
+/var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
|
|
+/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
|
|
|
|
-/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
|
|
-/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
|
|
+/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
|
|
|
|
-/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
|
|
+/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
|
|
+/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
|
|
|
|
-/var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
|
|
+/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
|
|
|
|
-/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
|
|
-/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
|
|
+/var/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
|
|
+/var/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
|
|
|
|
-/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0)
|
|
+/var/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0)
|
|
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
|
|
/var/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
|
|
/var/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
|
|
-/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
|
|
+/var/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
|
|
/var/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
|
|
/var/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
|
|
/var/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
|
|
@@ -45,7 +57,11 @@
|
|
/var/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
|
|
/var/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
|
|
|
|
-/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
|
|
-/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
|
|
+/var/run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
|
|
+/var/run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
|
|
+
|
|
+/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
|
|
|
|
-/var/spool/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
|
|
+ifndef(`enable_mls',`
|
|
+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
|
|
+')
|
|
diff --git a/samba.if b/samba.if
|
|
index 50d07fb..bada62f 100644
|
|
--- a/samba.if
|
|
+++ b/samba.if
|
|
@@ -1,8 +1,12 @@
|
|
-## <summary>SMB and CIFS client/server programs.</summary>
|
|
+## <summary>
|
|
+## SMB and CIFS client/server programs for UNIX and
|
|
+## name Service Switch daemon for resolving names
|
|
+## from Windows NT servers.
|
|
+## </summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute nmbd in the nmbd domain.
|
|
+## Execute nmbd net in the nmbd_t domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -21,7 +25,7 @@ interface(`samba_domtrans_nmbd',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Send generic signals to nmbd.
|
|
+## Allow domain to signal samba
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -38,8 +42,26 @@ interface(`samba_signal_nmbd',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to nmbd with a unix domain
|
|
-## stream socket.
|
|
+## Search the samba pid directory.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`samba_search_pid',`
|
|
+ gen_require(`
|
|
+ type smbd_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ allow $1 smbd_var_run_t:dir search_dir_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Connect to nmbd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -49,17 +71,16 @@ interface(`samba_signal_nmbd',`
|
|
#
|
|
interface(`samba_stream_connect_nmbd',`
|
|
gen_require(`
|
|
- type samba_var_t, nmbd_t, nmbd_var_run_t, smbd_var_run_t;
|
|
+ type nmbd_t, nmbd_var_run_t;
|
|
')
|
|
|
|
- files_search_pids($1)
|
|
- stream_connect_pattern($1, { smbd_var_run_t samba_var_t nmbd_var_run_t }, nmbd_var_run_t, nmbd_t)
|
|
+ samba_search_pid($1)
|
|
+ stream_connect_pattern($1, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute samba init scripts in
|
|
-## the init script domain.
|
|
+## Execute samba server in the samba domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -77,7 +98,30 @@ interface(`samba_initrc_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute samba net in the samba net domain.
|
|
+## Execute samba server in the samba domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`samba_systemctl',`
|
|
+ gen_require(`
|
|
+ type samba_unit_file_t;
|
|
+ type smbd_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 samba_unit_file_t:file read_file_perms;
|
|
+ allow $1 samba_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, smbd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute samba net in the samba_net domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -96,9 +140,27 @@ interface(`samba_domtrans_net',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute samba net in the samba net
|
|
-## domain, and allow the specified
|
|
-## role the samba net domain.
|
|
+## Execute samba net in the samba_unconfined_net domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`samba_domtrans_unconfined_net',`
|
|
+ gen_require(`
|
|
+ type samba_unconfined_net_t, samba_net_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute samba net in the samba_net domain, and
|
|
+## allow the specified role the samba_net domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -114,11 +176,56 @@ interface(`samba_domtrans_net',`
|
|
#
|
|
interface(`samba_run_net',`
|
|
gen_require(`
|
|
- attribute_role samba_net_roles;
|
|
+ type samba_net_t;
|
|
')
|
|
|
|
samba_domtrans_net($1)
|
|
- roleattribute $2 samba_net_roles;
|
|
+ role $2 types samba_net_t;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## The role for the samba module.
|
|
+## </summary>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed the samba_net domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`samba_role_notrans',`
|
|
+ gen_require(`
|
|
+ type smbd_t;
|
|
+ ')
|
|
+
|
|
+ role $1 types smbd_t;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute samba net in the samba_unconfined_net domain, and
|
|
+## allow the specified role the samba_unconfined_net domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed the samba_unconfined_net domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`samba_run_unconfined_net',`
|
|
+ gen_require(`
|
|
+ type samba_unconfined_net_t;
|
|
+ ')
|
|
+
|
|
+ samba_domtrans_unconfined_net($1)
|
|
+ role $2 types samba_unconfined_net_t;
|
|
')
|
|
|
|
########################################
|
|
@@ -142,9 +249,8 @@ interface(`samba_domtrans_smbmount',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute smbmount in the smbmount
|
|
-## domain, and allow the specified
|
|
-## role the smbmount domain.
|
|
+## Execute smbmount interactively and do
|
|
+## a domain transition to the smbmount domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -160,16 +266,17 @@ interface(`samba_domtrans_smbmount',`
|
|
#
|
|
interface(`samba_run_smbmount',`
|
|
gen_require(`
|
|
- attribute_role smbmount_roles;
|
|
+ type smbmount_t;
|
|
')
|
|
|
|
samba_domtrans_smbmount($1)
|
|
- roleattribute $2 smbmount_roles;
|
|
+ role $2 types smbmount_t;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read samba configuration files.
|
|
+## Allow the specified domain to read
|
|
+## samba configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -184,12 +291,14 @@ interface(`samba_read_config',`
|
|
')
|
|
|
|
files_search_etc($1)
|
|
+ list_dirs_pattern($1, samba_etc_t, samba_etc_t)
|
|
read_files_pattern($1, samba_etc_t, samba_etc_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write samba configuration files.
|
|
+## Allow the specified domain to read
|
|
+## and write samba configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -209,8 +318,8 @@ interface(`samba_rw_config',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## samba configuration files.
|
|
+## Allow the specified domain to read
|
|
+## and write samba configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -231,7 +340,7 @@ interface(`samba_manage_config',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read samba log files.
|
|
+## Allow the specified domain to read samba's log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -252,7 +361,7 @@ interface(`samba_read_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Append to samba log files.
|
|
+## Allow the specified domain to append to samba's log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -273,7 +382,7 @@ interface(`samba_append_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute samba log files in the caller domain.
|
|
+## Execute samba log in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -292,7 +401,7 @@ interface(`samba_exec_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read samba secret files.
|
|
+## Allow the specified domain to read samba's secrets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -311,7 +420,7 @@ interface(`samba_read_secrets',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read samba share files.
|
|
+## Allow the specified domain to read samba's shares
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -330,7 +439,8 @@ interface(`samba_read_share_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Search samba var directories.
|
|
+## Allow the specified domain to search
|
|
+## samba /var directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -343,13 +453,15 @@ interface(`samba_search_var',`
|
|
type samba_var_t;
|
|
')
|
|
|
|
+ files_search_var($1)
|
|
files_search_var_lib($1)
|
|
allow $1 samba_var_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read samba var files.
|
|
+## Allow the specified domain to
|
|
+## read samba /var files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -362,14 +474,15 @@ interface(`samba_read_var_files',`
|
|
type samba_var_t;
|
|
')
|
|
|
|
+ files_search_var($1)
|
|
files_search_var_lib($1)
|
|
read_files_pattern($1, samba_var_t, samba_var_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to write
|
|
-## samba var files.
|
|
+## Do not audit attempts to write samba
|
|
+## /var files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -387,7 +500,8 @@ interface(`samba_dontaudit_write_var_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write samba var files.
|
|
+## Allow the specified domain to
|
|
+## read and write samba /var files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -400,14 +514,15 @@ interface(`samba_rw_var_files',`
|
|
type samba_var_t;
|
|
')
|
|
|
|
+ files_search_var($1)
|
|
files_search_var_lib($1)
|
|
rw_files_pattern($1, samba_var_t, samba_var_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## samba var files.
|
|
+## Allow the specified domain to
|
|
+## read and write samba /var files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -421,33 +536,34 @@ interface(`samba_manage_var_files',`
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
+ files_search_var_lib($1)
|
|
manage_files_pattern($1, samba_var_t, samba_var_t)
|
|
+ manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute smbcontrol in the smbcontrol domain.
|
|
+## Execute a domain transition to run smbcontrol.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed to transition.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`samba_domtrans_smbcontrol',`
|
|
gen_require(`
|
|
- type smbcontrol_t, smbcontrol_exec_t;
|
|
+ type smbcontrol_t;
|
|
+ type smbcontrol_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute smbcontrol in the smbcontrol
|
|
-## domain, and allow the specified
|
|
-## role the smbcontrol domain.
|
|
+## Execute smbcontrol in the smbcontrol domain, and
|
|
+## allow the specified role the smbcontrol domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -462,16 +578,16 @@ interface(`samba_domtrans_smbcontrol',`
|
|
#
|
|
interface(`samba_run_smbcontrol',`
|
|
gen_require(`
|
|
- attribute_role smbcontrol_roles;
|
|
+ type smbcontrol_t;
|
|
')
|
|
|
|
samba_domtrans_smbcontrol($1)
|
|
- roleattribute $2 smbcontrol_roles;
|
|
+ role $2 types smbcontrol_t;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute smbd in the smbd domain.
|
|
+## Execute smbd in the smbd_t domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -490,7 +606,7 @@ interface(`samba_domtrans_smbd',`
|
|
|
|
######################################
|
|
## <summary>
|
|
-## Send generic signals to smbd.
|
|
+## Allow domain to signal samba
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -507,8 +623,7 @@ interface(`samba_signal_smbd',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to inherit
|
|
-## and use smbd file descriptors.
|
|
+## Do not audit attempts to use file descriptors from samba.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -526,7 +641,7 @@ interface(`samba_dontaudit_use_fds',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Write smbmount tcp sockets.
|
|
+## Allow the specified domain to write to smbmount tcp sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -544,7 +659,7 @@ interface(`samba_write_smbmount_tcp_sockets',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write smbmount tcp sockets.
|
|
+## Allow the specified domain to read and write to smbmount tcp sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -560,49 +675,47 @@ interface(`samba_rw_smbmount_tcp_sockets',`
|
|
allow $1 smbmount_t:tcp_socket { read write };
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Execute winbind helper in the
|
|
-## winbind helper domain.
|
|
+## Allow to getattr on winbind binary.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`samba_domtrans_winbind_helper',`
|
|
- gen_require(`
|
|
- type winbind_helper_t, winbind_helper_exec_t;
|
|
- ')
|
|
+interface(`samba_getattr_winbind',`
|
|
+ gen_require(`
|
|
+ type winbind_exec_t;
|
|
+ ')
|
|
|
|
- corecmd_search_bin($1)
|
|
- domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
|
|
+ allow $1 winbind_exec_t:file getattr;
|
|
')
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## Get attributes of winbind executable files.
|
|
+## Execute winbind_helper in the winbind_helper domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`samba_getattr_winbind_exec',`
|
|
+interface(`samba_domtrans_winbind_helper',`
|
|
gen_require(`
|
|
- type winbind_exec_t;
|
|
+ type winbind_helper_t, winbind_helper_exec_t;
|
|
')
|
|
|
|
- allow $1 winbind_exec_t:file getattr_file_perms;
|
|
+ domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
|
|
+ allow $1 winbind_helper_t:process signal;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute winbind helper in the winbind
|
|
-## helper domain, and allow the specified
|
|
-## role the winbind helper domain.
|
|
+## Execute winbind_helper in the winbind_helper domain, and
|
|
+## allow the specified role the winbind_helper domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -618,16 +731,16 @@ interface(`samba_getattr_winbind_exec',`
|
|
#
|
|
interface(`samba_run_winbind_helper',`
|
|
gen_require(`
|
|
- attribute_role winbind_helper_roles;
|
|
+ type winbind_helper_t;
|
|
')
|
|
|
|
samba_domtrans_winbind_helper($1)
|
|
- roleattribute $2 winbind_helper_roles;
|
|
+ role $2 types winbind_helper_t;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read winbind pid files.
|
|
+## Allow the specified domain to read the winbind pid files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -637,17 +750,16 @@ interface(`samba_run_winbind_helper',`
|
|
#
|
|
interface(`samba_read_winbind_pid',`
|
|
gen_require(`
|
|
- type winbind_var_run_t, smbd_var_run_t;
|
|
+ type winbind_var_run_t;
|
|
')
|
|
|
|
- files_search_pids($1)
|
|
- read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
|
|
+ samba_search_pid($1)
|
|
+ allow $1 winbind_var_run_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to winbind with a unix
|
|
-## domain stream socket.
|
|
+## Connect to winbind.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -657,17 +769,61 @@ interface(`samba_read_winbind_pid',`
|
|
#
|
|
interface(`samba_stream_connect_winbind',`
|
|
gen_require(`
|
|
- type samba_var_t, winbind_t, winbind_var_run_t, smbd_var_run_t;
|
|
+ type samba_var_t, winbind_t, winbind_var_run_t;
|
|
')
|
|
|
|
- files_search_pids($1)
|
|
- stream_connect_pattern($1, { smbd_var_run_t samba_var_t winbind_var_run_t }, winbind_var_run_t, winbind_t)
|
|
+ samba_search_pid($1)
|
|
+ allow $1 samba_var_t:dir search_dir_perms;
|
|
+ stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
|
|
+ samba_read_config($1)
|
|
+
|
|
+ ifndef(`distro_redhat',`
|
|
+ gen_require(`
|
|
+ type winbind_tmp_t;
|
|
+ ')
|
|
+
|
|
+ # the default for the socket is (poorly named):
|
|
+ # /tmp/.winbindd/pipe
|
|
+ files_search_tmp($1)
|
|
+ stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
|
|
+ ')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an samba environment.
|
|
+## Create a set of derived types for apache
|
|
+## web content.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## The prefix to be used for deriving type names.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`samba_helper_template',`
|
|
+ gen_require(`
|
|
+ type smbd_t;
|
|
+ role system_r;
|
|
+ ')
|
|
+
|
|
+ #This type is for samba helper scripts
|
|
+ type samba_$1_script_t;
|
|
+ domain_type(samba_$1_script_t)
|
|
+ role system_r types samba_$1_script_t;
|
|
+
|
|
+ # This type is used for executable scripts files
|
|
+ type samba_$1_script_exec_t;
|
|
+ corecmd_shell_entry_type(samba_$1_script_t)
|
|
+ domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)
|
|
+
|
|
+ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
|
|
+ allow smbd_t samba_$1_script_exec_t:file ioctl;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an samba environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -676,7 +832,7 @@ interface(`samba_stream_connect_winbind',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the samba domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
@@ -689,11 +845,28 @@ interface(`samba_admin',`
|
|
type samba_etc_t, samba_share_t, samba_initrc_exec_t;
|
|
type swat_var_run_t, swat_tmp_t, winbind_log_t;
|
|
type winbind_var_run_t, winbind_tmp_t;
|
|
- type smbd_keytab_t;
|
|
+ type smbd_keytab_t, samba_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 smbd_t:process signal_perms;
|
|
+ ps_process_pattern($1, smbd_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 smbd_t:process ptrace;
|
|
+ allow $1 nmbd_t:process ptrace;
|
|
+ allow $1 samba_unconfined_script_t:process ptrace;
|
|
')
|
|
|
|
- allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { nmbd_t smbd_t })
|
|
+ allow $1 nmbd_t:process signal_perms;
|
|
+ ps_process_pattern($1, nmbd_t)
|
|
+
|
|
+ allow $1 samba_unconfined_script_t:process signal_perms;
|
|
+ ps_process_pattern($1, samba_unconfined_script_t)
|
|
+
|
|
+ samba_run_smbcontrol($1, $2)
|
|
+ samba_run_winbind_helper($1, $2)
|
|
+ samba_run_smbmount($1, $2)
|
|
+ samba_run_net($1, $2)
|
|
|
|
init_labeled_script_domtrans($1, samba_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
@@ -703,23 +876,34 @@ interface(`samba_admin',`
|
|
files_list_etc($1)
|
|
admin_pattern($1, { samba_etc_t smbd_keytab_t })
|
|
|
|
+ admin_pattern($1, samba_log_t)
|
|
logging_list_logs($1)
|
|
- admin_pattern($1, { samba_log_t winbind_log_t })
|
|
|
|
- files_list_var($1)
|
|
- admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t })
|
|
+ admin_pattern($1, samba_secrets_t)
|
|
|
|
- files_list_spool($1)
|
|
- admin_pattern($1, smbd_spool_t)
|
|
+ admin_pattern($1, samba_share_t)
|
|
+
|
|
+ admin_pattern($1, samba_var_t)
|
|
+ files_list_var($1)
|
|
|
|
+ admin_pattern($1, smbd_var_run_t)
|
|
files_list_pids($1)
|
|
- admin_pattern($1, { winbind_var_run_t smbd_var_run_t swat_var_run_t nmbd_var_run_t })
|
|
|
|
+ admin_pattern($1, smbd_tmp_t)
|
|
files_list_tmp($1)
|
|
- admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
|
|
|
|
- samba_run_smbcontrol($1, $2)
|
|
- samba_run_winbind_helper($1, $2)
|
|
- samba_run_smbmount($1, $2)
|
|
- samba_run_net($1, $2)
|
|
+ admin_pattern($1, swat_var_run_t)
|
|
+
|
|
+ admin_pattern($1, swat_tmp_t)
|
|
+
|
|
+ admin_pattern($1, winbind_log_t)
|
|
+
|
|
+ admin_pattern($1, winbind_tmp_t)
|
|
+
|
|
+ admin_pattern($1, winbind_var_run_t)
|
|
+ admin_pattern($1, samba_unconfined_script_exec_t)
|
|
+
|
|
+ samba_systemctl($1)
|
|
+ admin_pattern($1, samba_unit_file_t)
|
|
+ allow $1 samba_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/samba.te b/samba.te
|
|
index 2b7c441..d768a98 100644
|
|
--- a/samba.te
|
|
+++ b/samba.te
|
|
@@ -6,100 +6,80 @@ policy_module(samba, 1.16.3)
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether samba can modify
|
|
-## public files used for public file
|
|
-## transfer services. Directories/Files must
|
|
-## be labeled public_content_rw_t.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow samba to modify public files used for public file
|
|
+## transfer services. Files/Directories must be labeled
|
|
+## public_content_rw_t.
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(allow_smbd_anon_write, false)
|
|
+gen_tunable(smbd_anon_write, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether samba can
|
|
-## create home directories via pam.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow samba to create new home directories (e.g. via PAM)
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(samba_create_home_dirs, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether samba can act as the
|
|
-## domain controller, add users, groups
|
|
-## and change passwords.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow samba to act as the domain controller, add users,
|
|
+## groups and change passwords.
|
|
+##
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(samba_domain_controller, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether samba can
|
|
-## act as a portmapper.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow samba to act as a portmapper
|
|
+##
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(samba_portmapper, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether samba can share
|
|
-## users home directories.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow samba to share users home directories.
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(samba_enable_home_dirs, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether samba can share
|
|
-## any content read only.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow samba to share any file/directory read only.
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(samba_export_all_ro, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether samba can share any
|
|
-## content readable and writable.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow samba to share any file/directory read/write.
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(samba_export_all_rw, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether samba can
|
|
-## run unconfined scripts.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow samba to run unconfined scripts
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(samba_run_unconfined, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether samba can
|
|
-## use nfs file systems.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow samba to export NFS volumes.
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(samba_share_nfs, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether samba can
|
|
-## use fuse file systems.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow samba to export ntfs/fusefs volumes.
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(samba_share_fusefs, false)
|
|
|
|
-attribute_role samba_net_roles;
|
|
-roleattribute system_r samba_net_roles;
|
|
-
|
|
-attribute_role smbcontrol_roles;
|
|
-roleattribute system_r smbcontrol_roles;
|
|
-
|
|
-attribute_role smbmount_roles;
|
|
-roleattribute system_r smbmount_roles;
|
|
-
|
|
-attribute_role winbind_helper_roles;
|
|
-roleattribute system_r winbind_helper_roles;
|
|
-
|
|
type nmbd_t;
|
|
type nmbd_exec_t;
|
|
init_daemon_domain(nmbd_t, nmbd_exec_t)
|
|
@@ -113,13 +93,16 @@ files_config_file(samba_etc_t)
|
|
type samba_initrc_exec_t;
|
|
init_script_file(samba_initrc_exec_t)
|
|
|
|
+type samba_unit_file_t;
|
|
+systemd_unit_file(samba_unit_file_t)
|
|
+
|
|
type samba_log_t;
|
|
logging_log_file(samba_log_t)
|
|
|
|
type samba_net_t;
|
|
type samba_net_exec_t;
|
|
application_domain(samba_net_t, samba_net_exec_t)
|
|
-role samba_net_roles types samba_net_t;
|
|
+role system_r types samba_net_t;
|
|
|
|
type samba_net_tmp_t;
|
|
files_tmp_file(samba_net_tmp_t)
|
|
@@ -136,7 +119,7 @@ files_type(samba_var_t)
|
|
type smbcontrol_t;
|
|
type smbcontrol_exec_t;
|
|
application_domain(smbcontrol_t, smbcontrol_exec_t)
|
|
-role smbcontrol_roles types smbcontrol_t;
|
|
+role system_r types smbcontrol_t;
|
|
|
|
type smbd_t;
|
|
type smbd_exec_t;
|
|
@@ -152,9 +135,10 @@ type smbd_var_run_t;
|
|
files_pid_file(smbd_var_run_t)
|
|
|
|
type smbmount_t;
|
|
+domain_type(smbmount_t)
|
|
+
|
|
type smbmount_exec_t;
|
|
-application_domain(smbmount_t, smbmount_exec_t)
|
|
-role smbmount_roles types smbmount_t;
|
|
+domain_entry_file(smbmount_t, smbmount_exec_t)
|
|
|
|
type swat_t;
|
|
type swat_exec_t;
|
|
@@ -173,28 +157,29 @@ type winbind_exec_t;
|
|
init_daemon_domain(winbind_t, winbind_exec_t)
|
|
|
|
type winbind_helper_t;
|
|
+domain_type(winbind_helper_t)
|
|
+role system_r types winbind_helper_t;
|
|
+
|
|
type winbind_helper_exec_t;
|
|
-application_domain(winbind_helper_t, winbind_helper_exec_t)
|
|
-role winbind_helper_roles types winbind_helper_t;
|
|
+domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
|
|
|
|
type winbind_log_t;
|
|
logging_log_file(winbind_log_t)
|
|
|
|
-type winbind_tmp_t;
|
|
-files_tmp_file(winbind_tmp_t)
|
|
-
|
|
type winbind_var_run_t;
|
|
files_pid_file(winbind_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
-# Net local policy
|
|
+# Samba net local policy
|
|
#
|
|
-
|
|
allow samba_net_t self:capability { sys_chroot sys_nice dac_read_search dac_override };
|
|
allow samba_net_t self:capability2 block_suspend;
|
|
allow samba_net_t self:process { getsched setsched };
|
|
-allow samba_net_t self:unix_stream_socket { accept listen };
|
|
+allow samba_net_t self:unix_dgram_socket create_socket_perms;
|
|
+allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow samba_net_t self:udp_socket create_socket_perms;
|
|
+allow samba_net_t self:tcp_socket create_socket_perms;
|
|
|
|
allow samba_net_t samba_etc_t:file read_file_perms;
|
|
|
|
@@ -210,17 +195,22 @@ manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
|
|
manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
|
|
files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
|
|
|
|
+kernel_read_proc_symlinks(samba_net_t)
|
|
kernel_read_system_state(samba_net_t)
|
|
kernel_read_network_state(samba_net_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(samba_net_t)
|
|
corenet_all_recvfrom_netlabel(samba_net_t)
|
|
+corenet_tcp_sendrecv_generic_if(samba_net_t)
|
|
corenet_udp_sendrecv_generic_if(samba_net_t)
|
|
+corenet_raw_sendrecv_generic_if(samba_net_t)
|
|
corenet_tcp_sendrecv_generic_node(samba_net_t)
|
|
-
|
|
-corenet_sendrecv_smbd_client_packets(samba_net_t)
|
|
+corenet_udp_sendrecv_generic_node(samba_net_t)
|
|
+corenet_raw_sendrecv_generic_node(samba_net_t)
|
|
+corenet_tcp_sendrecv_all_ports(samba_net_t)
|
|
+corenet_udp_sendrecv_all_ports(samba_net_t)
|
|
+corenet_tcp_bind_generic_node(samba_net_t)
|
|
+corenet_udp_bind_generic_node(samba_net_t)
|
|
corenet_tcp_connect_smbd_port(samba_net_t)
|
|
-corenet_tcp_sendrecv_smbd_port(samba_net_t)
|
|
|
|
dev_read_urand(samba_net_t)
|
|
|
|
@@ -233,15 +223,16 @@ auth_manage_cache(samba_net_t)
|
|
|
|
logging_send_syslog_msg(samba_net_t)
|
|
|
|
-miscfiles_read_localization(samba_net_t)
|
|
-
|
|
samba_read_var_files(samba_net_t)
|
|
|
|
-userdom_use_user_terminals(samba_net_t)
|
|
+sysnet_use_ldap(samba_net_t)
|
|
+
|
|
+userdom_use_inherited_user_terminals(samba_net_t)
|
|
userdom_list_user_home_dirs(samba_net_t)
|
|
|
|
optional_policy(`
|
|
- ldap_stream_connect(samba_net_t)
|
|
+ ldap_stream_connect(samba_net_t)
|
|
+ dirsrv_stream_connect(samba_net_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -249,46 +240,58 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ realmd_manage_cache_files(samba_net_t)
|
|
+ realmd_read_tmp_files(samba_net_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
kerberos_use(samba_net_t)
|
|
- kerberos_etc_filetrans_keytab(samba_net_t, file)
|
|
+ kerberos_etc_filetrans_keytab(samba_net_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Smbd Local policy
|
|
+# smbd Local policy
|
|
#
|
|
|
|
allow smbd_t self:capability { chown fowner kill fsetid setgid setuid sys_chroot sys_nice sys_admin sys_resource lease dac_override dac_read_search };
|
|
dontaudit smbd_t self:capability sys_tty_config;
|
|
-allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
|
|
+allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
+allow smbd_t self:process setrlimit;
|
|
allow smbd_t self:fd use;
|
|
allow smbd_t self:fifo_file rw_fifo_file_perms;
|
|
allow smbd_t self:msg { send receive };
|
|
allow smbd_t self:msgq create_msgq_perms;
|
|
allow smbd_t self:sem create_sem_perms;
|
|
allow smbd_t self:shm create_shm_perms;
|
|
-allow smbd_t self:tcp_socket { accept listen };
|
|
-allow smbd_t self:unix_dgram_socket sendto;
|
|
-allow smbd_t self:unix_stream_socket { accept connectto listen };
|
|
+allow smbd_t self:key manage_key_perms;
|
|
+allow smbd_t self:sock_file read_sock_file_perms;
|
|
+allow smbd_t self:tcp_socket create_stream_socket_perms;
|
|
+allow smbd_t self:udp_socket create_socket_perms;
|
|
+allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
+allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
+
|
|
+allow smbd_t nmbd_t:process { signal signull };
|
|
|
|
-allow smbd_t { swat_t winbind_t smbcontrol_t nmbd_t }:process { signal signull };
|
|
+allow smbd_t nmbd_var_run_t:file rw_file_perms;
|
|
+stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
|
|
|
|
-allow smbd_t samba_etc_t:file { rw_file_perms setattr_file_perms };
|
|
+allow smbd_t samba_etc_t:file { rw_file_perms setattr };
|
|
|
|
allow smbd_t smbd_keytab_t:file read_file_perms;
|
|
|
|
manage_dirs_pattern(smbd_t, samba_log_t, samba_log_t)
|
|
-append_files_pattern(smbd_t, samba_log_t, samba_log_t)
|
|
-create_files_pattern(smbd_t, samba_log_t, samba_log_t)
|
|
-setattr_files_pattern(smbd_t, samba_log_t, samba_log_t)
|
|
+manage_files_pattern(smbd_t, samba_log_t, samba_log_t)
|
|
|
|
-allow smbd_t samba_net_tmp_t:file getattr_file_perms;
|
|
+allow smbd_t samba_net_tmp_t:file getattr;
|
|
|
|
manage_files_pattern(smbd_t, samba_secrets_t, samba_secrets_t)
|
|
filetrans_pattern(smbd_t, samba_etc_t, samba_secrets_t, file)
|
|
|
|
manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
|
|
manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
|
|
+manage_fifo_files_pattern(smbd_t, samba_share_t, samba_share_t)
|
|
+manage_sock_files_pattern(smbd_t, samba_share_t, samba_share_t)
|
|
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
|
|
allow smbd_t samba_share_t:filesystem { getattr quotaget };
|
|
|
|
@@ -298,6 +301,8 @@ manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
|
|
manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
|
|
files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
|
|
|
|
+allow smbd_t smbcontrol_t:process { signal signull };
|
|
+
|
|
manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
|
|
manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
|
|
files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
|
|
@@ -307,11 +312,11 @@ manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
|
|
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
|
|
files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
|
|
|
|
-allow smbd_t winbind_var_run_t:sock_file read_sock_file_perms;
|
|
-stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
|
|
+allow smbd_t swat_t:process signal;
|
|
|
|
-allow smbd_t nmbd_var_run_t:file read_file_perms;
|
|
-stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
|
|
+allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;
|
|
+
|
|
+allow smbd_t winbind_t:process { signal signull };
|
|
|
|
kernel_getattr_core_if(smbd_t)
|
|
kernel_getattr_message_if(smbd_t)
|
|
@@ -321,43 +326,33 @@ kernel_read_kernel_sysctls(smbd_t)
|
|
kernel_read_software_raid_state(smbd_t)
|
|
kernel_read_system_state(smbd_t)
|
|
|
|
-corecmd_exec_bin(smbd_t)
|
|
corecmd_exec_shell(smbd_t)
|
|
+corecmd_exec_bin(smbd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(smbd_t)
|
|
corenet_all_recvfrom_netlabel(smbd_t)
|
|
corenet_tcp_sendrecv_generic_if(smbd_t)
|
|
+corenet_udp_sendrecv_generic_if(smbd_t)
|
|
+corenet_raw_sendrecv_generic_if(smbd_t)
|
|
corenet_tcp_sendrecv_generic_node(smbd_t)
|
|
+corenet_udp_sendrecv_generic_node(smbd_t)
|
|
+corenet_raw_sendrecv_generic_node(smbd_t)
|
|
+corenet_tcp_sendrecv_all_ports(smbd_t)
|
|
+corenet_udp_sendrecv_all_ports(smbd_t)
|
|
corenet_tcp_bind_generic_node(smbd_t)
|
|
-
|
|
-corenet_sendrecv_smbd_client_packets(smbd_t)
|
|
-corenet_tcp_connect_smbd_port(smbd_t)
|
|
-corenet_sendrecv_smbd_server_packets(smbd_t)
|
|
+corenet_udp_bind_generic_node(smbd_t)
|
|
corenet_tcp_bind_smbd_port(smbd_t)
|
|
-corenet_tcp_sendrecv_smbd_port(smbd_t)
|
|
-
|
|
-corenet_sendrecv_ipp_client_packets(smbd_t)
|
|
corenet_tcp_connect_ipp_port(smbd_t)
|
|
-corenet_tcp_sendrecv_ipp_port(smbd_t)
|
|
+corenet_tcp_connect_smbd_port(smbd_t)
|
|
|
|
dev_read_sysfs(smbd_t)
|
|
dev_read_urand(smbd_t)
|
|
+dev_dontaudit_write_urand(smbd_t)
|
|
dev_getattr_mtrr_dev(smbd_t)
|
|
dev_dontaudit_getattr_usbfs_dirs(smbd_t)
|
|
+# For redhat bug 566984
|
|
dev_getattr_all_blk_files(smbd_t)
|
|
dev_getattr_all_chr_files(smbd_t)
|
|
|
|
-domain_use_interactive_fds(smbd_t)
|
|
-domain_dontaudit_list_all_domains_state(smbd_t)
|
|
-
|
|
-files_list_var_lib(smbd_t)
|
|
-files_read_etc_runtime_files(smbd_t)
|
|
-files_read_usr_files(smbd_t)
|
|
-files_search_spool(smbd_t)
|
|
-files_dontaudit_getattr_all_dirs(smbd_t)
|
|
-files_dontaudit_list_all_mountpoints(smbd_t)
|
|
-files_list_mnt(smbd_t)
|
|
-
|
|
fs_getattr_all_fs(smbd_t)
|
|
fs_getattr_all_dirs(smbd_t)
|
|
fs_get_xattr_fs_quotas(smbd_t)
|
|
@@ -366,44 +361,54 @@ fs_getattr_rpc_dirs(smbd_t)
|
|
fs_list_inotifyfs(smbd_t)
|
|
fs_get_all_fs_quotas(smbd_t)
|
|
|
|
-term_use_ptmx(smbd_t)
|
|
-
|
|
auth_use_nsswitch(smbd_t)
|
|
auth_domtrans_chk_passwd(smbd_t)
|
|
auth_domtrans_upd_passwd(smbd_t)
|
|
auth_manage_cache(smbd_t)
|
|
auth_write_login_records(smbd_t)
|
|
|
|
+domain_use_interactive_fds(smbd_t)
|
|
+domain_dontaudit_list_all_domains_state(smbd_t)
|
|
+
|
|
+files_list_var_lib(smbd_t)
|
|
+files_read_etc_runtime_files(smbd_t)
|
|
+files_search_spool(smbd_t)
|
|
+# smbd seems to getattr all mountpoints
|
|
+files_dontaudit_getattr_all_dirs(smbd_t)
|
|
+files_dontaudit_list_all_mountpoints(smbd_t)
|
|
+# Allow samba to list mnt_t for potential mounted dirs
|
|
+files_list_mnt(smbd_t)
|
|
+
|
|
init_rw_utmp(smbd_t)
|
|
|
|
logging_search_logs(smbd_t)
|
|
logging_send_syslog_msg(smbd_t)
|
|
|
|
-miscfiles_read_localization(smbd_t)
|
|
miscfiles_read_public_files(smbd_t)
|
|
|
|
sysnet_use_ldap(smbd_t)
|
|
|
|
userdom_use_unpriv_users_fds(smbd_t)
|
|
+userdom_search_user_home_content(smbd_t)
|
|
userdom_signal_all_users(smbd_t)
|
|
-userdom_home_filetrans_user_home_dir(smbd_t)
|
|
-userdom_user_home_dir_filetrans_user_home_content(smbd_t, { dir file lnk_file sock_file fifo_file })
|
|
|
|
usermanage_read_crack_db(smbd_t)
|
|
|
|
-ifdef(`hide_broken_symptoms',`
|
|
+term_use_ptmx(smbd_t)
|
|
+
|
|
+ifdef(`hide_broken_symptoms', `
|
|
files_dontaudit_getattr_default_dirs(smbd_t)
|
|
files_dontaudit_getattr_boot_dirs(smbd_t)
|
|
fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
|
|
')
|
|
|
|
-tunable_policy(`allow_smbd_anon_write',`
|
|
+tunable_policy(`smbd_anon_write',`
|
|
miscfiles_manage_public_files(smbd_t)
|
|
-')
|
|
+')
|
|
|
|
-tunable_policy(`samba_create_home_dirs',`
|
|
- allow smbd_t self:capability chown;
|
|
- userdom_create_user_home_dirs(smbd_t)
|
|
+tunable_policy(`samba_portmapper',`
|
|
+ corenet_tcp_bind_epmap_port(smbd_t)
|
|
+ corenet_tcp_bind_all_unreserved_ports(smbd_t)
|
|
')
|
|
|
|
tunable_policy(`samba_domain_controller',`
|
|
@@ -419,20 +424,10 @@ tunable_policy(`samba_domain_controller',`
|
|
')
|
|
|
|
tunable_policy(`samba_enable_home_dirs',`
|
|
- userdom_manage_user_home_content_dirs(smbd_t)
|
|
- userdom_manage_user_home_content_files(smbd_t)
|
|
- userdom_manage_user_home_content_symlinks(smbd_t)
|
|
- userdom_manage_user_home_content_sockets(smbd_t)
|
|
- userdom_manage_user_home_content_pipes(smbd_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`samba_portmapper',`
|
|
- corenet_sendrecv_all_server_packets(smbd_t)
|
|
- corenet_tcp_bind_epmap_port(smbd_t)
|
|
- corenet_tcp_bind_all_unreserved_ports(smbd_t)
|
|
- corenet_tcp_sendrecv_all_ports(smbd_t)
|
|
+ userdom_manage_user_home_content(smbd_t)
|
|
')
|
|
|
|
+# Support Samba sharing of NFS mount points
|
|
tunable_policy(`samba_share_nfs',`
|
|
fs_manage_nfs_dirs(smbd_t)
|
|
fs_manage_nfs_files(smbd_t)
|
|
@@ -441,6 +436,7 @@ tunable_policy(`samba_share_nfs',`
|
|
fs_manage_nfs_named_sockets(smbd_t)
|
|
')
|
|
|
|
+# Support Samba sharing of ntfs/fusefs mount points
|
|
tunable_policy(`samba_share_fusefs',`
|
|
fs_manage_fusefs_dirs(smbd_t)
|
|
fs_manage_fusefs_files(smbd_t)
|
|
@@ -448,17 +444,6 @@ tunable_policy(`samba_share_fusefs',`
|
|
fs_search_fusefs(smbd_t)
|
|
')
|
|
|
|
-tunable_policy(`samba_export_all_ro',`
|
|
- fs_read_noxattr_fs_files(smbd_t)
|
|
- files_list_non_auth_dirs(smbd_t)
|
|
- files_read_non_auth_files(smbd_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`samba_export_all_rw',`
|
|
- fs_read_noxattr_fs_files(smbd_t)
|
|
- files_manage_non_auth_files(smbd_t)
|
|
-')
|
|
-
|
|
optional_policy(`
|
|
ccs_read_config(smbd_t)
|
|
')
|
|
@@ -466,6 +451,7 @@ optional_policy(`
|
|
optional_policy(`
|
|
ctdbd_stream_connect(smbd_t)
|
|
ctdbd_manage_lib_files(smbd_t)
|
|
+ ctdbd_manage_var_files(smbd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -479,6 +465,11 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ ldap_stream_connect(smbd_t)
|
|
+ dirsrv_stream_connect(smbd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
lpd_exec_lpr(smbd_t)
|
|
')
|
|
|
|
@@ -499,9 +490,33 @@ optional_policy(`
|
|
udev_read_db(smbd_t)
|
|
')
|
|
|
|
+tunable_policy(`samba_create_home_dirs',`
|
|
+ allow smbd_t self:capability chown;
|
|
+ userdom_create_user_home_dirs(smbd_t)
|
|
+')
|
|
+
|
|
+userdom_home_filetrans_user_home_dir(smbd_t)
|
|
+
|
|
+tunable_policy(`samba_export_all_ro',`
|
|
+ allow nmbd_t self:capability { dac_read_search dac_override };
|
|
+ fs_read_noxattr_fs_files(smbd_t)
|
|
+ files_read_non_security_files(smbd_t)
|
|
+ fs_read_noxattr_fs_files(nmbd_t)
|
|
+ files_read_non_security_files(nmbd_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`samba_export_all_rw',`
|
|
+ allow nmbd_t self:capability { dac_read_search dac_override };
|
|
+ fs_manage_noxattr_fs_files(smbd_t)
|
|
+ files_manage_non_security_files(smbd_t)
|
|
+ fs_manage_noxattr_fs_files(nmbd_t)
|
|
+ files_manage_non_security_files(nmbd_t)
|
|
+')
|
|
+userdom_filetrans_home_content(nmbd_t)
|
|
+
|
|
########################################
|
|
#
|
|
-# Nmbd Local policy
|
|
+# nmbd Local policy
|
|
#
|
|
|
|
dontaudit nmbd_t self:capability sys_tty_config;
|
|
@@ -512,9 +527,11 @@ allow nmbd_t self:msg { send receive };
|
|
allow nmbd_t self:msgq create_msgq_perms;
|
|
allow nmbd_t self:sem create_sem_perms;
|
|
allow nmbd_t self:shm create_shm_perms;
|
|
-allow nmbd_t self:tcp_socket { accept listen };
|
|
-allow nmbd_t self:unix_dgram_socket sendto;
|
|
-allow nmbd_t self:unix_stream_socket { accept connectto listen };
|
|
+allow nmbd_t self:sock_file read_sock_file_perms;
|
|
+allow nmbd_t self:tcp_socket create_stream_socket_perms;
|
|
+allow nmbd_t self:udp_socket create_socket_perms;
|
|
+allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
+allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
|
|
manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
|
|
manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
|
|
@@ -526,20 +543,15 @@ read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
|
|
read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
|
|
|
|
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
|
|
-append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
|
|
-create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
|
|
-setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
|
|
+manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
|
|
|
|
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
|
|
+manage_dirs_pattern(nmbd_t, samba_var_t, samba_var_t)
|
|
manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
|
|
manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
|
|
manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
|
|
-files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
|
|
files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
|
|
|
|
-allow nmbd_t { swat_t smbcontrol_t }:process signal;
|
|
-
|
|
-allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
|
|
+allow nmbd_t smbcontrol_t:process signal;
|
|
|
|
kernel_getattr_core_if(nmbd_t)
|
|
kernel_getattr_message_if(nmbd_t)
|
|
@@ -548,52 +560,41 @@ kernel_read_network_state(nmbd_t)
|
|
kernel_read_software_raid_state(nmbd_t)
|
|
kernel_read_system_state(nmbd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(nmbd_t)
|
|
corenet_all_recvfrom_netlabel(nmbd_t)
|
|
corenet_tcp_sendrecv_generic_if(nmbd_t)
|
|
corenet_udp_sendrecv_generic_if(nmbd_t)
|
|
corenet_tcp_sendrecv_generic_node(nmbd_t)
|
|
corenet_udp_sendrecv_generic_node(nmbd_t)
|
|
+corenet_tcp_sendrecv_all_ports(nmbd_t)
|
|
+corenet_udp_sendrecv_all_ports(nmbd_t)
|
|
corenet_udp_bind_generic_node(nmbd_t)
|
|
-
|
|
-corenet_sendrecv_nmbd_server_packets(nmbd_t)
|
|
corenet_udp_bind_nmbd_port(nmbd_t)
|
|
-corenet_udp_sendrecv_nmbd_port(nmbd_t)
|
|
-
|
|
-corenet_sendrecv_smbd_client_packets(nmbd_t)
|
|
+corenet_sendrecv_nmbd_server_packets(nmbd_t)
|
|
+corenet_sendrecv_nmbd_client_packets(nmbd_t)
|
|
corenet_tcp_connect_smbd_port(nmbd_t)
|
|
-corenet_tcp_sendrecv_smbd_port(nmbd_t)
|
|
|
|
-dev_read_sysfs(nmbd_t)
|
|
dev_getattr_mtrr_dev(nmbd_t)
|
|
+dev_read_sysfs(nmbd_t)
|
|
+dev_read_urand(nmbd_t)
|
|
+
|
|
+fs_getattr_all_fs(nmbd_t)
|
|
+fs_search_auto_mountpoints(nmbd_t)
|
|
|
|
domain_use_interactive_fds(nmbd_t)
|
|
|
|
-files_read_usr_files(nmbd_t)
|
|
files_list_var_lib(nmbd_t)
|
|
|
|
-fs_getattr_all_fs(nmbd_t)
|
|
-fs_search_auto_mountpoints(nmbd_t)
|
|
-
|
|
auth_use_nsswitch(nmbd_t)
|
|
|
|
logging_search_logs(nmbd_t)
|
|
logging_send_syslog_msg(nmbd_t)
|
|
|
|
-miscfiles_read_localization(nmbd_t)
|
|
-
|
|
userdom_use_unpriv_users_fds(nmbd_t)
|
|
-userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
|
|
+userdom_dontaudit_search_user_home_dirs(nmbd_t)
|
|
|
|
-tunable_policy(`samba_export_all_ro',`
|
|
- fs_read_noxattr_fs_files(nmbd_t)
|
|
- files_list_non_auth_dirs(nmbd_t)
|
|
- files_read_non_auth_files(nmbd_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`samba_export_all_rw',`
|
|
- fs_read_noxattr_fs_files(nmbd_t)
|
|
- files_manage_non_auth_files(nmbd_t)
|
|
+optional_policy(`
|
|
+ ctdbd_stream_connect(nmbd_t)
|
|
+ ctdbd_manage_var_files(nmbd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -606,16 +607,22 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Smbcontrol local policy
|
|
+# smbcontrol local policy
|
|
#
|
|
|
|
+
|
|
allow smbcontrol_t self:process signal;
|
|
-allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
|
|
+# internal communication is often done using fifo and unix sockets.
|
|
+allow smbcontrol_t self:fifo_file rw_file_perms;
|
|
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow smbcontrol_t self:process { signal signull };
|
|
|
|
-allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
|
|
-read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t })
|
|
+allow smbcontrol_t nmbd_t:process { signal signull };
|
|
+read_files_pattern(smbcontrol_t, nmbd_var_run_t, nmbd_var_run_t)
|
|
+
|
|
+allow smbcontrol_t smbd_t:process { signal signull };
|
|
+read_files_pattern(smbcontrol_t, smbd_var_run_t, smbd_var_run_t)
|
|
+allow smbcontrol_t winbind_t:process { signal signull };
|
|
|
|
manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
|
|
|
|
@@ -627,16 +634,11 @@ domain_use_interactive_fds(smbcontrol_t)
|
|
|
|
dev_read_urand(smbcontrol_t)
|
|
|
|
-files_read_etc_files(smbcontrol_t)
|
|
-files_search_var_lib(smbcontrol_t)
|
|
-
|
|
term_use_console(smbcontrol_t)
|
|
|
|
-miscfiles_read_localization(smbcontrol_t)
|
|
-
|
|
sysnet_use_ldap(smbcontrol_t)
|
|
|
|
-userdom_use_user_terminals(smbcontrol_t)
|
|
+userdom_use_inherited_user_terminals(smbcontrol_t)
|
|
|
|
optional_policy(`
|
|
ctdbd_stream_connect(smbcontrol_t)
|
|
@@ -644,22 +646,23 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Smbmount Local policy
|
|
+# smbmount Local policy
|
|
#
|
|
|
|
-allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown };
|
|
-allow smbmount_t self:process signal_perms;
|
|
-allow smbmount_t self:tcp_socket { accept listen };
|
|
+allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary?
|
|
+allow smbmount_t self:process { fork signal_perms };
|
|
+allow smbmount_t self:tcp_socket create_stream_socket_perms;
|
|
+allow smbmount_t self:udp_socket connect;
|
|
allow smbmount_t self:unix_dgram_socket create_socket_perms;
|
|
allow smbmount_t self:unix_stream_socket create_socket_perms;
|
|
|
|
allow smbmount_t samba_etc_t:dir list_dir_perms;
|
|
allow smbmount_t samba_etc_t:file read_file_perms;
|
|
|
|
-allow smbmount_t samba_log_t:dir list_dir_perms;
|
|
-append_files_pattern(smbmount_t, samba_log_t, samba_log_t)
|
|
-create_files_pattern(smbmount_t, samba_log_t, samba_log_t)
|
|
-setattr_files_pattern(smbmount_t, samba_log_t, samba_log_t)
|
|
+can_exec(smbmount_t, smbmount_exec_t)
|
|
+
|
|
+allow smbmount_t samba_log_t:dir list_dir_perms;
|
|
+allow smbmount_t samba_log_t:file manage_file_perms;
|
|
|
|
allow smbmount_t samba_secrets_t:file manage_file_perms;
|
|
|
|
@@ -668,26 +671,22 @@ manage_files_pattern(smbmount_t, samba_var_t, samba_var_t)
|
|
manage_lnk_files_pattern(smbmount_t, samba_var_t, samba_var_t)
|
|
files_var_filetrans(smbmount_t, samba_var_t, dir, "samba")
|
|
|
|
-can_exec(smbmount_t, smbmount_exec_t)
|
|
+files_list_var_lib(smbmount_t)
|
|
|
|
kernel_read_system_state(smbmount_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(smbmount_t)
|
|
corenet_all_recvfrom_netlabel(smbmount_t)
|
|
corenet_tcp_sendrecv_generic_if(smbmount_t)
|
|
+corenet_raw_sendrecv_generic_if(smbmount_t)
|
|
+corenet_udp_sendrecv_generic_if(smbmount_t)
|
|
corenet_tcp_sendrecv_generic_node(smbmount_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(smbmount_t)
|
|
-corenet_tcp_connect_all_ports(smbmount_t)
|
|
+corenet_raw_sendrecv_generic_node(smbmount_t)
|
|
+corenet_udp_sendrecv_generic_node(smbmount_t)
|
|
corenet_tcp_sendrecv_all_ports(smbmount_t)
|
|
-
|
|
-corecmd_list_bin(smbmount_t)
|
|
-
|
|
-files_list_mnt(smbmount_t)
|
|
-files_list_var_lib(smbmount_t)
|
|
-files_mounton_mnt(smbmount_t)
|
|
-files_manage_etc_runtime_files(smbmount_t)
|
|
-files_etc_filetrans_etc_runtime(smbmount_t, file)
|
|
+corenet_udp_sendrecv_all_ports(smbmount_t)
|
|
+corenet_tcp_bind_generic_node(smbmount_t)
|
|
+corenet_udp_bind_generic_node(smbmount_t)
|
|
+corenet_tcp_connect_all_ports(smbmount_t)
|
|
|
|
fs_getattr_cifs(smbmount_t)
|
|
fs_mount_cifs(smbmount_t)
|
|
@@ -699,58 +698,77 @@ fs_read_cifs_files(smbmount_t)
|
|
storage_raw_read_fixed_disk(smbmount_t)
|
|
storage_raw_write_fixed_disk(smbmount_t)
|
|
|
|
-auth_use_nsswitch(smbmount_t)
|
|
+corecmd_list_bin(smbmount_t)
|
|
|
|
-miscfiles_read_localization(smbmount_t)
|
|
+files_list_mnt(smbmount_t)
|
|
+files_mounton_mnt(smbmount_t)
|
|
+files_manage_etc_runtime_files(smbmount_t)
|
|
+files_etc_filetrans_etc_runtime(smbmount_t, file)
|
|
+
|
|
+auth_use_nsswitch(smbmount_t)
|
|
|
|
-mount_use_fds(smbmount_t)
|
|
|
|
locallogin_use_fds(smbmount_t)
|
|
|
|
logging_search_logs(smbmount_t)
|
|
|
|
-userdom_use_user_terminals(smbmount_t)
|
|
+userdom_use_inherited_user_terminals(smbmount_t)
|
|
userdom_use_all_users_fds(smbmount_t)
|
|
|
|
optional_policy(`
|
|
cups_read_rw_config(smbmount_t)
|
|
')
|
|
|
|
+optional_policy(`
|
|
+ mount_use_fds(smbmount_t)
|
|
+')
|
|
+
|
|
########################################
|
|
#
|
|
-# Swat Local policy
|
|
+# SWAT Local policy
|
|
#
|
|
|
|
allow swat_t self:capability { dac_override setuid setgid sys_resource };
|
|
+allow swat_t self:capability2 block_suspend;
|
|
allow swat_t self:process { setrlimit signal_perms };
|
|
allow swat_t self:fifo_file rw_fifo_file_perms;
|
|
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
|
-allow swat_t self:tcp_socket { accept listen };
|
|
+allow swat_t self:tcp_socket create_stream_socket_perms;
|
|
+allow swat_t self:udp_socket create_socket_perms;
|
|
allow swat_t self:unix_stream_socket connectto;
|
|
|
|
-allow swat_t { nmbd_t smbd_t }:process { signal signull };
|
|
+samba_domtrans_smbd(swat_t)
|
|
+allow swat_t smbd_t:process { signal signull };
|
|
|
|
-allow swat_t smbd_var_run_t:file read_file_perms;
|
|
-allow swat_t smbd_var_run_t:file { lock delete_file_perms };
|
|
+samba_domtrans_nmbd(swat_t)
|
|
+allow swat_t nmbd_t:process { signal signull };
|
|
+allow nmbd_t swat_t:process signal;
|
|
+
|
|
+read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
|
|
+stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
|
|
+
|
|
+allow swat_t smbd_port_t:tcp_socket name_bind;
|
|
+
|
|
+allow swat_t nmbd_port_t:udp_socket name_bind;
|
|
|
|
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
|
|
read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
|
|
|
|
manage_dirs_pattern(swat_t, samba_log_t, samba_log_t)
|
|
-append_files_pattern(swat_t, samba_log_t, samba_log_t)
|
|
-create_files_pattern(swat_t, samba_log_t, samba_log_t)
|
|
-setattr_files_pattern(swat_t, samba_log_t, samba_log_t)
|
|
+manage_files_pattern(swat_t, samba_log_t, samba_log_t)
|
|
|
|
manage_files_pattern(swat_t, samba_etc_t, samba_secrets_t)
|
|
|
|
manage_dirs_pattern(swat_t, samba_var_t, samba_var_t)
|
|
manage_files_pattern(swat_t, samba_var_t, samba_var_t)
|
|
-manage_lnk_files_pattern(swat_t, samba_var_t, samba_var_t)
|
|
files_var_filetrans(swat_t, samba_var_t, dir, "samba")
|
|
|
|
allow swat_t smbd_exec_t:file mmap_file_perms ;
|
|
|
|
-allow swat_t { winbind_t smbd_t }:process { signal signull };
|
|
+allow swat_t smbd_t:process signull;
|
|
+
|
|
+allow swat_t smbd_var_run_t:file read_file_perms;
|
|
+allow swat_t smbd_var_run_t:file { lock unlink };
|
|
|
|
manage_dirs_pattern(swat_t, swat_tmp_t, swat_tmp_t)
|
|
manage_files_pattern(swat_t, swat_tmp_t, swat_tmp_t)
|
|
@@ -759,17 +777,13 @@ files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
|
|
manage_files_pattern(swat_t, swat_var_run_t, swat_var_run_t)
|
|
files_pid_filetrans(swat_t, swat_var_run_t, file)
|
|
|
|
-read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
|
|
-allow swat_t winbind_var_run_t:dir { add_entry_dir_perms del_entry_dir_perms };
|
|
-allow swat_t winbind_var_run_t:sock_file { create_sock_file_perms delete_sock_file_perms };
|
|
-
|
|
-read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
|
|
-stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
|
|
-
|
|
-samba_domtrans_smbd(swat_t)
|
|
-samba_domtrans_nmbd(swat_t)
|
|
-
|
|
+allow swat_t winbind_exec_t:file mmap_file_perms;
|
|
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
|
|
+allow swat_t winbind_t:process { signal signull };
|
|
+
|
|
+read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
|
|
+allow swat_t winbind_var_run_t:dir { write add_name remove_name };
|
|
+allow swat_t winbind_var_run_t:sock_file { create unlink };
|
|
|
|
kernel_read_kernel_sysctls(swat_t)
|
|
kernel_read_system_state(swat_t)
|
|
@@ -777,36 +791,25 @@ kernel_read_network_state(swat_t)
|
|
|
|
corecmd_search_bin(swat_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(swat_t)
|
|
corenet_all_recvfrom_netlabel(swat_t)
|
|
corenet_tcp_sendrecv_generic_if(swat_t)
|
|
corenet_udp_sendrecv_generic_if(swat_t)
|
|
+corenet_raw_sendrecv_generic_if(swat_t)
|
|
corenet_tcp_sendrecv_generic_node(swat_t)
|
|
corenet_udp_sendrecv_generic_node(swat_t)
|
|
-corenet_tcp_bind_generic_node(swat_t)
|
|
-corenet_udp_bind_generic_node(swat_t)
|
|
-
|
|
-corenet_sendrecv_nmbd_server_packets(swat_t)
|
|
-corenet_udp_bind_nmbd_port(swat_t)
|
|
-corenet_udp_sendrecv_nmbd_port(swat_t)
|
|
-
|
|
-corenet_sendrecv_smbd_client_packets(swat_t)
|
|
+corenet_raw_sendrecv_generic_node(swat_t)
|
|
+corenet_tcp_sendrecv_all_ports(swat_t)
|
|
+corenet_udp_sendrecv_all_ports(swat_t)
|
|
corenet_tcp_connect_smbd_port(swat_t)
|
|
-corenet_sendrecv_smbd_server_packets(swat_t)
|
|
-corenet_tcp_bind_smbd_port(swat_t)
|
|
-corenet_tcp_sendrecv_smbd_port(swat_t)
|
|
-
|
|
-corenet_sendrecv_ipp_client_packets(swat_t)
|
|
corenet_tcp_connect_ipp_port(swat_t)
|
|
-corenet_tcp_sendrecv_ipp_port(swat_t)
|
|
+corenet_sendrecv_smbd_client_packets(swat_t)
|
|
+corenet_sendrecv_ipp_client_packets(swat_t)
|
|
|
|
dev_read_urand(swat_t)
|
|
|
|
files_list_var_lib(swat_t)
|
|
files_search_home(swat_t)
|
|
-files_read_usr_files(swat_t)
|
|
fs_getattr_xattr_fs(swat_t)
|
|
-files_list_var_lib(swat_t)
|
|
|
|
auth_domtrans_chk_passwd(swat_t)
|
|
auth_use_nsswitch(swat_t)
|
|
@@ -818,10 +821,11 @@ logging_send_syslog_msg(swat_t)
|
|
logging_send_audit_msgs(swat_t)
|
|
logging_search_logs(swat_t)
|
|
|
|
-miscfiles_read_localization(swat_t)
|
|
-
|
|
sysnet_use_ldap(swat_t)
|
|
|
|
+
|
|
+userdom_dontaudit_search_admin_dir(swat_t)
|
|
+
|
|
optional_policy(`
|
|
cups_read_rw_config(swat_t)
|
|
cups_stream_connect(swat_t)
|
|
@@ -841,16 +845,19 @@ optional_policy(`
|
|
#
|
|
|
|
allow winbind_t self:capability { dac_override ipc_lock setuid sys_nice };
|
|
+allow winbind_t self:capability2 block_suspend;
|
|
dontaudit winbind_t self:capability sys_tty_config;
|
|
allow winbind_t self:process { signal_perms getsched setsched };
|
|
allow winbind_t self:fifo_file rw_fifo_file_perms;
|
|
-allow winbind_t self:unix_stream_socket { accept listen };
|
|
-allow winbind_t self:tcp_socket { accept listen };
|
|
+allow winbind_t self:unix_dgram_socket create_socket_perms;
|
|
+allow winbind_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow winbind_t self:tcp_socket create_stream_socket_perms;
|
|
+allow winbind_t self:udp_socket create_socket_perms;
|
|
|
|
allow winbind_t nmbd_t:process { signal signull };
|
|
|
|
-allow winbind_t nmbd_var_run_t:file read_file_perms;
|
|
-stream_connect_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
|
|
+read_files_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t)
|
|
+samba_stream_connect_nmbd(winbind_t)
|
|
|
|
allow winbind_t samba_etc_t:dir list_dir_perms;
|
|
read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
|
|
@@ -860,9 +867,7 @@ manage_files_pattern(winbind_t, samba_etc_t, samba_secrets_t)
|
|
filetrans_pattern(winbind_t, samba_etc_t, samba_secrets_t, file)
|
|
|
|
manage_dirs_pattern(winbind_t, samba_log_t, samba_log_t)
|
|
-append_files_pattern(winbind_t, samba_log_t, samba_log_t)
|
|
-create_files_pattern(winbind_t, samba_log_t, samba_log_t)
|
|
-setattr_files_pattern(winbind_t, samba_log_t, samba_log_t)
|
|
+manage_files_pattern(winbind_t, samba_log_t, samba_log_t)
|
|
manage_lnk_files_pattern(winbind_t, samba_log_t, samba_log_t)
|
|
|
|
manage_dirs_pattern(winbind_t, samba_var_t, samba_var_t)
|
|
@@ -873,23 +878,21 @@ files_var_filetrans(winbind_t, samba_var_t, dir, "samba")
|
|
|
|
rw_files_pattern(winbind_t, smbd_tmp_t, smbd_tmp_t)
|
|
|
|
-# This needs a file context specification
|
|
-allow winbind_t winbind_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
|
+allow winbind_t winbind_log_t:file manage_file_perms;
|
|
logging_log_filetrans(winbind_t, winbind_log_t, file)
|
|
|
|
-manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
|
|
-manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
|
|
-manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
|
|
-files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
|
|
+userdom_manage_user_tmp_dirs(winbind_t)
|
|
+userdom_manage_user_tmp_files(winbind_t)
|
|
+userdom_tmp_filetrans_user_tmp(winbind_t, { file dir })
|
|
|
|
manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
|
|
manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
|
|
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
|
|
files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
|
|
filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
|
|
-
|
|
-manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
|
|
+# /run/samba/krb5cc_samba
|
|
manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
|
|
+manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
|
|
manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
|
|
|
|
kernel_read_network_state(winbind_t)
|
|
@@ -898,13 +901,17 @@ kernel_read_system_state(winbind_t)
|
|
|
|
corecmd_exec_bin(winbind_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(winbind_t)
|
|
corenet_all_recvfrom_netlabel(winbind_t)
|
|
corenet_tcp_sendrecv_generic_if(winbind_t)
|
|
+corenet_udp_sendrecv_generic_if(winbind_t)
|
|
+corenet_raw_sendrecv_generic_if(winbind_t)
|
|
corenet_tcp_sendrecv_generic_node(winbind_t)
|
|
+corenet_udp_sendrecv_generic_node(winbind_t)
|
|
+corenet_raw_sendrecv_generic_node(winbind_t)
|
|
corenet_tcp_sendrecv_all_ports(winbind_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(winbind_t)
|
|
+corenet_udp_sendrecv_all_ports(winbind_t)
|
|
+corenet_tcp_bind_generic_node(winbind_t)
|
|
+corenet_udp_bind_generic_node(winbind_t)
|
|
corenet_tcp_connect_smbd_port(winbind_t)
|
|
corenet_tcp_connect_epmap_port(winbind_t)
|
|
corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
|
@@ -912,10 +919,6 @@ corenet_tcp_connect_all_unreserved_ports(winbind_t)
|
|
dev_read_sysfs(winbind_t)
|
|
dev_read_urand(winbind_t)
|
|
|
|
-domain_use_interactive_fds(winbind_t)
|
|
-
|
|
-files_read_usr_symlinks(winbind_t)
|
|
-files_list_var_lib(winbind_t)
|
|
|
|
fs_getattr_all_fs(winbind_t)
|
|
fs_search_auto_mountpoints(winbind_t)
|
|
@@ -924,26 +927,39 @@ auth_domtrans_chk_passwd(winbind_t)
|
|
auth_use_nsswitch(winbind_t)
|
|
auth_manage_cache(winbind_t)
|
|
|
|
+domain_use_interactive_fds(winbind_t)
|
|
+
|
|
+files_read_usr_symlinks(winbind_t)
|
|
+files_list_var_lib(winbind_t)
|
|
+
|
|
logging_send_syslog_msg(winbind_t)
|
|
|
|
-miscfiles_read_localization(winbind_t)
|
|
miscfiles_read_generic_certs(winbind_t)
|
|
|
|
+sysnet_use_ldap(winbind_t)
|
|
+
|
|
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
|
|
userdom_manage_user_home_content_dirs(winbind_t)
|
|
userdom_manage_user_home_content_files(winbind_t)
|
|
userdom_manage_user_home_content_symlinks(winbind_t)
|
|
userdom_manage_user_home_content_pipes(winbind_t)
|
|
userdom_manage_user_home_content_sockets(winbind_t)
|
|
-userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
|
|
+userdom_filetrans_home_content(winbind_t)
|
|
|
|
optional_policy(`
|
|
ctdbd_stream_connect(winbind_t)
|
|
ctdbd_manage_lib_files(winbind_t)
|
|
+ ctdbd_manage_var_files(winbind_t)
|
|
+')
|
|
+
|
|
+
|
|
+optional_policy(`
|
|
+ dirsrv_stream_connect(winbind_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_use(winbind_t)
|
|
+ kerberos_filetrans_named_content(winbind_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -959,31 +975,29 @@ optional_policy(`
|
|
# Winbind helper local policy
|
|
#
|
|
|
|
-allow winbind_helper_t self:unix_stream_socket { accept listen };
|
|
+allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
|
|
+allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
allow winbind_helper_t samba_etc_t:dir list_dir_perms;
|
|
read_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
|
|
read_lnk_files_pattern(winbind_helper_t, samba_etc_t, samba_etc_t)
|
|
|
|
allow winbind_helper_t samba_var_t:dir search_dir_perms;
|
|
+files_list_var_lib(winbind_helper_t)
|
|
|
|
allow winbind_t smbcontrol_t:process signal;
|
|
|
|
stream_connect_pattern(winbind_helper_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
|
|
|
|
-domain_use_interactive_fds(winbind_helper_t)
|
|
-
|
|
-files_list_var_lib(winbind_helper_t)
|
|
-
|
|
term_list_ptys(winbind_helper_t)
|
|
|
|
+domain_use_interactive_fds(winbind_helper_t)
|
|
+
|
|
auth_use_nsswitch(winbind_helper_t)
|
|
|
|
logging_send_syslog_msg(winbind_helper_t)
|
|
|
|
-miscfiles_read_localization(winbind_helper_t)
|
|
-
|
|
-userdom_use_user_terminals(winbind_helper_t)
|
|
+userdom_use_inherited_user_terminals(winbind_helper_t)
|
|
|
|
optional_policy(`
|
|
apache_append_log(winbind_helper_t)
|
|
@@ -997,25 +1011,38 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Unconfined script local policy
|
|
+# samba_unconfined_script_t local policy
|
|
#
|
|
|
|
optional_policy(`
|
|
- type samba_unconfined_script_t;
|
|
- type samba_unconfined_script_exec_t;
|
|
- domain_type(samba_unconfined_script_t)
|
|
- domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
|
|
- corecmd_shell_entry_type(samba_unconfined_script_t)
|
|
- role system_r types samba_unconfined_script_t;
|
|
+ type samba_unconfined_net_t;
|
|
+ domain_type(samba_unconfined_net_t)
|
|
+ domain_entry_file(samba_unconfined_net_t, samba_net_exec_t)
|
|
+ role system_r types samba_unconfined_net_t;
|
|
+
|
|
+ unconfined_domain(samba_unconfined_net_t)
|
|
+
|
|
+ manage_files_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t)
|
|
+ filetrans_pattern(samba_unconfined_net_t, samba_etc_t, samba_secrets_t, file)
|
|
+ userdom_use_inherited_user_terminals(samba_unconfined_net_t)
|
|
+')
|
|
+
|
|
+type samba_unconfined_script_t;
|
|
+type samba_unconfined_script_exec_t;
|
|
+domain_type(samba_unconfined_script_t)
|
|
+domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
|
|
+corecmd_shell_entry_type(samba_unconfined_script_t)
|
|
+role system_r types samba_unconfined_script_t;
|
|
|
|
- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
|
|
- allow smbd_t samba_unconfined_script_exec_t:file ioctl;
|
|
+allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
|
|
+allow smbd_t samba_unconfined_script_exec_t:file ioctl;
|
|
|
|
+optional_policy(`
|
|
unconfined_domain(samba_unconfined_script_t)
|
|
+')
|
|
|
|
- tunable_policy(`samba_run_unconfined',`
|
|
+tunable_policy(`samba_run_unconfined',`
|
|
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
|
|
- ',`
|
|
- can_exec(smbd_t, samba_unconfined_script_exec_t)
|
|
- ')
|
|
+',`
|
|
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
|
|
')
|
|
diff --git a/sambagui.te b/sambagui.te
|
|
index e18b0a2..463e207 100644
|
|
--- a/sambagui.te
|
|
+++ b/sambagui.te
|
|
@@ -28,14 +28,14 @@ corecmd_exec_shell(sambagui_t)
|
|
|
|
dev_dontaudit_read_urand(sambagui_t)
|
|
|
|
-files_read_usr_files(sambagui_t)
|
|
+files_search_var_lib(sambagui_t)
|
|
|
|
auth_use_nsswitch(sambagui_t)
|
|
auth_dontaudit_read_shadow(sambagui_t)
|
|
|
|
-logging_send_syslog_msg(sambagui_t)
|
|
+init_access_check(sambagui_t)
|
|
|
|
-miscfiles_read_localization(sambagui_t)
|
|
+logging_send_syslog_msg(sambagui_t)
|
|
|
|
sysnet_use_ldap(sambagui_t)
|
|
|
|
@@ -61,6 +61,7 @@ optional_policy(`
|
|
samba_manage_var_files(sambagui_t)
|
|
samba_read_secrets(sambagui_t)
|
|
samba_initrc_domtrans(sambagui_t)
|
|
+ samba_systemctl(sambagui_t)
|
|
samba_domtrans_smbd(sambagui_t)
|
|
samba_domtrans_nmbd(sambagui_t)
|
|
')
|
|
diff --git a/samhain.if b/samhain.if
|
|
index f0236d6..78a792a 100644
|
|
--- a/samhain.if
|
|
+++ b/samhain.if
|
|
@@ -23,6 +23,8 @@ template(`samhain_service_template',`
|
|
files_read_all_files($1_t)
|
|
|
|
mls_file_write_all_levels($1_t)
|
|
+
|
|
+ logging_send_sylog_msg($1_t)
|
|
')
|
|
|
|
########################################
|
|
diff --git a/samhain.te b/samhain.te
|
|
index c41ce4b..8837e4c 100644
|
|
--- a/samhain.te
|
|
+++ b/samhain.te
|
|
@@ -88,8 +88,6 @@ auth_read_login_records(samhain_domain)
|
|
|
|
init_read_utmp(samhain_domain)
|
|
|
|
-logging_send_syslog_msg(samhain_domain)
|
|
-
|
|
########################################
|
|
#
|
|
# Client local policy
|
|
@@ -102,7 +100,7 @@ domain_use_interactive_fds(samhain_t)
|
|
|
|
seutil_sigchld_newrole(samhain_t)
|
|
|
|
-userdom_use_user_terminals(samhain_t)
|
|
+userdom_use_inherited_user_terminals(samhain_t)
|
|
|
|
########################################
|
|
#
|
|
diff --git a/sandbox.fc b/sandbox.fc
|
|
new file mode 100644
|
|
index 0000000..b7db254
|
|
--- /dev/null
|
|
+++ b/sandbox.fc
|
|
@@ -0,0 +1 @@
|
|
+# Empty
|
|
diff --git a/sandbox.if b/sandbox.if
|
|
new file mode 100644
|
|
index 0000000..577dfa7
|
|
--- /dev/null
|
|
+++ b/sandbox.if
|
|
@@ -0,0 +1,55 @@
|
|
+
|
|
+## <summary>policy for sandbox</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute sandbox in the sandbox domain, and
|
|
+## allow the specified role the sandbox domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed the sandbox domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sandbox_transition',`
|
|
+ gen_require(`
|
|
+ attribute sandbox_domain;
|
|
+ ')
|
|
+
|
|
+ allow $1 sandbox_domain:process transition;
|
|
+ dontaudit $1 sandbox_domain:process { noatsecure siginh rlimitinh };
|
|
+ role $2 types sandbox_domain;
|
|
+ allow sandbox_domain $1:process { sigchld signull };
|
|
+ allow sandbox_domain $1:fifo_file rw_inherited_fifo_file_perms;
|
|
+ dontaudit sandbox_domain $1:process signal;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Creates types and rules for a basic
|
|
+## sandbox process domain.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## Prefix for the domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`sandbox_domain_template',`
|
|
+
|
|
+ gen_require(`
|
|
+ attribute sandbox_domain;
|
|
+ ')
|
|
+ type $1_t, sandbox_domain;
|
|
+
|
|
+ application_type($1_t)
|
|
+
|
|
+ mls_rangetrans_target($1_t)
|
|
+ mcs_constrained($1_t)
|
|
+')
|
|
diff --git a/sandbox.te b/sandbox.te
|
|
new file mode 100644
|
|
index 0000000..b12aada
|
|
--- /dev/null
|
|
+++ b/sandbox.te
|
|
@@ -0,0 +1,62 @@
|
|
+policy_module(sandbox,1.0.0)
|
|
+
|
|
+attribute sandbox_domain;
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+sandbox_domain_template(sandbox)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# sandbox local policy
|
|
+#
|
|
+allow sandbox_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
|
|
+tunable_policy(`deny_execmem',`',`
|
|
+ allow sandbox_domain self:process execmem;
|
|
+')
|
|
+
|
|
+allow sandbox_domain self:fifo_file manage_file_perms;
|
|
+allow sandbox_domain self:sem create_sem_perms;
|
|
+allow sandbox_domain self:shm create_shm_perms;
|
|
+allow sandbox_domain self:msgq create_msgq_perms;
|
|
+allow sandbox_domain self:unix_stream_socket create_stream_socket_perms;
|
|
+allow sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
|
|
+dontaudit sandbox_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
|
+
|
|
+dev_rw_all_inherited_chr_files(sandbox_domain)
|
|
+dev_rw_all_inherited_blk_files(sandbox_domain)
|
|
+
|
|
+# sandbox_file_t was moved to sandboxX.te
|
|
+optional_policy(`
|
|
+ sandbox_exec_file(sandbox_domain)
|
|
+ sandbox_manage_content(sandbox_domain)
|
|
+ sandbox_dontaudit_mounton(sandbox_domain)
|
|
+ sandbox_manage_tmpfs_files(sandbox_domain)
|
|
+')
|
|
+
|
|
+gen_require(`
|
|
+ type usr_t, lib_t, locale_t, device_t;
|
|
+ type var_t, var_run_t, rpm_log_t, locale_t;
|
|
+ attribute exec_type, configfile;
|
|
+')
|
|
+
|
|
+kernel_dontaudit_read_system_state(sandbox_domain)
|
|
+
|
|
+corecmd_exec_all_executables(sandbox_domain)
|
|
+
|
|
+dev_dontaudit_getattr_all(sandbox_domain)
|
|
+
|
|
+files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
|
|
+files_entrypoint_all_files(sandbox_domain)
|
|
+
|
|
+files_read_config_files(sandbox_domain)
|
|
+files_read_var_files(sandbox_domain)
|
|
+files_dontaudit_search_all_dirs(sandbox_domain)
|
|
+
|
|
+fs_dontaudit_getattr_all_fs(sandbox_domain)
|
|
+
|
|
+userdom_use_inherited_user_terminals(sandbox_domain)
|
|
+
|
|
+mta_dontaudit_read_spool_symlinks(sandbox_domain)
|
|
diff --git a/sandboxX.fc b/sandboxX.fc
|
|
new file mode 100644
|
|
index 0000000..6caef63
|
|
--- /dev/null
|
|
+++ b/sandboxX.fc
|
|
@@ -0,0 +1,2 @@
|
|
+
|
|
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
|
|
diff --git a/sandboxX.if b/sandboxX.if
|
|
new file mode 100644
|
|
index 0000000..5da5bff
|
|
--- /dev/null
|
|
+++ b/sandboxX.if
|
|
@@ -0,0 +1,392 @@
|
|
+
|
|
+## <summary>policy for sandboxX </summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute sandbox in the sandbox domain, and
|
|
+## allow the specified role the sandbox domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed the sandbox domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sandbox_x_transition',`
|
|
+ gen_require(`
|
|
+ type sandbox_xserver_t;
|
|
+ type sandbox_file_t;
|
|
+ attribute sandbox_x_domain;
|
|
+ attribute sandbox_tmpfs_type;
|
|
+ ')
|
|
+
|
|
+ allow $1 sandbox_x_domain:process { signal_perms transition };
|
|
+ dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
|
|
+ allow sandbox_x_domain $1:process { sigchld signull };
|
|
+ allow { sandbox_x_domain sandbox_xserver_t } $1:fd use;
|
|
+ role $2 types sandbox_x_domain;
|
|
+ role $2 types sandbox_xserver_t;
|
|
+ allow $1 sandbox_xserver_t:process signal_perms;
|
|
+ dontaudit sandbox_xserver_t $1:fifo_file rw_inherited_fifo_file_perms;
|
|
+ dontaudit sandbox_xserver_t $1:tcp_socket rw_socket_perms;
|
|
+ dontaudit sandbox_xserver_t $1:udp_socket rw_socket_perms;
|
|
+ allow sandbox_xserver_t $1:unix_stream_socket { connectto rw_socket_perms };
|
|
+ dontaudit sandbox_xserver_t $1:file read;
|
|
+ allow sandbox_x_domain sandbox_x_domain:process signal;
|
|
+ # Dontaudit leaked file descriptors
|
|
+ dontaudit sandbox_x_domain $1:fifo_file { read write };
|
|
+ dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
|
|
+ dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
|
|
+ dontaudit sandbox_x_domain $1:unix_stream_socket { read write };
|
|
+ dontaudit sandbox_x_domain $1:process { signal sigkill };
|
|
+
|
|
+ allow $1 sandbox_tmpfs_type:file manage_file_perms;
|
|
+ dontaudit $1 sandbox_tmpfs_type:file manage_file_perms;
|
|
+
|
|
+ can_exec($1, sandbox_file_t)
|
|
+ allow $1 sandbox_file_t:filesystem getattr;
|
|
+ manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
+ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
+ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
+ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
+ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
+ relabel_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
+ relabel_files_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
+ relabel_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
+ relabel_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
+ relabel_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Creates types and rules for a basic
|
|
+## sandbox process domain.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## Prefix for the domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`sandbox_x_domain_template',`
|
|
+ gen_require(`
|
|
+ type xserver_exec_t, sandbox_devpts_t;
|
|
+ type sandbox_xserver_t;
|
|
+ type sandbox_exec_t;
|
|
+ attribute sandbox_x_domain;
|
|
+ attribute sandbox_tmpfs_type;
|
|
+ attribute sandbox_type;
|
|
+ ')
|
|
+
|
|
+ type $1_t, sandbox_x_domain, sandbox_type;
|
|
+ application_type($1_t)
|
|
+ mcs_constrained($1_t)
|
|
+
|
|
+ kernel_read_system_state($1_t)
|
|
+ selinux_get_fs_mount($1_t)
|
|
+
|
|
+ auth_use_nsswitch($1_t)
|
|
+
|
|
+ logging_send_syslog_msg($1_t)
|
|
+
|
|
+ # window manager
|
|
+ miscfiles_setattr_fonts_cache_dirs($1_t)
|
|
+ allow $1_t self:capability setuid;
|
|
+
|
|
+ type $1_client_t, sandbox_x_domain;
|
|
+ application_type($1_client_t)
|
|
+ kernel_read_system_state($1_client_t)
|
|
+
|
|
+ mcs_constrained($1_t)
|
|
+
|
|
+ type $1_client_tmpfs_t, sandbox_tmpfs_type;
|
|
+ files_tmpfs_file($1_client_tmpfs_t)
|
|
+
|
|
+ manage_files_pattern($1_client_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
|
|
+ manage_files_pattern($1_t, $1_client_tmpfs_t, $1_client_tmpfs_t)
|
|
+ fs_tmpfs_filetrans($1_client_t, $1_client_tmpfs_t, file )
|
|
+ fs_tmpfs_filetrans($1_t, $1_client_tmpfs_t, file )
|
|
+ # Pulseaudio tmpfs files with different MCS labels
|
|
+ dontaudit $1_client_t $1_client_tmpfs_t:file { read write };
|
|
+ dontaudit $1_t $1_client_tmpfs_t:file { read write };
|
|
+ allow sandbox_xserver_t $1_client_tmpfs_t:file { read write };
|
|
+
|
|
+ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
|
|
+ allow $1_t sandbox_xserver_t:process signal_perms;
|
|
+
|
|
+ domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)
|
|
+ domain_entry_file($1_client_t, sandbox_exec_t)
|
|
+
|
|
+ ps_process_pattern(sandbox_xserver_t, $1_client_t)
|
|
+ ps_process_pattern(sandbox_xserver_t, $1_t)
|
|
+ allow sandbox_xserver_t $1_client_t:shm rw_shm_perms;
|
|
+ allow sandbox_xserver_t $1_t:shm rw_shm_perms;
|
|
+ allow $1_client_t $1_t:unix_stream_socket connectto;
|
|
+ allow $1_t $1_client_t:unix_stream_socket connectto;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## allow domain to read,
|
|
+## write sandbox_xserver tmp files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sandbox_rw_xserver_tmpfs_files',`
|
|
+ gen_require(`
|
|
+ type sandbox_xserver_tmpfs_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 sandbox_xserver_tmpfs_t:file rw_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## allow domain to read
|
|
+## sandbox tmpfs files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sandbox_read_tmpfs_files',`
|
|
+ gen_require(`
|
|
+ attribute sandbox_tmpfs_type;
|
|
+ ')
|
|
+
|
|
+ allow $1 sandbox_tmpfs_type:file read_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## allow domain to manage
|
|
+## sandbox tmpfs files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sandbox_manage_tmpfs_files',`
|
|
+ gen_require(`
|
|
+ attribute sandbox_tmpfs_type;
|
|
+ ')
|
|
+
|
|
+ allow $1 sandbox_tmpfs_type:file manage_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Delete sandbox files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sandbox_delete_files',`
|
|
+ gen_require(`
|
|
+ type sandbox_file_t;
|
|
+ ')
|
|
+
|
|
+ delete_files_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage sandbox content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sandbox_manage_content',`
|
|
+ gen_require(`
|
|
+ type sandbox_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 sandbox_file_t:filesystem getattr;
|
|
+ manage_files_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
+ manage_dirs_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
+ manage_sock_files_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
+ manage_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
+ manage_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t);
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Delete sandbox symbolic links
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sandbox_delete_lnk_files',`
|
|
+ gen_require(`
|
|
+ type sandbox_file_t;
|
|
+ ')
|
|
+
|
|
+ delete_lnk_files_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Delete sandbox fifo files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sandbox_delete_pipes',`
|
|
+ gen_require(`
|
|
+ type sandbox_file_t;
|
|
+ ')
|
|
+
|
|
+ delete_fifo_files_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Delete sandbox sock files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sandbox_delete_sock_files',`
|
|
+ gen_require(`
|
|
+ type sandbox_file_t;
|
|
+ ')
|
|
+
|
|
+ delete_sock_files_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow domain to set the attributes
|
|
+## of the sandbox directory.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sandbox_setattr_dirs',`
|
|
+ gen_require(`
|
|
+ type sandbox_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 sandbox_file_t:dir setattr;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Delete sandbox directories
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sandbox_delete_dirs',`
|
|
+ gen_require(`
|
|
+ type sandbox_file_t;
|
|
+ ')
|
|
+
|
|
+ delete_dirs_pattern($1, sandbox_file_t, sandbox_file_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## allow domain to list sandbox dirs
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sandbox_list',`
|
|
+ gen_require(`
|
|
+ type sandbox_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 sandbox_file_t:dir list_dir_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read and write a sandbox domain pty.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sandbox_use_ptys',`
|
|
+ gen_require(`
|
|
+ type sandbox_devpts_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 sandbox_devpts_t:chr_file rw_inherited_term_perms;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow domain to execute sandbox_file_t in the caller domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sandbox_exec_file',`
|
|
+ gen_require(`
|
|
+ type sandbox_file_t;
|
|
+ ')
|
|
+
|
|
+ can_exec($1, sandbox_file_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Allow domain to execute sandbox_file_t in the caller domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sandbox_dontaudit_mounton',`
|
|
+ gen_require(`
|
|
+ type sandbox_file_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 sandbox_file_t:dir mounton;
|
|
+')
|
|
diff --git a/sandboxX.te b/sandboxX.te
|
|
new file mode 100644
|
|
index 0000000..710df6b
|
|
--- /dev/null
|
|
+++ b/sandboxX.te
|
|
@@ -0,0 +1,483 @@
|
|
+policy_module(sandboxX,1.0.0)
|
|
+
|
|
+dbus_stub()
|
|
+attribute sandbox_x_domain;
|
|
+attribute sandbox_web_type;
|
|
+attribute sandbox_file_type;
|
|
+attribute sandbox_tmpfs_type;
|
|
+attribute sandbox_type;
|
|
+
|
|
+type sandbox_exec_t;
|
|
+files_type(sandbox_exec_t)
|
|
+
|
|
+type sandbox_file_t, sandbox_file_type;
|
|
+userdom_user_home_content(sandbox_file_t)
|
|
+
|
|
+typealias sandbox_file_t alias { sandbox_x_file_t sandbox_web_file_t sandbox_net_file_t sandbox_min_file_t };
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+sandbox_x_domain_template(sandbox_min)
|
|
+sandbox_x_domain_template(sandbox_x)
|
|
+sandbox_x_domain_template(sandbox_web)
|
|
+sandbox_x_domain_template(sandbox_net)
|
|
+
|
|
+type sandbox_xserver_t;
|
|
+domain_type(sandbox_xserver_t)
|
|
+xserver_user_x_domain_template(sandbox_xserver, sandbox_xserver_t, sandbox_xserver_tmpfs_t)
|
|
+
|
|
+type sandbox_xserver_tmpfs_t;
|
|
+files_tmpfs_file(sandbox_xserver_tmpfs_t)
|
|
+
|
|
+type sandbox_devpts_t;
|
|
+term_pty(sandbox_devpts_t)
|
|
+files_type(sandbox_devpts_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# sandbox xserver policy
|
|
+#
|
|
+allow sandbox_xserver_t self:process { signal_perms execstack };
|
|
+
|
|
+tunable_policy(`deny_execmem',`',`
|
|
+ allow sandbox_xserver_t self:process execmem;
|
|
+')
|
|
+
|
|
+allow sandbox_xserver_t self:fifo_file manage_fifo_file_perms;
|
|
+allow sandbox_xserver_t self:shm create_shm_perms;
|
|
+allow sandbox_xserver_t self:tcp_socket create_stream_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
|
|
+manage_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
|
|
+manage_sock_files_pattern(sandbox_xserver_t, sandbox_file_t, sandbox_file_t)
|
|
+allow sandbox_xserver_t sandbox_file_t:sock_file create_sock_file_perms;
|
|
+
|
|
+manage_dirs_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
|
|
+manage_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
|
|
+manage_lnk_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
|
|
+manage_fifo_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
|
|
+manage_sock_files_pattern(sandbox_xserver_t, sandbox_xserver_tmpfs_t, sandbox_xserver_tmpfs_t)
|
|
+fs_tmpfs_filetrans(sandbox_xserver_t, sandbox_xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
|
|
+
|
|
+kernel_dontaudit_request_load_module(sandbox_xserver_t)
|
|
+kernel_read_system_state(sandbox_xserver_t)
|
|
+
|
|
+corecmd_exec_bin(sandbox_xserver_t)
|
|
+corecmd_exec_shell(sandbox_xserver_t)
|
|
+
|
|
+corenet_all_recvfrom_netlabel(sandbox_xserver_t)
|
|
+corenet_tcp_sendrecv_generic_if(sandbox_xserver_t)
|
|
+corenet_udp_sendrecv_generic_if(sandbox_xserver_t)
|
|
+corenet_tcp_sendrecv_generic_node(sandbox_xserver_t)
|
|
+corenet_udp_sendrecv_generic_node(sandbox_xserver_t)
|
|
+corenet_tcp_sendrecv_all_ports(sandbox_xserver_t)
|
|
+corenet_udp_sendrecv_all_ports(sandbox_xserver_t)
|
|
+corenet_tcp_bind_generic_node(sandbox_xserver_t)
|
|
+corenet_tcp_bind_xserver_port(sandbox_xserver_t)
|
|
+corenet_sendrecv_xserver_server_packets(sandbox_xserver_t)
|
|
+corenet_sendrecv_all_client_packets(sandbox_xserver_t)
|
|
+
|
|
+dev_read_sysfs(sandbox_xserver_t)
|
|
+dev_rwx_zero(sandbox_xserver_t)
|
|
+dev_read_urand(sandbox_xserver_t)
|
|
+
|
|
+domain_use_interactive_fds(sandbox_xserver_t)
|
|
+
|
|
+files_read_config_files(sandbox_xserver_t)
|
|
+files_search_home(sandbox_xserver_t)
|
|
+fs_dontaudit_rw_tmpfs_files(sandbox_xserver_t)
|
|
+fs_list_inotifyfs(sandbox_xserver_t)
|
|
+fs_search_auto_mountpoints(sandbox_xserver_t)
|
|
+
|
|
+miscfiles_read_fonts(sandbox_xserver_t)
|
|
+
|
|
+selinux_validate_context(sandbox_xserver_t)
|
|
+selinux_compute_access_vector(sandbox_xserver_t)
|
|
+selinux_compute_create_context(sandbox_xserver_t)
|
|
+
|
|
+auth_use_nsswitch(sandbox_xserver_t)
|
|
+
|
|
+logging_send_syslog_msg(sandbox_xserver_t)
|
|
+logging_send_audit_msgs(sandbox_xserver_t)
|
|
+
|
|
+userdom_use_inherited_user_terminals(sandbox_xserver_t)
|
|
+userdom_dontaudit_search_user_home_content(sandbox_xserver_t)
|
|
+userdom_dontaudit_rw_user_tmp_pipes(sandbox_xserver_t)
|
|
+
|
|
+xserver_read_xkb_libs(sandbox_xserver_t)
|
|
+xserver_dontaudit_xkb_libs_access(sandbox_xserver_t)
|
|
+xserver_entry_type(sandbox_xserver_t)
|
|
+
|
|
+optional_policy(`
|
|
+ dbus_system_bus_client(sandbox_xserver_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ hal_dbus_chat(sandbox_xserver_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# sandbox_x_domain local policy
|
|
+#
|
|
+allow sandbox_x_domain self:process { getattr signal_perms getsched setsched setpgid execstack };
|
|
+tunable_policy(`deny_execmem',`',`
|
|
+ allow sandbox_x_domain self:process execmem;
|
|
+')
|
|
+
|
|
+allow sandbox_x_domain self:fifo_file manage_file_perms;
|
|
+allow sandbox_x_domain self:sem create_sem_perms;
|
|
+allow sandbox_x_domain self:shm create_shm_perms;
|
|
+allow sandbox_x_domain self:msgq create_msgq_perms;
|
|
+allow sandbox_x_domain self:netlink_selinux_socket create_socket_perms;
|
|
+allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms };
|
|
+allow sandbox_x_domain self:unix_stream_socket { connectto create_stream_socket_perms };
|
|
+
|
|
+dontaudit sandbox_x_domain sandbox_x_domain:process signal;
|
|
+dontaudit sandbox_x_domain sandbox_xserver_t:process signal;
|
|
+dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
|
+
|
|
+allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
|
|
+
|
|
+allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr };
|
|
+term_create_pty(sandbox_x_domain,sandbox_devpts_t)
|
|
+
|
|
+can_exec(sandbox_x_domain, sandbox_file_t)
|
|
+allow sandbox_x_domain sandbox_file_t:filesystem getattr;
|
|
+manage_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
|
|
+manage_dirs_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
|
|
+manage_sock_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
|
|
+manage_fifo_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
|
|
+manage_lnk_files_pattern(sandbox_x_domain, sandbox_file_t, sandbox_file_t);
|
|
+dontaudit sandbox_x_domain sandbox_file_t:dir mounton;
|
|
+
|
|
+kernel_getattr_proc(sandbox_x_domain)
|
|
+kernel_read_network_state(sandbox_x_domain)
|
|
+kernel_dontaudit_search_kernel_sysctl(sandbox_x_domain)
|
|
+
|
|
+domain_dontaudit_read_all_domains_state(sandbox_x_domain)
|
|
+
|
|
+corecmd_exec_all_executables(sandbox_x_domain)
|
|
+
|
|
+dev_read_urand(sandbox_x_domain)
|
|
+dev_dontaudit_read_rand(sandbox_x_domain)
|
|
+dev_read_sysfs(sandbox_x_domain)
|
|
+dev_dontaudit_rw_dri(sandbox_x_domain)
|
|
+
|
|
+files_search_home(sandbox_x_domain)
|
|
+files_dontaudit_list_all_mountpoints(sandbox_x_domain)
|
|
+files_entrypoint_all_files(sandbox_x_domain)
|
|
+files_read_config_files(sandbox_x_domain)
|
|
+files_read_usr_symlinks(sandbox_x_domain)
|
|
+
|
|
+fs_getattr_tmpfs(sandbox_x_domain)
|
|
+fs_getattr_xattr_fs(sandbox_x_domain)
|
|
+fs_list_inotifyfs(sandbox_x_domain)
|
|
+fs_dontaudit_getattr_xattr_fs(sandbox_x_domain)
|
|
+# Random tmpfs_t that gets created when you run X.
|
|
+fs_rw_tmpfs_files(sandbox_x_domain)
|
|
+fs_get_xattr_fs_quotas(sandbox_x_domain)
|
|
+
|
|
+auth_dontaudit_read_login_records(sandbox_x_domain)
|
|
+auth_dontaudit_write_login_records(sandbox_x_domain)
|
|
+auth_search_pam_console_data(sandbox_x_domain)
|
|
+
|
|
+init_read_utmp(sandbox_x_domain)
|
|
+init_dontaudit_write_utmp(sandbox_x_domain)
|
|
+
|
|
+libs_dontaudit_setattr_lib_files(sandbox_x_domain)
|
|
+
|
|
+miscfiles_dontaudit_setattr_fonts_cache_dirs(sandbox_x_domain)
|
|
+
|
|
+mta_dontaudit_read_spool_symlinks(sandbox_x_domain)
|
|
+
|
|
+selinux_validate_context(sandbox_x_domain)
|
|
+selinux_compute_access_vector(sandbox_x_domain)
|
|
+selinux_compute_create_context(sandbox_x_domain)
|
|
+selinux_compute_relabel_context(sandbox_x_domain)
|
|
+selinux_compute_user_contexts(sandbox_x_domain)
|
|
+seutil_read_default_contexts(sandbox_x_domain)
|
|
+
|
|
+term_getattr_pty_fs(sandbox_x_domain)
|
|
+term_use_ptmx(sandbox_x_domain)
|
|
+term_search_ptys(sandbox_x_domain)
|
|
+
|
|
+application_dontaudit_signal(sandbox_x_domain)
|
|
+application_dontaudit_sigkill(sandbox_x_domain)
|
|
+
|
|
+logging_dontaudit_search_logs(sandbox_x_domain)
|
|
+
|
|
+miscfiles_read_fonts(sandbox_x_domain)
|
|
+
|
|
+storage_dontaudit_rw_fuse(sandbox_x_domain)
|
|
+
|
|
+optional_policy(`
|
|
+ consolekit_dbus_chat(sandbox_x_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ cups_stream_connect(sandbox_x_domain)
|
|
+ cups_read_rw_config(sandbox_x_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dbus_system_bus_client(sandbox_x_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ devicekit_dontaudit_dbus_chat_disk(sandbox_x_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ gnome_read_gconf_config(sandbox_x_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ nscd_dontaudit_search_pid(sandbox_x_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ sssd_dontaudit_search_lib(sandbox_x_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ udev_read_db(sandbox_x_domain)
|
|
+')
|
|
+
|
|
+userdom_use_inherited_user_terminals(sandbox_x_domain)
|
|
+userdom_read_user_home_content_symlinks(sandbox_x_domain)
|
|
+userdom_search_user_home_content(sandbox_x_domain)
|
|
+userdom_dontaudit_rw_user_tmp_pipes(sandbox_x_domain)
|
|
+
|
|
+fs_search_auto_mountpoints(sandbox_x_domain)
|
|
+fs_read_hugetlbfs_files(sandbox_x_domain)
|
|
+
|
|
+tunable_policy(`use_nfs_home_dirs',`
|
|
+ fs_search_auto_mountpoints(sandbox_x_domain)
|
|
+ fs_search_nfs(sandbox_xserver_t)
|
|
+ fs_read_nfs_files(sandbox_xserver_t)
|
|
+ fs_manage_nfs_dirs(sandbox_x_domain)
|
|
+ fs_manage_nfs_files(sandbox_x_domain)
|
|
+ fs_exec_nfs_files(sandbox_x_domain)
|
|
+')
|
|
+
|
|
+tunable_policy(`use_samba_home_dirs',`
|
|
+ fs_search_cifs(sandbox_xserver_t)
|
|
+ fs_read_cifs_files(sandbox_xserver_t)
|
|
+ fs_manage_cifs_dirs(sandbox_x_domain)
|
|
+ fs_manage_cifs_files(sandbox_x_domain)
|
|
+ fs_exec_cifs_files(sandbox_x_domain)
|
|
+')
|
|
+
|
|
+tunable_policy(`use_fusefs_home_dirs',`
|
|
+ fs_search_fusefs(sandbox_xserver_t)
|
|
+ fs_read_fusefs_files(sandbox_xserver_t)
|
|
+ fs_manage_fusefs_dirs(sandbox_x_domain)
|
|
+ fs_manage_fusefs_files(sandbox_x_domain)
|
|
+ fs_exec_fusefs_files(sandbox_x_domain)
|
|
+')
|
|
+
|
|
+files_search_home(sandbox_x_t)
|
|
+userdom_use_user_ptys(sandbox_x_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# sandbox_x_client_t local policy
|
|
+#
|
|
+allow sandbox_x_client_t self:tcp_socket create_stream_socket_perms;
|
|
+allow sandbox_x_client_t self:udp_socket create_socket_perms;
|
|
+allow sandbox_x_client_t self:dbus { acquire_svc send_msg };
|
|
+
|
|
+dev_read_rand(sandbox_x_client_t)
|
|
+
|
|
+corenet_tcp_connect_ipp_port(sandbox_x_client_t)
|
|
+corenet_dontaudit_tcp_connect_xserver_port(sandbox_x_client_t)
|
|
+
|
|
+auth_use_nsswitch(sandbox_x_client_t)
|
|
+
|
|
+logging_send_syslog_msg(sandbox_x_client_t)
|
|
+
|
|
+optional_policy(`
|
|
+ colord_dbus_chat(sandbox_x_client_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ hal_dbus_chat(sandbox_x_client_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ nsplugin_read_rw_files(sandbox_x_client_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# sandbox_web_client_t local policy
|
|
+#
|
|
+typeattribute sandbox_web_client_t sandbox_web_type;
|
|
+
|
|
+selinux_get_fs_mount(sandbox_web_client_t)
|
|
+
|
|
+auth_use_nsswitch(sandbox_web_client_t)
|
|
+
|
|
+logging_send_syslog_msg(sandbox_web_client_t)
|
|
+
|
|
+allow sandbox_web_type self:capability { setuid setgid };
|
|
+allow sandbox_web_type self:netlink_audit_socket nlmsg_relay;
|
|
+dontaudit sandbox_web_type self:process setrlimit;
|
|
+
|
|
+allow sandbox_web_type self:tcp_socket create_stream_socket_perms;
|
|
+allow sandbox_web_type self:udp_socket create_socket_perms;
|
|
+allow sandbox_web_type self:dbus { acquire_svc send_msg };
|
|
+
|
|
+kernel_dontaudit_search_kernel_sysctl(sandbox_web_type)
|
|
+kernel_request_load_module(sandbox_web_type)
|
|
+
|
|
+dev_read_rand(sandbox_web_type)
|
|
+dev_write_sound(sandbox_web_type)
|
|
+dev_read_sound(sandbox_web_type)
|
|
+
|
|
+corenet_tcp_sendrecv_generic_if(sandbox_web_type)
|
|
+corenet_raw_sendrecv_generic_if(sandbox_web_type)
|
|
+corenet_tcp_sendrecv_generic_node(sandbox_web_type)
|
|
+corenet_raw_sendrecv_generic_node(sandbox_web_type)
|
|
+corenet_tcp_sendrecv_http_port(sandbox_web_type)
|
|
+corenet_tcp_sendrecv_http_cache_port(sandbox_web_type)
|
|
+corenet_tcp_sendrecv_squid_port(sandbox_web_type)
|
|
+corenet_tcp_sendrecv_ftp_port(sandbox_web_type)
|
|
+corenet_tcp_sendrecv_ipp_port(sandbox_web_type)
|
|
+corenet_tcp_connect_all_ephemeral_ports(sandbox_web_type)
|
|
+corenet_tcp_connect_aol_port(sandbox_web_type)
|
|
+corenet_tcp_connect_asterisk_port(sandbox_web_type)
|
|
+corenet_tcp_connect_commplex_link_port(sandbox_web_type)
|
|
+corenet_tcp_connect_couchdb_port(sandbox_web_type)
|
|
+corenet_tcp_connect_flash_port(sandbox_web_type)
|
|
+corenet_tcp_connect_ftp_port(sandbox_web_type)
|
|
+corenet_tcp_connect_gatekeeper_port(sandbox_web_type)
|
|
+corenet_tcp_connect_generic_port(sandbox_web_type)
|
|
+corenet_tcp_connect_http_cache_port(sandbox_web_type)
|
|
+corenet_tcp_connect_http_port(sandbox_web_type)
|
|
+corenet_tcp_connect_ipp_port(sandbox_web_type)
|
|
+corenet_tcp_connect_ipsecnat_port(sandbox_web_type)
|
|
+corenet_tcp_connect_ircd_port(sandbox_web_type)
|
|
+corenet_tcp_connect_jabber_client_port(sandbox_web_type)
|
|
+corenet_tcp_connect_jboss_management_port(sandbox_web_type)
|
|
+corenet_tcp_connect_mmcc_port(sandbox_web_type)
|
|
+corenet_tcp_connect_monopd_port(sandbox_web_type)
|
|
+corenet_tcp_connect_msnp_port(sandbox_web_type)
|
|
+corenet_tcp_connect_ms_streaming_port(sandbox_web_type)
|
|
+corenet_tcp_connect_pulseaudio_port(sandbox_web_type)
|
|
+corenet_tcp_connect_rtsp_port(sandbox_web_type)
|
|
+corenet_tcp_connect_soundd_port(sandbox_web_type)
|
|
+corenet_tcp_connect_speech_port(sandbox_web_type)
|
|
+corenet_tcp_connect_squid_port(sandbox_web_type)
|
|
+corenet_tcp_connect_tor_port(sandbox_web_type)
|
|
+corenet_tcp_connect_transproxy_port(sandbox_web_type)
|
|
+corenet_tcp_connect_vnc_port(sandbox_web_type)
|
|
+corenet_tcp_connect_whois_port(sandbox_web_type)
|
|
+corenet_sendrecv_http_client_packets(sandbox_web_type)
|
|
+corenet_sendrecv_http_cache_client_packets(sandbox_web_type)
|
|
+corenet_sendrecv_squid_client_packets(sandbox_web_type)
|
|
+corenet_sendrecv_ftp_client_packets(sandbox_web_type)
|
|
+corenet_sendrecv_ipp_client_packets(sandbox_web_type)
|
|
+corenet_sendrecv_generic_client_packets(sandbox_web_type)
|
|
+corenet_dontaudit_tcp_connect_xserver_port(sandbox_web_type)
|
|
+
|
|
+corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
|
|
+corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
|
|
+
|
|
+files_dontaudit_getattr_all_dirs(sandbox_web_type)
|
|
+
|
|
+fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type)
|
|
+fs_dontaudit_getattr_all_fs(sandbox_web_type)
|
|
+
|
|
+storage_dontaudit_getattr_fixed_disk_dev(sandbox_web_type)
|
|
+
|
|
+dbus_system_bus_client(sandbox_web_type)
|
|
+dbus_read_config(sandbox_web_type)
|
|
+selinux_validate_context(sandbox_web_type)
|
|
+selinux_compute_access_vector(sandbox_web_type)
|
|
+selinux_compute_create_context(sandbox_web_type)
|
|
+selinux_compute_relabel_context(sandbox_web_type)
|
|
+selinux_compute_user_contexts(sandbox_web_type)
|
|
+seutil_read_default_contexts(sandbox_web_type)
|
|
+
|
|
+userdom_rw_user_tmpfs_files(sandbox_web_type)
|
|
+userdom_delete_user_tmpfs_files(sandbox_web_type)
|
|
+
|
|
+optional_policy(`
|
|
+ alsa_read_rw_config(sandbox_web_type)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ bluetooth_dontaudit_dbus_chat(sandbox_web_type)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ hal_dbus_chat(sandbox_web_type)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ chrome_domtrans_sandbox(sandbox_web_type)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ nsplugin_manage_rw(sandbox_web_type)
|
|
+ nsplugin_read_rw_files(sandbox_web_type)
|
|
+ nsplugin_rw_exec(sandbox_web_type)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ pulseaudio_stream_connect(sandbox_web_type)
|
|
+ allow sandbox_web_type self:netlink_kobject_uevent_socket create_socket_perms;
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rtkit_daemon_dontaudit_dbus_chat(sandbox_web_type)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ # needed by pulseaudio
|
|
+ systemd_read_logind_sessions_files(sandbox_web_type)
|
|
+ systemd_login_read_pid_files(sandbox_web_type)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ networkmanager_dontaudit_dbus_chat(sandbox_web_type)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ udev_read_state(sandbox_web_type)
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# sandbox_net_client_t local policy
|
|
+#
|
|
+typeattribute sandbox_net_client_t sandbox_web_type;
|
|
+
|
|
+corenet_tcp_sendrecv_generic_if(sandbox_net_client_t)
|
|
+corenet_udp_sendrecv_generic_if(sandbox_net_client_t)
|
|
+corenet_tcp_sendrecv_generic_node(sandbox_net_client_t)
|
|
+corenet_udp_sendrecv_generic_node(sandbox_net_client_t)
|
|
+corenet_tcp_sendrecv_all_ports(sandbox_net_client_t)
|
|
+corenet_udp_sendrecv_all_ports(sandbox_net_client_t)
|
|
+corenet_tcp_connect_all_ports(sandbox_net_client_t)
|
|
+corenet_sendrecv_all_client_packets(sandbox_net_client_t)
|
|
+
|
|
+selinux_get_fs_mount(sandbox_net_client_t)
|
|
+
|
|
+auth_use_nsswitch(sandbox_net_client_t)
|
|
+
|
|
+logging_send_syslog_msg(sandbox_net_client_t)
|
|
+
|
|
+optional_policy(`
|
|
+ mozilla_plugin_rw_tmpfs_files(sandbox_x_domain)
|
|
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_t)
|
|
+ mozilla_dontaudit_rw_user_home_files(sandbox_xserver_t)
|
|
+ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain)
|
|
+ mozilla_plugin_dontaudit_rw_sem(sandbox_x_domain)
|
|
+ mozilla_plugin_dontaudit_leaks(sandbox_x_domain)
|
|
+')
|
|
+userdom_dontaudit_open_user_ptys(sandbox_x_domain)
|
|
diff --git a/sanlock.fc b/sanlock.fc
|
|
index 3df2a0f..9059165 100644
|
|
--- a/sanlock.fc
|
|
+++ b/sanlock.fc
|
|
@@ -1,7 +1,10 @@
|
|
+
|
|
/etc/rc\.d/init\.d/sanlock -- gen_context(system_u:object_r:sanlock_initrc_exec_t,s0)
|
|
|
|
-/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
|
|
+/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
|
|
+
|
|
+/var/log/sanlock\.log.* gen_context(system_u:object_r:sanlock_log_t,s0)
|
|
|
|
-/var/run/sanlock(/.*)? gen_context(system_u:object_r:sanlock_var_run_t,s0)
|
|
+/usr/sbin/sanlock -- gen_context(system_u:object_r:sanlock_exec_t,s0)
|
|
|
|
-/var/log/sanlock\.log.* -- gen_context(system_u:object_r:sanlock_log_t,s0)
|
|
+/usr/lib/systemd/system/sanlock\.service -- gen_context(system_u:object_r:sanlock_unit_file_t,s0)
|
|
diff --git a/sanlock.if b/sanlock.if
|
|
index cd6c213..34b861a 100644
|
|
--- a/sanlock.if
|
|
+++ b/sanlock.if
|
|
@@ -1,4 +1,5 @@
|
|
-## <summary>shared storage lock manager.</summary>
|
|
+
|
|
+## <summary>policy for sanlock</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -15,18 +16,17 @@ interface(`sanlock_domtrans',`
|
|
type sanlock_t, sanlock_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, sanlock_exec_t, sanlock_t)
|
|
')
|
|
|
|
+
|
|
########################################
|
|
## <summary>
|
|
-## Execute sanlock init scripts in
|
|
-## the initrc domain.
|
|
+## Execute sanlock server in the sanlock domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## The type of the process performing this action.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
@@ -40,8 +40,7 @@ interface(`sanlock_initrc_domtrans',`
|
|
|
|
######################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## sanlock pid files.
|
|
+## Create, read, write, and delete sanlock PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -60,28 +59,50 @@ interface(`sanlock_manage_pid_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to sanlock with a unix
|
|
-## domain stream socket.
|
|
+## Connect to sanlock over a unix stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sanlock_stream_connect',`
|
|
+ gen_require(`
|
|
+ type sanlock_t, sanlock_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute virt server in the virt domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`sanlock_stream_connect',`
|
|
+interface(`sanlock_systemctl',`
|
|
gen_require(`
|
|
- type sanlock_t, sanlock_var_run_t;
|
|
+ type sanlock_unit_file_t;
|
|
+ type sanlock_t;
|
|
')
|
|
|
|
- files_search_pids($1)
|
|
- stream_connect_pattern($1, sanlock_var_run_t, sanlock_var_run_t, sanlock_t)
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 sanlock_unit_file_t:file read_file_perms;
|
|
+ allow $1 sanlock_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, sanlock_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an sanlock environment.
|
|
+## All of the rules required to administrate
|
|
+## an sanlock environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -97,21 +118,23 @@ interface(`sanlock_stream_connect',`
|
|
#
|
|
interface(`sanlock_admin',`
|
|
gen_require(`
|
|
- type sanlock_t, sanlock_initrc_exec_t, sanlock_var_run_t;
|
|
- type sanlock_log_t;
|
|
+ type sanlock_t;
|
|
+ type sanlock_initrc_exec_t;
|
|
+ type sanlock_unit_file_t;
|
|
')
|
|
|
|
- allow $1 sanlock_t:process { ptrace signal_perms };
|
|
+ allow $1 sanlock_t:process signal_perms;
|
|
ps_process_pattern($1, sanlock_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 sanlock_t:process ptrace;
|
|
+ ')
|
|
|
|
sanlock_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 sanlock_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, sanlock_var_run_t)
|
|
-
|
|
- logging_search_logs($1)
|
|
- admin_pattern($1, sanlock_log_t)
|
|
+ virt_systemctl($1)
|
|
+ admin_pattern($1, sanlock_unit_file_t)
|
|
+ allow $1 sanlock_unit_file_t:service all_service_perms;
|
|
')
|
|
diff --git a/sanlock.te b/sanlock.te
|
|
index 0045465..7d3129e 100644
|
|
--- a/sanlock.te
|
|
+++ b/sanlock.te
|
|
@@ -6,21 +6,26 @@ policy_module(sanlock, 1.1.0)
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether sanlock can use
|
|
-## nfs file systems.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow sanlock to manage nfs files
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(sanlock_use_nfs, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether sanlock can use
|
|
-## cifs file systems.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow sanlock to manage cifs files
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(sanlock_use_samba, false)
|
|
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow sanlock to read/write fuse files
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(sanlock_use_fusefs, false)
|
|
+
|
|
type sanlock_t;
|
|
type sanlock_exec_t;
|
|
init_daemon_domain(sanlock_t, sanlock_exec_t)
|
|
@@ -34,6 +39,9 @@ logging_log_file(sanlock_log_t)
|
|
type sanlock_initrc_exec_t;
|
|
init_script_file(sanlock_initrc_exec_t)
|
|
|
|
+type sanlock_unit_file_t;
|
|
+systemd_unit_file(sanlock_unit_file_t)
|
|
+
|
|
ifdef(`enable_mcs',`
|
|
init_ranged_daemon_domain(sanlock_t, sanlock_exec_t, s0 - mcs_systemhigh)
|
|
')
|
|
@@ -44,17 +52,15 @@ ifdef(`enable_mls',`
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# sanlock local policy
|
|
#
|
|
-
|
|
allow sanlock_t self:capability { chown dac_override ipc_lock kill setgid setuid sys_nice sys_resource };
|
|
allow sanlock_t self:process { setrlimit setsched signull signal sigkill };
|
|
+
|
|
allow sanlock_t self:fifo_file rw_fifo_file_perms;
|
|
-allow sanlock_t self:unix_stream_socket { accept listen };
|
|
+allow sanlock_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
-append_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
|
|
-create_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
|
|
-setattr_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
|
|
+manage_files_pattern(sanlock_t, sanlock_log_t, sanlock_log_t)
|
|
logging_log_filetrans(sanlock_t, sanlock_log_t, file)
|
|
|
|
manage_dirs_pattern(sanlock_t, sanlock_var_run_t, sanlock_var_run_t)
|
|
@@ -65,13 +71,15 @@ files_pid_filetrans(sanlock_t, sanlock_var_run_t, { file dir sock_file })
|
|
kernel_read_system_state(sanlock_t)
|
|
kernel_read_kernel_sysctls(sanlock_t)
|
|
|
|
-dev_read_rand(sanlock_t)
|
|
-dev_read_urand(sanlock_t)
|
|
-
|
|
domain_use_interactive_fds(sanlock_t)
|
|
|
|
+files_read_mnt_symlinks(sanlock_t)
|
|
+
|
|
storage_raw_rw_fixed_disk(sanlock_t)
|
|
|
|
+dev_read_rand(sanlock_t)
|
|
+dev_read_urand(sanlock_t)
|
|
+
|
|
auth_use_nsswitch(sanlock_t)
|
|
|
|
init_read_utmp(sanlock_t)
|
|
@@ -79,20 +87,29 @@ init_dontaudit_write_utmp(sanlock_t)
|
|
|
|
logging_send_syslog_msg(sanlock_t)
|
|
|
|
-miscfiles_read_localization(sanlock_t)
|
|
+tunable_policy(`sanlock_use_fusefs',`
|
|
+ fs_manage_fusefs_dirs(sanlock_t)
|
|
+ fs_manage_fusefs_files(sanlock_t)
|
|
+ fs_read_fusefs_symlinks(sanlock_t)
|
|
+ fs_getattr_fusefs(sanlock_t)
|
|
+')
|
|
|
|
tunable_policy(`sanlock_use_nfs',`
|
|
- fs_manage_nfs_dirs(sanlock_t)
|
|
- fs_manage_nfs_files(sanlock_t)
|
|
- fs_manage_nfs_named_sockets(sanlock_t)
|
|
- fs_read_nfs_symlinks(sanlock_t)
|
|
+ fs_manage_nfs_dirs(sanlock_t)
|
|
+ fs_manage_nfs_files(sanlock_t)
|
|
+ fs_manage_nfs_named_sockets(sanlock_t)
|
|
+ fs_read_nfs_symlinks(sanlock_t)
|
|
')
|
|
|
|
tunable_policy(`sanlock_use_samba',`
|
|
- fs_manage_cifs_dirs(sanlock_t)
|
|
- fs_manage_cifs_files(sanlock_t)
|
|
- fs_manage_cifs_named_sockets(sanlock_t)
|
|
- fs_read_cifs_symlinks(sanlock_t)
|
|
+ fs_manage_cifs_dirs(sanlock_t)
|
|
+ fs_manage_cifs_files(sanlock_t)
|
|
+ fs_manage_cifs_named_sockets(sanlock_t)
|
|
+ fs_read_cifs_symlinks(sanlock_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rhcs_domtrans_fenced(sanlock_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -100,7 +117,8 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- virt_kill_all_virt_domains(sanlock_t)
|
|
+ virt_kill_svirt(sanlock_t)
|
|
+ virt_kill(sanlock_t)
|
|
virt_manage_lib_files(sanlock_t)
|
|
- virt_signal_all_virt_domains(sanlock_t)
|
|
+ virt_signal_svirt(sanlock_t)
|
|
')
|
|
diff --git a/sasl.fc b/sasl.fc
|
|
index 54f41c2..7e58679 100644
|
|
--- a/sasl.fc
|
|
+++ b/sasl.fc
|
|
@@ -1,7 +1,12 @@
|
|
/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
|
|
|
|
+#
|
|
+# /usr
|
|
+#
|
|
/usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
|
|
|
|
-/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
|
|
-
|
|
+#
|
|
+# /var
|
|
+#
|
|
+/var/lib/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
|
|
/var/run/saslauthd(/.*)? gen_context(system_u:object_r:saslauthd_var_run_t,s0)
|
|
diff --git a/sasl.if b/sasl.if
|
|
index 8c3c151..93b7227 100644
|
|
--- a/sasl.if
|
|
+++ b/sasl.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>SASL authentication server.</summary>
|
|
+## <summary>SASL authentication server</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -21,8 +21,8 @@ interface(`sasl_connect',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an sasl environment.
|
|
+## All of the rules required to administrate
|
|
+## an sasl environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -42,9 +42,13 @@ interface(`sasl_admin',`
|
|
type saslauthd_keytab_t;
|
|
')
|
|
|
|
- allow $1 saslauthd_t:process { ptrace signal_perms };
|
|
+ allow $1 saslauthd_t:process signal_perms;
|
|
ps_process_pattern($1, saslauthd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 saslauthd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, saslauthd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 saslauthd_initrc_exec_t system_r;
|
|
diff --git a/sasl.te b/sasl.te
|
|
index 6c3bc20..14e8575 100644
|
|
--- a/sasl.te
|
|
+++ b/sasl.te
|
|
@@ -6,12 +6,11 @@ policy_module(sasl, 1.15.1)
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether sasl can
|
|
-## read shadow files.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow sasl to read shadow
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(allow_saslauthd_read_shadow, false)
|
|
+gen_tunable(saslauthd_read_shadow, false)
|
|
|
|
type saslauthd_t;
|
|
type saslauthd_exec_t;
|
|
@@ -35,7 +34,9 @@ allow saslauthd_t self:capability { setgid setuid sys_nice };
|
|
dontaudit saslauthd_t self:capability sys_tty_config;
|
|
allow saslauthd_t self:process { setsched signal_perms };
|
|
allow saslauthd_t self:fifo_file rw_fifo_file_perms;
|
|
-allow saslauthd_t self:unix_stream_socket { accept listen };
|
|
+allow saslauthd_t self:unix_dgram_socket create_socket_perms;
|
|
+allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow saslauthd_t self:tcp_socket create_socket_perms;
|
|
|
|
allow saslauthd_t saslauthd_keytab_t:file read_file_perms;
|
|
|
|
@@ -48,29 +49,20 @@ kernel_read_kernel_sysctls(saslauthd_t)
|
|
kernel_read_system_state(saslauthd_t)
|
|
kernel_rw_afs_state(saslauthd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(saslauthd_t)
|
|
+#577519
|
|
+corecmd_exec_bin(saslauthd_t)
|
|
+
|
|
corenet_all_recvfrom_netlabel(saslauthd_t)
|
|
corenet_tcp_sendrecv_generic_if(saslauthd_t)
|
|
corenet_tcp_sendrecv_generic_node(saslauthd_t)
|
|
-
|
|
-corenet_sendrecv_pop_client_packets(saslauthd_t)
|
|
+corenet_tcp_sendrecv_all_ports(saslauthd_t)
|
|
+corenet_tcp_connect_ldap_port(saslauthd_t)
|
|
corenet_tcp_connect_pop_port(saslauthd_t)
|
|
-corenet_tcp_sendrecv_pop_port(saslauthd_t)
|
|
-
|
|
-corenet_sendrecv_zarafa_client_packets(saslauthd_t)
|
|
corenet_tcp_connect_zarafa_port(saslauthd_t)
|
|
-corenet_tcp_sendrecv_zarafa_port(saslauthd_t)
|
|
-
|
|
-corecmd_exec_bin(saslauthd_t)
|
|
+corenet_sendrecv_pop_client_packets(saslauthd_t)
|
|
|
|
dev_read_urand(saslauthd_t)
|
|
|
|
-domain_use_interactive_fds(saslauthd_t)
|
|
-
|
|
-files_dontaudit_read_etc_runtime_files(saslauthd_t)
|
|
-files_dontaudit_getattr_home_dir(saslauthd_t)
|
|
-files_dontaudit_getattr_tmp_dirs(saslauthd_t)
|
|
-
|
|
fs_getattr_all_fs(saslauthd_t)
|
|
fs_search_auto_mountpoints(saslauthd_t)
|
|
|
|
@@ -78,20 +70,25 @@ selinux_compute_access_vector(saslauthd_t)
|
|
|
|
auth_use_pam(saslauthd_t)
|
|
|
|
+domain_use_interactive_fds(saslauthd_t)
|
|
+
|
|
+files_dontaudit_read_etc_runtime_files(saslauthd_t)
|
|
+files_search_var_lib(saslauthd_t)
|
|
+files_dontaudit_getattr_home_dir(saslauthd_t)
|
|
+files_dontaudit_getattr_tmp_dirs(saslauthd_t)
|
|
+
|
|
init_dontaudit_stream_connect_script(saslauthd_t)
|
|
|
|
logging_send_syslog_msg(saslauthd_t)
|
|
|
|
-miscfiles_read_localization(saslauthd_t)
|
|
miscfiles_read_generic_certs(saslauthd_t)
|
|
|
|
-seutil_dontaudit_read_config(saslauthd_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(saslauthd_t)
|
|
userdom_dontaudit_search_user_home_dirs(saslauthd_t)
|
|
|
|
+# cjp: typeattribute doesnt work in conditionals
|
|
auth_can_read_shadow_passwords(saslauthd_t)
|
|
-tunable_policy(`allow_saslauthd_read_shadow',`
|
|
+tunable_policy(`saslauthd_read_shadow',`
|
|
allow saslauthd_t self:capability dac_override;
|
|
auth_tunable_read_shadow(saslauthd_t)
|
|
')
|
|
@@ -99,13 +96,13 @@ tunable_policy(`allow_saslauthd_read_shadow',`
|
|
optional_policy(`
|
|
kerberos_read_keytab(saslauthd_t)
|
|
kerberos_manage_host_rcache(saslauthd_t)
|
|
- kerberos_tmp_filetrans_host_rcache(saslauthd_t, file, "host_0")
|
|
+ kerberos_tmp_filetrans_host_rcache(saslauthd_t, "host_0")
|
|
kerberos_use(saslauthd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ mysql_search_db(saslauthd_t)
|
|
mysql_stream_connect(saslauthd_t)
|
|
- mysql_tcp_connect(saslauthd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
diff --git a/sblim.fc b/sblim.fc
|
|
index 68a550d..e976fc6 100644
|
|
--- a/sblim.fc
|
|
+++ b/sblim.fc
|
|
@@ -1,6 +1,10 @@
|
|
/etc/rc\.d/init\.d/gatherer -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/sblim-sfcbd -- gen_context(system_u:object_r:sblim_initrc_exec_t,s0)
|
|
|
|
/usr/sbin/gatherd -- gen_context(system_u:object_r:sblim_gatherd_exec_t,s0)
|
|
/usr/sbin/reposd -- gen_context(system_u:object_r:sblim_reposd_exec_t,s0)
|
|
+/usr/sbin/sfcbd -- gen_context(system_u:object_r:sblim_sfcbd_exec_t,s0)
|
|
+
|
|
+/var/lib/sfcb(/.*)? gen_context(system_u:object_r:sblim_var_lib_t,s0)
|
|
|
|
/var/run/gather(/.*)? gen_context(system_u:object_r:sblim_var_run_t,s0)
|
|
diff --git a/sblim.if b/sblim.if
|
|
index 98c9e0a..df51942 100644
|
|
--- a/sblim.if
|
|
+++ b/sblim.if
|
|
@@ -1,8 +1,36 @@
|
|
-## <summary>Standards Based Linux Instrumentation for Manageability.</summary>
|
|
+## <summary> Standards Based Linux Instrumentation for Manageability. </summary>
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Creates types and rules for a basic
|
|
+## sblim daemon domain.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## Prefix for the domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`sblim_domain_template',`
|
|
+ gen_require(`
|
|
+ attribute sblim_domain;
|
|
+ ')
|
|
+
|
|
+ type sblim_$1_t, sblim_domain;
|
|
+ type sblim_$1_exec_t;
|
|
+ init_daemon_domain(sblim_$1_t, sblim_$1_exec_t)
|
|
+
|
|
+ kernel_read_system_state(sblim_$1_t)
|
|
+
|
|
+ corenet_all_recvfrom_unlabeled(sblim_$1_t)
|
|
+ corenet_all_recvfrom_netlabel(sblim_$1_t)
|
|
+
|
|
+ logging_send_syslog_msg(sblim_$1_t)
|
|
+')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute gatherd in the gatherd domain.
|
|
+## Transition to gatherd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -21,7 +49,7 @@ interface(`sblim_domtrans_gatherd',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read gatherd pid files.
|
|
+## Read gatherd PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -40,34 +68,33 @@ interface(`sblim_read_pid_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an sblim environment.
|
|
+## All of the rules required to administrate
|
|
+## an gatherd environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`sblim_admin',`
|
|
gen_require(`
|
|
- attribute sblim_domain;
|
|
- type sblim_initrc_exec_t, sblim_var_run_t;
|
|
+ type sblim_gatherd_t;
|
|
+ type sblim_reposd_t;
|
|
+ type sblim_var_run_t;
|
|
')
|
|
|
|
- allow $1 sblim_domain:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, sblim_domain)
|
|
+ allow $1 sblim_gatherd_t:process signal_perms;
|
|
+ ps_process_pattern($1, sblim_gatherd_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 sblim_gatherd_t:process ptrace;
|
|
+ allow $1 sblim_reposd_t:process ptrace;
|
|
+ ')
|
|
|
|
- init_labeled_script_domtrans($1, sblim_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 sblim_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
+ allow $1 sblim_reposd_t:process signal_perms;
|
|
+ ps_process_pattern($1, sblim_reposd_t)
|
|
|
|
files_search_pids($1)
|
|
admin_pattern($1, sblim_var_run_t)
|
|
diff --git a/sblim.te b/sblim.te
|
|
index 299756b..d252327 100644
|
|
--- a/sblim.te
|
|
+++ b/sblim.te
|
|
@@ -7,13 +7,11 @@ policy_module(sblim, 1.1.0)
|
|
|
|
attribute sblim_domain;
|
|
|
|
-type sblim_gatherd_t, sblim_domain;
|
|
-type sblim_gatherd_exec_t;
|
|
-init_daemon_domain(sblim_gatherd_t, sblim_gatherd_exec_t)
|
|
+sblim_domain_template(gatherd)
|
|
|
|
-type sblim_reposd_t, sblim_domain;
|
|
-type sblim_reposd_exec_t;
|
|
-init_daemon_domain(sblim_reposd_t, sblim_reposd_exec_t)
|
|
+sblim_domain_template(reposd)
|
|
+
|
|
+sblim_domain_template(sfcbd)
|
|
|
|
type sblim_initrc_exec_t;
|
|
init_script_file(sblim_initrc_exec_t)
|
|
@@ -21,6 +19,15 @@ init_script_file(sblim_initrc_exec_t)
|
|
type sblim_var_run_t;
|
|
files_pid_file(sblim_var_run_t)
|
|
|
|
+type sblim_var_lib_t;
|
|
+files_type(sblim_var_lib_t)
|
|
+
|
|
+type sblim_tmp_t;
|
|
+files_tmp_file(sblim_tmp_t)
|
|
+
|
|
+type sblim_sfcb_tmpfs_t;
|
|
+files_tmpfs_file(sblim_sfcb_tmpfs_t)
|
|
+
|
|
######################################
|
|
#
|
|
# Common sblim domain local policy
|
|
@@ -32,11 +39,18 @@ manage_dirs_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
|
|
manage_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
|
|
manage_sock_files_pattern(sblim_domain, sblim_var_run_t, sblim_var_run_t)
|
|
|
|
+manage_dirs_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
|
|
+manage_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
|
|
+manage_lnk_files_pattern(sblim_domain, sblim_var_lib_t, sblim_var_lib_t)
|
|
+files_var_lib_filetrans(sblim_domain, sblim_var_lib_t, { dir file lnk_file })
|
|
+
|
|
+manage_dirs_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
|
|
+manage_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
|
|
+manage_sock_files_pattern(sblim_domain, sblim_tmp_t, sblim_tmp_t)
|
|
+files_tmp_filetrans(sblim_domain, sblim_tmp_t, { dir file sock_file})
|
|
+
|
|
kernel_read_network_state(sblim_domain)
|
|
-kernel_read_system_state(sblim_domain)
|
|
|
|
-corenet_all_recvfrom_unlabeled(sblim_domain)
|
|
-corenet_all_recvfrom_netlabel(sblim_domain)
|
|
corenet_tcp_sendrecv_generic_if(sblim_domain)
|
|
corenet_tcp_sendrecv_generic_node(sblim_domain)
|
|
|
|
@@ -44,19 +58,15 @@ corenet_tcp_sendrecv_repository_port(sblim_domain)
|
|
|
|
dev_read_sysfs(sblim_domain)
|
|
|
|
-logging_send_syslog_msg(sblim_domain)
|
|
-
|
|
-files_read_etc_files(sblim_domain)
|
|
-
|
|
-miscfiles_read_localization(sblim_domain)
|
|
+auth_read_passwd(sblim_domain)
|
|
|
|
########################################
|
|
#
|
|
# Gatherd local policy
|
|
#
|
|
|
|
-allow sblim_gatherd_t self:capability dac_override;
|
|
-allow sblim_gatherd_t self:process signal;
|
|
+allow sblim_gatherd_t self:capability { dac_override sys_nice };
|
|
+allow sblim_gatherd_t self:process { setsched signal };
|
|
allow sblim_gatherd_t self:fifo_file rw_fifo_file_perms;
|
|
allow sblim_gatherd_t self:unix_stream_socket { accept listen };
|
|
|
|
@@ -84,6 +94,8 @@ storage_raw_read_removable_device(sblim_gatherd_t)
|
|
|
|
init_read_utmp(sblim_gatherd_t)
|
|
|
|
+logging_send_syslog_msg(sblim_gatherd_t)
|
|
+
|
|
sysnet_dns_name_resolve(sblim_gatherd_t)
|
|
|
|
term_getattr_pty_fs(sblim_gatherd_t)
|
|
@@ -103,8 +115,9 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- virt_getattr_virtd_exec_files(sblim_gatherd_t)
|
|
+ virt_read_config(sblim_gatherd_t)
|
|
virt_stream_connect(sblim_gatherd_t)
|
|
+ virt_getattr_exec(sblim_gatherd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -117,6 +130,29 @@ optional_policy(`
|
|
# Reposd local policy
|
|
#
|
|
|
|
+corenet_tcp_bind_generic_node(sblim_reposd_t)
|
|
+
|
|
corenet_sendrecv_repository_server_packets(sblim_reposd_t)
|
|
corenet_tcp_bind_repository_port(sblim_reposd_t)
|
|
-corenet_tcp_bind_generic_node(sblim_domain)
|
|
+
|
|
+logging_send_syslog_msg(sblim_reposd_t)
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# Sfcbd local policy
|
|
+#
|
|
+
|
|
+allow sblim_sfcbd_t self:capability { sys_ptrace setgid };
|
|
+allow sblim_sfcbd_t self:process signal;
|
|
+allow sblim_sfcbd_t self:unix_stream_socket connectto;
|
|
+
|
|
+manage_dirs_pattern(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, sblim_sfcb_tmpfs_t)
|
|
+manage_files_pattern(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, sblim_sfcb_tmpfs_t)
|
|
+fs_tmpfs_filetrans(sblim_sfcbd_t, sblim_sfcb_tmpfs_t, { dir file })
|
|
+
|
|
+auth_use_nsswitch(sblim_sfcbd_t)
|
|
+
|
|
+corenet_tcp_bind_pegasus_https_port(sblim_sfcbd_t)
|
|
+
|
|
+domain_read_all_domains_state(sblim_sfcbd_t)
|
|
+domain_use_interactive_fds(sblim_sfcbd_t)
|
|
diff --git a/screen.fc b/screen.fc
|
|
index e7c2cf7..435aaa6 100644
|
|
--- a/screen.fc
|
|
+++ b/screen.fc
|
|
@@ -2,8 +2,10 @@ HOME_DIR/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
|
|
HOME_DIR/\.screenrc -- gen_context(system_u:object_r:screen_home_t,s0)
|
|
HOME_DIR/\.tmux\.conf -- gen_context(system_u:object_r:screen_home_t,s0)
|
|
|
|
-/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
|
|
-/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
|
|
+/root/\.screen(/.*)? gen_context(system_u:object_r:screen_home_t,s0)
|
|
|
|
-/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
|
|
-/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
|
|
+/usr/bin/screen -- gen_context(system_u:object_r:screen_exec_t,s0)
|
|
+/usr/bin/tmux -- gen_context(system_u:object_r:screen_exec_t,s0)
|
|
+
|
|
+/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
|
|
+/var/run/tmux(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)
|
|
diff --git a/screen.if b/screen.if
|
|
index be5cce2..a7a8a67 100644
|
|
--- a/screen.if
|
|
+++ b/screen.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>GNU terminal multiplexer.</summary>
|
|
+## <summary>GNU terminal multiplexer</summary>
|
|
|
|
#######################################
|
|
## <summary>
|
|
@@ -23,10 +23,9 @@
|
|
#
|
|
template(`screen_role_template',`
|
|
gen_require(`
|
|
- attribute screen_domain;
|
|
- attribute_role screen_roles;
|
|
type screen_exec_t, screen_tmp_t;
|
|
type screen_home_t, screen_var_run_t;
|
|
+ attribute screen_domain;
|
|
')
|
|
|
|
########################################
|
|
@@ -35,50 +34,52 @@ template(`screen_role_template',`
|
|
#
|
|
|
|
type $1_screen_t, screen_domain;
|
|
- userdom_user_application_domain($1_screen_t, screen_exec_t)
|
|
+ application_domain($1_screen_t, screen_exec_t)
|
|
domain_interactive_fd($1_screen_t)
|
|
- role screen_roles types $1_screen_t;
|
|
+ ubac_constrained($1_screen_t)
|
|
+ role $2 types $1_screen_t;
|
|
|
|
- roleattribute $2 screen_roles;
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $3 $1_screen_t:process ptrace;
|
|
+ ')
|
|
|
|
- ########################################
|
|
- #
|
|
- # Local policy
|
|
- #
|
|
+ userdom_home_reader($1_screen_t)
|
|
|
|
domtrans_pattern($3, screen_exec_t, $1_screen_t)
|
|
-
|
|
- ps_process_pattern($3, $1_screen_t)
|
|
- allow $3 $1_screen_t:process { ptrace signal_perms };
|
|
-
|
|
+ allow $3 $1_screen_t:process { signal sigchld };
|
|
dontaudit $3 $1_screen_t:unix_stream_socket { read write };
|
|
+ allow $1_screen_t $3:unix_stream_socket { connectto };
|
|
allow $1_screen_t $3:process signal;
|
|
+ ps_process_pattern($1_screen_t, $3)
|
|
|
|
- allow $3 screen_tmp_t:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $3 screen_tmp_t:file { manage_file_perms relabel_file_perms };
|
|
- allow $3 screen_tmp_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
|
|
-
|
|
- allow $3 screen_home_t:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $3 screen_home_t:file { manage_file_perms relabel_file_perms };
|
|
- allow $3 screen_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
|
|
- allow $3 screen_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
+ manage_fifo_files_pattern($3, screen_home_t, screen_home_t)
|
|
+ manage_dirs_pattern($3, screen_home_t, screen_home_t)
|
|
+ manage_files_pattern($3, screen_home_t, screen_home_t)
|
|
+ manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
|
|
+ relabel_dirs_pattern($3, screen_home_t, screen_home_t)
|
|
+ relabel_files_pattern($3, screen_home_t, screen_home_t)
|
|
+ relabel_lnk_files_pattern($3, screen_home_t, screen_home_t)
|
|
|
|
userdom_user_home_dir_filetrans($3, screen_home_t, dir, ".screen")
|
|
userdom_user_home_dir_filetrans($3, screen_home_t, file, ".screenrc")
|
|
userdom_user_home_dir_filetrans($3, screen_home_t, file, ".tmux.conf")
|
|
|
|
manage_dirs_pattern($3, screen_var_run_t, screen_var_run_t)
|
|
- manage_files_pattern($3, screen_var_run_t, screen_var_run_t)
|
|
- manage_lnk_files_pattern($3, screen_var_run_t, screen_var_run_t)
|
|
manage_fifo_files_pattern($3, screen_var_run_t, screen_var_run_t)
|
|
|
|
- corecmd_bin_domtrans($1_screen_t, $3)
|
|
+ kernel_read_system_state($1_screen_t)
|
|
+
|
|
+ # Revert to the user domain when a shell is executed.
|
|
corecmd_shell_domtrans($1_screen_t, $3)
|
|
+ corecmd_bin_domtrans($1_screen_t, $3)
|
|
|
|
auth_domtrans_chk_passwd($1_screen_t)
|
|
auth_use_nsswitch($1_screen_t)
|
|
|
|
+ logging_send_syslog_msg($1_screen_t)
|
|
+
|
|
userdom_user_home_domtrans($1_screen_t, $3)
|
|
+ userdom_manage_tmp_role($2, $1_screen_t)
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
fs_cifs_domtrans($1_screen_t, $3)
|
|
@@ -88,3 +89,41 @@ template(`screen_role_template',`
|
|
fs_nfs_domtrans($1_screen_t, $3)
|
|
')
|
|
')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute the rssh program
|
|
+## in the caller domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`screen_exec',`
|
|
+ gen_require(`
|
|
+ type screen_exec_t;
|
|
+ ')
|
|
+
|
|
+ can_exec($1, screen_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send a SIGCHLD signal to the screen domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`screen_sigchld',`
|
|
+ gen_require(`
|
|
+ attribute screen_domain;
|
|
+ ')
|
|
+
|
|
+ allow $1 screen_domain:process sigchld;
|
|
+')
|
|
+
|
|
diff --git a/screen.te b/screen.te
|
|
index 5466a73..ba26a6a 100644
|
|
--- a/screen.te
|
|
+++ b/screen.te
|
|
@@ -5,9 +5,7 @@ policy_module(screen, 2.6.0)
|
|
# Declarations
|
|
#
|
|
|
|
-attribute screen_domain;
|
|
-
|
|
-attribute_role screen_roles;
|
|
+attribute screen_domain;
|
|
|
|
type screen_exec_t;
|
|
application_executable_file(screen_exec_t)
|
|
@@ -17,11 +15,6 @@ typealias screen_home_t alias { user_screen_home_t staff_screen_home_t sysadm_sc
|
|
typealias screen_home_t alias { auditadm_screen_home_t secadm_screen_home_t };
|
|
userdom_user_home_content(screen_home_t)
|
|
|
|
-type screen_tmp_t;
|
|
-typealias screen_tmp_t alias { user_screen_tmp_t staff_screen_tmp_t sysadm_screen_tmp_t };
|
|
-typealias screen_tmp_t alias { auditadm_screen_tmp_t secadm_screen_tmp_t };
|
|
-userdom_user_tmp_file(screen_tmp_t)
|
|
-
|
|
type screen_var_run_t;
|
|
typealias screen_var_run_t alias { user_screen_var_run_t staff_screen_var_run_t sysadm_screen_var_run_t };
|
|
typealias screen_var_run_t alias { auditadm_screen_var_run_t secadm_screen_var_run_t screen_dir_t };
|
|
@@ -30,34 +23,35 @@ ubac_constrained(screen_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
-# Common screen domain local policy
|
|
+# Local policy
|
|
#
|
|
|
|
-allow screen_domain self:capability { setuid setgid fsetid };
|
|
+allow screen_domain self:capability { fsetid setgid setuid sys_tty_config };
|
|
+dontaudit screen_domain self:capability dac_override;
|
|
allow screen_domain self:process signal_perms;
|
|
-allow screen_domain self:fd use;
|
|
allow screen_domain self:fifo_file rw_fifo_file_perms;
|
|
-allow screen_domain self:tcp_socket { accept listen };
|
|
-allow screen_domain self:unix_stream_socket { accept connectto listen };
|
|
-
|
|
-manage_dirs_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
|
|
-manage_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
|
|
-manage_fifo_files_pattern(screen_domain, screen_tmp_t, screen_tmp_t)
|
|
-files_tmp_filetrans(screen_domain, screen_tmp_t, { file dir })
|
|
-filetrans_pattern(screen_domain, screen_tmp_t, screen_var_run_t, sock_file)
|
|
+allow screen_domain self:tcp_socket create_stream_socket_perms;
|
|
+allow screen_domain self:udp_socket create_socket_perms;
|
|
+# Internal screen networking
|
|
+allow screen_domain self:fd use;
|
|
+allow screen_domain self:unix_stream_socket { create_socket_perms connectto };
|
|
+allow screen_domain self:unix_dgram_socket create_socket_perms;
|
|
|
|
+# Create fifo
|
|
manage_fifo_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
|
|
manage_dirs_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
|
|
manage_sock_files_pattern(screen_domain, screen_var_run_t, screen_var_run_t)
|
|
files_pid_filetrans(screen_domain, screen_var_run_t, dir)
|
|
|
|
+allow screen_domain screen_home_t:dir list_dir_perms;
|
|
manage_dirs_pattern(screen_domain, screen_home_t, screen_home_t)
|
|
-read_files_pattern(screen_domain, screen_home_t, screen_home_t)
|
|
manage_fifo_files_pattern(screen_domain, screen_home_t, screen_home_t)
|
|
+manage_sock_files_pattern(screen_domain, screen_home_t, screen_home_t)
|
|
+userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir)
|
|
+userdom_admin_home_dir_filetrans(screen_domain, screen_home_t, dir)
|
|
+read_files_pattern(screen_domain, screen_home_t, screen_home_t)
|
|
read_lnk_files_pattern(screen_domain, screen_home_t, screen_home_t)
|
|
-userdom_user_home_dir_filetrans(screen_domain, screen_home_t, dir, ".screen")
|
|
|
|
-kernel_read_system_state(screen_domain)
|
|
kernel_read_kernel_sysctls(screen_domain)
|
|
|
|
corecmd_list_bin(screen_domain)
|
|
@@ -66,55 +60,39 @@ corecmd_read_bin_symlinks(screen_domain)
|
|
corecmd_read_bin_pipes(screen_domain)
|
|
corecmd_read_bin_sockets(screen_domain)
|
|
|
|
-corenet_all_recvfrom_unlabeled(screen_domain)
|
|
-corenet_all_recvfrom_netlabel(screen_domain)
|
|
corenet_tcp_sendrecv_generic_if(screen_domain)
|
|
+corenet_udp_sendrecv_generic_if(screen_domain)
|
|
corenet_tcp_sendrecv_generic_node(screen_domain)
|
|
+corenet_udp_sendrecv_generic_node(screen_domain)
|
|
corenet_tcp_sendrecv_all_ports(screen_domain)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(screen_domain)
|
|
+corenet_udp_sendrecv_all_ports(screen_domain)
|
|
corenet_tcp_connect_all_ports(screen_domain)
|
|
|
|
dev_dontaudit_getattr_all_chr_files(screen_domain)
|
|
dev_dontaudit_getattr_all_blk_files(screen_domain)
|
|
+# for SSP
|
|
dev_read_urand(screen_domain)
|
|
|
|
-domain_use_interactive_fds(screen_domain)
|
|
domain_sigchld_interactive_fds(screen_domain)
|
|
+domain_use_interactive_fds(screen_domain)
|
|
domain_read_all_domains_state(screen_domain)
|
|
|
|
+files_search_tmp(screen_domain)
|
|
+files_search_home(screen_domain)
|
|
files_list_home(screen_domain)
|
|
-files_read_usr_files(screen_domain)
|
|
|
|
fs_search_auto_mountpoints(screen_domain)
|
|
-fs_getattr_all_fs(screen_domain)
|
|
+fs_getattr_xattr_fs(screen_domain)
|
|
|
|
auth_dontaudit_read_shadow(screen_domain)
|
|
auth_dontaudit_exec_utempter(screen_domain)
|
|
|
|
+# Write to utmp.
|
|
init_rw_utmp(screen_domain)
|
|
|
|
-logging_send_syslog_msg(screen_domain)
|
|
-
|
|
-miscfiles_read_localization(screen_domain)
|
|
-
|
|
seutil_read_config(screen_domain)
|
|
|
|
userdom_use_user_terminals(screen_domain)
|
|
userdom_create_user_pty(screen_domain)
|
|
userdom_setattr_user_ptys(screen_domain)
|
|
userdom_setattr_user_ttys(screen_domain)
|
|
-
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(screen_domain)
|
|
- fs_read_cifs_files(screen_domain)
|
|
- fs_manage_cifs_named_pipes(screen_domain)
|
|
- fs_read_cifs_symlinks(screen_domain)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(screen_domain)
|
|
- fs_read_nfs_files(screen_domain)
|
|
- fs_manage_nfs_named_pipes(screen_domain)
|
|
- fs_read_nfs_symlinks(screen_domain)
|
|
-')
|
|
diff --git a/sectoolm.fc b/sectoolm.fc
|
|
index 64a2394..3f1dac5 100644
|
|
--- a/sectoolm.fc
|
|
+++ b/sectoolm.fc
|
|
@@ -1,5 +1,4 @@
|
|
/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0)
|
|
|
|
-/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
|
|
-
|
|
-/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0)
|
|
+/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
|
|
+/var/log/sectool\.log.* -- gen_context(system_u:object_r:sectool_var_log_t,s0)
|
|
diff --git a/sectoolm.if b/sectoolm.if
|
|
index c78a569..9007451 100644
|
|
--- a/sectoolm.if
|
|
+++ b/sectoolm.if
|
|
@@ -1,24 +1,2 @@
|
|
-## <summary>Sectool security audit tool.</summary>
|
|
+## <summary>Sectool security audit tool</summary>
|
|
|
|
-########################################
|
|
-## <summary>
|
|
-## Role access for sectoolm.
|
|
-## </summary>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## User domain for the role.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`sectoolm_role',`
|
|
- gen_require(`
|
|
- type sectoolm_t;
|
|
- ')
|
|
-
|
|
- allow sectoolm_t $2:unix_dgram_socket sendto;
|
|
-')
|
|
diff --git a/sectoolm.te b/sectoolm.te
|
|
index 4bc8c13..726ef2c 100644
|
|
--- a/sectoolm.te
|
|
+++ b/sectoolm.te
|
|
@@ -7,7 +7,7 @@ policy_module(sectoolm, 1.1.0)
|
|
|
|
type sectoolm_t;
|
|
type sectoolm_exec_t;
|
|
-init_system_domain(sectoolm_t, sectoolm_exec_t)
|
|
+init_daemon_domain(sectoolm_t, sectoolm_exec_t)
|
|
|
|
type sectool_var_lib_t;
|
|
files_type(sectool_var_lib_t)
|
|
@@ -20,14 +20,14 @@ files_tmp_file(sectool_tmp_t)
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# sectool local policy
|
|
#
|
|
|
|
-allow sectoolm_t self:capability { dac_override net_admin sys_nice };
|
|
+allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
|
|
allow sectoolm_t self:process { getcap getsched signull setsched };
|
|
dontaudit sectoolm_t self:process { execstack execmem };
|
|
allow sectoolm_t self:fifo_file rw_fifo_file_perms;
|
|
-allow sectoolm_t self:unix_dgram_socket sendto;
|
|
+allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
|
|
manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
|
|
manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
|
|
@@ -37,7 +37,7 @@ manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
|
|
manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
|
|
files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir })
|
|
|
|
-allow sectoolm_t sectool_var_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
|
+manage_files_pattern(sectoolm_t, sectool_var_log_t, sectool_var_log_t)
|
|
logging_log_filetrans(sectoolm_t, sectool_var_log_t, file)
|
|
|
|
kernel_read_net_sysctls(sectoolm_t)
|
|
@@ -65,6 +65,7 @@ fs_list_noxattr_fs(sectoolm_t)
|
|
|
|
selinux_validate_context(sectoolm_t)
|
|
|
|
+# tcp_wrappers test
|
|
application_exec_all(sectoolm_t)
|
|
|
|
auth_use_nsswitch(sectoolm_t)
|
|
@@ -73,30 +74,36 @@ libs_exec_ld_so(sectoolm_t)
|
|
|
|
logging_send_syslog_msg(sectoolm_t)
|
|
|
|
+# tests related to network
|
|
sysnet_domtrans_ifconfig(sectoolm_t)
|
|
|
|
-userdom_write_user_tmp_sockets(sectoolm_t)
|
|
+userdom_manage_user_tmp_sockets(sectoolm_t)
|
|
+userdom_dgram_send(sectoolm_t)
|
|
|
|
optional_policy(`
|
|
- mount_exec(sectoolm_t)
|
|
+ dbus_system_domain(sectoolm_t, sectoolm_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- dbus_system_domain(sectoolm_t, sectoolm_exec_t)
|
|
+ # tests related to network
|
|
+ hostname_exec(sectoolm_t)
|
|
+')
|
|
|
|
- optional_policy(`
|
|
- policykit_dbus_chat(sectoolm_t)
|
|
- ')
|
|
+optional_policy(`
|
|
+ # tests related to network
|
|
+ iptables_domtrans(sectoolm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- hostname_exec(sectoolm_t)
|
|
+ mount_exec(sectoolm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- iptables_domtrans(sectoolm_t)
|
|
+ policykit_dbus_chat(sectoolm_t)
|
|
')
|
|
|
|
+# suid test using
|
|
+# rpm -Vf option
|
|
optional_policy(`
|
|
prelink_domtrans(sectoolm_t)
|
|
')
|
|
diff --git a/sendmail.fc b/sendmail.fc
|
|
index d14b6bf..da5d41d 100644
|
|
--- a/sendmail.fc
|
|
+++ b/sendmail.fc
|
|
@@ -1,7 +1,8 @@
|
|
-/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
|
|
|
|
-/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0)
|
|
-/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
|
|
+/etc/rc\.d/init\.d/sendmail -- gen_context(system_u:object_r:sendmail_initrc_exec_t,s0)
|
|
|
|
-/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
|
|
-/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
|
|
+/var/log/sendmail\.st.* -- gen_context(system_u:object_r:sendmail_log_t,s0)
|
|
+/var/log/mail(/.*)? gen_context(system_u:object_r:sendmail_log_t,s0)
|
|
+
|
|
+/var/run/sendmail\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
|
|
+/var/run/sm-client\.pid -- gen_context(system_u:object_r:sendmail_var_run_t,s0)
|
|
diff --git a/sendmail.if b/sendmail.if
|
|
index 35ad2a7..6f947f6 100644
|
|
--- a/sendmail.if
|
|
+++ b/sendmail.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>Internetwork email routing facility.</summary>
|
|
+## <summary>Policy for sendmail.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -18,7 +18,8 @@ interface(`sendmail_stub',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write sendmail unnamed pipes.
|
|
+## Allow attempts to read and write to
|
|
+## sendmail unnamed pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -36,7 +37,7 @@ interface(`sendmail_rw_pipes',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a domain transition to run sendmail.
|
|
+## Domain transition to sendmail.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -49,19 +50,30 @@ interface(`sendmail_domtrans',`
|
|
type sendmail_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
mta_sendmail_domtrans($1, sendmail_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute sendmail in the sendmail domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sendmail_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type sendmail_initrc_exec_t;
|
|
+ ')
|
|
|
|
- allow sendmail_t $1:fd use;
|
|
- allow sendmail_t $1:fifo_file rw_fifo_file_perms;
|
|
- allow sendmail_t $1:process sigchld;
|
|
+ init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute the sendmail program in the
|
|
-## sendmail domain, and allow the
|
|
-## specified role the sendmail domain.
|
|
+## Execute the sendmail program in the sendmail domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -70,7 +82,7 @@ interface(`sendmail_domtrans',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to allow the sendmail domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
@@ -81,7 +93,7 @@ interface(`sendmail_run',`
|
|
')
|
|
|
|
sendmail_domtrans($1)
|
|
- roleattribute $2 sendmail_roles;
|
|
+ roleattribute $2 sendmail_roles;
|
|
')
|
|
|
|
########################################
|
|
@@ -102,6 +114,34 @@ interface(`sendmail_signal',`
|
|
allow $1 sendmail_t:process signal;
|
|
')
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute sendmail in the unconfined
|
|
+## sendmail domain, and allow the
|
|
+## specified role the unconfined
|
|
+## sendmail domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`sendmail_run_unconfined',`
|
|
+ gen_require(`
|
|
+ attribute_role sendmail_unconfined_roles;
|
|
+ ')
|
|
+
|
|
+ sendmail_domtrans_unconfined($1)
|
|
+ roleattribute $2 sendmail_unconfined_roles;
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## Read and write sendmail TCP sockets.
|
|
@@ -141,8 +181,7 @@ interface(`sendmail_dontaudit_rw_tcp_sockets',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write sendmail unix
|
|
-## domain stream sockets.
|
|
+## Read and write sendmail unix_stream_sockets.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -179,7 +218,7 @@ interface(`sendmail_dontaudit_rw_unix_stream_sockets',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read sendmail log files.
|
|
+## Read sendmail logs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -199,8 +238,7 @@ interface(`sendmail_read_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## sendmail log files.
|
|
+## Create, read, write, and delete sendmail logs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -220,8 +258,7 @@ interface(`sendmail_manage_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create specified objects in generic
|
|
-## log directories sendmail log file type.
|
|
+## Create sendmail logs with the correct type.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -265,8 +302,7 @@ interface(`sendmail_log_filetrans_sendmail_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## sendmail tmp files.
|
|
+## Manage sendmail tmp files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -285,58 +321,27 @@ interface(`sendmail_manage_tmp_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute sendmail in the unconfined sendmail domain.
|
|
+## Set the attributes of sendmail pid files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`sendmail_domtrans_unconfined',`
|
|
- gen_require(`
|
|
- type unconfined_sendmail_t;
|
|
- ')
|
|
-
|
|
- mta_sendmail_domtrans($1, unconfined_sendmail_t)
|
|
-
|
|
- allow unconfined_sendmail_t $1:fd use;
|
|
- allow unconfined_sendmail_t $1:fifo_file rw_fifo_file_perms;
|
|
- allow unconfined_sendmail_t $1:process sigchld;
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Execute sendmail in the unconfined
|
|
-## sendmail domain, and allow the
|
|
-## specified role the unconfined
|
|
-## sendmail domain.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`sendmail_run_unconfined',`
|
|
+interface(`sendmail_setattr_pid_files',`
|
|
gen_require(`
|
|
- attribute_role sendmail_unconfined_roles;
|
|
+ type sendmail_var_run_t;
|
|
')
|
|
|
|
- sendmail_domtrans_unconfined($1)
|
|
- roleattribute $2 sendmail_unconfined_roles;
|
|
+ allow $1 sendmail_var_run_t:file setattr_file_perms;
|
|
+ files_search_pids($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an sendmail environment.
|
|
+## All of the rules required to administrate
|
|
+## an sendmail environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -355,12 +360,17 @@ interface(`sendmail_admin',`
|
|
type sendmail_t, sendmail_initrc_exec_t, sendmail_log_t;
|
|
type sendmail_tmp_t, sendmail_var_run_t, unconfined_sendmail_t;
|
|
type sendmail_keytab_t;
|
|
+ type mail_spool_t;
|
|
')
|
|
|
|
- allow $1 { unconfined_sendmail_t sendmail_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { unconfined_sendmail_t sendmail_t })
|
|
+ allow $1 sendmail_t:process signal_perms;
|
|
+ ps_process_pattern($1, sendmail_t)
|
|
|
|
- init_labeled_script_domtrans($1, sendmail_initrc_exec_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 sendmail_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ sendmail_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 sendmail_initrc_exec_t system_r;
|
|
|
|
@@ -376,6 +386,6 @@ interface(`sendmail_admin',`
|
|
files_list_pids($1)
|
|
admin_pattern($1, sendmail_var_run_t)
|
|
|
|
- sendmail_run($1, $2)
|
|
- sendmail_run_unconfined($1, $2)
|
|
+ files_list_spool($1)
|
|
+ admin_pattern($1, mail_spool_t)
|
|
')
|
|
diff --git a/sendmail.te b/sendmail.te
|
|
index 12700b4..fde3c8d 100644
|
|
--- a/sendmail.te
|
|
+++ b/sendmail.te
|
|
@@ -37,21 +37,23 @@ role sendmail_unconfined_roles types unconfined_sendmail_t;
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# Sendmail local policy
|
|
#
|
|
|
|
-allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config };
|
|
+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
|
|
+dontaudit sendmail_t self:capability net_admin;
|
|
+dontaudit sendmail_t self:capability2 block_suspend;
|
|
allow sendmail_t self:process { setsched setpgid setrlimit signal signull };
|
|
allow sendmail_t self:fifo_file rw_fifo_file_perms;
|
|
-allow sendmail_t self:unix_stream_socket { accept listen };
|
|
-allow sendmail_t self:tcp_socket { accept listen };
|
|
+allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow sendmail_t self:unix_dgram_socket create_socket_perms;
|
|
+allow sendmail_t self:tcp_socket create_stream_socket_perms;
|
|
+allow sendmail_t self:udp_socket create_socket_perms;
|
|
|
|
+allow sendmail_t sendmail_log_t:dir setattr_dir_perms;
|
|
+manage_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
|
|
allow sendmail_t sendmail_keytab_t:file read_file_perms;
|
|
|
|
-allow sendmail_t sendmail_log_t:dir setattr_dir_perms;
|
|
-append_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
|
|
-create_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
|
|
-setattr_files_pattern(sendmail_t, sendmail_log_t, sendmail_log_t)
|
|
logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir })
|
|
|
|
manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t)
|
|
@@ -63,33 +65,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file)
|
|
|
|
kernel_read_network_state(sendmail_t)
|
|
kernel_read_kernel_sysctls(sendmail_t)
|
|
+# for piping mail to a command
|
|
kernel_read_system_state(sendmail_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(sendmail_t)
|
|
corenet_all_recvfrom_netlabel(sendmail_t)
|
|
corenet_tcp_sendrecv_generic_if(sendmail_t)
|
|
corenet_tcp_sendrecv_generic_node(sendmail_t)
|
|
corenet_tcp_sendrecv_all_ports(sendmail_t)
|
|
corenet_tcp_bind_generic_node(sendmail_t)
|
|
-
|
|
-corenet_sendrecv_smtp_server_packets(sendmail_t)
|
|
corenet_tcp_bind_smtp_port(sendmail_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(sendmail_t)
|
|
corenet_tcp_connect_all_ports(sendmail_t)
|
|
+corenet_sendrecv_smtp_server_packets(sendmail_t)
|
|
+corenet_sendrecv_smtp_client_packets(sendmail_t)
|
|
|
|
-corecmd_exec_bin(sendmail_t)
|
|
-corecmd_exec_shell(sendmail_t)
|
|
-
|
|
-dev_read_sysfs(sendmail_t)
|
|
dev_read_urand(sendmail_t)
|
|
-
|
|
-domain_use_interactive_fds(sendmail_t)
|
|
-
|
|
-files_read_all_tmp_files(sendmail_t)
|
|
-files_read_etc_runtime_files(sendmail_t)
|
|
-files_read_usr_files(sendmail_t)
|
|
-files_search_spool(sendmail_t)
|
|
+dev_read_sysfs(sendmail_t)
|
|
|
|
fs_getattr_all_fs(sendmail_t)
|
|
fs_search_auto_mountpoints(sendmail_t)
|
|
@@ -98,35 +88,49 @@ fs_rw_anon_inodefs_files(sendmail_t)
|
|
term_dontaudit_use_console(sendmail_t)
|
|
term_dontaudit_use_generic_ptys(sendmail_t)
|
|
|
|
+# for piping mail to a command
|
|
+corecmd_exec_shell(sendmail_t)
|
|
+corecmd_exec_bin(sendmail_t)
|
|
+
|
|
+domain_use_interactive_fds(sendmail_t)
|
|
+
|
|
+files_search_spool(sendmail_t)
|
|
+# for piping mail to a command
|
|
+files_read_etc_runtime_files(sendmail_t)
|
|
+files_read_all_tmp_files(sendmail_t)
|
|
+
|
|
init_use_fds(sendmail_t)
|
|
init_use_script_ptys(sendmail_t)
|
|
+# sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
|
|
init_read_utmp(sendmail_t)
|
|
init_dontaudit_write_utmp(sendmail_t)
|
|
init_rw_script_tmp_files(sendmail_t)
|
|
|
|
auth_use_nsswitch(sendmail_t)
|
|
|
|
+# Read /usr/lib/sasl2/.*
|
|
libs_read_lib_files(sendmail_t)
|
|
|
|
logging_send_syslog_msg(sendmail_t)
|
|
logging_dontaudit_write_generic_logs(sendmail_t)
|
|
|
|
miscfiles_read_generic_certs(sendmail_t)
|
|
-miscfiles_read_localization(sendmail_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
|
|
+userdom_read_user_home_content_files(sendmail_t)
|
|
+userdom_dontaudit_list_user_home_dirs(sendmail_t)
|
|
|
|
-mta_etc_filetrans_aliases(sendmail_t, file, "aliases")
|
|
-mta_etc_filetrans_aliases(sendmail_t, file, "aliases.db")
|
|
-mta_etc_filetrans_aliases(sendmail_t, file, "aliasesdb-stamp")
|
|
+mta_read_config(sendmail_t)
|
|
+mta_etc_filetrans_aliases(sendmail_t)
|
|
+# Write to /etc/aliases and /etc/mail.
|
|
mta_manage_aliases(sendmail_t)
|
|
+# Write to /var/spool/mail and /var/spool/mqueue.
|
|
mta_manage_queue(sendmail_t)
|
|
mta_manage_spool(sendmail_t)
|
|
-mta_read_config(sendmail_t)
|
|
mta_sendmail_exec(sendmail_t)
|
|
|
|
optional_policy(`
|
|
- cfengine_dontaudit_write_log_files(sendmail_t)
|
|
+ cfengine_dontaudit_write_log(sendmail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -134,8 +138,8 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- clamav_search_lib(sendmail_t)
|
|
- clamav_stream_connect(sendmail_t)
|
|
+ antivirus_search_db(sendmail_t)
|
|
+ antivirus_stream_connect(sendmail_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -164,6 +168,10 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ inn_write_inherited_news_lib(sendmail_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
milter_stream_connect_all(sendmail_t)
|
|
')
|
|
|
|
@@ -172,6 +180,11 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ openshift_dontaudit_rw_inherited_fifo_files(sendmail_t)
|
|
+ openshift_rw_inherited_content(sendmail_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
postfix_domtrans_postdrop(sendmail_t)
|
|
postfix_domtrans_master(sendmail_t)
|
|
postfix_domtrans_postqueue(sendmail_t)
|
|
@@ -193,6 +206,10 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ spamd_stream_connect(sendmail_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
udev_read_db(sendmail_t)
|
|
')
|
|
|
|
@@ -206,8 +223,8 @@ optional_policy(`
|
|
#
|
|
|
|
optional_policy(`
|
|
- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases")
|
|
- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliases.db")
|
|
- mta_etc_filetrans_aliases(unconfined_sendmail_t, file, "aliasesdb-stamp")
|
|
- unconfined_domain(unconfined_sendmail_t)
|
|
+ mta_etc_filetrans_aliases(unconfined_sendmail_t, "aliases")
|
|
+ mta_etc_filetrans_aliases(unconfined_sendmail_t, "aliases.db")
|
|
+ mta_etc_filetrans_aliases(unconfined_sendmail_t, "aliasesdb-stamp")
|
|
+ unconfined_domain(unconfined_sendmail_t)
|
|
')
|
|
diff --git a/sensord.fc b/sensord.fc
|
|
index 8185d5a..719ac47 100644
|
|
--- a/sensord.fc
|
|
+++ b/sensord.fc
|
|
@@ -1,3 +1,5 @@
|
|
+/lib/systemd/system/sensord.service -- gen_context(system_u:object_r:sensord_unit_file_t,s0)
|
|
+
|
|
/etc/rc\.d/init\.d/sensord -- gen_context(system_u:object_r:sensord_initrc_exec_t,s0)
|
|
|
|
/usr/sbin/sensord -- gen_context(system_u:object_r:sensord_exec_t,s0)
|
|
diff --git a/sensord.if b/sensord.if
|
|
index d204752..5eba5fd 100644
|
|
--- a/sensord.if
|
|
+++ b/sensord.if
|
|
@@ -1,35 +1,75 @@
|
|
-## <summary>Sensor information logging daemon.</summary>
|
|
+
|
|
+## <summary>Sensor information logging daemon</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an sensord environment.
|
|
+## Execute sensord in the sensord domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sensord_domtrans',`
|
|
+ gen_require(`
|
|
+ type sensord_t, sensord_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, sensord_exec_t, sensord_t)
|
|
+')
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute sensord server in the sensord domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+#
|
|
+interface(`sensord_systemctl',`
|
|
+ gen_require(`
|
|
+ type sensord_t;
|
|
+ type sensord_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 sensord_unit_file_t:file read_file_perms;
|
|
+ allow $1 sensord_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, sensord_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an sensord environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`sensord_admin',`
|
|
gen_require(`
|
|
- type sensord_t, sensord_initrc_exec_t, sensord_var_run_t;
|
|
+ type sensord_t;
|
|
+ type sensord_unit_file_t;
|
|
')
|
|
|
|
allow $1 sensord_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, sensord_t)
|
|
|
|
- init_labeled_script_domtrans($1, sensord_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 sensord_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
+ sensord_systemctl($1)
|
|
+ admin_pattern($1, sensord_unit_file_t)
|
|
+ allow $1 sensord_unit_file_t:service all_service_perms;
|
|
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, sensord_var_run_t)
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
')
|
|
diff --git a/sensord.te b/sensord.te
|
|
index 5e82fd6..fa352d8 100644
|
|
--- a/sensord.te
|
|
+++ b/sensord.te
|
|
@@ -9,6 +9,9 @@ type sensord_t;
|
|
type sensord_exec_t;
|
|
init_daemon_domain(sensord_t, sensord_exec_t)
|
|
|
|
+type sensord_unit_file_t;
|
|
+systemd_unit_file(sensord_unit_file_t)
|
|
+
|
|
type sensord_initrc_exec_t;
|
|
init_script_file(sensord_initrc_exec_t)
|
|
|
|
@@ -28,8 +31,5 @@ files_pid_filetrans(sensord_t, sensord_var_run_t, file)
|
|
|
|
dev_read_sysfs(sensord_t)
|
|
|
|
-files_read_etc_files(sensord_t)
|
|
-
|
|
logging_send_syslog_msg(sensord_t)
|
|
|
|
-miscfiles_read_localization(sensord_t)
|
|
diff --git a/setroubleshoot.fc b/setroubleshoot.fc
|
|
index 0b3a971..397a522 100644
|
|
--- a/setroubleshoot.fc
|
|
+++ b/setroubleshoot.fc
|
|
@@ -1,9 +1,9 @@
|
|
/usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
|
|
|
|
-/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
|
|
+/usr/share/setroubleshoot/SetroubleshootFixit\.py* -- gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
|
|
|
|
-/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
|
|
+/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
|
|
|
|
-/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
|
|
+/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
|
|
|
|
-/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
|
|
+/var/lib/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_lib_t,s0)
|
|
diff --git a/setroubleshoot.if b/setroubleshoot.if
|
|
index 3a9a70b..039b0c8 100644
|
|
--- a/setroubleshoot.if
|
|
+++ b/setroubleshoot.if
|
|
@@ -1,9 +1,8 @@
|
|
-## <summary>SELinux troubleshooting service.</summary>
|
|
+## <summary>SELinux troubleshooting service</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to setroubleshootd with a
|
|
-## unix domain stream socket.
|
|
+## Connect to setroubleshootd over a unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -23,9 +22,8 @@ interface(`setroubleshoot_stream_connect',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to connect to
|
|
-## setroubleshootd with a unix
|
|
-## domain stream socket.
|
|
+## Dontaudit attempts to connect to setroubleshootd
|
|
+## over a unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -107,8 +105,27 @@ interface(`setroubleshoot_dbus_chat_fixit',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an setroubleshoot environment.
|
|
+## Dontaudit read/write to a setroubleshoot leaked sockets.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`setroubleshoot_fixit_dontaudit_leaks',`
|
|
+ gen_require(`
|
|
+ type setroubleshoot_fixit_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 setroubleshoot_fixit_t:unix_dgram_socket { read write };
|
|
+ dontaudit $1 setroubleshoot_fixit_t:unix_stream_socket { read write };
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an setroubleshoot environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -119,12 +136,15 @@ interface(`setroubleshoot_dbus_chat_fixit',`
|
|
#
|
|
interface(`setroubleshoot_admin',`
|
|
gen_require(`
|
|
- type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_fixit_t;
|
|
- type setroubleshoot_var_lib_t, setroubleshoot_var_run_t;
|
|
+ type setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_run_t;
|
|
+ type setroubleshoot_var_lib_t;
|
|
')
|
|
|
|
- allow $1 { setroubleshoot_fixit_t setroubleshootd_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { setroubleshootd_t setroubleshoot_fixit_t })
|
|
+ allow $1 setroubleshootd_t:process signal_perms;
|
|
+ ps_process_pattern($1, setroubleshootd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 setroubleshootd_t:process ptrace;
|
|
+ ')
|
|
|
|
logging_list_logs($1)
|
|
admin_pattern($1, setroubleshoot_var_log_t)
|
|
diff --git a/setroubleshoot.te b/setroubleshoot.te
|
|
index ce67935..b58792f 100644
|
|
--- a/setroubleshoot.te
|
|
+++ b/setroubleshoot.te
|
|
@@ -7,43 +7,50 @@ policy_module(setroubleshoot, 1.12.1)
|
|
|
|
type setroubleshootd_t alias setroubleshoot_t;
|
|
type setroubleshootd_exec_t;
|
|
-init_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
|
|
+domain_type(setroubleshootd_t)
|
|
+init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
|
|
|
|
type setroubleshoot_fixit_t;
|
|
type setroubleshoot_fixit_exec_t;
|
|
-init_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
|
|
+init_daemon_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
|
|
|
|
type setroubleshoot_var_lib_t;
|
|
files_type(setroubleshoot_var_lib_t)
|
|
|
|
+# log files
|
|
type setroubleshoot_var_log_t;
|
|
logging_log_file(setroubleshoot_var_log_t)
|
|
|
|
+# pid files
|
|
type setroubleshoot_var_run_t;
|
|
files_pid_file(setroubleshoot_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# setroubleshootd local policy
|
|
#
|
|
|
|
allow setroubleshootd_t self:capability { dac_override sys_nice sys_ptrace sys_tty_config };
|
|
-allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal execmem execstack };
|
|
+allow setroubleshootd_t self:process { getattr getsched setsched sigkill signull signal };
|
|
+# if bad library causes setroubleshoot to require these, we want to give it so setroubleshoot can continue to run
|
|
+allow setroubleshootd_t self:process { execmem execstack };
|
|
allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
|
|
-allow setroubleshootd_t self:tcp_socket { accept listen };
|
|
-allow setroubleshootd_t self:unix_stream_socket { accept connectto listen };
|
|
+allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
|
|
+allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
+allow setroubleshootd_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
-allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr_dir_perms;
|
|
+# database files
|
|
+allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
|
|
manage_files_pattern(setroubleshootd_t, setroubleshoot_var_lib_t, setroubleshoot_var_lib_t)
|
|
files_var_lib_filetrans(setroubleshootd_t, setroubleshoot_var_lib_t, { file dir })
|
|
|
|
-allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr_dir_perms;
|
|
-append_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
|
|
-create_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
|
|
-setattr_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
|
|
+# log files
|
|
+allow setroubleshootd_t setroubleshoot_var_log_t:dir setattr;
|
|
+manage_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
|
|
manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_log_t, setroubleshoot_var_log_t)
|
|
logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir })
|
|
|
|
+# pid file
|
|
manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
|
|
manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
|
|
manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t)
|
|
@@ -61,14 +68,13 @@ corecmd_exec_bin(setroubleshootd_t)
|
|
corecmd_exec_shell(setroubleshootd_t)
|
|
corecmd_read_all_executables(setroubleshootd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(setroubleshootd_t)
|
|
corenet_all_recvfrom_netlabel(setroubleshootd_t)
|
|
corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
|
|
corenet_tcp_sendrecv_generic_node(setroubleshootd_t)
|
|
-
|
|
-corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
|
|
+corenet_tcp_sendrecv_all_ports(setroubleshootd_t)
|
|
+corenet_tcp_bind_generic_node(setroubleshootd_t)
|
|
corenet_tcp_connect_smtp_port(setroubleshootd_t)
|
|
-corenet_tcp_sendrecv_smtp_port(setroubleshootd_t)
|
|
+corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
|
|
|
|
dev_read_urand(setroubleshootd_t)
|
|
dev_read_sysfs(setroubleshootd_t)
|
|
@@ -76,10 +82,9 @@ dev_getattr_all_blk_files(setroubleshootd_t)
|
|
dev_getattr_all_chr_files(setroubleshootd_t)
|
|
dev_getattr_mtrr_dev(setroubleshootd_t)
|
|
|
|
-domain_dontaudit_search_all_domains_state(setroubleshootd_t)
|
|
+domain_read_all_domains_state(setroubleshootd_t)
|
|
domain_signull_all_domains(setroubleshootd_t)
|
|
|
|
-files_read_usr_files(setroubleshootd_t)
|
|
files_list_all(setroubleshootd_t)
|
|
files_getattr_all_files(setroubleshootd_t)
|
|
files_getattr_all_pipes(setroubleshootd_t)
|
|
@@ -109,27 +114,24 @@ init_read_utmp(setroubleshootd_t)
|
|
init_dontaudit_write_utmp(setroubleshootd_t)
|
|
|
|
libs_exec_ld_so(setroubleshootd_t)
|
|
+libs_exec_ldconfig(setroubleshootd_t)
|
|
|
|
locallogin_dontaudit_use_fds(setroubleshootd_t)
|
|
|
|
logging_send_audit_msgs(setroubleshootd_t)
|
|
logging_send_syslog_msg(setroubleshootd_t)
|
|
logging_stream_connect_dispatcher(setroubleshootd_t)
|
|
+logging_stream_connect_syslog(setroubleshootd_t)
|
|
|
|
-miscfiles_read_localization(setroubleshootd_t)
|
|
-
|
|
+seutil_read_bin_policy(setroubleshootd_t)
|
|
seutil_read_config(setroubleshootd_t)
|
|
+seutil_read_default_contexts(setroubleshootd_t)
|
|
seutil_read_file_contexts(setroubleshootd_t)
|
|
-seutil_read_bin_policy(setroubleshootd_t)
|
|
|
|
userdom_dontaudit_read_user_home_content_files(setroubleshootd_t)
|
|
|
|
optional_policy(`
|
|
- dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
|
|
-
|
|
- optional_policy(`
|
|
- abrt_dbus_chat(setroubleshootd_t)
|
|
- ')
|
|
+ abrt_dbus_chat(setroubleshootd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -137,10 +139,18 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ mock_getattr_lib(setroubleshootd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
modutils_read_module_config(setroubleshootd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
rpm_exec(setroubleshootd_t)
|
|
rpm_signull(setroubleshootd_t)
|
|
rpm_read_db(setroubleshootd_t)
|
|
@@ -150,26 +160,36 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Fixit local policy
|
|
+# setroubleshoot_fixit local policy
|
|
#
|
|
|
|
allow setroubleshoot_fixit_t self:capability sys_nice;
|
|
allow setroubleshoot_fixit_t self:process { setsched getsched };
|
|
+dontaudit setroubleshoot_fixit_t self:process execmem;
|
|
allow setroubleshoot_fixit_t self:fifo_file rw_fifo_file_perms;
|
|
+allow setroubleshoot_fixit_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
allow setroubleshoot_fixit_t setroubleshootd_t:process signull;
|
|
|
|
+setroubleshoot_dbus_chat(setroubleshoot_fixit_t)
|
|
setroubleshoot_stream_connect(setroubleshoot_fixit_t)
|
|
|
|
kernel_read_system_state(setroubleshoot_fixit_t)
|
|
+kernel_read_network_state(setroubleshoot_fixit_t)
|
|
|
|
corecmd_exec_bin(setroubleshoot_fixit_t)
|
|
corecmd_exec_shell(setroubleshoot_fixit_t)
|
|
corecmd_getattr_all_executables(setroubleshoot_fixit_t)
|
|
|
|
+dev_read_sysfs(setroubleshoot_fixit_t)
|
|
+dev_read_urand(setroubleshoot_fixit_t)
|
|
+
|
|
+selinux_read_policy(setroubleshoot_fixit_t)
|
|
+
|
|
seutil_domtrans_setfiles(setroubleshoot_fixit_t)
|
|
+seutil_domtrans_setsebool(setroubleshoot_fixit_t)
|
|
+seutil_read_module_store(setroubleshoot_fixit_t)
|
|
|
|
-files_read_usr_files(setroubleshoot_fixit_t)
|
|
files_list_tmp(setroubleshoot_fixit_t)
|
|
|
|
auth_use_nsswitch(setroubleshoot_fixit_t)
|
|
@@ -177,23 +197,26 @@ auth_use_nsswitch(setroubleshoot_fixit_t)
|
|
logging_send_audit_msgs(setroubleshoot_fixit_t)
|
|
logging_send_syslog_msg(setroubleshoot_fixit_t)
|
|
|
|
-miscfiles_read_localization(setroubleshoot_fixit_t)
|
|
-
|
|
-userdom_read_all_users_state(setroubleshoot_fixit_t)
|
|
+userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t)
|
|
userdom_signull_unpriv_users(setroubleshoot_fixit_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)
|
|
- setroubleshoot_dbus_chat(setroubleshoot_fixit_t)
|
|
+')
|
|
|
|
- optional_policy(`
|
|
- policykit_dbus_chat(setroubleshoot_fixit_t)
|
|
- ')
|
|
+optional_policy(`
|
|
+ gnome_dontaudit_search_config(setroubleshoot_fixit_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ rpm_exec(setroubleshoot_fixit_t)
|
|
rpm_signull(setroubleshoot_fixit_t)
|
|
rpm_read_db(setroubleshoot_fixit_t)
|
|
rpm_dontaudit_manage_db(setroubleshoot_fixit_t)
|
|
rpm_use_script_fds(setroubleshoot_fixit_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ policykit_dbus_chat(setroubleshoot_fixit_t)
|
|
+ userdom_read_all_users_state(setroubleshoot_fixit_t)
|
|
+')
|
|
diff --git a/sge.fc b/sge.fc
|
|
new file mode 100644
|
|
index 0000000..160ddc2
|
|
--- /dev/null
|
|
+++ b/sge.fc
|
|
@@ -0,0 +1,6 @@
|
|
+
|
|
+/usr/bin/sge_execd -- gen_context(system_u:object_r:sge_execd_exec_t,s0)
|
|
+/usr/bin/sge_shepherd -- gen_context(system_u:object_r:sge_shepherd_exec_t,s0)
|
|
+
|
|
+/var/spool/gridengine(/.*)? gen_context(system_u:object_r:sge_spool_t,s0)
|
|
+
|
|
diff --git a/sge.if b/sge.if
|
|
new file mode 100644
|
|
index 0000000..c9d2d9c
|
|
--- /dev/null
|
|
+++ b/sge.if
|
|
@@ -0,0 +1,24 @@
|
|
+## <summary>Policy for gridengine MPI jobs</summary>
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Creates types and rules for a basic
|
|
+## sge domain.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## Prefix for the domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`sge_basic_types_template',`
|
|
+ gen_require(`
|
|
+ attribute sge_domain;
|
|
+ ')
|
|
+
|
|
+ type $1_t, sge_domain;
|
|
+ type $1_exec_t;
|
|
+
|
|
+ kernel_read_system_state($1_t)
|
|
+')
|
|
+
|
|
diff --git a/sge.te b/sge.te
|
|
new file mode 100644
|
|
index 0000000..af30acf
|
|
--- /dev/null
|
|
+++ b/sge.te
|
|
@@ -0,0 +1,195 @@
|
|
+policy_module(sge, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow sge to access nfs file systems.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(sge_use_nfs, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow sge to connect to the network using any TCP port
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(sge_domain_can_network_connect, false)
|
|
+
|
|
+attribute sge_domain;
|
|
+
|
|
+sge_basic_types_template(sge_execd)
|
|
+init_daemon_domain(sge_execd_t, sge_execd_exec_t)
|
|
+
|
|
+type sge_spool_t;
|
|
+files_type(sge_spool_t)
|
|
+
|
|
+type sge_tmp_t;
|
|
+files_tmp_file(sge_tmp_t)
|
|
+
|
|
+sge_basic_types_template(sge_shepherd)
|
|
+application_domain(sge_shepherd_t, sge_shepherd_exec_t)
|
|
+role system_r types sge_shepherd_t;
|
|
+
|
|
+sge_basic_types_template(sge_job)
|
|
+application_domain(sge_job_t, sge_job_exec_t)
|
|
+corecmd_shell_entry_type(sge_job_t)
|
|
+role system_r types sge_job_t;
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# sge_execd local policy
|
|
+#
|
|
+
|
|
+allow sge_execd_t self:capability { dac_override kill setuid chown setgid };
|
|
+allow sge_execd_t self:process { setsched signal setpgid };
|
|
+
|
|
+allow sge_execd_t sge_shepherd_t:process signal;
|
|
+
|
|
+kernel_read_kernel_sysctls(sge_execd_t)
|
|
+
|
|
+corenet_tcp_bind_sge_port(sge_execd_t)
|
|
+corenet_tcp_connect_sge_port(sge_execd_t)
|
|
+
|
|
+dev_read_sysfs(sge_execd_t)
|
|
+
|
|
+files_exec_usr_files(sge_execd_t)
|
|
+files_search_spool(sge_execd_t)
|
|
+
|
|
+fs_getattr_xattr_fs(sge_execd_t)
|
|
+fs_read_cgroup_files(sge_execd_t)
|
|
+
|
|
+auth_use_nsswitch(sge_execd_t)
|
|
+
|
|
+logging_send_syslog_msg(sge_execd_t)
|
|
+
|
|
+init_read_utmp(sge_execd_t)
|
|
+
|
|
+optional_policy(`
|
|
+ sendmail_domtrans(sge_execd_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+#
|
|
+# sge_shepherd local policy
|
|
+#
|
|
+
|
|
+allow sge_shepherd_t self:capability { setuid sys_nice chown kill setgid dac_override };
|
|
+allow sge_shepherd_t self:process { setsched setrlimit setpgid };
|
|
+allow sge_shepherd_t self:process signal_perms;
|
|
+
|
|
+domtrans_pattern(sge_execd_t, sge_shepherd_exec_t, sge_shepherd_t)
|
|
+
|
|
+kernel_read_sysctl(sge_shepherd_t)
|
|
+kernel_read_kernel_sysctls(sge_shepherd_t)
|
|
+
|
|
+dev_read_sysfs(sge_shepherd_t)
|
|
+
|
|
+fs_getattr_all_fs(sge_shepherd_t)
|
|
+
|
|
+logging_send_syslog_msg(sge_shepherd_t)
|
|
+
|
|
+optional_policy(`
|
|
+ mta_send_mail(sge_shepherd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ssh_domtrans(sge_shepherd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_domain(sge_shepherd_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+#
|
|
+# sge_job local policy
|
|
+#
|
|
+
|
|
+allow sge_shepherd_t sge_job_t:process signal_perms;
|
|
+
|
|
+corecmd_shell_domtrans(sge_shepherd_t, sge_job_t)
|
|
+
|
|
+kernel_read_kernel_sysctls(sge_job_t)
|
|
+
|
|
+term_use_all_terms(sge_job_t)
|
|
+
|
|
+logging_send_syslog_msg(sge_job_t)
|
|
+
|
|
+optional_policy(`
|
|
+ ssh_basic_client_template(sge_job, sge_job_t, system_r)
|
|
+ ssh_domtrans(sge_job_t)
|
|
+
|
|
+ allow sge_job_t sge_job_ssh_t:process sigkill;
|
|
+ allow sge_shepherd_t sge_job_ssh_t:process sigkill;
|
|
+
|
|
+ xserver_exec_xauth(sge_job_ssh_t)
|
|
+
|
|
+ tunable_policy(`sge_use_nfs',`
|
|
+ fs_list_auto_mountpoints(sge_job_ssh_t)
|
|
+ fs_manage_nfs_dirs(sge_job_ssh_t)
|
|
+ fs_manage_nfs_files(sge_job_ssh_t)
|
|
+ fs_read_nfs_symlinks(sge_job_ssh_t)
|
|
+ ')
|
|
+ ')
|
|
+
|
|
+optional_policy(`
|
|
+ xserver_domtrans_xauth(sge_job_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_domain(sge_job_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+#
|
|
+# sge_domain local policy
|
|
+#
|
|
+
|
|
+allow sge_domain self:fifo_file rw_fifo_file_perms;
|
|
+allow sge_domain self:tcp_socket create_stream_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(sge_domain, sge_spool_t, sge_spool_t)
|
|
+manage_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
|
|
+manage_lnk_files_pattern(sge_domain, sge_spool_t, sge_spool_t)
|
|
+
|
|
+manage_files_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
|
|
+manage_dirs_pattern(sge_domain, sge_tmp_t, sge_tmp_t)
|
|
+files_tmp_filetrans(sge_domain, sge_tmp_t, { file dir })
|
|
+
|
|
+kernel_read_network_state(sge_domain)
|
|
+
|
|
+corecmd_exec_bin(sge_domain)
|
|
+corecmd_exec_shell(sge_domain)
|
|
+
|
|
+domain_read_all_domains_state(sge_domain)
|
|
+
|
|
+
|
|
+dev_read_urand(sge_domain)
|
|
+
|
|
+tunable_policy(`sge_domain_can_network_connect',`
|
|
+ corenet_tcp_connect_all_ports(sge_domain)
|
|
+')
|
|
+
|
|
+tunable_policy(`sge_use_nfs',`
|
|
+ fs_list_auto_mountpoints(sge_domain)
|
|
+ fs_manage_nfs_dirs(sge_domain)
|
|
+ fs_manage_nfs_files(sge_domain)
|
|
+ fs_read_nfs_symlinks(sge_domain)
|
|
+ fs_exec_nfs_files(sge_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ sysnet_dns_name_resolve(sge_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ hostname_exec(sge_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ nslcd_stream_connect(sge_domain)
|
|
+')
|
|
diff --git a/shorewall.if b/shorewall.if
|
|
index 1aeef8a..d5ce40a 100644
|
|
--- a/shorewall.if
|
|
+++ b/shorewall.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>Shoreline Firewall high-level tool for configuring netfilter.</summary>
|
|
+## <summary>Shoreline Firewall high-level tool for configuring netfilter</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -15,7 +15,6 @@ interface(`shorewall_domtrans',`
|
|
type shorewall_t, shorewall_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, shorewall_exec_t, shorewall_t)
|
|
')
|
|
|
|
@@ -34,13 +33,12 @@ interface(`shorewall_lib_domtrans',`
|
|
type shorewall_t, shorewall_var_lib_t;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
domtrans_pattern($1, shorewall_var_lib_t, shorewall_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Read shorewall configuration files.
|
|
+## Read shorewall etc configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -57,47 +55,9 @@ interface(`shorewall_read_config',`
|
|
read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
|
|
')
|
|
|
|
-#######################################
|
|
-## <summary>
|
|
-## Read shorewall pid files.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`shorewall_read_pid_files',`
|
|
- gen_require(`
|
|
- type shorewall_var_run_t;
|
|
- ')
|
|
-
|
|
- files_search_pids($1)
|
|
- read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
|
|
-')
|
|
-
|
|
-#######################################
|
|
-## <summary>
|
|
-## Read and write shorewall pid files.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`shorewall_rw_pid_files',`
|
|
- gen_require(`
|
|
- type shorewall_var_run_t;
|
|
- ')
|
|
-
|
|
- files_search_pids($1)
|
|
- rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
|
|
-')
|
|
-
|
|
######################################
|
|
## <summary>
|
|
-## Read shorewall lib files.
|
|
+## Read shorewall /var/lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -106,36 +66,38 @@ interface(`shorewall_rw_pid_files',`
|
|
## </param>
|
|
#
|
|
interface(`shorewall_read_lib_files',`
|
|
- gen_require(`
|
|
+ gen_require(`
|
|
type shorewall_var_lib_t;
|
|
- ')
|
|
+ ')
|
|
|
|
- files_search_var_lib($1)
|
|
- read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
|
|
+ files_search_var_lib($1)
|
|
+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
|
|
+ read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Read and write shorewall lib files.
|
|
+## Read and write shorewall /var/lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`shorewall_rw_lib_files',`
|
|
- gen_require(`
|
|
- type shorewall_var_lib_t;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type shorewall_var_lib_t;
|
|
+ ')
|
|
|
|
- files_search_var_lib($1)
|
|
- rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
|
|
+ files_search_var_lib($1)
|
|
+ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
|
|
+ rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Read shorewall temporary files.
|
|
+## Read shorewall tmp files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -154,8 +116,8 @@ interface(`shorewall_read_tmp_files',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an shorewall environment.
|
|
+## All of the rules required to administrate
|
|
+## an shorewall environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -164,28 +126,30 @@ interface(`shorewall_read_tmp_files',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the syslog domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`shorewall_admin',`
|
|
gen_require(`
|
|
- type shorewall_t, shorewall_lock_t, shorewall_log_t;
|
|
- type shorewall_exec_t, shorewall_initrc_exec_t, shorewall_var_lib_t;
|
|
+ type shorewall_t, shorewall_lock_t;
|
|
+ type shorewall_log_t;
|
|
+ type shorewall_initrc_exec_t, shorewall_var_lib_t;
|
|
type shorewall_tmp_t, shorewall_etc_t;
|
|
')
|
|
|
|
- allow $1 shorewall_t:process { ptrace signal_perms };
|
|
+ allow $1 shorewall_t:process signal_perms;
|
|
ps_process_pattern($1, shorewall_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 shorewall_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 shorewall_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- can_exec($1, shorewall_exec_t)
|
|
-
|
|
files_list_etc($1)
|
|
admin_pattern($1, shorewall_etc_t)
|
|
|
|
diff --git a/shorewall.te b/shorewall.te
|
|
index 7710b9f..76a2c97 100644
|
|
--- a/shorewall.te
|
|
+++ b/shorewall.te
|
|
@@ -44,9 +44,7 @@ manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t)
|
|
files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
|
|
|
|
manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
|
|
-append_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
|
|
-create_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
|
|
-setattr_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
|
|
+manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
|
|
logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir })
|
|
|
|
manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
|
|
@@ -57,6 +55,9 @@ exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
|
|
manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
|
|
manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
|
|
files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
|
|
+allow shorewall_t shorewall_var_lib_t:file entrypoint;
|
|
+
|
|
+allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
|
|
|
|
allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
|
|
|
|
@@ -74,7 +75,6 @@ dev_read_urand(shorewall_t)
|
|
domain_read_all_domains_state(shorewall_t)
|
|
|
|
files_getattr_kernel_modules(shorewall_t)
|
|
-files_read_usr_files(shorewall_t)
|
|
files_search_kernel_modules(shorewall_t)
|
|
|
|
fs_getattr_all_fs(shorewall_t)
|
|
@@ -86,12 +86,11 @@ init_rw_utmp(shorewall_t)
|
|
logging_read_generic_logs(shorewall_t)
|
|
logging_send_syslog_msg(shorewall_t)
|
|
|
|
-miscfiles_read_localization(shorewall_t)
|
|
-
|
|
sysnet_domtrans_ifconfig(shorewall_t)
|
|
|
|
-userdom_dontaudit_list_user_home_dirs(shorewall_t)
|
|
-userdom_use_user_terminals(shorewall_t)
|
|
+userdom_dontaudit_list_admin_dir(shorewall_t)
|
|
+userdom_use_inherited_user_ttys(shorewall_t)
|
|
+userdom_use_inherited_user_ptys(shorewall_t)
|
|
|
|
optional_policy(`
|
|
brctl_domtrans(shorewall_t)
|
|
diff --git a/shutdown.fc b/shutdown.fc
|
|
index a91f33b..631dbc1 100644
|
|
--- a/shutdown.fc
|
|
+++ b/shutdown.fc
|
|
@@ -8,4 +8,4 @@
|
|
|
|
/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
|
|
|
|
-/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
|
|
+/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
|
|
diff --git a/shutdown.if b/shutdown.if
|
|
index d1706bf..87ab4a7 100644
|
|
--- a/shutdown.if
|
|
+++ b/shutdown.if
|
|
@@ -1,30 +1,4 @@
|
|
-## <summary>System shutdown command.</summary>
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Role access for shutdown.
|
|
-## </summary>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## User domain for the role.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`shutdown_role',`
|
|
- gen_require(`
|
|
- type shutdown_t;
|
|
- ')
|
|
-
|
|
- shutdown_run($2, $1)
|
|
-
|
|
- allow $2 shutdown_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($2, shutdown_t)
|
|
-')
|
|
+## <summary>System shutdown command</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -43,13 +17,26 @@ interface(`shutdown_domtrans',`
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, shutdown_exec_t, shutdown_t)
|
|
+
|
|
+ init_reboot($1)
|
|
+ init_halt($1)
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_exec_systemctl($1)
|
|
+ init_stream_connect($1)
|
|
+ systemd_login_reboot($1)
|
|
+ systemd_login_halt($1)
|
|
+ ')
|
|
+
|
|
+ ifdef(`hide_broken_symptoms', `
|
|
+ dontaudit shutdown_t $1:fifo_file rw_inherited_fifo_file_perms;
|
|
+ ')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute shutdown in the shutdown
|
|
-## domain, and allow the specified role
|
|
-## the shutdown domain.
|
|
+## Execute shutdown in the shutdown domain, and
|
|
+## allow the specified role the shutdown domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -64,16 +51,62 @@ interface(`shutdown_domtrans',`
|
|
#
|
|
interface(`shutdown_run',`
|
|
gen_require(`
|
|
+ type shutdown_t;
|
|
attribute_role shutdown_roles;
|
|
')
|
|
|
|
- shutdown_domtrans($1)
|
|
- roleattribute $2 shutdown_roles;
|
|
+ shutdown_domtrans($1)
|
|
+ roleattribute $2 shutdown_roles;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send generic signals to shutdown.
|
|
+## Role access for shutdown
|
|
+## </summary>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## User domain for the role
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`shutdown_role',`
|
|
+ gen_require(`
|
|
+ type shutdown_t;
|
|
+ ')
|
|
+
|
|
+ shutdown_run($2, $1)
|
|
+
|
|
+ allow $2 shutdown_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($2, shutdown_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Recieve sigchld from shutdown
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`shutdown_send_sigchld',`
|
|
+ gen_require(`
|
|
+ type shutdown_t;
|
|
+ ')
|
|
+
|
|
+ allow shutdown_t $1:process signal;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send and receive messages from
|
|
+## shutdown over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -81,17 +114,19 @@ interface(`shutdown_run',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`shutdown_signal',`
|
|
+interface(`shutdown_dbus_chat',`
|
|
gen_require(`
|
|
type shutdown_t;
|
|
+ class dbus send_msg;
|
|
')
|
|
|
|
- allow shutdown_t $1:process signal;
|
|
+ allow $1 shutdown_t:dbus send_msg;
|
|
+ allow shutdown_t $1:dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Get attributes of shutdown executable files.
|
|
+## Get attributes of shutdown executable.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
diff --git a/shutdown.te b/shutdown.te
|
|
index e2544e1..d3fbd78 100644
|
|
--- a/shutdown.te
|
|
+++ b/shutdown.te
|
|
@@ -44,7 +44,7 @@ files_read_generic_pids(shutdown_t)
|
|
|
|
mls_file_write_to_clearance(shutdown_t)
|
|
|
|
-term_use_all_terms(shutdown_t)
|
|
+term_use_all_inherited_terms(shutdown_t)
|
|
|
|
auth_use_nsswitch(shutdown_t)
|
|
auth_write_login_records(shutdown_t)
|
|
@@ -56,8 +56,6 @@ init_telinit(shutdown_t)
|
|
logging_search_logs(shutdown_t)
|
|
logging_send_audit_msgs(shutdown_t)
|
|
|
|
-miscfiles_read_localization(shutdown_t)
|
|
-
|
|
optional_policy(`
|
|
cron_system_entry(shutdown_t, shutdown_exec_t)
|
|
')
|
|
@@ -68,10 +66,15 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- oddjob_dontaudit_rw_fifo_files(shutdown_t)
|
|
- oddjob_sigchld(shutdown_t)
|
|
+ oddjob_dontaudit_rw_fifo_file(shutdown_t)
|
|
+ oddjob_sigchld(shutdown_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rhev_sigchld_agentd(shutdown_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_dontaudit_write_log(shutdown_t)
|
|
+ xserver_xdm_append_log(shutdown_t)
|
|
')
|
|
diff --git a/slocate.te b/slocate.te
|
|
index 7292dc0..41c780f 100644
|
|
--- a/slocate.te
|
|
+++ b/slocate.te
|
|
@@ -62,7 +62,6 @@ fs_read_noxattr_fs_symlinks(locate_t)
|
|
|
|
auth_use_nsswitch(locate_t)
|
|
|
|
-miscfiles_read_localization(locate_t)
|
|
|
|
ifdef(`enable_mls',`
|
|
files_dontaudit_getattr_all_dirs(locate_t)
|
|
diff --git a/slpd.if b/slpd.if
|
|
index ca32e89..98278dd 100644
|
|
--- a/slpd.if
|
|
+++ b/slpd.if
|
|
@@ -2,6 +2,43 @@
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Transition to slpd.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`slpd_domtrans',`
|
|
+ gen_require(`
|
|
+ type slpd_t, slpd_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, slpd_exec_t, slpd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute slpd server in the slpd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`slpd_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type slpd_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, slpd_initrc_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## All of the rules required to
|
|
## administrate an slpd environment.
|
|
## </summary>
|
|
@@ -26,7 +63,7 @@ interface(`slpd_admin',`
|
|
allow $1 slpd_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, slpd_t)
|
|
|
|
- init_labeled_script_domtrans($1, slpd_initrc_exec_t)
|
|
+ slpd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 slpd_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
@@ -36,4 +73,10 @@ interface(`slpd_admin',`
|
|
|
|
files_search_pids($1)
|
|
admin_pattern($1, slpd_var_run_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+
|
|
')
|
|
diff --git a/slpd.te b/slpd.te
|
|
index 731512a..645dad6 100644
|
|
--- a/slpd.te
|
|
+++ b/slpd.te
|
|
@@ -50,6 +50,10 @@ corenet_sendrecv_svrloc_server_packets(slpd_t)
|
|
corenet_tcp_bind_svrloc_port(slpd_t)
|
|
corenet_udp_bind_svrloc_port(slpd_t)
|
|
|
|
+corenet_udp_bind_dhcpc_port(slpd_t)
|
|
+
|
|
+dev_read_urand(slpd_t)
|
|
+
|
|
auth_use_nsswitch(slpd_t)
|
|
|
|
-miscfiles_read_localization(slpd_t)
|
|
+sysnet_dns_name_resolve(slpd_t)
|
|
diff --git a/slrnpull.te b/slrnpull.te
|
|
index 59eb07f..4626942 100644
|
|
--- a/slrnpull.te
|
|
+++ b/slrnpull.te
|
|
@@ -13,7 +13,7 @@ type slrnpull_var_run_t;
|
|
files_pid_file(slrnpull_var_run_t)
|
|
|
|
type slrnpull_spool_t;
|
|
-files_type(slrnpull_spool_t)
|
|
+files_spool_file(slrnpull_spool_t)
|
|
|
|
type slrnpull_log_t;
|
|
logging_log_file(slrnpull_log_t)
|
|
@@ -44,7 +44,6 @@ dev_read_sysfs(slrnpull_t)
|
|
|
|
domain_use_interactive_fds(slrnpull_t)
|
|
|
|
-files_read_etc_files(slrnpull_t)
|
|
files_search_spool(slrnpull_t)
|
|
|
|
fs_getattr_all_fs(slrnpull_t)
|
|
@@ -52,8 +51,6 @@ fs_search_auto_mountpoints(slrnpull_t)
|
|
|
|
logging_send_syslog_msg(slrnpull_t)
|
|
|
|
-miscfiles_read_localization(slrnpull_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(slrnpull_t)
|
|
userdom_dontaudit_search_user_home_dirs(slrnpull_t)
|
|
|
|
diff --git a/smartmon.if b/smartmon.if
|
|
index e0644b5..ea347cc 100644
|
|
--- a/smartmon.if
|
|
+++ b/smartmon.if
|
|
@@ -42,9 +42,13 @@ interface(`smartmon_admin',`
|
|
type fsdaemon_var_lib_t, fsdaemon_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 fsdaemon_t:process { ptrace signal_perms };
|
|
+ allow $1 fsdaemon_t:process signal_perms;
|
|
ps_process_pattern($1, fsdaemon_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 fsdaemon_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, fsdaemon_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 fsdaemon_initrc_exec_t system_r;
|
|
diff --git a/smartmon.te b/smartmon.te
|
|
index 9cf6582..bc33dd7 100644
|
|
--- a/smartmon.te
|
|
+++ b/smartmon.te
|
|
@@ -60,21 +60,27 @@ kernel_read_system_state(fsdaemon_t)
|
|
|
|
corecmd_exec_all_executables(fsdaemon_t)
|
|
|
|
+corenet_all_recvfrom_netlabel(fsdaemon_t)
|
|
+corenet_udp_sendrecv_generic_if(fsdaemon_t)
|
|
+corenet_udp_sendrecv_generic_node(fsdaemon_t)
|
|
+corenet_udp_sendrecv_all_ports(fsdaemon_t)
|
|
+
|
|
dev_read_sysfs(fsdaemon_t)
|
|
dev_read_urand(fsdaemon_t)
|
|
|
|
domain_use_interactive_fds(fsdaemon_t)
|
|
|
|
files_exec_etc_files(fsdaemon_t)
|
|
-files_read_etc_files(fsdaemon_t)
|
|
files_read_etc_runtime_files(fsdaemon_t)
|
|
-files_read_usr_files(fsdaemon_t)
|
|
|
|
fs_getattr_all_fs(fsdaemon_t)
|
|
fs_search_auto_mountpoints(fsdaemon_t)
|
|
+fs_read_removable_files(fsdaemon_t)
|
|
|
|
mls_file_read_all_levels(fsdaemon_t)
|
|
|
|
+storage_create_fixed_disk_dev(fsdaemon_t)
|
|
+storage_dev_filetrans_named_fixed_disk(fsdaemon_t)
|
|
storage_raw_read_fixed_disk(fsdaemon_t)
|
|
storage_raw_write_fixed_disk(fsdaemon_t)
|
|
storage_raw_read_removable_device(fsdaemon_t)
|
|
@@ -83,7 +89,9 @@ storage_write_scsi_generic(fsdaemon_t)
|
|
|
|
term_dontaudit_search_ptys(fsdaemon_t)
|
|
|
|
-application_signull(fsdaemon_t)
|
|
+domain_signull_all_domains(fsdaemon_t)
|
|
+
|
|
+auth_read_passwd(fsdaemon_t)
|
|
|
|
init_read_utmp(fsdaemon_t)
|
|
|
|
@@ -92,12 +100,13 @@ libs_exec_lib_files(fsdaemon_t)
|
|
|
|
logging_send_syslog_msg(fsdaemon_t)
|
|
|
|
-miscfiles_read_localization(fsdaemon_t)
|
|
+seutil_sigchld_newrole(fsdaemon_t)
|
|
|
|
sysnet_dns_name_resolve(fsdaemon_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(fsdaemon_t)
|
|
userdom_dontaudit_search_user_home_dirs(fsdaemon_t)
|
|
+userdom_use_user_ptys(fsdaemon_t)
|
|
|
|
tunable_policy(`smartmon_3ware',`
|
|
allow fsdaemon_t self:process setfscreate;
|
|
@@ -116,9 +125,9 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- seutil_sigchld_newrole(fsdaemon_t)
|
|
+ udev_read_db(fsdaemon_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- udev_read_db(fsdaemon_t)
|
|
+ virt_read_images(fsdaemon_t)
|
|
')
|
|
diff --git a/smokeping.if b/smokeping.if
|
|
index 1fa51c1..82e111c 100644
|
|
--- a/smokeping.if
|
|
+++ b/smokeping.if
|
|
@@ -158,8 +158,11 @@ interface(`smokeping_admin',`
|
|
type smokeping_var_run_t;
|
|
')
|
|
|
|
- allow $1 smokeping_t:process { ptrace signal_perms };
|
|
+ allow $1 smokeping_t:process signal_perms;
|
|
ps_process_pattern($1, smokeping_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 smokeping_t:process ptrace;
|
|
+ ')
|
|
|
|
smokeping_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff --git a/smokeping.te b/smokeping.te
|
|
index ec031a0..ebf575f 100644
|
|
--- a/smokeping.te
|
|
+++ b/smokeping.te
|
|
@@ -24,6 +24,7 @@ files_type(smokeping_var_lib_t)
|
|
#
|
|
|
|
dontaudit smokeping_t self:capability { dac_read_search dac_override };
|
|
+allow smokeping_t self:process signal_perms;
|
|
allow smokeping_t self:fifo_file rw_fifo_file_perms;
|
|
allow smokeping_t self:unix_stream_socket { accept listen };
|
|
|
|
@@ -39,7 +40,6 @@ corecmd_exec_bin(smokeping_t)
|
|
|
|
dev_read_urand(smokeping_t)
|
|
|
|
-files_read_usr_files(smokeping_t)
|
|
files_search_tmp(smokeping_t)
|
|
|
|
auth_use_nsswitch(smokeping_t)
|
|
@@ -47,8 +47,6 @@ auth_dontaudit_read_shadow(smokeping_t)
|
|
|
|
logging_send_syslog_msg(smokeping_t)
|
|
|
|
-miscfiles_read_localization(smokeping_t)
|
|
-
|
|
mta_send_mail(smokeping_t)
|
|
|
|
netutils_domtrans_ping(smokeping_t)
|
|
@@ -70,6 +68,8 @@ optional_policy(`
|
|
files_search_tmp(httpd_smokeping_cgi_script_t)
|
|
files_search_var_lib(httpd_smokeping_cgi_script_t)
|
|
|
|
+ auth_read_passwd(httpd_smokeping_cgi_script_t)
|
|
+
|
|
sysnet_dns_name_resolve(httpd_smokeping_cgi_script_t)
|
|
|
|
netutils_domtrans_ping(httpd_smokeping_cgi_script_t)
|
|
diff --git a/smoltclient.te b/smoltclient.te
|
|
index b3f2c6f..68f17c1 100644
|
|
--- a/smoltclient.te
|
|
+++ b/smoltclient.te
|
|
@@ -51,14 +51,12 @@ fs_list_auto_mountpoints(smoltclient_t)
|
|
|
|
files_getattr_generic_locks(smoltclient_t)
|
|
files_read_etc_runtime_files(smoltclient_t)
|
|
-files_read_usr_files(smoltclient_t)
|
|
|
|
auth_use_nsswitch(smoltclient_t)
|
|
|
|
logging_send_syslog_msg(smoltclient_t)
|
|
|
|
miscfiles_read_hwdata(smoltclient_t)
|
|
-miscfiles_read_localization(smoltclient_t)
|
|
|
|
optional_policy(`
|
|
abrt_stream_connect(smoltclient_t)
|
|
diff --git a/smsd.fc b/smsd.fc
|
|
new file mode 100644
|
|
index 0000000..4c3fcec
|
|
--- /dev/null
|
|
+++ b/smsd.fc
|
|
@@ -0,0 +1,11 @@
|
|
+/etc/rc\.d/init\.d/smsd -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0)
|
|
+
|
|
+/usr/sbin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0)
|
|
+
|
|
+/var/lib/smstools(/.*)? gen_context(system_u:object_r:smsd_var_lib_t,s0)
|
|
+
|
|
+/var/log/smsd(/.*)? gen_context(system_u:object_r:smsd_log_t,s0)
|
|
+
|
|
+/var/run/smsd(/.*)? gen_context(system_u:object_r:smsd_var_run_t,s0)
|
|
+
|
|
+/var/spool/sms(/.*)? gen_context(system_u:object_r:smsd_spool_t,s0)
|
|
diff --git a/smsd.if b/smsd.if
|
|
new file mode 100644
|
|
index 0000000..52450c7
|
|
--- /dev/null
|
|
+++ b/smsd.if
|
|
@@ -0,0 +1,240 @@
|
|
+## <summary>The SMS Server Tools are made to send and receive short messages through GSM modems. It supports easy file interfaces and it can run external programs for automatic actions.</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute smsd in the smsd domin.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`smsd_domtrans',`
|
|
+ gen_require(`
|
|
+ type smsd_t, smsd_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, smsd_exec_t, smsd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute smsd server in the smsd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`smsd_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type smsd_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, smsd_initrc_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read smsd's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`smsd_read_log',`
|
|
+ gen_require(`
|
|
+ type smsd_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, smsd_log_t, smsd_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Append to smsd log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`smsd_append_log',`
|
|
+ gen_require(`
|
|
+ type smsd_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, smsd_log_t, smsd_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage smsd log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`smsd_manage_log',`
|
|
+ gen_require(`
|
|
+ type smsd_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ manage_dirs_pattern($1, smsd_log_t, smsd_log_t)
|
|
+ manage_files_pattern($1, smsd_log_t, smsd_log_t)
|
|
+ manage_lnk_files_pattern($1, smsd_log_t, smsd_log_t)
|
|
+')
|
|
+########################################
|
|
+## <summary>
|
|
+## Read smsd PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`smsd_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type smsd_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ read_files_pattern($1, smsd_var_run_t, smsd_var_run_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search smsd spool directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`smsd_search_spool',`
|
|
+ gen_require(`
|
|
+ type smsd_spool_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 smsd_spool_t:dir search_dir_perms;
|
|
+ files_search_spool($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read smsd spool files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`smsd_read_spool_files',`
|
|
+ gen_require(`
|
|
+ type smsd_spool_t;
|
|
+ ')
|
|
+
|
|
+ files_search_spool($1)
|
|
+ read_files_pattern($1, smsd_spool_t, smsd_spool_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage smsd spool files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`smsd_manage_spool_files',`
|
|
+ gen_require(`
|
|
+ type smsd_spool_t;
|
|
+ ')
|
|
+
|
|
+ files_search_spool($1)
|
|
+ manage_files_pattern($1, smsd_spool_t, smsd_spool_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage smsd spool dirs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`smsd_manage_spool_dirs',`
|
|
+ gen_require(`
|
|
+ type smsd_spool_t;
|
|
+ ')
|
|
+
|
|
+ files_search_spool($1)
|
|
+ manage_dirs_pattern($1, smsd_spool_t, smsd_spool_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an smsd environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`smsd_admin',`
|
|
+ gen_require(`
|
|
+ type smsd_t;
|
|
+ type smsd_initrc_exec_t;
|
|
+ type smsd_log_t;
|
|
+ type smsd_var_run_t;
|
|
+ type smsd_spool_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 smsd_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, smsd_t)
|
|
+
|
|
+ smsd_initrc_domtrans($1)
|
|
+ domain_system_change_exemption($1)
|
|
+ role_transition $2 smsd_initrc_exec_t system_r;
|
|
+ allow $2 system_r;
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ admin_pattern($1, smsd_log_t)
|
|
+
|
|
+ files_search_pids($1)
|
|
+ admin_pattern($1, smsd_var_run_t)
|
|
+
|
|
+ files_search_spool($1)
|
|
+ admin_pattern($1, smsd_spool_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+')
|
|
diff --git a/smsd.te b/smsd.te
|
|
new file mode 100644
|
|
index 0000000..1fad7b8
|
|
--- /dev/null
|
|
+++ b/smsd.te
|
|
@@ -0,0 +1,73 @@
|
|
+policy_module(smsd, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type smsd_t;
|
|
+type smsd_exec_t;
|
|
+init_daemon_domain(smsd_t, smsd_exec_t)
|
|
+
|
|
+type smsd_initrc_exec_t;
|
|
+init_script_file(smsd_initrc_exec_t)
|
|
+
|
|
+type smsd_log_t;
|
|
+logging_log_file(smsd_log_t)
|
|
+
|
|
+type smsd_var_lib_t;
|
|
+files_type(smsd_var_lib_t)
|
|
+
|
|
+type smsd_var_run_t;
|
|
+files_pid_file(smsd_var_run_t)
|
|
+
|
|
+type smsd_spool_t;
|
|
+files_type(smsd_spool_t)
|
|
+
|
|
+type smsd_tmp_t;
|
|
+files_tmp_file(smsd_tmp_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# smsd local policy
|
|
+#
|
|
+
|
|
+allow smsd_t self:capability { kill setgid setuid };
|
|
+allow smsd_t self:process { fork signal };
|
|
+allow smsd_t self:fifo_file rw_fifo_file_perms;
|
|
+allow smsd_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(smsd_t, smsd_log_t, smsd_log_t)
|
|
+manage_files_pattern(smsd_t, smsd_log_t, smsd_log_t)
|
|
+manage_lnk_files_pattern(smsd_t, smsd_log_t, smsd_log_t)
|
|
+logging_log_filetrans(smsd_t, smsd_log_t, { dir })
|
|
+
|
|
+manage_dirs_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
|
|
+manage_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
|
|
+manage_lnk_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t)
|
|
+
|
|
+manage_dirs_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
|
|
+manage_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
|
|
+manage_lnk_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t)
|
|
+files_pid_filetrans(smsd_t, smsd_var_run_t, { dir })
|
|
+
|
|
+manage_dirs_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
|
|
+manage_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
|
|
+manage_lnk_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t)
|
|
+files_spool_filetrans(smsd_t, smsd_spool_t, { dir })
|
|
+can_exec(smsd_t, smsd_spool_t)
|
|
+
|
|
+manage_dirs_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t)
|
|
+manage_files_pattern(smsd_t, smsd_tmp_t, smsd_tmp_t)
|
|
+files_tmp_filetrans(smsd_t, smsd_tmp_t, { file dir })
|
|
+
|
|
+kernel_read_system_state(smsd_t)
|
|
+kernel_read_kernel_sysctls(smsd_t)
|
|
+
|
|
+corecmd_exec_shell(smsd_t)
|
|
+
|
|
+auth_use_nsswitch(smsd_t)
|
|
+
|
|
+logging_send_syslog_msg(smsd_t)
|
|
+
|
|
+sysnet_dns_name_resolve(smsd_t)
|
|
diff --git a/smstools.if b/smstools.if
|
|
index cbfe369..6594af3 100644
|
|
--- a/smstools.if
|
|
+++ b/smstools.if
|
|
@@ -1,5 +1,81 @@
|
|
## <summary> Tools to send and receive short messages through GSM modems or mobile phones.</summary>
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Search smsd lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`smsd_search_lib',`
|
|
+ gen_require(`
|
|
+ type smsd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 smsd_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Read smsd lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`smsd_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type smsd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, smsd_var_lib_t, smsd_var_lib_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Manage smsd lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`smsd_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type smsd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, smsd_var_lib_t, smsd_var_lib_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Manage smsd lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`smsd_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type smsd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, smsd_var_lib_t, smsd_var_lib_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to
|
|
@@ -32,7 +108,7 @@ interface(`smstools_admin',`
|
|
role_transition $2 smsd_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_search_config($1)
|
|
+ files_search_etc($1)
|
|
admin_pattern($1, smsd_conf_t)
|
|
|
|
files_search_var_lib($1)
|
|
diff --git a/snapper.fc b/snapper.fc
|
|
new file mode 100644
|
|
index 0000000..3f412d5
|
|
--- /dev/null
|
|
+++ b/snapper.fc
|
|
@@ -0,0 +1 @@
|
|
+/usr/sbin/snapperd -- gen_context(system_u:object_r:snapperd_exec_t,s0)
|
|
diff --git a/snapper.if b/snapper.if
|
|
new file mode 100644
|
|
index 0000000..94105ee
|
|
--- /dev/null
|
|
+++ b/snapper.if
|
|
@@ -0,0 +1,42 @@
|
|
+
|
|
+## <summary>policy for snapperd</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute TEMPLATE in the snapperd domin.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`snapper_domtrans',`
|
|
+ gen_require(`
|
|
+ type snapperd_t, snapperd_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, snapperd_exec_t, snapperd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send and receive messages from
|
|
+## snapperd over dbus.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`snapper_dbus_chat',`
|
|
+ gen_require(`
|
|
+ type snapperd_t;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
+
|
|
+ allow $1 snapperd_t:dbus send_msg;
|
|
+ allow snapperd_t $1:dbus send_msg;
|
|
+')
|
|
diff --git a/snapper.te b/snapper.te
|
|
new file mode 100644
|
|
index 0000000..ad232be
|
|
--- /dev/null
|
|
+++ b/snapper.te
|
|
@@ -0,0 +1,33 @@
|
|
+policy_module(snapper, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type snapperd_t;
|
|
+type snapperd_exec_t;
|
|
+init_daemon_domain(snapperd_t, snapperd_exec_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# snapperd local policy
|
|
+#
|
|
+
|
|
+allow snapperd_t self:fifo_file rw_fifo_file_perms;
|
|
+allow snapperd_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+storage_raw_read_fixed_disk(snapperd_t)
|
|
+
|
|
+auth_use_nsswitch(snapperd_t)
|
|
+
|
|
+miscfiles_read_localization(snapperd_t)
|
|
+
|
|
+optional_policy(`
|
|
+ dbus_system_bus_client(snapperd_t)
|
|
+ dbus_connect_system_bus(snapperd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mount_domtrans(snapperd_t)
|
|
+')
|
|
diff --git a/snmp.fc b/snmp.fc
|
|
index 2f0a2f2..77bdf95 100644
|
|
--- a/snmp.fc
|
|
+++ b/snmp.fc
|
|
@@ -1,6 +1,6 @@
|
|
/etc/rc\.d/init\.d/(snmpd|snmptrapd) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0)
|
|
|
|
-/usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0)
|
|
+/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
|
|
/usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0)
|
|
|
|
/usr/share/snmp/mibs/\.index -- gen_context(system_u:object_r:snmpd_var_lib_t,s0)
|
|
@@ -10,9 +10,12 @@
|
|
|
|
/var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
|
|
/var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
|
|
+/var/spool/snmptt(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
|
|
|
|
/var/log/snmpd\.log.* -- gen_context(system_u:object_r:snmpd_log_t,s0)
|
|
|
|
+/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
|
|
+
|
|
/var/run/net-snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
|
|
-/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
|
|
+/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
|
|
/var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
|
|
diff --git a/snmp.if b/snmp.if
|
|
index 7a9cc9d..86cbca9 100644
|
|
--- a/snmp.if
|
|
+++ b/snmp.if
|
|
@@ -57,8 +57,7 @@ interface(`snmp_udp_chat',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## snmp lib directories.
|
|
+## Read snmpd lib content.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -66,19 +65,39 @@ interface(`snmp_udp_chat',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`snmp_manage_var_lib_dirs',`
|
|
+interface(`snmp_read_snmp_var_lib_files',`
|
|
gen_require(`
|
|
type snmpd_var_lib_t;
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
- allow $1 snmpd_var_lib_t:dir manage_dir_perms;
|
|
+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
|
|
+ read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
|
|
+ read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Read snmpd libraries directories
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`snmp_read_snmp_var_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type snmpd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ allow $1 snmpd_var_lib_t:dir list_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## snmp lib files.
|
|
+## Manage snmpd libraries directories
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -86,19 +105,18 @@ interface(`snmp_manage_var_lib_dirs',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`snmp_manage_var_lib_files',`
|
|
+interface(`snmp_manage_var_lib_dirs',`
|
|
gen_require(`
|
|
type snmpd_var_lib_t;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
- allow $1 snmpd_var_lib_t:dir list_dir_perms;
|
|
- manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
|
|
+ allow $1 snmpd_var_lib_t:dir manage_dir_perms;
|
|
+ files_var_lib_filetrans($1, snmpd_var_lib_t, dir)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read snmpd lib content.
|
|
+## Manage snmpd libraries.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -106,14 +124,14 @@ interface(`snmp_manage_var_lib_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`snmp_read_snmp_var_lib_files',`
|
|
+interface(`snmp_manage_var_lib_files',`
|
|
gen_require(`
|
|
type snmpd_var_lib_t;
|
|
')
|
|
|
|
+ files_search_var_lib($1)
|
|
allow $1 snmpd_var_lib_t:dir list_dir_perms;
|
|
- read_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
|
|
- read_lnk_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
|
|
+ manage_files_pattern($1, snmpd_var_lib_t, snmpd_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -179,8 +197,12 @@ interface(`snmp_admin',`
|
|
type snmpd_var_lib_t, snmpd_var_run_t;
|
|
')
|
|
|
|
- allow $1 snmpd_t:process { ptrace signal_perms };
|
|
+ allow $1 snmpd_t:process signal_perms;
|
|
+
|
|
ps_process_pattern($1, snmpd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 snmpd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, snmpd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff --git a/snmp.te b/snmp.te
|
|
index 9dcaeb8..4b11846 100644
|
|
--- a/snmp.te
|
|
+++ b/snmp.te
|
|
@@ -27,14 +27,16 @@ files_type(snmpd_var_lib_t)
|
|
#
|
|
|
|
allow snmpd_t self:capability { chown dac_override kill ipc_lock setgid setuid net_admin sys_nice sys_tty_config sys_ptrace };
|
|
+
|
|
dontaudit snmpd_t self:capability { sys_module sys_tty_config };
|
|
allow snmpd_t self:process { signal_perms getsched setsched };
|
|
allow snmpd_t self:fifo_file rw_fifo_file_perms;
|
|
-allow snmpd_t self:unix_stream_socket { accept connectto listen };
|
|
-allow snmpd_t self:tcp_socket { accept listen };
|
|
+allow snmpd_t self:unix_dgram_socket create_socket_perms;
|
|
+allow snmpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
+allow snmpd_t self:tcp_socket create_stream_socket_perms;
|
|
allow snmpd_t self:udp_socket connected_stream_socket_perms;
|
|
|
|
-allow snmpd_t snmpd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
|
+manage_files_pattern(snmpd_t, snmpd_log_t, snmpd_log_t)
|
|
logging_log_filetrans(snmpd_t, snmpd_log_t, file)
|
|
|
|
manage_dirs_pattern(snmpd_t, snmpd_var_lib_t, snmpd_var_lib_t)
|
|
@@ -53,12 +55,13 @@ kernel_read_kernel_sysctls(snmpd_t)
|
|
kernel_read_fs_sysctls(snmpd_t)
|
|
kernel_read_net_sysctls(snmpd_t)
|
|
kernel_read_network_state(snmpd_t)
|
|
+kernel_read_proc_symlinks(snmpd_t)
|
|
+kernel_read_all_proc(snmpd_t)
|
|
kernel_read_system_state(snmpd_t)
|
|
|
|
corecmd_exec_bin(snmpd_t)
|
|
corecmd_exec_shell(snmpd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(snmpd_t)
|
|
corenet_all_recvfrom_netlabel(snmpd_t)
|
|
corenet_tcp_sendrecv_generic_if(snmpd_t)
|
|
corenet_udp_sendrecv_generic_if(snmpd_t)
|
|
@@ -75,9 +78,7 @@ corenet_udp_bind_snmp_port(snmpd_t)
|
|
corenet_tcp_sendrecv_snmp_port(snmpd_t)
|
|
corenet_udp_sendrecv_snmp_port(snmpd_t)
|
|
|
|
-corenet_sendrecv_snmp_client_packets(snmpd_t)
|
|
corenet_tcp_connect_agentx_port(snmpd_t)
|
|
-corenet_sendrecv_snmp_server_packets(snmpd_t)
|
|
corenet_tcp_bind_agentx_port(snmpd_t)
|
|
corenet_udp_bind_agentx_port(snmpd_t)
|
|
corenet_tcp_sendrecv_agentx_port(snmpd_t)
|
|
@@ -94,7 +95,6 @@ domain_signull_all_domains(snmpd_t)
|
|
domain_read_all_domains_state(snmpd_t)
|
|
domain_exec_all_entry_files(snmpd_t)
|
|
|
|
-files_read_usr_files(snmpd_t)
|
|
files_read_etc_runtime_files(snmpd_t)
|
|
files_search_home(snmpd_t)
|
|
|
|
@@ -112,10 +112,12 @@ auth_use_nsswitch(snmpd_t)
|
|
|
|
init_read_utmp(snmpd_t)
|
|
init_dontaudit_write_utmp(snmpd_t)
|
|
+# need write to /var/run/systemd/notify
|
|
+init_write_pid_socket(snmpd_t)
|
|
|
|
logging_send_syslog_msg(snmpd_t)
|
|
|
|
-miscfiles_read_localization(snmpd_t)
|
|
+sysnet_read_config(snmpd_t)
|
|
|
|
seutil_dontaudit_search_config(snmpd_t)
|
|
|
|
@@ -131,7 +133,11 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- corosync_stream_connect(snmpd_t)
|
|
+ fstools_domtrans(snmpd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rhcs_stream_connect_cluster(snmpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
diff --git a/snort.if b/snort.if
|
|
index 7d86b34..5f58180 100644
|
|
--- a/snort.if
|
|
+++ b/snort.if
|
|
@@ -42,8 +42,11 @@ interface(`snort_admin',`
|
|
type snort_etc_t, snort_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 snort_t:process { ptrace signal_perms };
|
|
+ allow $1 snort_t:process signal_perms;
|
|
ps_process_pattern($1, snort_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 snort_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, snort_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
@@ -51,11 +54,11 @@ interface(`snort_admin',`
|
|
allow $2 system_r;
|
|
|
|
admin_pattern($1, snort_etc_t)
|
|
- files_search_etc($1)
|
|
+ files_list_etc($1)
|
|
|
|
admin_pattern($1, snort_log_t)
|
|
- logging_search_logs($1)
|
|
+ logging_list_logs($1)
|
|
|
|
admin_pattern($1, snort_var_run_t)
|
|
- files_search_pids($1)
|
|
+ files_list_pids($1)
|
|
')
|
|
diff --git a/snort.te b/snort.te
|
|
index 1af72df..f63015b 100644
|
|
--- a/snort.te
|
|
+++ b/snort.te
|
|
@@ -32,10 +32,13 @@ files_pid_file(snort_var_run_t)
|
|
allow snort_t self:capability { setgid setuid net_admin net_raw dac_override };
|
|
dontaudit snort_t self:capability sys_tty_config;
|
|
allow snort_t self:process signal_perms;
|
|
+allow snort_t self:netlink_route_socket create_netlink_socket_perms;
|
|
allow snort_t self:netlink_socket create_socket_perms;
|
|
-allow snort_t self:tcp_socket { accept listen };
|
|
+allow snort_t self:tcp_socket create_stream_socket_perms;
|
|
+allow snort_t self:udp_socket create_socket_perms;
|
|
allow snort_t self:packet_socket create_socket_perms;
|
|
allow snort_t self:socket create_socket_perms;
|
|
+# Snort IPS node. unverified.
|
|
allow snort_t self:netlink_firewall_socket create_socket_perms;
|
|
|
|
allow snort_t snort_etc_t:dir list_dir_perms;
|
|
@@ -63,7 +66,6 @@ kernel_request_load_module(snort_t)
|
|
kernel_dontaudit_read_system_state(snort_t)
|
|
kernel_read_network_state(snort_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(snort_t)
|
|
corenet_all_recvfrom_netlabel(snort_t)
|
|
corenet_tcp_sendrecv_generic_if(snort_t)
|
|
corenet_udp_sendrecv_generic_if(snort_t)
|
|
@@ -86,18 +88,17 @@ dev_rw_generic_usb_dev(snort_t)
|
|
|
|
domain_use_interactive_fds(snort_t)
|
|
|
|
-files_read_etc_files(snort_t)
|
|
files_dontaudit_read_etc_runtime_files(snort_t)
|
|
|
|
fs_getattr_all_fs(snort_t)
|
|
fs_search_auto_mountpoints(snort_t)
|
|
|
|
+auth_read_passwd(snort_t)
|
|
+
|
|
init_read_utmp(snort_t)
|
|
|
|
logging_send_syslog_msg(snort_t)
|
|
|
|
-miscfiles_read_localization(snort_t)
|
|
-
|
|
sysnet_dns_name_resolve(snort_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(snort_t)
|
|
diff --git a/sosreport.if b/sosreport.if
|
|
index 634c6b4..e1edfd9 100644
|
|
--- a/sosreport.if
|
|
+++ b/sosreport.if
|
|
@@ -42,7 +42,7 @@ interface(`sosreport_run',`
|
|
')
|
|
|
|
sosreport_domtrans($1)
|
|
- roleattribute $2 sospreport_roles;
|
|
+ roleattribute $2 sosreport_roles;
|
|
')
|
|
|
|
########################################
|
|
diff --git a/sosreport.te b/sosreport.te
|
|
index f2f507d..3669dac 100644
|
|
--- a/sosreport.te
|
|
+++ b/sosreport.te
|
|
@@ -13,15 +13,15 @@ type sosreport_exec_t;
|
|
application_domain(sosreport_t, sosreport_exec_t)
|
|
role sosreport_roles types sosreport_t;
|
|
|
|
-type sosreport_var_run_t;
|
|
-files_pid_file(sosreport_var_run_t)
|
|
-
|
|
type sosreport_tmp_t;
|
|
files_tmp_file(sosreport_tmp_t)
|
|
|
|
type sosreport_tmpfs_t;
|
|
files_tmpfs_file(sosreport_tmpfs_t)
|
|
|
|
+type sosreport_var_run_t;
|
|
+files_pid_file(sosreport_var_run_t)
|
|
+
|
|
optional_policy(`
|
|
pulseaudio_tmpfs_content(sosreport_tmpfs_t)
|
|
')
|
|
@@ -37,6 +37,8 @@ allow sosreport_t self:process { setsched signull };
|
|
allow sosreport_t self:fifo_file rw_fifo_file_perms;
|
|
allow sosreport_t self:tcp_socket { accept listen };
|
|
allow sosreport_t self:unix_stream_socket { accept listen };
|
|
+allow sosreport_t self:rawip_socket create_socket_perms;
|
|
+allow sosreport_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
|
|
manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
|
|
@@ -44,6 +46,12 @@ manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
|
|
files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
|
|
files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
|
|
|
|
+manage_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
|
|
+manage_dirs_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
|
|
+manage_sock_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
|
|
+manage_lnk_files_pattern(sosreport_t, sosreport_var_run_t, sosreport_var_run_t)
|
|
+files_pid_filetrans(sosreport_t, sosreport_var_run_t, { file dir sock_file })
|
|
+
|
|
manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
|
|
fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
|
|
|
|
@@ -69,6 +77,8 @@ dev_read_urand(sosreport_t)
|
|
dev_read_raw_memory(sosreport_t)
|
|
dev_read_sysfs(sosreport_t)
|
|
dev_rw_generic_usb_dev(sosreport_t)
|
|
+dev_getattr_all_chr_files(sosreport_t)
|
|
+dev_getattr_all_blk_files(sosreport_t)
|
|
|
|
domain_getattr_all_domains(sosreport_t)
|
|
domain_read_all_domains_state(sosreport_t)
|
|
@@ -83,7 +93,6 @@ files_list_all(sosreport_t)
|
|
files_read_config_files(sosreport_t)
|
|
files_read_generic_tmp_files(sosreport_t)
|
|
files_read_non_auth_files(sosreport_t)
|
|
-files_read_usr_files(sosreport_t)
|
|
files_read_var_lib_files(sosreport_t)
|
|
files_read_var_symlinks(sosreport_t)
|
|
files_read_kernel_modules(sosreport_t)
|
|
@@ -92,25 +101,32 @@ files_manage_etc_runtime_files(sosreport_t)
|
|
files_etc_filetrans_etc_runtime(sosreport_t, file)
|
|
|
|
fs_getattr_all_fs(sosreport_t)
|
|
+fs_getattr_all_dirs(sosreport_t)
|
|
fs_list_inotifyfs(sosreport_t)
|
|
|
|
storage_dontaudit_read_fixed_disk(sosreport_t)
|
|
storage_dontaudit_read_removable_device(sosreport_t)
|
|
|
|
+term_getattr_pty_fs(sosreport_t)
|
|
+term_getattr_all_ptys(sosreport_t)
|
|
term_use_generic_ptys(sosreport_t)
|
|
|
|
+# some config files do not have configfile attribute
|
|
+# sosreport needs to read various files on system
|
|
+files_read_non_security_files(sosreport_t)
|
|
+
|
|
auth_use_nsswitch(sosreport_t)
|
|
+auth_dontaudit_read_shadow(sosreport_t)
|
|
|
|
init_domtrans_script(sosreport_t)
|
|
+init_getattr_initctl(sosreport_t)
|
|
|
|
libs_domtrans_ldconfig(sosreport_t)
|
|
|
|
logging_read_all_logs(sosreport_t)
|
|
logging_send_syslog_msg(sosreport_t)
|
|
|
|
-miscfiles_read_localization(sosreport_t)
|
|
-
|
|
-modutils_read_module_deps(sosreport_t)
|
|
+sysnet_read_config(sosreport_t)
|
|
|
|
optional_policy(`
|
|
abrt_manage_pid_files(sosreport_t)
|
|
@@ -119,6 +135,10 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ brctl_domtrans(sosreport_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
cups_stream_connect(sosreport_t)
|
|
')
|
|
|
|
@@ -127,6 +147,11 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ # needed by modinfo
|
|
+ modutils_read_module_deps(sosreport_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
fstools_domtrans(sosreport_t)
|
|
')
|
|
|
|
diff --git a/soundserver.if b/soundserver.if
|
|
index a5abc5a..b9eff74 100644
|
|
--- a/soundserver.if
|
|
+++ b/soundserver.if
|
|
@@ -38,9 +38,13 @@ interface(`soundserver_admin',`
|
|
type soundd_state_t;
|
|
')
|
|
|
|
- allow $1 soundd_t:process { ptrace signal_perms };
|
|
+ allow $1 soundd_t:process signal_perms;
|
|
ps_process_pattern($1, soundd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 soundd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, soundd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 soundd_initrc_exec_t system_r;
|
|
diff --git a/soundserver.te b/soundserver.te
|
|
index 0919e0c..56a984b 100644
|
|
--- a/soundserver.te
|
|
+++ b/soundserver.te
|
|
@@ -65,7 +65,6 @@ kernel_read_kernel_sysctls(soundd_t)
|
|
kernel_list_proc(soundd_t)
|
|
kernel_read_proc_symlinks(soundd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(soundd_t)
|
|
corenet_all_recvfrom_netlabel(soundd_t)
|
|
corenet_tcp_sendrecv_generic_if(soundd_t)
|
|
corenet_tcp_sendrecv_generic_node(soundd_t)
|
|
@@ -81,7 +80,6 @@ dev_write_sound(soundd_t)
|
|
|
|
domain_use_interactive_fds(soundd_t)
|
|
|
|
-files_read_etc_files(soundd_t)
|
|
files_read_etc_runtime_files(soundd_t)
|
|
|
|
fs_getattr_all_fs(soundd_t)
|
|
@@ -89,8 +87,6 @@ fs_search_auto_mountpoints(soundd_t)
|
|
|
|
logging_send_syslog_msg(soundd_t)
|
|
|
|
-miscfiles_read_localization(soundd_t)
|
|
-
|
|
sysnet_read_config(soundd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(soundd_t)
|
|
diff --git a/spamassassin.fc b/spamassassin.fc
|
|
index e9bd097..e059e27 100644
|
|
--- a/spamassassin.fc
|
|
+++ b/spamassassin.fc
|
|
@@ -1,20 +1,26 @@
|
|
-HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamassassin_home_t,s0)
|
|
-HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
|
|
+HOME_DIR/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
|
|
+HOME_DIR/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
|
|
+HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
|
|
+HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
|
|
+/root/\.pyzor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
|
|
+/root/\.razor(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
|
|
+/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
|
|
+/root/\.spamd(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
|
|
|
|
/etc/rc\.d/init\.d/spamd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
|
|
-/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/spampd -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
|
|
/etc/rc\.d/init\.d/mimedefang.* -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
|
|
|
|
/usr/bin/sa-learn -- gen_context(system_u:object_r:spamc_exec_t,s0)
|
|
/usr/bin/spamassassin -- gen_context(system_u:object_r:spamc_exec_t,s0)
|
|
-/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
|
|
-/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
|
+/usr/bin/spamc -- gen_context(system_u:object_r:spamc_exec_t,s0)
|
|
+/usr/bin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
|
/usr/bin/sa-update -- gen_context(system_u:object_r:spamd_update_exec_t,s0)
|
|
|
|
-/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
|
-/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
|
+/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
|
+/usr/sbin/spampd -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
|
/usr/bin/mimedefang -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
|
-/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
|
+/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
|
|
|
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
|
|
/var/lib/spamassassin/compiled(/.*)? gen_context(system_u:object_r:spamd_compiled_t,s0)
|
|
@@ -25,7 +31,22 @@ HOME_DIR/\.spamd(/.*)? gen_context(system_u:object_r:spamd_home_t,s0)
|
|
/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
|
|
|
|
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
|
|
-/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
|
|
-/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
|
|
+/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
|
|
+/var/spool/spampd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
|
|
/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
|
|
/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
|
|
+
|
|
+/etc/pyzor(/.*)? gen_context(system_u:object_r:spamd_etc_t, s0)
|
|
+/etc/razor(/.*)? gen_context(system_u:object_r:spamd_etc_t,s0)
|
|
+/etc/rc\.d/init\.d/pyzord -- gen_context(system_u:object_r:spamd_initrc_exec_t,s0)
|
|
+
|
|
+/usr/bin/razor.* -- gen_context(system_u:object_r:spamc_exec_t,s0)
|
|
+
|
|
+/var/lib/pyzord(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
|
|
+/var/lib/razor(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
|
|
+
|
|
+/var/log/pyzord\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
|
|
+/var/log/razor-agent\.log.* -- gen_context(system_u:object_r:spamd_log_t,s0)
|
|
+
|
|
+/usr/bin/pyzor -- gen_context(system_u:object_r:spamc_exec_t,s0)
|
|
+/usr/bin/pyzord -- gen_context(system_u:object_r:spamd_exec_t,s0)
|
|
diff --git a/spamassassin.if b/spamassassin.if
|
|
index 1499b0b..6950cab 100644
|
|
--- a/spamassassin.if
|
|
+++ b/spamassassin.if
|
|
@@ -2,39 +2,45 @@
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Role access for spamassassin.
|
|
+## Role access for spamassassin
|
|
## </summary>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Role allowed access
|
|
## </summary>
|
|
## </param>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## User domain for the role.
|
|
+## User domain for the role
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
interface(`spamassassin_role',`
|
|
gen_require(`
|
|
type spamc_t, spamc_exec_t, spamc_tmp_t;
|
|
- type spamassassin_t, spamassassin_exec_t, spamd_home_t;
|
|
+ type spamassassin_t, spamassassin_exec_t;
|
|
type spamassassin_home_t, spamassassin_tmp_t;
|
|
')
|
|
|
|
role $1 types { spamc_t spamassassin_t };
|
|
|
|
domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
|
|
+
|
|
+ allow $2 spamassassin_t:process signal_perms;
|
|
+ ps_process_pattern($2, spamassassin_t)
|
|
+
|
|
domtrans_pattern($2, spamc_exec_t, spamc_t)
|
|
|
|
- allow $2 { spamc_t spamassassin_t}:process { ptrace signal_perms };
|
|
- ps_process_pattern($2, { spamc_t spamassassin_t })
|
|
+ allow $2 spamc_t:process signal_perms;
|
|
+ ps_process_pattern($2, spamc_t)
|
|
|
|
- allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 { spamc_tmp_t spamd_home_t spamassassin_home_t spamassassin_tmp_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
- userdom_user_home_dir_filetrans($2, spamassassin_home_t, dir, ".spamassassin")
|
|
- userdom_user_home_dir_filetrans($2, spamd_home_t, dir, ".spamd")
|
|
+ manage_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
|
|
+ manage_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
|
|
+ manage_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
|
|
+ relabel_dirs_pattern($2, spamassassin_home_t, spamassassin_home_t)
|
|
+ relabel_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
|
|
+ relabel_lnk_files_pattern($2, spamassassin_home_t, spamassassin_home_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -53,13 +59,12 @@ interface(`spamassassin_exec',`
|
|
type spamassassin_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, spamassassin_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send generic signals to spamd.
|
|
+## Singnal the spam assassin daemon
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -77,7 +82,8 @@ interface(`spamassassin_signal_spamd',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute spamd in the caller domain.
|
|
+## Execute the spamassassin daemon
|
|
+## program in the caller directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -90,13 +96,12 @@ interface(`spamassassin_exec_spamd',`
|
|
type spamd_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, spamd_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute spamc in the spamc domain.
|
|
+## Execute spamassassin client in the spamassassin client domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -109,32 +114,13 @@ interface(`spamassassin_domtrans_client',`
|
|
type spamc_t, spamc_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, spamc_exec_t, spamc_t)
|
|
+ allow $1 spamc_exec_t:file ioctl;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute spamc in the caller domain.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`spamassassin_exec_client',`
|
|
- gen_require(`
|
|
- type spamc_exec_t;
|
|
- ')
|
|
-
|
|
- corecmd_search_bin($1)
|
|
- can_exec($1, spamc_exec_t)
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Send kill signals to spamc.
|
|
+## Send kill signal to spamassassin client
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -152,28 +138,28 @@ interface(`spamassassin_kill_client',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute spamassassin standalone client
|
|
-## in the user spamassassin domain.
|
|
+## Manage spamc home files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`spamassassin_domtrans_local_client',`
|
|
+interface(`spamassassin_manage_home_client',`
|
|
gen_require(`
|
|
- type spamassassin_t, spamassassin_exec_t;
|
|
+ type spamc_home_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
- domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
|
|
+ userdom_search_user_home_dirs($1)
|
|
+ manage_dirs_pattern($1, spamc_home_t, spamc_home_t)
|
|
+ manage_files_pattern($1, spamc_home_t, spamc_home_t)
|
|
+ manage_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## spamd home content.
|
|
+## Read spamc home files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -181,20 +167,21 @@ interface(`spamassassin_domtrans_local_client',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`spamassassin_manage_spamd_home_content',`
|
|
+interface(`spamassassin_read_home_client',`
|
|
gen_require(`
|
|
- type spamd_home_t;
|
|
+ type spamc_home_t;
|
|
')
|
|
|
|
userdom_search_user_home_dirs($1)
|
|
- allow $1 spamd_home_t:dir manage_dir_perms;
|
|
- allow $1 spamd_home_t:file manage_file_perms;
|
|
- allow $1 spamd_home_t:lnk_file manage_lnk_file_perms;
|
|
+ list_dirs_pattern($1, spamc_home_t, spamc_home_t)
|
|
+ read_files_pattern($1, spamc_home_t, spamc_home_t)
|
|
+ read_lnk_files_pattern($1, spamc_home_t, spamc_home_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Relabel spamd home content.
|
|
+## Execute the spamassassin client
|
|
+## program in the caller directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -202,49 +189,35 @@ interface(`spamassassin_manage_spamd_home_content',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`spamassassin_relabel_spamd_home_content',`
|
|
+interface(`spamassassin_exec_client',`
|
|
gen_require(`
|
|
- type spamd_home_t;
|
|
+ type spamc_exec_t;
|
|
')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 spamd_home_t:dir relabel_dir_perms;
|
|
- allow $1 spamd_home_t:file relabel_file_perms;
|
|
- allow $1 spamd_home_t:lnk_file relabel_lnk_file_perms;
|
|
+ can_exec($1, spamc_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create objects in user home
|
|
-## directories with the spamd home type.
|
|
+## Execute spamassassin standalone client in the user spamassassin domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`spamassassin_home_filetrans_spamd_home',`
|
|
+interface(`spamassassin_domtrans_local_client',`
|
|
gen_require(`
|
|
- type spamd_home_t;
|
|
+ type spamassassin_t, spamassassin_exec_t;
|
|
')
|
|
|
|
- userdom_user_home_dir_filetrans($1, spamd_home_t, $2, $3)
|
|
+ domtrans_pattern($1, spamassassin_exec_t, spamassassin_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read spamd lib files.
|
|
+## read spamd lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -258,7 +231,9 @@ interface(`spamassassin_read_lib_files',`
|
|
')
|
|
|
|
files_search_var_lib($1)
|
|
+ list_dirs_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
|
|
read_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
|
|
+ read_lnk_files_pattern($1, spamd_var_lib_t, spamd_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -283,7 +258,7 @@ interface(`spamassassin_manage_lib_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read spamd pid files.
|
|
+## Read temporary spamd file.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -291,56 +266,56 @@ interface(`spamassassin_manage_lib_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`spamassassin_read_spamd_pid_files',`
|
|
+interface(`spamassassin_read_spamd_tmp_files',`
|
|
gen_require(`
|
|
- type spamd_var_run_t;
|
|
+ type spamd_tmp_t;
|
|
')
|
|
|
|
- files_search_pids($1)
|
|
- read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
|
|
+ files_search_tmp($1)
|
|
+ allow $1 spamd_tmp_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read temporary spamd files.
|
|
+## Do not audit attempts to get attributes of temporary
|
|
+## spamd sockets/
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`spamassassin_read_spamd_tmp_files',`
|
|
+interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
|
|
gen_require(`
|
|
type spamd_tmp_t;
|
|
')
|
|
|
|
- allow $1 spamd_tmp_t:file read_file_perms;
|
|
+ dontaudit $1 spamd_tmp_t:sock_file getattr_sock_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to get
|
|
-## attributes of temporary spamd sockets.
|
|
+## Connect to run spamd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain to not audit.
|
|
+## Domain allowed to connect.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
|
|
+interface(`spamd_stream_connect',`
|
|
gen_require(`
|
|
- type spamd_tmp_t;
|
|
+ type spamd_t, spamd_var_run_t;
|
|
')
|
|
|
|
- dontaudit $1 spamd_tmp_t:sock_file getattr;
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to spamd with a unix
|
|
-## domain stream socket.
|
|
+## Read spamd pid files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -348,19 +323,62 @@ interface(`spamassassin_dontaudit_getattr_spamd_tmp_sockets',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`spamassassin_stream_connect_spamd',`
|
|
+interface(`spamassassin_read_pid_files',`
|
|
gen_require(`
|
|
- type spamd_t, spamd_var_run_t;
|
|
+ type spamd_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
- stream_connect_pattern($1, spamd_var_run_t, spamd_var_run_t, spamd_t)
|
|
+ read_files_pattern($1, spamd_var_run_t, spamd_var_run_t)
|
|
')
|
|
|
|
+######################################
|
|
+## <summary>
|
|
+## Transition to spamassassin named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`spamassassin_filetrans_home_content',`
|
|
+ gen_require(`
|
|
+ type spamc_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
|
|
+ userdom_user_home_dir_filetrans($1, spamc_home_t, file, ".spamassassin")
|
|
+ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
|
|
+ userdom_user_home_dir_filetrans($1, spamc_home_t, dir, ".razor")
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Transition to spamassassin named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`spamassassin_filetrans_admin_home_content',`
|
|
+ gen_require(`
|
|
+ type spamc_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".pyzor")
|
|
+ userdom_admin_home_dir_filetrans($1, spamc_home_t, file, ".spamassassin")
|
|
+ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".spamd")
|
|
+ userdom_admin_home_dir_filetrans($1, spamc_home_t, dir, ".razor")
|
|
+')
|
|
+
|
|
+
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an spamassassin environment.
|
|
+## All of the rules required to administrate
|
|
+## an spamassassin environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -369,20 +387,22 @@ interface(`spamassassin_stream_connect_spamd',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the spamassassin domain.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`spamassassin_admin',`
|
|
+interface(`spamassassin_spamd_admin',`
|
|
gen_require(`
|
|
type spamd_t, spamd_tmp_t, spamd_log_t;
|
|
type spamd_spool_t, spamd_var_lib_t, spamd_var_run_t;
|
|
type spamd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 spamd_t:process { ptrace signal_perms };
|
|
+ allow $1 spamd_t:process signal_perms;
|
|
ps_process_pattern($1, spamd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 spamd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, spamd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
@@ -403,6 +423,4 @@ interface(`spamassassin_admin',`
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, spamd_var_run_t)
|
|
-
|
|
- spamassassin_role($2, $1)
|
|
')
|
|
diff --git a/spamassassin.te b/spamassassin.te
|
|
index cc58e35..ecd30f3 100644
|
|
--- a/spamassassin.te
|
|
+++ b/spamassassin.te
|
|
@@ -7,50 +7,23 @@ policy_module(spamassassin, 2.6.1)
|
|
|
|
## <desc>
|
|
## <p>
|
|
-## Determine whether spamassassin
|
|
-## clients can use the network.
|
|
+## Allow user spamassassin clients to use the network.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(spamassassin_can_network, false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
-## Determine whether spamd can manage
|
|
-## generic user home content.
|
|
+## Allow spamd to read/write user home directories.
|
|
## </p>
|
|
## </desc>
|
|
-gen_tunable(spamd_enable_home_dirs, false)
|
|
+gen_tunable(spamd_enable_home_dirs, true)
|
|
+
|
|
|
|
type spamd_update_t;
|
|
type spamd_update_exec_t;
|
|
-init_system_domain(spamd_update_t, spamd_update_exec_t)
|
|
-
|
|
-type spamassassin_t;
|
|
-type spamassassin_exec_t;
|
|
-typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
|
|
-typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
|
|
-userdom_user_application_domain(spamassassin_t, spamassassin_exec_t)
|
|
-
|
|
-type spamassassin_home_t;
|
|
-typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
|
|
-typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
|
|
-userdom_user_home_content(spamassassin_home_t)
|
|
-
|
|
-type spamassassin_tmp_t;
|
|
-typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
|
|
-typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
|
|
-userdom_user_tmp_file(spamassassin_tmp_t)
|
|
-
|
|
-type spamc_t;
|
|
-type spamc_exec_t;
|
|
-typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
|
|
-typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
|
|
-userdom_user_application_domain(spamc_t, spamc_exec_t)
|
|
-
|
|
-type spamc_tmp_t;
|
|
-typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
|
|
-typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
|
|
-userdom_user_tmp_file(spamc_tmp_t)
|
|
+application_domain(spamd_update_t, spamd_update_exec_t)
|
|
+role system_r types spamd_update_t;
|
|
|
|
type spamd_t;
|
|
type spamd_exec_t;
|
|
@@ -59,12 +32,6 @@ init_daemon_domain(spamd_t, spamd_exec_t)
|
|
type spamd_compiled_t;
|
|
files_type(spamd_compiled_t)
|
|
|
|
-type spamd_etc_t;
|
|
-files_config_file(spamd_etc_t)
|
|
-
|
|
-type spamd_home_t;
|
|
-userdom_user_home_content(spamd_home_t)
|
|
-
|
|
type spamd_initrc_exec_t;
|
|
init_script_file(spamd_initrc_exec_t)
|
|
|
|
@@ -72,87 +39,196 @@ type spamd_log_t;
|
|
logging_log_file(spamd_log_t)
|
|
|
|
type spamd_spool_t;
|
|
-files_type(spamd_spool_t)
|
|
+files_spool_file(spamd_spool_t)
|
|
|
|
type spamd_tmp_t;
|
|
files_tmp_file(spamd_tmp_t)
|
|
|
|
+# var/lib files
|
|
type spamd_var_lib_t;
|
|
files_type(spamd_var_lib_t)
|
|
|
|
type spamd_var_run_t;
|
|
files_pid_file(spamd_var_run_t)
|
|
|
|
-########################################
|
|
+ifdef(`distro_redhat',`
|
|
+ # spamassassin client executable
|
|
+ type spamc_t;
|
|
+ type spamc_exec_t;
|
|
+ application_domain(spamc_t, spamc_exec_t)
|
|
+ role system_r types spamc_t;
|
|
+
|
|
+ type spamd_etc_t;
|
|
+ files_config_file(spamd_etc_t)
|
|
+
|
|
+ typealias spamc_exec_t alias spamassassin_exec_t;
|
|
+ typealias spamc_t alias spamassassin_t;
|
|
+
|
|
+ type spamc_home_t;
|
|
+ userdom_user_home_content(spamc_home_t)
|
|
+ typealias spamc_home_t alias { spamassassin_home_t user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
|
|
+ typealias spamc_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
|
|
+ typealias spamc_home_t alias { user_spamc_home_t staff_spamc_home_t sysadm_spamc_home_t };
|
|
+ typealias spamc_home_t alias { auditadm_spamc_home_t secadm_spamc_home_t };
|
|
+
|
|
+ type spamc_tmp_t;
|
|
+ files_tmp_file(spamc_tmp_t)
|
|
+ typealias spamc_tmp_t alias spamassassin_tmp_t;
|
|
+ typealias spamc_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
|
|
+ typealias spamc_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
|
|
+
|
|
+ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
|
|
+ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
|
|
+ typealias spamc_t alias pyzor_t;
|
|
+ typealias spamc_exec_t alias pyzor_exec_t;
|
|
+ typealias spamd_t alias pyzord_t;
|
|
+ typealias spamd_initrc_exec_t alias pyzord_initrc_exec_t;
|
|
+ typealias spamd_exec_t alias pyzord_exec_t;
|
|
+ typealias spamc_tmp_t alias pyzor_tmp_t;
|
|
+ typealias spamd_log_t alias pyzor_log_t;
|
|
+ typealias spamd_log_t alias pyzord_log_t;
|
|
+ typealias spamd_var_lib_t alias pyzor_var_lib_t;
|
|
+ typealias spamd_etc_t alias pyzor_etc_t;
|
|
+ typealias spamc_home_t alias pyzor_home_t;
|
|
+ typealias spamc_home_t alias user_pyzor_home_t;
|
|
+ typealias spamc_t alias razor_t;
|
|
+ typealias spamc_exec_t alias razor_exec_t;
|
|
+ typealias spamd_log_t alias razor_log_t;
|
|
+ typealias spamd_var_lib_t alias razor_var_lib_t;
|
|
+ typealias spamd_etc_t alias razor_etc_t;
|
|
+ typealias spamc_home_t alias razor_home_t;
|
|
+ typealias spamc_home_t alias { user_razor_home_t staff_razor_home_t sysadm_razor_home_t };
|
|
+ typealias spamc_home_t alias { auditadm_razor_home_t secadm_razor_home_t };
|
|
+ typealias spamc_tmp_t alias { user_razor_tmp_t staff_razor_tmp_t sysadm_razor_tmp_t };
|
|
+ typealias spamc_tmp_t alias { auditadm_razor_tmp_t secadm_razor_tmp_t };
|
|
+',`
|
|
+ type spamassassin_t;
|
|
+ type spamassassin_exec_t;
|
|
+ typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
|
|
+ typealias spamassassin_t alias { auditadm_spamassassin_t secadm_spamassassin_t };
|
|
+ application_domain(spamassassin_t, spamassassin_exec_t)
|
|
+ ubac_constrained(spamassassin_t)
|
|
+
|
|
+ type spamassassin_home_t;
|
|
+ typealias spamassassin_home_t alias { user_spamassassin_home_t staff_spamassassin_home_t sysadm_spamassassin_home_t };
|
|
+ typealias spamassassin_home_t alias { auditadm_spamassassin_home_t secadm_spamassassin_home_t };
|
|
+ userdom_user_home_content(spamassassin_home_t)
|
|
+
|
|
+ type spamassassin_tmp_t;
|
|
+ typealias spamassassin_tmp_t alias { user_spamassassin_tmp_t staff_spamassassin_tmp_t sysadm_spamassassin_tmp_t };
|
|
+ typealias spamassassin_tmp_t alias { auditadm_spamassassin_tmp_t secadm_spamassassin_tmp_t };
|
|
+ files_tmp_file(spamassassin_tmp_t)
|
|
+ ubac_constrained(spamassassin_tmp_t)
|
|
+
|
|
+ type spamc_t;
|
|
+ type spamc_exec_t;
|
|
+ typealias spamc_t alias { user_spamc_t staff_spamc_t sysadm_spamc_t };
|
|
+ typealias spamc_t alias { auditadm_spamc_t secadm_spamc_t };
|
|
+ application_domain(spamc_t, spamc_exec_t)
|
|
+ ubac_constrained(spamc_t)
|
|
+
|
|
+ type spamc_tmp_t;
|
|
+ typealias spamc_tmp_t alias { user_spamc_tmp_t staff_spamc_tmp_t sysadm_spamc_tmp_t };
|
|
+ typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
|
|
+ files_tmp_file(spamc_tmp_t)
|
|
+ ubac_constrained(spamc_tmp_t)
|
|
+')
|
|
+
|
|
+##############################
|
|
#
|
|
-# Standalone local policy
|
|
+# Standalone program local policy
|
|
#
|
|
|
|
allow spamassassin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow spamassassin_t self:fd use;
|
|
allow spamassassin_t self:fifo_file rw_fifo_file_perms;
|
|
+allow spamassassin_t self:sock_file read_sock_file_perms;
|
|
+allow spamassassin_t self:unix_dgram_socket create_socket_perms;
|
|
+allow spamassassin_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow spamassassin_t self:unix_dgram_socket sendto;
|
|
-allow spamassassin_t self:unix_stream_socket { accept connectto listen };
|
|
+allow spamassassin_t self:unix_stream_socket connectto;
|
|
+allow spamassassin_t self:shm create_shm_perms;
|
|
+allow spamassassin_t self:sem create_sem_perms;
|
|
+allow spamassassin_t self:msgq create_msgq_perms;
|
|
+allow spamassassin_t self:msg { send receive };
|
|
|
|
manage_dirs_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
|
|
manage_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
|
|
manage_lnk_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
|
|
manage_fifo_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
|
|
manage_sock_files_pattern(spamassassin_t, spamassassin_home_t, spamassassin_home_t)
|
|
-userdom_user_home_dir_filetrans(spamassassin_t, spamassassin_home_t, dir, ".spamassassin")
|
|
|
|
manage_dirs_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
|
|
manage_files_pattern(spamassassin_t, spamassassin_tmp_t, spamassassin_tmp_t)
|
|
files_tmp_filetrans(spamassassin_t, spamassassin_tmp_t, { file dir })
|
|
|
|
+manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
|
+manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
|
+manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
|
+manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
|
+manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
|
+userdom_home_manager(spamassassin_t)
|
|
+
|
|
kernel_read_kernel_sysctls(spamassassin_t)
|
|
|
|
dev_read_urand(spamassassin_t)
|
|
|
|
-fs_getattr_all_fs(spamassassin_t)
|
|
fs_search_auto_mountpoints(spamassassin_t)
|
|
+fs_getattr_all_fs(spamassassin_t)
|
|
+
|
|
+# this should probably be removed
|
|
+corecmd_list_bin(spamassassin_t)
|
|
+corecmd_read_bin_symlinks(spamassassin_t)
|
|
+corecmd_read_bin_files(spamassassin_t)
|
|
+corecmd_read_bin_pipes(spamassassin_t)
|
|
+corecmd_read_bin_sockets(spamassassin_t)
|
|
|
|
domain_use_interactive_fds(spamassassin_t)
|
|
|
|
-files_read_etc_files(spamassassin_t)
|
|
files_read_etc_runtime_files(spamassassin_t)
|
|
files_list_home(spamassassin_t)
|
|
-files_read_usr_files(spamassassin_t)
|
|
files_dontaudit_search_var(spamassassin_t)
|
|
|
|
logging_send_syslog_msg(spamassassin_t)
|
|
|
|
-miscfiles_read_localization(spamassassin_t)
|
|
+# cjp: this could probably be removed
|
|
+seutil_read_config(spamassassin_t)
|
|
|
|
sysnet_dns_name_resolve(spamassassin_t)
|
|
|
|
+# set tunable if you have spamassassin do DNS lookups
|
|
tunable_policy(`spamassassin_can_network',`
|
|
- allow spamassassin_t self:tcp_socket { accept listen };
|
|
+ allow spamassassin_t self:tcp_socket create_stream_socket_perms;
|
|
+ allow spamassassin_t self:udp_socket create_socket_perms;
|
|
|
|
- corenet_all_recvfrom_unlabeled(spamassassin_t)
|
|
- corenet_all_recvfrom_netlabel(spamassassin_t)
|
|
corenet_tcp_sendrecv_generic_if(spamassassin_t)
|
|
+ corenet_udp_sendrecv_generic_if(spamassassin_t)
|
|
corenet_tcp_sendrecv_generic_node(spamassassin_t)
|
|
+ corenet_udp_sendrecv_generic_node(spamassassin_t)
|
|
corenet_tcp_sendrecv_all_ports(spamassassin_t)
|
|
-
|
|
+ corenet_udp_sendrecv_all_ports(spamassassin_t)
|
|
corenet_tcp_connect_all_ports(spamassassin_t)
|
|
corenet_sendrecv_all_client_packets(spamassassin_t)
|
|
+ corenet_udp_bind_generic_node(spamassassin_t)
|
|
+ corenet_udp_bind_generic_port(spamassassin_t)
|
|
+ corenet_dontaudit_udp_bind_all_ports(spamassassin_t)
|
|
+
|
|
+ sysnet_read_config(spamassassin_t)
|
|
')
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(spamassassin_t)
|
|
- fs_manage_nfs_files(spamassassin_t)
|
|
- fs_manage_nfs_symlinks(spamassassin_t)
|
|
+tunable_policy(`spamd_enable_home_dirs',`
|
|
+ userdom_manage_user_home_content_dirs(spamd_t)
|
|
+ userdom_manage_user_home_content_files(spamd_t)
|
|
+ userdom_manage_user_home_content_symlinks(spamd_t)
|
|
')
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(spamassassin_t)
|
|
- fs_manage_cifs_files(spamassassin_t)
|
|
- fs_manage_cifs_symlinks(spamassassin_t)
|
|
+optional_policy(`
|
|
+ # Write pid file and socket in ~/.evolution/cache/tmp
|
|
+ evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
|
|
')
|
|
|
|
optional_policy(`
|
|
- tunable_policy(`spamassassin_can_network && allow_ypbind',`
|
|
+ tunable_policy(`spamassassin_can_network && nis_enabled',`
|
|
nis_use_ypbind_uncond(spamassassin_t)
|
|
')
|
|
')
|
|
@@ -160,6 +236,8 @@ optional_policy(`
|
|
optional_policy(`
|
|
mta_read_config(spamassassin_t)
|
|
sendmail_stub(spamassassin_t)
|
|
+ sendmail_dontaudit_rw_unix_stream_sockets(spamassassin_t)
|
|
+ sendmail_dontaudit_rw_tcp_sockets(spamassassin_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -167,72 +245,85 @@ optional_policy(`
|
|
# Client local policy
|
|
#
|
|
|
|
-allow spamc_t self:capability dac_override;
|
|
allow spamc_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow spamc_t self:fd use;
|
|
allow spamc_t self:fifo_file rw_fifo_file_perms;
|
|
+allow spamc_t self:sock_file read_sock_file_perms;
|
|
+allow spamc_t self:shm create_shm_perms;
|
|
+allow spamc_t self:sem create_sem_perms;
|
|
+allow spamc_t self:msgq create_msgq_perms;
|
|
+allow spamc_t self:msg { send receive };
|
|
+allow spamc_t self:unix_dgram_socket create_socket_perms;
|
|
+allow spamc_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow spamc_t self:unix_dgram_socket sendto;
|
|
-allow spamc_t self:unix_stream_socket { accept connectto listen };
|
|
-allow spamc_t self:tcp_socket { accept listen };
|
|
+allow spamc_t self:unix_stream_socket connectto;
|
|
+allow spamc_t self:tcp_socket create_stream_socket_perms;
|
|
+allow spamc_t self:udp_socket create_socket_perms;
|
|
+
|
|
+can_exec(spamc_t, spamc_exec_t)
|
|
|
|
manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
|
|
manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
|
|
files_tmp_filetrans(spamc_t, spamc_tmp_t, { file dir })
|
|
|
|
-manage_dirs_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
|
|
-manage_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
|
|
-manage_lnk_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
|
|
-manage_fifo_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
|
|
-manage_sock_files_pattern(spamc_t, spamassassin_home_t, spamassassin_home_t)
|
|
-userdom_user_home_dir_filetrans(spamc_t, spamassassin_home_t, dir, ".spamassassin")
|
|
+manage_dirs_pattern(spamc_t, spamc_home_t, spamc_home_t)
|
|
+manage_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
|
|
+manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
|
|
+manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
|
|
+manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
|
|
+userdom_append_user_home_content_files(spamc_t)
|
|
+# for /root/.pyzor
|
|
+allow spamc_t self:capability dac_override;
|
|
|
|
list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
|
|
read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
|
|
|
|
-stream_connect_pattern(spamc_t, { spamd_var_run_t spamd_tmp_t }, { spamd_var_run_t spamd_tmp_t }, spamd_t)
|
|
+# Allow connecting to a local spamd
|
|
+allow spamc_t spamd_t:unix_stream_socket connectto;
|
|
+allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
|
|
+spamd_stream_connect(spamc_t)
|
|
+allow spamc_t spamd_tmp_t:file read_inherited_file_perms;
|
|
|
|
kernel_read_kernel_sysctls(spamc_t)
|
|
kernel_read_system_state(spamc_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(spamc_t)
|
|
+corecmd_exec_bin(spamc_t)
|
|
+
|
|
corenet_all_recvfrom_netlabel(spamc_t)
|
|
corenet_tcp_sendrecv_generic_if(spamc_t)
|
|
+corenet_udp_sendrecv_generic_if(spamc_t)
|
|
corenet_tcp_sendrecv_generic_node(spamc_t)
|
|
+corenet_udp_sendrecv_generic_node(spamc_t)
|
|
corenet_tcp_sendrecv_all_ports(spamc_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(spamc_t)
|
|
+corenet_udp_sendrecv_all_ports(spamc_t)
|
|
corenet_tcp_connect_all_ports(spamc_t)
|
|
+corenet_sendrecv_all_client_packets(spamc_t)
|
|
+corenet_tcp_connect_spamd_port(spamc_t)
|
|
|
|
-corecmd_exec_bin(spamc_t)
|
|
+fs_search_auto_mountpoints(spamc_t)
|
|
|
|
-domain_use_interactive_fds(spamc_t)
|
|
+# cjp: these should probably be removed:
|
|
+corecmd_list_bin(spamc_t)
|
|
+corecmd_read_bin_symlinks(spamc_t)
|
|
+corecmd_read_bin_files(spamc_t)
|
|
+corecmd_read_bin_pipes(spamc_t)
|
|
+corecmd_read_bin_sockets(spamc_t)
|
|
|
|
-fs_getattr_all_fs(spamc_t)
|
|
-fs_search_auto_mountpoints(spamc_t)
|
|
+domain_use_interactive_fds(spamc_t)
|
|
|
|
files_read_etc_runtime_files(spamc_t)
|
|
-files_read_usr_files(spamc_t)
|
|
files_dontaudit_search_var(spamc_t)
|
|
+# cjp: this may be removable:
|
|
files_list_home(spamc_t)
|
|
files_list_var_lib(spamc_t)
|
|
|
|
-auth_use_nsswitch(spamc_t)
|
|
+fs_search_auto_mountpoints(spamc_t)
|
|
|
|
logging_send_syslog_msg(spamc_t)
|
|
|
|
-miscfiles_read_localization(spamc_t)
|
|
-
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(spamc_t)
|
|
- fs_manage_nfs_files(spamc_t)
|
|
- fs_manage_nfs_symlinks(spamc_t)
|
|
-')
|
|
+auth_use_nsswitch(spamc_t)
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(spamc_t)
|
|
- fs_manage_cifs_files(spamc_t)
|
|
- fs_manage_cifs_symlinks(spamc_t)
|
|
-')
|
|
+userdom_home_manager(spamc_t)
|
|
|
|
optional_policy(`
|
|
abrt_stream_connect(spamc_t)
|
|
@@ -243,6 +334,7 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ # Allow connection to spamd socket above
|
|
evolution_stream_connect(spamc_t)
|
|
')
|
|
|
|
@@ -251,10 +343,16 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ postfix_domtrans_postdrop(spamc_t)
|
|
+ postfix_search_spool(spamc_t)
|
|
+ postfix_rw_local_pipes(spamc_t)
|
|
+ postfix_rw_inherited_master_pipes(spamc_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
mta_send_mail(spamc_t)
|
|
mta_read_config(spamc_t)
|
|
mta_read_queue(spamc_t)
|
|
- sendmail_rw_pipes(spamc_t)
|
|
sendmail_stub(spamc_t)
|
|
')
|
|
|
|
@@ -267,36 +365,38 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Daemon local policy
|
|
+# Server local policy
|
|
#
|
|
|
|
+# Spamassassin, when run as root and using per-user config files,
|
|
+# setuids to the user running spamc. Comment this if you are not
|
|
+# using this ability.
|
|
+
|
|
allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
|
|
dontaudit spamd_t self:capability sys_tty_config;
|
|
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow spamd_t self:fd use;
|
|
allow spamd_t self:fifo_file rw_fifo_file_perms;
|
|
+allow spamd_t self:sock_file read_sock_file_perms;
|
|
+allow spamd_t self:shm create_shm_perms;
|
|
+allow spamd_t self:sem create_sem_perms;
|
|
+allow spamd_t self:msgq create_msgq_perms;
|
|
+allow spamd_t self:msg { send receive };
|
|
+allow spamd_t self:unix_dgram_socket create_socket_perms;
|
|
+allow spamd_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow spamd_t self:unix_dgram_socket sendto;
|
|
-allow spamd_t self:unix_stream_socket { accept connectto listen };
|
|
-allow spamd_t self:tcp_socket { accept listen };
|
|
-
|
|
-manage_dirs_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
|
-manage_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
|
-manage_lnk_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
|
-manage_fifo_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
|
-manage_sock_files_pattern(spamd_t, spamd_home_t, spamd_home_t)
|
|
-userdom_user_home_dir_filetrans(spamd_t, spamd_home_t, dir, ".spamd")
|
|
+allow spamd_t self:unix_stream_socket connectto;
|
|
+allow spamd_t self:tcp_socket create_stream_socket_perms;
|
|
+allow spamd_t self:udp_socket create_socket_perms;
|
|
|
|
-manage_dirs_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
|
-manage_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
|
-manage_lnk_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
|
-manage_fifo_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
|
-manage_sock_files_pattern(spamd_t, spamassassin_home_t, spamassassin_home_t)
|
|
-userdom_user_home_dir_filetrans(spamd_t, spamassassin_home_t, dir, ".spamassassin")
|
|
+# needed by razor
|
|
+rw_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
|
|
|
|
+can_exec(spamd_t, spamd_compiled_t)
|
|
manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
|
|
manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
|
|
|
|
-allow spamd_t spamd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
|
+manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
|
|
logging_log_filetrans(spamd_t, spamd_log_t, file)
|
|
|
|
manage_dirs_pattern(spamd_t, spamd_spool_t, spamd_spool_t)
|
|
@@ -308,7 +408,8 @@ manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
|
|
manage_files_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
|
|
files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
|
|
|
|
-allow spamd_t spamd_var_lib_t:dir list_dir_perms;
|
|
+# var/lib files for spamd
|
|
+manage_dirs_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
|
|
manage_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
|
|
manage_lnk_files_pattern(spamd_t, spamd_var_lib_t, spamd_var_lib_t)
|
|
|
|
@@ -317,12 +418,13 @@ manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
|
|
manage_sock_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
|
|
files_pid_filetrans(spamd_t, spamd_var_run_t, { file dir })
|
|
|
|
-can_exec(spamd_t, { spamd_exec_t spamd_compiled_t })
|
|
+read_files_pattern(spamd_t, spamc_home_t, spamc_home_t)
|
|
+
|
|
+can_exec(spamd_t, spamd_exec_t)
|
|
|
|
kernel_read_all_sysctls(spamd_t)
|
|
kernel_read_system_state(spamd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(spamd_t)
|
|
corenet_all_recvfrom_netlabel(spamd_t)
|
|
corenet_tcp_sendrecv_generic_if(spamd_t)
|
|
corenet_udp_sendrecv_generic_if(spamd_t)
|
|
@@ -331,78 +433,58 @@ corenet_udp_sendrecv_generic_node(spamd_t)
|
|
corenet_tcp_sendrecv_all_ports(spamd_t)
|
|
corenet_udp_sendrecv_all_ports(spamd_t)
|
|
corenet_tcp_bind_generic_node(spamd_t)
|
|
-corenet_udp_bind_generic_node(spamd_t)
|
|
-
|
|
-corenet_sendrecv_spamd_server_packets(spamd_t)
|
|
corenet_tcp_bind_spamd_port(spamd_t)
|
|
-
|
|
-corenet_sendrecv_razor_client_packets(spamd_t)
|
|
corenet_tcp_connect_razor_port(spamd_t)
|
|
-
|
|
-corenet_sendrecv_smtp_client_packets(spamd_t)
|
|
corenet_tcp_connect_smtp_port(spamd_t)
|
|
-
|
|
-corenet_sendrecv_generic_server_packets(spamd_t)
|
|
+corenet_sendrecv_razor_client_packets(spamd_t)
|
|
+corenet_sendrecv_spamd_server_packets(spamd_t)
|
|
+# spamassassin 3.1 needs this for its
|
|
+# DnsResolver.pm module which binds to
|
|
+# random ports >= 1024.
|
|
+corenet_udp_bind_generic_node(spamd_t)
|
|
corenet_udp_bind_generic_port(spamd_t)
|
|
-
|
|
-corenet_sendrecv_imaze_server_packets(spamd_t)
|
|
corenet_udp_bind_imaze_port(spamd_t)
|
|
-
|
|
corenet_dontaudit_udp_bind_all_ports(spamd_t)
|
|
-
|
|
-corecmd_exec_bin(spamd_t)
|
|
+corenet_sendrecv_imaze_server_packets(spamd_t)
|
|
+corenet_sendrecv_generic_server_packets(spamd_t)
|
|
|
|
dev_read_sysfs(spamd_t)
|
|
dev_read_urand(spamd_t)
|
|
|
|
-domain_use_interactive_fds(spamd_t)
|
|
-
|
|
-files_read_usr_files(spamd_t)
|
|
-files_read_etc_runtime_files(spamd_t)
|
|
-
|
|
fs_getattr_all_fs(spamd_t)
|
|
fs_search_auto_mountpoints(spamd_t)
|
|
|
|
-auth_use_nsswitch(spamd_t)
|
|
auth_dontaudit_read_shadow(spamd_t)
|
|
|
|
+corecmd_exec_bin(spamd_t)
|
|
+
|
|
+domain_use_interactive_fds(spamd_t)
|
|
+
|
|
+files_read_etc_runtime_files(spamd_t)
|
|
+# /var/lib/spamassin
|
|
+files_read_var_lib_files(spamd_t)
|
|
+
|
|
init_dontaudit_rw_utmp(spamd_t)
|
|
|
|
+auth_use_nsswitch(spamd_t)
|
|
+
|
|
libs_use_ld_so(spamd_t)
|
|
libs_use_shared_libs(spamd_t)
|
|
|
|
logging_send_syslog_msg(spamd_t)
|
|
|
|
-miscfiles_read_localization(spamd_t)
|
|
-
|
|
-sysnet_use_ldap(spamd_t)
|
|
-
|
|
userdom_use_unpriv_users_fds(spamd_t)
|
|
-
|
|
-tunable_policy(`spamd_enable_home_dirs',`
|
|
- userdom_manage_user_home_content_dirs(spamd_t)
|
|
- userdom_manage_user_home_content_files(spamd_t)
|
|
- userdom_manage_user_home_content_symlinks(spamd_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(spamd_t)
|
|
- fs_manage_nfs_files(spamd_t)
|
|
- fs_manage_nfs_symlinks(spamd_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(spamd_t)
|
|
- fs_manage_cifs_files(spamd_t)
|
|
- fs_manage_cifs_symlinks(spamd_t)
|
|
-')
|
|
+userdom_search_user_home_dirs(spamd_t)
|
|
+userdom_home_manager(spamd_t)
|
|
|
|
optional_policy(`
|
|
- amavis_manage_lib_files(spamd_t)
|
|
+ antivirus_stream_connect(spamd_t)
|
|
+ antivirus_manage_db(spamd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- clamav_stream_connect(spamd_t)
|
|
+ exim_manage_spool_dirs(spamd_t)
|
|
+ exim_manage_spool_files(spamd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -421,21 +503,13 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- evolution_home_filetrans(spamd_t, spamd_tmp_t, { file sock_file })
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- exim_manage_spool_dirs(spamd_t)
|
|
- exim_manage_spool_files(spamd_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
milter_manage_spamass_state(spamd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- mysql_stream_connect(spamd_t)
|
|
mysql_tcp_connect(spamd_t)
|
|
+ mysql_search_db(spamd_t)
|
|
+ mysql_stream_connect(spamd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -443,8 +517,8 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- postgresql_stream_connect(spamd_t)
|
|
postgresql_tcp_connect(spamd_t)
|
|
+ postgresql_stream_connect(spamd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -455,7 +529,12 @@ optional_policy(`
|
|
optional_policy(`
|
|
razor_domtrans(spamd_t)
|
|
razor_read_lib_files(spamd_t)
|
|
- razor_manage_home_content(spamd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ tunable_policy(`spamd_enable_home_dirs',`
|
|
+ razor_manage_user_home_files(spamd_t)
|
|
+ ')
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -463,9 +542,9 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ mta_send_mail(spamd_t)
|
|
sendmail_stub(spamd_t)
|
|
mta_read_config(spamd_t)
|
|
- mta_send_mail(spamd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -474,32 +553,32 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Update local policy
|
|
+# spamd_update local policy
|
|
#
|
|
|
|
-allow spamd_update_t self:capability dac_override;
|
|
allow spamd_update_t self:fifo_file manage_fifo_file_perms;
|
|
allow spamd_update_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow spamd_update_t self:capability dac_read_search;
|
|
+dontaudit spamd_update_t self:capability dac_override;
|
|
|
|
manage_dirs_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
|
|
manage_files_pattern(spamd_update_t, spamd_tmp_t, spamd_tmp_t)
|
|
files_tmp_filetrans(spamd_update_t, spamd_tmp_t, { file dir })
|
|
|
|
+allow spamd_update_t spamd_var_lib_t:dir list_dir_perms;
|
|
manage_dirs_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
|
|
manage_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
|
|
manage_lnk_files_pattern(spamd_update_t, spamd_var_lib_t, spamd_var_lib_t)
|
|
|
|
-kernel_read_system_state(spamd_update_t)
|
|
+allow spamd_update_t spamc_home_t:dir search_dir_perms;
|
|
+allow spamd_update_t spamd_tmp_t:file read_file_perms;
|
|
|
|
-corenet_all_recvfrom_unlabeled(spamd_update_t)
|
|
-corenet_all_recvfrom_netlabel(spamd_update_t)
|
|
-corenet_tcp_sendrecv_generic_if(spamd_update_t)
|
|
-corenet_tcp_sendrecv_generic_node(spamd_update_t)
|
|
-corenet_tcp_sendrecv_all_ports(spamd_update_t)
|
|
+allow spamd_update_t spamc_home_t:dir search_dir_perms;
|
|
|
|
-corenet_sendrecv_http_client_packets(spamd_update_t)
|
|
+kernel_read_system_state(spamd_update_t)
|
|
+
|
|
+# for updating rules
|
|
corenet_tcp_connect_http_port(spamd_update_t)
|
|
-corenet_tcp_sendrecv_http_port(spamd_update_t)
|
|
|
|
corecmd_exec_bin(spamd_update_t)
|
|
corecmd_exec_shell(spamd_update_t)
|
|
@@ -508,25 +587,21 @@ dev_read_urand(spamd_update_t)
|
|
|
|
domain_use_interactive_fds(spamd_update_t)
|
|
|
|
-files_read_usr_files(spamd_update_t)
|
|
|
|
auth_use_nsswitch(spamd_update_t)
|
|
auth_dontaudit_read_shadow(spamd_update_t)
|
|
|
|
-miscfiles_read_localization(spamd_update_t)
|
|
+mta_read_config(spamd_update_t)
|
|
|
|
-userdom_use_user_terminals(spamd_update_t)
|
|
+userdom_search_admin_dir(spamd_update_t)
|
|
+userdom_use_inherited_user_ptys(spamd_update_t)
|
|
|
|
optional_policy(`
|
|
cron_system_entry(spamd_update_t, spamd_update_exec_t)
|
|
')
|
|
|
|
-# probably want a solution same as httpd_use_gpg since this will
|
|
-# give spamd_update a path to users gpg keys
|
|
-# optional_policy(`
|
|
-# gpg_domtrans(spamd_update_t)
|
|
-# ')
|
|
-
|
|
optional_policy(`
|
|
- mta_read_config(spamd_update_t)
|
|
+ gpg_domtrans(spamd_update_t)
|
|
+ gpg_manage_home_content(spamd_update_t)
|
|
')
|
|
+
|
|
diff --git a/speedtouch.te b/speedtouch.te
|
|
index b38b8b1..eb36653 100644
|
|
--- a/speedtouch.te
|
|
+++ b/speedtouch.te
|
|
@@ -39,16 +39,12 @@ dev_read_usbfs(speedmgmt_t)
|
|
|
|
domain_use_interactive_fds(speedmgmt_t)
|
|
|
|
-files_read_etc_files(speedmgmt_t)
|
|
-files_read_usr_files(speedmgmt_t)
|
|
|
|
fs_getattr_all_fs(speedmgmt_t)
|
|
fs_search_auto_mountpoints(speedmgmt_t)
|
|
|
|
logging_send_syslog_msg(speedmgmt_t)
|
|
|
|
-miscfiles_read_localization(speedmgmt_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(speedmgmt_t)
|
|
userdom_dontaudit_search_user_home_dirs(speedmgmt_t)
|
|
|
|
diff --git a/squid.fc b/squid.fc
|
|
index 0a8b0f7..ebbec17 100644
|
|
--- a/squid.fc
|
|
+++ b/squid.fc
|
|
@@ -1,12 +1,15 @@
|
|
-/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
|
|
-
|
|
-/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/squid -- gen_context(system_u:object_r:squid_initrc_exec_t,s0)
|
|
+/etc/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
|
|
+/etc/lightsquid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
|
|
|
|
/usr/lib/squid/cachemgr\.cgi -- gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
|
|
|
|
+/usr/sbin/lightparser.pl -- gen_context(system_u:object_r:squid_cron_exec_t,s0)
|
|
+
|
|
/usr/sbin/squid -- gen_context(system_u:object_r:squid_exec_t,s0)
|
|
|
|
/usr/share/squid(/.*)? gen_context(system_u:object_r:squid_conf_t,s0)
|
|
+/usr/share/lightsquid/cgi(/.*)? gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
|
|
|
|
/var/cache/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
|
|
|
|
@@ -15,6 +18,7 @@
|
|
|
|
/var/run/squid\.pid -- gen_context(system_u:object_r:squid_var_run_t,s0)
|
|
|
|
-/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
|
|
+/var/spool/squid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
|
|
+/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
|
|
|
|
-/var/squidGuard(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
|
|
+/var/lightsquid(/.*)? gen_context(system_u:object_r:squid_cache_t,s0)
|
|
diff --git a/squid.if b/squid.if
|
|
index 5e1f053..e7820bc 100644
|
|
--- a/squid.if
|
|
+++ b/squid.if
|
|
@@ -72,7 +72,7 @@ interface(`squid_rw_stream_sockets',`
|
|
type squid_t;
|
|
')
|
|
|
|
- allow $1 squid_t:unix_stream_socket { getattr read write };
|
|
+ allow $1 squid_t:unix_stream_socket rw_socket_perms;
|
|
')
|
|
|
|
########################################
|
|
@@ -85,7 +85,6 @@ interface(`squid_rw_stream_sockets',`
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
interface(`squid_dontaudit_search_cache',`
|
|
gen_require(`
|
|
@@ -213,9 +212,13 @@ interface(`squid_admin',`
|
|
type squid_initrc_exec_t, squid_tmp_t;
|
|
')
|
|
|
|
- allow $1 squid_t:process { ptrace signal_perms };
|
|
+ allow $1 squid_t:process signal_perms;
|
|
ps_process_pattern($1, squid_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 squid_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, squid_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 squid_initrc_exec_t system_r;
|
|
diff --git a/squid.te b/squid.te
|
|
index 03472ed..7cb8bec 100644
|
|
--- a/squid.te
|
|
+++ b/squid.te
|
|
@@ -29,7 +29,7 @@ type squid_cache_t;
|
|
files_type(squid_cache_t)
|
|
|
|
type squid_conf_t;
|
|
-files_type(squid_conf_t)
|
|
+files_config_file(squid_conf_t)
|
|
|
|
type squid_initrc_exec_t;
|
|
init_script_file(squid_initrc_exec_t)
|
|
@@ -37,15 +37,21 @@ init_script_file(squid_initrc_exec_t)
|
|
type squid_log_t;
|
|
logging_log_file(squid_log_t)
|
|
|
|
-type squid_tmp_t;
|
|
-files_tmp_file(squid_tmp_t)
|
|
-
|
|
type squid_tmpfs_t;
|
|
files_tmpfs_file(squid_tmpfs_t)
|
|
|
|
+type squid_tmp_t;
|
|
+files_tmp_file(squid_tmp_t)
|
|
+
|
|
type squid_var_run_t;
|
|
files_pid_file(squid_var_run_t)
|
|
|
|
+type squid_cron_t;
|
|
+type squid_cron_exec_t;
|
|
+init_daemon_domain(squid_cron_t, squid_cron_exec_t)
|
|
+application_domain(squid_cron_t, squid_cron_exec_t)
|
|
+role system_r types squid_cron_t;
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -78,13 +84,13 @@ manage_files_pattern(squid_t, squid_log_t, squid_log_t)
|
|
manage_lnk_files_pattern(squid_t, squid_log_t, squid_log_t)
|
|
logging_log_filetrans(squid_t, squid_log_t, { file dir })
|
|
|
|
+manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
|
|
+fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
|
|
+
|
|
manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
|
|
manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
|
|
files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
|
|
|
|
-manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
|
|
-fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
|
|
-
|
|
manage_files_pattern(squid_t, squid_var_run_t, squid_var_run_t)
|
|
files_pid_filetrans(squid_t, squid_var_run_t, file)
|
|
|
|
@@ -94,7 +100,6 @@ kernel_read_kernel_sysctls(squid_t)
|
|
kernel_read_system_state(squid_t)
|
|
kernel_read_network_state(squid_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(squid_t)
|
|
corenet_all_recvfrom_netlabel(squid_t)
|
|
corenet_tcp_sendrecv_generic_if(squid_t)
|
|
corenet_udp_sendrecv_generic_if(squid_t)
|
|
@@ -132,6 +137,7 @@ corenet_tcp_sendrecv_gopher_port(squid_t)
|
|
corenet_udp_sendrecv_gopher_port(squid_t)
|
|
|
|
corenet_sendrecv_squid_server_packets(squid_t)
|
|
+corenet_sendrecv_squid_client_packets(squid_t)
|
|
corenet_tcp_bind_squid_port(squid_t)
|
|
corenet_udp_bind_squid_port(squid_t)
|
|
corenet_tcp_sendrecv_squid_port(squid_t)
|
|
@@ -154,7 +160,6 @@ dev_read_urand(squid_t)
|
|
domain_use_interactive_fds(squid_t)
|
|
|
|
files_read_etc_runtime_files(squid_t)
|
|
-files_read_usr_files(squid_t)
|
|
files_search_spool(squid_t)
|
|
files_dontaudit_getattr_tmp_dirs(squid_t)
|
|
files_getattr_home_dir(squid_t)
|
|
@@ -176,7 +181,6 @@ libs_exec_lib_files(squid_t)
|
|
logging_send_syslog_msg(squid_t)
|
|
|
|
miscfiles_read_generic_certs(squid_t)
|
|
-miscfiles_read_localization(squid_t)
|
|
|
|
userdom_use_unpriv_users_fds(squid_t)
|
|
userdom_dontaudit_search_user_home_dirs(squid_t)
|
|
@@ -198,6 +202,8 @@ tunable_policy(`squid_use_tproxy',`
|
|
optional_policy(`
|
|
apache_content_template(squid)
|
|
|
|
+ allow httpd_squid_script_t self:tcp_socket create_socket_perms;
|
|
+
|
|
corenet_all_recvfrom_unlabeled(httpd_squid_script_t)
|
|
corenet_all_recvfrom_netlabel(httpd_squid_script_t)
|
|
corenet_tcp_sendrecv_generic_if(httpd_squid_script_t)
|
|
@@ -207,18 +213,18 @@ optional_policy(`
|
|
corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
|
|
corenet_tcp_sendrecv_http_cache_port(httpd_squid_script_t)
|
|
|
|
- sysnet_dns_name_resolve(httpd_squid_script_t)
|
|
+ corenet_tcp_connect_squid_port(httpd_squid_script_t)
|
|
|
|
- squid_read_config(httpd_squid_script_t)
|
|
-')
|
|
+ sysnet_dns_name_resolve(httpd_squid_script_t)
|
|
|
|
-optional_policy(`
|
|
- cron_system_entry(squid_t, squid_exec_t)
|
|
+ optional_policy(`
|
|
+ squid_read_config(httpd_squid_script_t)
|
|
+ ')
|
|
')
|
|
|
|
optional_policy(`
|
|
- kerberos_manage_host_rcache(squid_t)
|
|
- kerberos_tmp_filetrans_host_rcache(squid_t, file, "host_0")
|
|
+ kerberos_tmp_filetrans_host_rcache(squid_t, "host_0")
|
|
+ kerberos_manage_host_rcache(squid_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -236,3 +242,24 @@ optional_policy(`
|
|
optional_policy(`
|
|
udev_read_db(squid_t)
|
|
')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# squid cron Local policy
|
|
+#
|
|
+manage_dirs_pattern(squid_cron_t, squid_cache_t, squid_cache_t)
|
|
+manage_files_pattern(squid_cron_t, squid_cache_t, squid_cache_t)
|
|
+manage_lnk_files_pattern(squid_cron_t, squid_cache_t, squid_cache_t)
|
|
+files_var_filetrans(squid_cron_t, squid_cache_t, dir, "squid")
|
|
+
|
|
+read_files_pattern(squid_cron_t, squid_conf_t, squid_conf_t)
|
|
+
|
|
+read_files_pattern(squid_cron_t, squid_log_t, squid_log_t)
|
|
+
|
|
+corecmd_exec_bin(squid_cron_t)
|
|
+
|
|
+dev_read_urand(squid_cron_t)
|
|
+
|
|
+optional_policy(`
|
|
+ cron_system_entry(squid_cron_t, squid_cron_exec_t)
|
|
+')
|
|
diff --git a/sssd.fc b/sssd.fc
|
|
index dbb005a..45291bb 100644
|
|
--- a/sssd.fc
|
|
+++ b/sssd.fc
|
|
@@ -1,15 +1,17 @@
|
|
/etc/rc\.d/init\.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
|
|
|
|
-/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
|
|
+/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
|
|
|
|
-/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
|
|
+/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
|
|
|
|
-/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
|
|
+/usr/lib/systemd/system/sssd.* -- gen_context(system_u:object_r:sssd_unit_file_t,s0)
|
|
|
|
-/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
|
|
+/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
|
|
+
|
|
+/var/lib/sss/mc(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
|
|
|
|
/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
|
|
|
|
-/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
|
|
+/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
|
|
|
|
-/var/run/sssd\.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
|
|
+/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
|
|
diff --git a/sssd.if b/sssd.if
|
|
index a240455..16a04bf 100644
|
|
--- a/sssd.if
|
|
+++ b/sssd.if
|
|
@@ -1,21 +1,21 @@
|
|
-## <summary>System Security Services Daemon.</summary>
|
|
+## <summary>System Security Services Daemon</summary>
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Get attributes of sssd executable files.
|
|
+## Allow a domain to getattr on sssd binary.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sssd_getattr_exec',`
|
|
- gen_require(`
|
|
- type sssd_exec_t;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type sssd_t, sssd_exec_t;
|
|
+ ')
|
|
|
|
- allow $1 sssd_exec_t:file getattr_file_perms;
|
|
+ allow $1 sssd_exec_t:file getattr;
|
|
')
|
|
|
|
########################################
|
|
@@ -33,14 +33,12 @@ interface(`sssd_domtrans',`
|
|
type sssd_t, sssd_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, sssd_exec_t, sssd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute sssd init scripts in
|
|
-## the initrc domain.
|
|
+## Execute sssd server in the sssd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -56,49 +54,90 @@ interface(`sssd_initrc_domtrans',`
|
|
init_labeled_script_domtrans($1, sssd_initrc_exec_t)
|
|
')
|
|
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute sssd server in the sssd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sssd_systemctl',`
|
|
+ gen_require(`
|
|
+ type sssd_t;
|
|
+ type sssd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 sssd_unit_file_t:file read_file_perms;
|
|
+ allow $1 sssd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, sssd_t)
|
|
+')
|
|
+
|
|
#######################################
|
|
## <summary>
|
|
-## Read sssd configuration content.
|
|
+## Read sssd configuration.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sssd_read_config',`
|
|
- gen_require(`
|
|
- type sssd_conf_t;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type sssd_conf_t;
|
|
+ ')
|
|
|
|
- files_search_etc($1)
|
|
- list_dirs_pattern($1, sssd_conf_t, sssd_conf_t)
|
|
- read_files_pattern($1, sssd_conf_t, sssd_conf_t)
|
|
+ files_search_etc($1)
|
|
+ list_dirs_pattern($1, sssd_conf_t, sssd_conf_t)
|
|
+ read_files_pattern($1, sssd_conf_t, sssd_conf_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
-## Write sssd configuration files.
|
|
+## Write sssd configuration.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`sssd_write_config',`
|
|
- gen_require(`
|
|
- type sssd_conf_t;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type sssd_conf_t;
|
|
+ ')
|
|
|
|
- files_search_etc($1)
|
|
- write_files_pattern($1, sssd_conf_t, sssd_conf_t)
|
|
+ files_search_etc($1)
|
|
+ write_files_pattern($1, sssd_conf_t, sssd_conf_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Write sssd configuration.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sssd_create_config',`
|
|
+ gen_require(`
|
|
+ type sssd_conf_t;
|
|
+ ')
|
|
+
|
|
+ files_search_etc($1)
|
|
+ create_files_pattern($1, sssd_conf_t, sssd_conf_t)
|
|
')
|
|
|
|
####################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## sssd configuration files.
|
|
+## Manage sssd configuration.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -107,12 +146,12 @@ interface(`sssd_write_config',`
|
|
## </param>
|
|
#
|
|
interface(`sssd_manage_config',`
|
|
- gen_require(`
|
|
- type sssd_conf_t;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type sssd_conf_t;
|
|
+ ')
|
|
|
|
- files_search_etc($1)
|
|
- manage_files_pattern($1, sssd_conf_t, sssd_conf_t)
|
|
+ files_search_etc($1)
|
|
+ manage_files_pattern($1, sssd_conf_t, sssd_conf_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -131,14 +170,13 @@ interface(`sssd_read_public_files',`
|
|
')
|
|
|
|
sssd_search_lib($1)
|
|
- allow $1 sssd_public_t:dir list_dir_perms;
|
|
+ list_dirs_pattern($1, sssd_public_t, sssd_public_t)
|
|
read_files_pattern($1, sssd_public_t, sssd_public_t)
|
|
')
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## sssd public files.
|
|
+## Dontaudit read sssd public files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -146,18 +184,36 @@ interface(`sssd_read_public_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`sssd_manage_public_files',`
|
|
+interface(`sssd_dontaudit_read_public_files',`
|
|
gen_require(`
|
|
type sssd_public_t;
|
|
')
|
|
|
|
- sssd_search_lib($1)
|
|
- manage_files_pattern($1, sssd_public_t, sssd_public_t)
|
|
+ dontaudit $1 sssd_public_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Manage sssd public files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sssd_manage_public_files',`
|
|
+ gen_require(`
|
|
+ type sssd_public_t;
|
|
+ ')
|
|
+
|
|
+ sssd_search_lib($1)
|
|
+ manage_files_pattern($1, sssd_public_t, sssd_public_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read sssd pid files.
|
|
+## Read sssd PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -176,8 +232,7 @@ interface(`sssd_read_pid_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## sssd pid content.
|
|
+## Manage sssd var_run files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -216,8 +271,7 @@ interface(`sssd_search_lib',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Do not audit attempts to search
|
|
-## sssd lib directories.
|
|
+## Do not audit attempts to search sssd lib directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -235,6 +289,24 @@ interface(`sssd_dontaudit_search_lib',`
|
|
|
|
########################################
|
|
## <summary>
|
|
+## Do not audit attempts to read sssd lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain to not audit.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sssd_dontaudit_read_lib',`
|
|
+ gen_require(`
|
|
+ type sssd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 sssd_var_lib_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
## Read sssd lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
@@ -297,8 +369,7 @@ interface(`sssd_dbus_chat',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to sssd with a unix
|
|
-## domain stream socket.
|
|
+## Connect to sssd over a unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -317,8 +388,27 @@ interface(`sssd_stream_connect',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an sssd environment.
|
|
+## Dontaudit attempts to connect to sssd over a unix stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`sssd_dontaudit_stream_connect',`
|
|
+ gen_require(`
|
|
+ type sssd_t, sssd_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ dontaudit $1 sssd_t:unix_stream_socket connectto;
|
|
+ dontaudit $1 sssd_var_lib_t:sock_file { read write };
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an sssd environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -327,7 +417,7 @@ interface(`sssd_stream_connect',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the sssd domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
@@ -335,27 +425,29 @@ interface(`sssd_stream_connect',`
|
|
interface(`sssd_admin',`
|
|
gen_require(`
|
|
type sssd_t, sssd_public_t, sssd_initrc_exec_t;
|
|
- type sssd_var_lib_t, sssd_var_run_t, sssd_conf_t;
|
|
- type sssd_log_t;
|
|
+ type sssd_unit_file_t;
|
|
')
|
|
|
|
- allow $1 sssd_t:process { ptrace signal_perms };
|
|
+ allow $1 sssd_t:process signal_perms;
|
|
ps_process_pattern($1, sssd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 sssd_t:process ptrace;
|
|
+ ')
|
|
|
|
+ # Allow sssd_t to restart the apache service
|
|
sssd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 sssd_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, sssd_conf_t)
|
|
+ sssd_manage_pids($1)
|
|
|
|
- files_search_var_lib($1)
|
|
- admin_pattern($1, { sssd_var_lib_t sssd_public_t })
|
|
+ sssd_manage_lib_files($1)
|
|
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, sssd_var_run_t)
|
|
+ admin_pattern($1, sssd_public_t)
|
|
+
|
|
+ sssd_systemctl($1)
|
|
+ admin_pattern($1, sssd_unit_file_t)
|
|
+ allow $1 sssd_unit_file_t:service all_service_perms;
|
|
|
|
- logging_search_logs($1)
|
|
- admin_pattern($1, sssd_log_t)
|
|
')
|
|
diff --git a/sssd.te b/sssd.te
|
|
index 2d8db1f..49327eb 100644
|
|
--- a/sssd.te
|
|
+++ b/sssd.te
|
|
@@ -28,9 +28,12 @@ logging_log_file(sssd_var_log_t)
|
|
type sssd_var_run_t;
|
|
files_pid_file(sssd_var_run_t)
|
|
|
|
+type sssd_unit_file_t;
|
|
+systemd_unit_file(sssd_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
-# Local policy
|
|
+# sssd local policy
|
|
#
|
|
|
|
allow sssd_t self:capability { chown dac_read_search dac_override kill net_admin sys_nice setgid setuid sys_admin sys_resource };
|
|
@@ -38,7 +41,7 @@ allow sssd_t self:capability2 block_suspend;
|
|
allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
|
|
allow sssd_t self:fifo_file rw_fifo_file_perms;
|
|
allow sssd_t self:key manage_key_perms;
|
|
-allow sssd_t self:unix_stream_socket { accept connectto listen };
|
|
+allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
|
|
read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
|
|
|
|
@@ -51,9 +54,7 @@ manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
|
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
|
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
|
|
|
|
-append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
|
|
-create_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
|
|
-setattr_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
|
|
+manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
|
|
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
|
|
|
|
manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
|
|
@@ -63,16 +64,9 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
|
|
kernel_read_network_state(sssd_t)
|
|
kernel_read_system_state(sssd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(sssd_t)
|
|
-corenet_all_recvfrom_netlabel(sssd_t)
|
|
-corenet_udp_sendrecv_generic_if(sssd_t)
|
|
-corenet_udp_sendrecv_generic_node(sssd_t)
|
|
-corenet_udp_sendrecv_all_ports(sssd_t)
|
|
-corenet_udp_bind_generic_node(sssd_t)
|
|
-
|
|
-corenet_sendrecv_generic_server_packets(sssd_t)
|
|
corenet_udp_bind_generic_port(sssd_t)
|
|
corenet_dontaudit_udp_bind_all_ports(sssd_t)
|
|
+corenet_tcp_connect_kerberos_password_port(sssd_t)
|
|
|
|
corecmd_exec_bin(sssd_t)
|
|
|
|
@@ -83,9 +77,7 @@ domain_read_all_domains_state(sssd_t)
|
|
domain_obj_id_change_exemption(sssd_t)
|
|
|
|
files_list_tmp(sssd_t)
|
|
-files_read_etc_files(sssd_t)
|
|
files_read_etc_runtime_files(sssd_t)
|
|
-files_read_usr_files(sssd_t)
|
|
files_list_var_lib(sssd_t)
|
|
|
|
fs_list_inotifyfs(sssd_t)
|
|
@@ -94,14 +86,15 @@ selinux_validate_context(sssd_t)
|
|
|
|
seutil_read_file_contexts(sssd_t)
|
|
# sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
|
|
-# seutil_rw_login_config_dirs(sssd_t)
|
|
-# seutil_manage_login_config_files(sssd_t)
|
|
+seutil_rw_login_config_dirs(sssd_t)
|
|
+seutil_manage_login_config_files(sssd_t)
|
|
|
|
mls_file_read_to_clearance(sssd_t)
|
|
mls_socket_read_to_clearance(sssd_t)
|
|
mls_socket_write_to_clearance(sssd_t)
|
|
mls_trusted_object(sssd_t)
|
|
|
|
+# auth_use_nsswitch(sssd_t)
|
|
auth_domtrans_chk_passwd(sssd_t)
|
|
auth_domtrans_upd_passwd(sssd_t)
|
|
auth_manage_cache(sssd_t)
|
|
@@ -112,18 +105,32 @@ logging_send_syslog_msg(sssd_t)
|
|
logging_send_audit_msgs(sssd_t)
|
|
|
|
miscfiles_read_generic_certs(sssd_t)
|
|
-miscfiles_read_localization(sssd_t)
|
|
|
|
sysnet_dns_name_resolve(sssd_t)
|
|
sysnet_use_ldap(sssd_t)
|
|
|
|
+userdom_manage_tmp_role(system_r, sssd_t)
|
|
+userdom_manage_all_users_keys(sssd_t)
|
|
+
|
|
optional_policy(`
|
|
dbus_system_bus_client(sssd_t)
|
|
dbus_connect_system_bus(sssd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- kerberos_read_config(sssd_t)
|
|
kerberos_manage_host_rcache(sssd_t)
|
|
- kerberos_tmp_filetrans_host_rcache(sssd_t, file, "host_0")
|
|
+ kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0")
|
|
+ kerberos_read_home_content(sssd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dirsrv_stream_connect(sssd_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ ldap_stream_connect(sssd_t)
|
|
+ ldap_read_certs(sssd_t)
|
|
+')
|
|
+
|
|
+userdom_home_reader(sssd_t)
|
|
+
|
|
diff --git a/stapserver.fc b/stapserver.fc
|
|
new file mode 100644
|
|
index 0000000..0ccce59
|
|
--- /dev/null
|
|
+++ b/stapserver.fc
|
|
@@ -0,0 +1,7 @@
|
|
+/usr/bin/stap-server -- gen_context(system_u:object_r:stapserver_exec_t,s0)
|
|
+
|
|
+/var/lib/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_lib_t,s0)
|
|
+
|
|
+/var/log/stap-server(/.*)? gen_context(system_u:object_r:stapserver_log_t,s0)
|
|
+
|
|
+/var/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0)
|
|
diff --git a/stapserver.if b/stapserver.if
|
|
new file mode 100644
|
|
index 0000000..80c6480
|
|
--- /dev/null
|
|
+++ b/stapserver.if
|
|
@@ -0,0 +1,151 @@
|
|
+
|
|
+## <summary> Instrumentation System Server </summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute stapserver in the stapserver domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`stapserver_domtrans',`
|
|
+ gen_require(`
|
|
+ type stapserver_t, stapserver_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, stapserver_exec_t, stapserver_t)
|
|
+')
|
|
+########################################
|
|
+## <summary>
|
|
+## Read stapserver's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`stapserver_read_log',`
|
|
+ gen_require(`
|
|
+ type stapserver_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, stapserver_log_t, stapserver_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Append to stapserver log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`stapserver_append_log',`
|
|
+ gen_require(`
|
|
+ type stapserver_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, stapserver_log_t, stapserver_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage stapserver log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`stapserver_manage_log',`
|
|
+ gen_require(`
|
|
+ type stapserver_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ manage_dirs_pattern($1, stapserver_log_t, stapserver_log_t)
|
|
+ manage_files_pattern($1, stapserver_log_t, stapserver_log_t)
|
|
+ manage_lnk_files_pattern($1, stapserver_log_t, stapserver_log_t)
|
|
+')
|
|
+########################################
|
|
+## <summary>
|
|
+## Read stapserver PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`stapserver_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type stapserver_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ allow $1 stapserver_var_run_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Manage stapserver lib files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`stapserver_manage_lib',`
|
|
+ gen_require(`
|
|
+ type stapserver_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ manage_dirs_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
|
|
+ manage_files_pattern($1, stapserver_var_lib_t, stapserver_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an stapserver environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`stapserver_admin',`
|
|
+ gen_require(`
|
|
+ type stapserver_t;
|
|
+ type stapserver_log_t;
|
|
+ type stapserver_var_run_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 stapserver_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, stapserver_t)
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ admin_pattern($1, stapserver_log_t)
|
|
+
|
|
+ files_search_pids($1)
|
|
+ admin_pattern($1, stapserver_var_run_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+')
|
|
diff --git a/stapserver.te b/stapserver.te
|
|
new file mode 100644
|
|
index 0000000..2540ebd
|
|
--- /dev/null
|
|
+++ b/stapserver.te
|
|
@@ -0,0 +1,113 @@
|
|
+policy_module(systemtap, 1.1.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type stapserver_t;
|
|
+type stapserver_exec_t;
|
|
+init_daemon_domain(stapserver_t, stapserver_exec_t)
|
|
+
|
|
+type stapserver_var_lib_t;
|
|
+files_type(stapserver_var_lib_t)
|
|
+
|
|
+type stapserver_log_t;
|
|
+logging_log_file(stapserver_log_t)
|
|
+
|
|
+type stapserver_var_run_t;
|
|
+files_pid_file(stapserver_var_run_t)
|
|
+
|
|
+type stapserver_tmp_t;
|
|
+files_tmp_file(stapserver_tmp_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# stapserver local policy
|
|
+#
|
|
+
|
|
+#runuser
|
|
+allow stapserver_t self:capability { setuid setgid };
|
|
+allow stapserver_t self:process setsched;
|
|
+
|
|
+allow stapserver_t self:capability { dac_override kill };
|
|
+allow stapserver_t self:process { setrlimit signal };
|
|
+
|
|
+allow stapserver_t self:fifo_file rw_fifo_file_perms;
|
|
+allow stapserver_t self:key write;
|
|
+allow stapserver_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow stapserver_t self:tcp_socket { accept listen };
|
|
+
|
|
+manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
|
|
+manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
|
|
+files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
|
|
+
|
|
+manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
|
|
+manage_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
|
|
+logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
|
|
+
|
|
+manage_dirs_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
|
|
+manage_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
|
|
+manage_lnk_files_pattern(stapserver_t, stapserver_tmp_t, stapserver_tmp_t)
|
|
+files_tmp_filetrans(stapserver_t, stapserver_tmp_t, { file dir })
|
|
+
|
|
+manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
|
|
+manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
|
|
+files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
|
|
+
|
|
+kernel_read_system_state(stapserver_t)
|
|
+kernel_read_kernel_sysctls(stapserver_t)
|
|
+
|
|
+corecmd_exec_bin(stapserver_t)
|
|
+corecmd_exec_shell(stapserver_t)
|
|
+
|
|
+domain_read_all_domains_state(stapserver_t)
|
|
+domain_use_interactive_fds(stapserver_t)
|
|
+
|
|
+dev_read_sysfs(stapserver_t)
|
|
+dev_read_rand(stapserver_t)
|
|
+dev_read_urand(stapserver_t)
|
|
+
|
|
+files_list_tmp(stapserver_t)
|
|
+files_search_kernel_modules(stapserver_t)
|
|
+
|
|
+fs_search_cgroup_dirs(stapserver_t)
|
|
+
|
|
+auth_use_nsswitch(stapserver_t)
|
|
+
|
|
+init_read_utmp(stapserver_t)
|
|
+
|
|
+logging_send_audit_msgs(stapserver_t)
|
|
+logging_send_syslog_msg(stapserver_t)
|
|
+
|
|
+#lspci
|
|
+miscfiles_read_hwdata(stapserver_t)
|
|
+
|
|
+systemd_dbus_chat_logind(stapserver_t)
|
|
+
|
|
+userdom_use_user_terminals(stapserver_t)
|
|
+
|
|
+optional_policy(`
|
|
+ avahi_dbus_chat(stapserver_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ consoletype_exec(stapserver_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dbus_system_bus_client(stapserver_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ hostname_exec(stapserver_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ plymouthd_exec_plymouth(stapserver_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rpm_exec(stapserver_t)
|
|
+')
|
|
+
|
|
diff --git a/stunnel.te b/stunnel.te
|
|
index 27a8480..88f7dc8 100644
|
|
--- a/stunnel.te
|
|
+++ b/stunnel.te
|
|
@@ -48,7 +48,6 @@ kernel_read_network_state(stunnel_t)
|
|
|
|
corecmd_exec_bin(stunnel_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(stunnel_t)
|
|
corenet_all_recvfrom_netlabel(stunnel_t)
|
|
corenet_tcp_sendrecv_generic_if(stunnel_t)
|
|
corenet_tcp_sendrecv_generic_node(stunnel_t)
|
|
@@ -75,7 +74,6 @@ auth_use_nsswitch(stunnel_t)
|
|
logging_send_syslog_msg(stunnel_t)
|
|
|
|
miscfiles_read_generic_certs(stunnel_t)
|
|
-miscfiles_read_localization(stunnel_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
|
|
userdom_dontaudit_search_user_home_dirs(stunnel_t)
|
|
@@ -105,4 +103,5 @@ optional_policy(`
|
|
gen_require(`
|
|
type stunnel_port_t;
|
|
')
|
|
+
|
|
allow stunnel_t stunnel_port_t:tcp_socket name_bind;
|
|
diff --git a/svnserve.fc b/svnserve.fc
|
|
index effffd0..12ca090 100644
|
|
--- a/svnserve.fc
|
|
+++ b/svnserve.fc
|
|
@@ -1,8 +1,13 @@
|
|
-/etc/rc\.d/init\.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
|
|
+/etc/rc.d/init.d/svnserve -- gen_context(system_u:object_r:svnserve_initrc_exec_t,s0)
|
|
|
|
-/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0)
|
|
+/usr/bin/svnserve -- gen_context(system_u:object_r:svnserve_exec_t,s0)
|
|
|
|
-/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
|
|
+/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/svnserve\.service -- gen_context(system_u:object_r:svnserve_unit_file_t,s0)
|
|
|
|
-/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0)
|
|
-/var/run/svnserve\.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0)
|
|
+/var/run/svnserve(/.*)? gen_context(system_u:object_r:svnserve_var_run_t,s0)
|
|
+/var/run/svnserve.pid -- gen_context(system_u:object_r:svnserve_var_run_t,s0)
|
|
+
|
|
+/var/svn(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
|
|
+/var/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
|
|
+/var/lib/subversion/repo(/.*)? gen_context(system_u:object_r:svnserve_content_t,s0)
|
|
diff --git a/svnserve.if b/svnserve.if
|
|
index 2ac91b6..dd2ac36 100644
|
|
--- a/svnserve.if
|
|
+++ b/svnserve.if
|
|
@@ -1,35 +1,118 @@
|
|
-## <summary>Server for the svn repository access method.</summary>
|
|
+
|
|
+## <summary>policy for svnserve</summary>
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to svnserve.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`svnserve_domtrans',`
|
|
+ gen_require(`
|
|
+ type svnserve_t, svnserve_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, svnserve_exec_t, svnserve_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute svnserve server in the svnserve domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`svnserve_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type svnserve_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute svnserve server in the svnserve domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`svnserve_systemctl',`
|
|
+ gen_require(`
|
|
+ type svnserve_t;
|
|
+ type svnserve_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 svnserve_unit_file_t:file read_file_perms;
|
|
+ allow $1 svnserve_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, svnserve_t)
|
|
+')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an svnserve environment.
|
|
+## Read svnserve PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
+#
|
|
+interface(`svnserve_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type svnserve_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ allow $1 svnserve_var_run_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an svnserve environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
interface(`svnserve_admin',`
|
|
gen_require(`
|
|
- type svnserve_t, svnserve_initrc_exec_t, svnserve_var_run_t;
|
|
+ type svnserve_t;
|
|
+ type svnserve_var_run_t;
|
|
+ type svnserve_unit_file_t;
|
|
')
|
|
|
|
allow $1 svnserve_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, svnserve_t)
|
|
|
|
- init_labeled_script_domtrans($1, svnserve_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 svnserve_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
-
|
|
files_search_pids($1)
|
|
- admin_pattern($1, httpd_var_run_t)
|
|
+ admin_pattern($1, svnserve_var_run_t)
|
|
+
|
|
+ svnserve_systemctl($1)
|
|
+ admin_pattern($1, svnserve_unit_file_t)
|
|
+ allow $1 svnserve_unit_file_t:service all_service_perms;
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
')
|
|
+
|
|
diff --git a/svnserve.te b/svnserve.te
|
|
index 49d688d..f1c6367 100644
|
|
--- a/svnserve.te
|
|
+++ b/svnserve.te
|
|
@@ -12,12 +12,18 @@ init_daemon_domain(svnserve_t, svnserve_exec_t)
|
|
type svnserve_initrc_exec_t;
|
|
init_script_file(svnserve_initrc_exec_t)
|
|
|
|
+type svnserve_unit_file_t;
|
|
+systemd_unit_file(svnserve_unit_file_t)
|
|
+
|
|
type svnserve_content_t;
|
|
files_type(svnserve_content_t)
|
|
|
|
type svnserve_var_run_t;
|
|
files_pid_file(svnserve_var_run_t)
|
|
|
|
+type svnserve_tmp_t;
|
|
+files_tmp_file(svnserve_tmp_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -27,6 +33,11 @@ allow svnserve_t self:fifo_file rw_fifo_file_perms;
|
|
allow svnserve_t self:tcp_socket create_stream_socket_perms;
|
|
allow svnserve_t self:unix_stream_socket { listen accept };
|
|
|
|
+manage_dirs_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)
|
|
+manage_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)
|
|
+manage_lnk_files_pattern(svnserve_t, svnserve_tmp_t, svnserve_tmp_t)
|
|
+files_tmp_filetrans(svnserve_t, svnserve_tmp_t, { file dir })
|
|
+
|
|
manage_dirs_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
|
|
manage_files_pattern(svnserve_t, svnserve_content_t, svnserve_content_t)
|
|
|
|
@@ -34,9 +45,6 @@ manage_dirs_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
|
|
manage_files_pattern(svnserve_t, svnserve_var_run_t, svnserve_var_run_t)
|
|
files_pid_filetrans(svnserve_t, svnserve_var_run_t, { dir file })
|
|
|
|
-files_read_etc_files(svnserve_t)
|
|
-files_read_usr_files(svnserve_t)
|
|
-
|
|
corenet_all_recvfrom_unlabeled(svnserve_t)
|
|
corenet_all_recvfrom_netlabel(svnserve_t)
|
|
corenet_tcp_sendrecv_generic_if(svnserve_t)
|
|
@@ -54,6 +62,4 @@ corenet_udp_sendrecv_svn_port(svnserve_t)
|
|
|
|
logging_send_syslog_msg(svnserve_t)
|
|
|
|
-miscfiles_read_localization(svnserve_t)
|
|
-
|
|
sysnet_dns_name_resolve(svnserve_t)
|
|
diff --git a/swift.fc b/swift.fc
|
|
new file mode 100644
|
|
index 0000000..744f0ce
|
|
--- /dev/null
|
|
+++ b/swift.fc
|
|
@@ -0,0 +1,29 @@
|
|
+/usr/bin/swift-account-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
|
|
+/usr/bin/swift-account-reaper -- gen_context(system_u:object_r:swift_exec_t,s0)
|
|
+/usr/bin/swift-account-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
|
|
+/usr/bin/swift-account-server -- gen_context(system_u:object_r:swift_exec_t,s0)
|
|
+
|
|
+/usr/bin/swift-container-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
|
|
+/usr/bin/swift-container-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
|
|
+/usr/bin/swift-container-server -- gen_context(system_u:object_r:swift_exec_t,s0)
|
|
+/usr/bin/swift-container-sync -- gen_context(system_u:object_r:swift_exec_t,s0)
|
|
+/usr/bin/swift-container-updater -- gen_context(system_u:object_r:swift_exec_t,s0)
|
|
+
|
|
+/usr/bin/swift-object-auditor -- gen_context(system_u:object_r:swift_exec_t,s0)
|
|
+/usr/bin/swift-object-info -- gen_context(system_u:object_r:swift_exec_t,s0)
|
|
+/usr/bin/swift-object-replicator -- gen_context(system_u:object_r:swift_exec_t,s0)
|
|
+/usr/bin/swift-object-server -- gen_context(system_u:object_r:swift_exec_t,s0)
|
|
+/usr/bin/swift-object-updater -- gen_context(system_u:object_r:swift_exec_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/openstack-swift.* -- gen_context(system_u:object_r:swift_unit_file_t,s0)
|
|
+
|
|
+/var/cache/swift(/.*)? -- gen_context(system_u:object_r:swift_var_cache_t,s0)
|
|
+/var/run/swift(/.*)? -- gen_context(system_u:object_r:swift_var_run_t,s0)
|
|
+
|
|
+# This seems to be a de-facto standard when using swift.
|
|
+/srv/node(/.*)? gen_context(system_u:object_r:swift_data_t,s0)
|
|
+
|
|
+# This is specific to RHOS's packstack utility
|
|
+ifdef(`distro_redhat', `
|
|
+/srv/loopback-device(/.*)? gen_context(system_u:object_r:swift_data_t,s0)
|
|
+')
|
|
diff --git a/swift.if b/swift.if
|
|
new file mode 100644
|
|
index 0000000..df82c36
|
|
--- /dev/null
|
|
+++ b/swift.if
|
|
@@ -0,0 +1,118 @@
|
|
+
|
|
+## <summary>policy for swift</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute TEMPLATE in the swift domin.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`swift_domtrans',`
|
|
+ gen_require(`
|
|
+ type swift_t, swift_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, swift_exec_t, swift_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read swift PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`swift_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type swift_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ read_files_pattern($1, swift_var_run_t, swift_var_run_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage swift data files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`swift_manage_data_files',`
|
|
+ gen_require(`
|
|
+ type swift_data_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ manage_files_pattern($1, swift_data_t, swift_data_t)
|
|
+ manage_dirs_pattern($1, swift_data_t, swift_data_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute swift server in the swift domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`swift_systemctl',`
|
|
+ gen_require(`
|
|
+ type swift_t;
|
|
+ type swift_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 swift_unit_file_t:file read_file_perms;
|
|
+ allow $1 swift_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, swift_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an swift environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`swift_admin',`
|
|
+ gen_require(`
|
|
+ type swift_t;
|
|
+ type swift_var_run_t;
|
|
+ type swift_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 swift_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, swift_t)
|
|
+
|
|
+ files_search_pids($1)
|
|
+ admin_pattern($1, swift_var_run_t)
|
|
+
|
|
+ swift_systemctl($1)
|
|
+ admin_pattern($1, swift_unit_file_t)
|
|
+ allow $1 swift_unit_file_t:service all_service_perms;
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+')
|
|
diff --git a/swift.te b/swift.te
|
|
new file mode 100644
|
|
index 0000000..c7b2bf6
|
|
--- /dev/null
|
|
+++ b/swift.te
|
|
@@ -0,0 +1,69 @@
|
|
+policy_module(swift, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type swift_t;
|
|
+type swift_exec_t;
|
|
+init_daemon_domain(swift_t, swift_exec_t)
|
|
+
|
|
+type swift_var_cache_t;
|
|
+files_type(swift_var_cache_t)
|
|
+
|
|
+type swift_var_run_t;
|
|
+files_pid_file(swift_var_run_t)
|
|
+
|
|
+type swift_unit_file_t;
|
|
+systemd_unit_file(swift_unit_file_t)
|
|
+
|
|
+type swift_data_t;
|
|
+files_type(swift_data_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# swift local policy
|
|
+#
|
|
+
|
|
+allow swift_t self:process signal;
|
|
+
|
|
+allow swift_t self:fifo_file rw_fifo_file_perms;
|
|
+allow swift_t self:tcp_socket create_stream_socket_perms;
|
|
+allow swift_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow swift_t self:unix_dgram_socket create_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
|
|
+manage_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
|
|
+manage_lnk_files_pattern(swift_t, swift_var_cache_t, swift_var_cache_t)
|
|
+files_var_filetrans(swift_t,swift_var_cache_t, { dir file })
|
|
+
|
|
+manage_dirs_pattern(swift_t, swift_var_run_t, swift_var_run_t)
|
|
+manage_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
|
|
+manage_lnk_files_pattern(swift_t, swift_var_run_t, swift_var_run_t)
|
|
+files_pid_filetrans(swift_t, swift_var_run_t, { dir })
|
|
+
|
|
+# swift makes use of rsync, so we need to give rsync permissions
|
|
+# to edit swift_data_t files as well as swift_t those permissions
|
|
+manage_dirs_pattern(swift_t, swift_data_t, swift_data_t)
|
|
+manage_files_pattern(swift_t, swift_data_t, swift_data_t)
|
|
+
|
|
+kernel_dgram_send(swift_t)
|
|
+kernel_read_system_state(swift_t)
|
|
+kernel_read_network_state(swift_t)
|
|
+
|
|
+corecmd_exec_shell(swift_t)
|
|
+
|
|
+dev_read_urand(swift_t)
|
|
+
|
|
+domain_use_interactive_fds(swift_t)
|
|
+
|
|
+files_dontaudit_search_home(swift_t)
|
|
+
|
|
+auth_use_nsswitch(swift_t)
|
|
+
|
|
+libs_exec_ldconfig(swift_t)
|
|
+
|
|
+logging_send_syslog_msg(swift_t)
|
|
+
|
|
+userdom_dontaudit_search_user_home_dirs(swift_t)
|
|
diff --git a/swift_alias.fc b/swift_alias.fc
|
|
new file mode 100644
|
|
index 0000000..b7db254
|
|
--- /dev/null
|
|
+++ b/swift_alias.fc
|
|
@@ -0,0 +1 @@
|
|
+# Empty
|
|
diff --git a/swift_alias.if b/swift_alias.if
|
|
new file mode 100644
|
|
index 0000000..3fed1a3
|
|
--- /dev/null
|
|
+++ b/swift_alias.if
|
|
@@ -0,0 +1,2 @@
|
|
+
|
|
+## <summary>swift_alias policy module</summary>
|
|
diff --git a/swift_alias.te b/swift_alias.te
|
|
new file mode 100644
|
|
index 0000000..6e39c4f
|
|
--- /dev/null
|
|
+++ b/swift_alias.te
|
|
@@ -0,0 +1,26 @@
|
|
+policy_module(swift_alias, 1.0.0)
|
|
+
|
|
+#
|
|
+# swift_alias.pp policy replaces swift.pp policy
|
|
+# which is a part of openstack-selinux.rpm package
|
|
+#
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+#call stub interfaces for basic types
|
|
+init_stub_initrc()
|
|
+corecmd_stub_bin()
|
|
+files_stub_var_run()
|
|
+files_stub_var()
|
|
+systemd_stub_unit_file()
|
|
+
|
|
+typealias initrc_t alias swift_t;
|
|
+typealias bin_t alias swift_exec_t;
|
|
+typealias var_run_t alias swift_var_run_t;
|
|
+typealias systemd_unit_file_t alias swift_unit_file_t;
|
|
+typealias var_t alias swift_data_t;
|
|
+
|
|
+
|
|
diff --git a/sxid.te b/sxid.te
|
|
index 01a9d0a..154872e 100644
|
|
--- a/sxid.te
|
|
+++ b/sxid.te
|
|
@@ -40,7 +40,6 @@ kernel_read_kernel_sysctls(sxid_t)
|
|
corecmd_exec_bin(sxid_t)
|
|
corecmd_exec_shell(sxid_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(sxid_t)
|
|
corenet_all_recvfrom_netlabel(sxid_t)
|
|
corenet_tcp_sendrecv_generic_if(sxid_t)
|
|
corenet_udp_sendrecv_generic_if(sxid_t)
|
|
@@ -66,7 +65,7 @@ fs_list_all(sxid_t)
|
|
|
|
term_dontaudit_use_console(sxid_t)
|
|
|
|
-files_read_non_auth_files(sxid_t)
|
|
+files_read_non_security_files(sxid_t)
|
|
auth_dontaudit_getattr_shadow(sxid_t)
|
|
|
|
init_use_fds(sxid_t)
|
|
@@ -74,8 +73,6 @@ init_use_script_ptys(sxid_t)
|
|
|
|
logging_send_syslog_msg(sxid_t)
|
|
|
|
-miscfiles_read_localization(sxid_t)
|
|
-
|
|
sysnet_read_config(sxid_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(sxid_t)
|
|
diff --git a/sysstat.te b/sysstat.te
|
|
index b92f677..6dc2de3 100644
|
|
--- a/sysstat.te
|
|
+++ b/sysstat.te
|
|
@@ -24,9 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co
|
|
allow sysstat_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
|
|
-append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
|
|
-create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
|
|
-setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
|
|
+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
|
|
manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
|
|
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
|
|
|
|
@@ -38,6 +36,7 @@ kernel_read_kernel_sysctls(sysstat_t)
|
|
kernel_read_fs_sysctls(sysstat_t)
|
|
kernel_read_rpc_sysctls(sysstat_t)
|
|
|
|
+corecmd_exec_shell(sysstat_t)
|
|
corecmd_exec_bin(sysstat_t)
|
|
|
|
dev_read_sysfs(sysstat_t)
|
|
@@ -46,11 +45,13 @@ dev_read_urand(sysstat_t)
|
|
files_search_var(sysstat_t)
|
|
files_read_etc_runtime_files(sysstat_t)
|
|
|
|
-fs_getattr_xattr_fs(sysstat_t)
|
|
+fs_getattr_all_fs(sysstat_t)
|
|
fs_list_inotifyfs(sysstat_t)
|
|
|
|
+storage_getattr_fixed_disk_dev(sysstat_t)
|
|
+
|
|
term_use_console(sysstat_t)
|
|
-term_use_all_terms(sysstat_t)
|
|
+term_use_all_inherited_terms(sysstat_t)
|
|
|
|
auth_use_nsswitch(sysstat_t)
|
|
|
|
@@ -60,10 +61,9 @@ locallogin_use_fds(sysstat_t)
|
|
|
|
logging_send_syslog_msg(sysstat_t)
|
|
|
|
-miscfiles_read_localization(sysstat_t)
|
|
-
|
|
userdom_dontaudit_list_user_home_dirs(sysstat_t)
|
|
|
|
optional_policy(`
|
|
cron_system_entry(sysstat_t, sysstat_exec_t)
|
|
')
|
|
+
|
|
diff --git a/systemtap.fc b/systemtap.fc
|
|
deleted file mode 100644
|
|
index 1710cbb..0000000
|
|
--- a/systemtap.fc
|
|
+++ /dev/null
|
|
@@ -1,11 +0,0 @@
|
|
-/etc/stap-server(/.*)? -- gen_context(system_u:object_r:stapserver_conf_t,s0)
|
|
-
|
|
-/etc/rc\.d/init\.d/stap-server -- gen_context(system_u:object_r:stapserver_initrc_exec_t,s0)
|
|
-
|
|
-/usr/bin/stap-server -- gen_context(system_u:object_r:stapserver_exec_t,s0)
|
|
-
|
|
-/var/lib/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_lib_t,s0)
|
|
-
|
|
-/var/log/stap-server(/.*)? gen_context(system_u:object_r:stapserver_log_t,s0)
|
|
-
|
|
-/var/run/stap-server(/.*)? gen_context(system_u:object_r:stapserver_var_run_t,s0)
|
|
diff --git a/systemtap.if b/systemtap.if
|
|
deleted file mode 100644
|
|
index c755e2d..0000000
|
|
--- a/systemtap.if
|
|
+++ /dev/null
|
|
@@ -1,45 +0,0 @@
|
|
-## <summary>instrumentation system for Linux.</summary>
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an stapserver environment.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <rolecap/>
|
|
-#
|
|
-interface(`stapserver_admin',`
|
|
- gen_require(`
|
|
- type stapserver_t, stapserver_conf_t, stapserver_log_t;
|
|
- type stap_server_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
|
|
- ')
|
|
-
|
|
- allow $1 stapserver_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, stapserver_t)
|
|
-
|
|
- init_labeled_script_domtrans($1, stapserver_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 stapserver_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
-
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, stapserver_conf_t)
|
|
-
|
|
- files_search_var_lib($1)
|
|
- admin_pattern($1, stapserver_var_lib_t)
|
|
-
|
|
- logging_search_logs($1)
|
|
- admin_pattern($1, stapserver_log_t)
|
|
-
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, stapserver_var_run_t)
|
|
-')
|
|
diff --git a/systemtap.te b/systemtap.te
|
|
deleted file mode 100644
|
|
index ffde368..0000000
|
|
--- a/systemtap.te
|
|
+++ /dev/null
|
|
@@ -1,101 +0,0 @@
|
|
-policy_module(systemtap, 1.1.0)
|
|
-
|
|
-########################################
|
|
-#
|
|
-# Declarations
|
|
-#
|
|
-
|
|
-type stapserver_t;
|
|
-type stapserver_exec_t;
|
|
-init_daemon_domain(stapserver_t, stapserver_exec_t)
|
|
-
|
|
-type stapserver_initrc_exec_t;
|
|
-init_script_file(stapserver_initrc_exec_t)
|
|
-
|
|
-type stapserver_conf_t;
|
|
-files_config_file(stapserver_conf_t)
|
|
-
|
|
-type stapserver_var_lib_t;
|
|
-files_type(stapserver_var_lib_t)
|
|
-
|
|
-type stapserver_log_t;
|
|
-logging_log_file(stapserver_log_t)
|
|
-
|
|
-type stapserver_var_run_t;
|
|
-files_pid_file(stapserver_var_run_t)
|
|
-
|
|
-########################################
|
|
-#
|
|
-# Local policy
|
|
-#
|
|
-
|
|
-allow stapserver_t self:capability { dac_override kill setuid setgid };
|
|
-allow stapserver_t self:process { setrlimit setsched signal };
|
|
-allow stapserver_t self:fifo_file rw_fifo_file_perms;
|
|
-allow stapserver_t self:key write;
|
|
-allow stapserver_t self:unix_stream_socket { accept listen };
|
|
-allow stapserver_t self:tcp_socket create_stream_socket_perms;
|
|
-
|
|
-allow stapserver_t stapserver_conf_t:file read_file_perms;
|
|
-
|
|
-manage_dirs_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
|
|
-manage_files_pattern(stapserver_t, stapserver_var_lib_t, stapserver_var_lib_t)
|
|
-files_var_lib_filetrans(stapserver_t, stapserver_var_lib_t, dir)
|
|
-
|
|
-manage_dirs_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
|
|
-append_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
|
|
-create_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
|
|
-setattr_files_pattern(stapserver_t, stapserver_log_t, stapserver_log_t)
|
|
-logging_log_filetrans(stapserver_t, stapserver_log_t, dir )
|
|
-
|
|
-manage_dirs_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
|
|
-manage_files_pattern(stapserver_t, stapserver_var_run_t, stapserver_var_run_t)
|
|
-files_pid_filetrans(stapserver_t, stapserver_var_run_t, dir )
|
|
-
|
|
-kernel_read_kernel_sysctls(stapserver_t)
|
|
-kernel_read_system_state(stapserver_t)
|
|
-
|
|
-corecmd_exec_bin(stapserver_t)
|
|
-corecmd_exec_shell(stapserver_t)
|
|
-
|
|
-domain_read_all_domains_state(stapserver_t)
|
|
-
|
|
-dev_read_rand(stapserver_t)
|
|
-dev_read_sysfs(stapserver_t)
|
|
-dev_read_urand(stapserver_t)
|
|
-
|
|
-files_list_tmp(stapserver_t)
|
|
-files_read_usr_files(stapserver_t)
|
|
-files_search_kernel_modules(stapserver_t)
|
|
-
|
|
-auth_use_nsswitch(stapserver_t)
|
|
-
|
|
-init_read_utmp(stapserver_t)
|
|
-
|
|
-logging_send_audit_msgs(stapserver_t)
|
|
-logging_send_syslog_msg(stapserver_t)
|
|
-
|
|
-miscfiles_read_localization(stapserver_t)
|
|
-miscfiles_read_hwdata(stapserver_t)
|
|
-
|
|
-userdom_use_user_terminals(stapserver_t)
|
|
-
|
|
-optional_policy(`
|
|
- consoletype_exec(stapserver_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- dbus_system_bus_client(stapserver_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- hostname_exec(stapserver_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- plymouthd_exec_plymouth(stapserver_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- rpm_exec(stapserver_t)
|
|
-')
|
|
diff --git a/tcpd.te b/tcpd.te
|
|
index 2d6d2c2..db18a80 100644
|
|
--- a/tcpd.te
|
|
+++ b/tcpd.te
|
|
@@ -23,7 +23,6 @@ manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
|
|
manage_files_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
|
|
files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
|
|
|
|
-corenet_all_recvfrom_unlabeled(tcpd_t)
|
|
corenet_all_recvfrom_netlabel(tcpd_t)
|
|
corenet_tcp_sendrecv_generic_if(tcpd_t)
|
|
corenet_tcp_sendrecv_generic_node(tcpd_t)
|
|
@@ -31,15 +30,12 @@ corenet_tcp_sendrecv_all_ports(tcpd_t)
|
|
|
|
fs_getattr_xattr_fs(tcpd_t)
|
|
|
|
-corecmd_search_bin(tcpd_t)
|
|
+corecmd_exec_bin(tcpd_t)
|
|
|
|
-files_read_etc_files(tcpd_t)
|
|
files_dontaudit_search_var(tcpd_t)
|
|
|
|
logging_send_syslog_msg(tcpd_t)
|
|
|
|
-miscfiles_read_localization(tcpd_t)
|
|
-
|
|
sysnet_read_config(tcpd_t)
|
|
|
|
inetd_domtrans_child(tcpd_t)
|
|
diff --git a/tcsd.if b/tcsd.if
|
|
index b42ec1d..91b8f71 100644
|
|
--- a/tcsd.if
|
|
+++ b/tcsd.if
|
|
@@ -138,8 +138,11 @@ interface(`tcsd_admin',`
|
|
type tcsd_t, tcsd_initrc_exec_t, tcsd_var_lib_t;
|
|
')
|
|
|
|
- allow $1 tcsd_t:process { ptrace signal_perms };
|
|
+ allow $1 tcsd_t:process signal_perms;
|
|
ps_process_pattern($1, tcsd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 tcsd_t:process ptrace;
|
|
+ ')
|
|
|
|
tcsd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff --git a/tcsd.te b/tcsd.te
|
|
index b26d44a..5ab05dc 100644
|
|
--- a/tcsd.te
|
|
+++ b/tcsd.te
|
|
@@ -41,12 +41,8 @@ corenet_tcp_sendrecv_tcs_port(tcsd_t)
|
|
dev_read_urand(tcsd_t)
|
|
dev_rw_tpm(tcsd_t)
|
|
|
|
-files_read_usr_files(tcsd_t)
|
|
-
|
|
auth_use_nsswitch(tcsd_t)
|
|
|
|
init_read_utmp(tcsd_t)
|
|
|
|
logging_send_syslog_msg(tcsd_t)
|
|
-
|
|
-miscfiles_read_localization(tcsd_t)
|
|
diff --git a/telepathy.fc b/telepathy.fc
|
|
index 6c7f8f8..107300a 100644
|
|
--- a/telepathy.fc
|
|
+++ b/telepathy.fc
|
|
@@ -1,35 +1,24 @@
|
|
-HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t,s0)
|
|
+HOME_DIR/\.cache/\.mc_connections -- gen_context(system_u:object_r:telepathy_mission_control_cache_home_t, s0)
|
|
HOME_DIR/\.cache/telepathy(/.*)? gen_context(system_u:object_r:telepathy_cache_home_t, s0)
|
|
HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
|
|
HOME_DIR/\.cache/telepathy/logger(/.*)? gen_context(system_u:object_r:telepathy_logger_cache_home_t,s0)
|
|
-HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
|
|
-HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t,s0)
|
|
-HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t,s0)
|
|
+HOME_DIR/\.cache/telepathy/avatars/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
|
|
+HOME_DIR/\.cache/telepathy/gabble(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
|
|
+HOME_DIR/\.cache/wocky(/.*)? gen_context(system_u:object_r:telepathy_gabble_cache_home_t, s0)
|
|
+HOME_DIR/\.mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_home_t, s0)
|
|
HOME_DIR/\.local/share/telepathy(/.*)? gen_context(system_u:object_r:telepathy_data_home_t,s0)
|
|
-HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t,s0)
|
|
-HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t,s0)
|
|
-HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
|
|
+HOME_DIR/\.local/share/telepathy/mission-control(/.*)? gen_context(system_u:object_r:telepathy_mission_control_data_home_t, s0)
|
|
+HOME_DIR/\.telepathy-sunshine(/.*)? gen_context(system_u:object_r:telepathy_sunshine_home_t, s0)
|
|
+HOME_DIR/\.local/share/TpLogger(/.*)? gen_context(system_u:object_r:telepathy_logger_data_home_t,s0)
|
|
|
|
-/usr/lib/telepathy/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
|
|
-/usr/lib/telepathy/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
|
|
-/usr/lib/telepathy/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0)
|
|
-/usr/lib/telepathy/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
|
|
-/usr/lib/telepathy/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0)
|
|
-/usr/lib/telepathy/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
|
|
-/usr/lib/telepathy/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t,s0)
|
|
-/usr/lib/telepathy/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
|
|
-/usr/lib/telepathy/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
|
|
-/usr/lib/telepathy/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0)
|
|
-/usr/lib/telepathy/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0)
|
|
-
|
|
-/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t,s0)
|
|
-/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
|
|
-/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t,s0)
|
|
-/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t,s0)
|
|
-/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t,s0)
|
|
-/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
|
|
-/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
|
|
-/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
|
|
-/usr/libexec/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t,s0)
|
|
-/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t,s0)
|
|
-/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t,s0)
|
|
+/usr/libexec/mission-control-5 -- gen_context(system_u:object_r:telepathy_mission_control_exec_t, s0)
|
|
+/usr/libexec/telepathy-butterfly -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
|
|
+/usr/libexec/telepathy-gabble -- gen_context(system_u:object_r:telepathy_gabble_exec_t, s0)
|
|
+/usr/libexec/telepathy-haze -- gen_context(system_u:object_r:telepathy_msn_exec_t, s0)
|
|
+/usr/libexec/telepathy-idle -- gen_context(system_u:object_r:telepathy_idle_exec_t, s0)
|
|
+/usr/libexec/telepathy-logger -- gen_context(system_u:object_r:telepathy_logger_exec_t,s0)
|
|
+/usr/libexec/telepathy-salut -- gen_context(system_u:object_r:telepathy_salut_exec_t, s0)
|
|
+/usr/libexec/telepathy-sofiasip -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0)
|
|
+/usr/libexec/telepathy-rakia -- gen_context(system_u:object_r:telepathy_sofiasip_exec_t, s0)
|
|
+/usr/libexec/telepathy-stream-engine -- gen_context(system_u:object_r:telepathy_stream_engine_exec_t, s0)
|
|
+/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
|
|
diff --git a/telepathy.if b/telepathy.if
|
|
index 42946bc..9f70e4c 100644
|
|
--- a/telepathy.if
|
|
+++ b/telepathy.if
|
|
@@ -2,45 +2,39 @@
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## The template to define a telepathy domain.
|
|
+## Creates basic types for telepathy
|
|
+## domain
|
|
## </summary>
|
|
-## <param name="domain_prefix">
|
|
+## <param name="prefix">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## Prefix for the domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`telepathy_domain_template',`
|
|
gen_require(`
|
|
- attribute telepathy_domain, telepathy_executable, telepathy_tmp_content;
|
|
+ attribute telepathy_domain;
|
|
+ attribute telepathy_executable;
|
|
')
|
|
|
|
type telepathy_$1_t, telepathy_domain;
|
|
type telepathy_$1_exec_t, telepathy_executable;
|
|
- userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
|
|
+ application_domain(telepathy_$1_t, telepathy_$1_exec_t)
|
|
+ ubac_constrained(telepathy_$1_t)
|
|
|
|
- type telepathy_$1_tmp_t, telepathy_tmp_content;
|
|
+ type telepathy_$1_tmp_t;
|
|
userdom_user_tmp_file(telepathy_$1_tmp_t)
|
|
|
|
+ kernel_read_system_state(telepathy_$1_t)
|
|
+
|
|
auth_use_nsswitch(telepathy_$1_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## The role template for the telepathy module.
|
|
+## Role access for telepathy domains
|
|
+## that executes via dbus-session
|
|
## </summary>
|
|
-## <desc>
|
|
-## <p>
|
|
-## This template creates a derived domains which are used
|
|
-## for window manager applications.
|
|
-## </p>
|
|
-## </desc>
|
|
-## <param name="role_prefix">
|
|
-## <summary>
|
|
-## The prefix of the user domain (e.g., user
|
|
-## is the prefix for user_t).
|
|
-## </summary>
|
|
-## </param>
|
|
## <param name="user_role">
|
|
## <summary>
|
|
## The role associated with the user domain.
|
|
@@ -51,10 +45,15 @@ template(`telepathy_domain_template',`
|
|
## The type of the user domain.
|
|
## </summary>
|
|
## </param>
|
|
+## <param name="domain_prefix">
|
|
+## <summary>
|
|
+## User domain prefix to be used.
|
|
+## </summary>
|
|
+## </param>
|
|
#
|
|
-template(`telepathy_role_template',`
|
|
+template(`telepathy_role',`
|
|
gen_require(`
|
|
- attribute telepathy_domain, telepathy_tmp_content;
|
|
+ attribute telepathy_domain;
|
|
type telepathy_gabble_t, telepathy_sofiasip_t, telepathy_idle_t;
|
|
type telepathy_mission_control_t, telepathy_salut_t, telepathy_sunshine_t;
|
|
type telepathy_stream_engine_t, telepathy_msn_t, telepathy_gabble_exec_t;
|
|
@@ -63,91 +62,84 @@ template(`telepathy_role_template',`
|
|
type telepathy_mission_control_exec_t, telepathy_salut_exec_t;
|
|
type telepathy_sunshine_exec_t, telepathy_stream_engine_exec_t;
|
|
type telepathy_msn_exec_t;
|
|
-
|
|
- type telepathy_mission_control_cache_home_t, telepathy_cache_home_t, telepathy_logger_cache_home_t;
|
|
- type telepathy_gabble_cache_home_t, telepathy_mission_control_home_t, telepathy_data_home_t;
|
|
- type telepathy_mission_control_data_home_t, telepathy_sunshine_home_t, telepathy_logger_data_home_t;
|
|
')
|
|
|
|
- role $2 types telepathy_domain;
|
|
-
|
|
- allow $3 telepathy_domain:process { ptrace signal_perms };
|
|
- ps_process_pattern($3, telepathy_domain)
|
|
+ role $1 types telepathy_domain;
|
|
|
|
- telepathy_gabble_stream_connect($3)
|
|
- telepathy_msn_stream_connect($3)
|
|
- telepathy_salut_stream_connect($3)
|
|
+ allow $2 telepathy_domain:process signal_perms;
|
|
+ ps_process_pattern($2, telepathy_domain)
|
|
|
|
- dbus_spec_session_domain($1, telepathy_gabble_exec_t, telepathy_gabble_t)
|
|
- dbus_spec_session_domain($1, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
|
|
- dbus_spec_session_domain($1, telepathy_idle_exec_t, telepathy_idle_t)
|
|
- dbus_spec_session_domain($1, telepathy_logger_exec_t, telepathy_logger_t)
|
|
- dbus_spec_session_domain($1, telepathy_mission_control_exec_t, telepathy_mission_control_t)
|
|
- dbus_spec_session_domain($1, telepathy_salut_exec_t, telepathy_salut_t)
|
|
- dbus_spec_session_domain($1, telepathy_sunshine_exec_t, telepathy_sunshine_t)
|
|
- dbus_spec_session_domain($1, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
|
|
- dbus_spec_session_domain($1, telepathy_msn_exec_t, telepathy_msn_t)
|
|
+ telepathy_gabble_stream_connect($2)
|
|
+ telepathy_msn_stream_connect($2)
|
|
+ telepathy_salut_stream_connect($2)
|
|
|
|
- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:dir { manage_dir_perms relabel_dir_perms };
|
|
+ dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t)
|
|
+ dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
|
|
+ dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t)
|
|
+ dbus_session_domain($3, telepathy_logger_exec_t, telepathy_logger_t)
|
|
+ dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t)
|
|
+ dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t)
|
|
+ dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
|
|
+ dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
|
|
+ dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
|
|
|
|
- allow $3 { telepathy_mission_control_cache_home_t telepathy_cache_home_t telepathy_logger_cache_home_t }:file { manage_file_perms relabel_file_perms };
|
|
- allow $3 { telepathy_gabble_cache_home_t telepathy_mission_control_home_t telepathy_data_home_t }:file { manage_file_perms relabel_file_perms };
|
|
- allow $3 { telepathy_mission_control_data_home_t telepathy_sunshine_home_t telepathy_logger_data_home_t }:file { manage_file_perms relabel_file_perms };
|
|
-
|
|
- filetrans_pattern($3, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
|
|
- # gnome_cache_filetrans($3, telepathy_gabble_cache_home_t, dir, "wocky")
|
|
-
|
|
- filetrans_pattern($3, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
|
|
- # gnome_data_filetrans($3, telepathy_logger_data_home_t, dir, "TpLogger")
|
|
-
|
|
- userdom_user_home_dir_filetrans($3, telepathy_mission_control_home_t, dir, ".mission-control")
|
|
- filetrans_pattern($3, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
|
|
- # gnome_cache_filetrans($3, telepathy_mission_control_cache_home_t, file, ".mc_connections")
|
|
-
|
|
- userdom_user_home_dir_filetrans($3, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
|
|
-
|
|
- # gnome_cache_filetrans($3, telepathy_cache_home_t, dir, "telepathy")
|
|
- # gnome_data_filetrans($3, telepathy_data_home_t, dir, "telepathy")
|
|
-
|
|
- allow $3 telepathy_tmp_content:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $3 telepathy_tmp_content:file { manage_file_perms relabel_file_perms };
|
|
- allow $3 telepathy_tmp_content:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
|
+ telepathy_dbus_chat($2)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to gabble with a unix
|
|
-## domain stream socket.
|
|
+## Stream connect to Telepathy Gabble
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`telepathy_gabble_stream_connect',`
|
|
+interface(`telepathy_gabble_stream_connect', `
|
|
gen_require(`
|
|
type telepathy_gabble_t, telepathy_gabble_tmp_t;
|
|
')
|
|
|
|
- files_search_tmp($1)
|
|
stream_connect_pattern($1, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t, telepathy_gabble_t)
|
|
+ files_search_tmp($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send dbus messages to and from
|
|
-## gabble.
|
|
+## Allow Telepathy Gabble to stream connect to a domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`telepathy_gabble_stream_connect_to', `
|
|
+ gen_require(`
|
|
+ type telepathy_gabble_t;
|
|
+ ')
|
|
+
|
|
+ stream_connect_pattern(telepathy_gabble_t, $2, $2, $1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send DBus messages to and from
|
|
+## Telepathy Gabble.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`telepathy_gabble_dbus_chat',`
|
|
+interface(`telepathy_gabble_dbus_chat', `
|
|
gen_require(`
|
|
type telepathy_gabble_t;
|
|
class dbus send_msg;
|
|
@@ -159,10 +151,10 @@ interface(`telepathy_gabble_dbus_chat',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read mission control process state files.
|
|
+## Read telepathy mission control state.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
@@ -173,15 +165,12 @@ interface(`telepathy_mission_control_read_state',`
|
|
')
|
|
|
|
kernel_search_proc($1)
|
|
- allow $1 telepathy_mission_control_t:dir list_dir_perms;
|
|
- allow $1 telepathy_mission_control_t:file read_file_perms;
|
|
- allow $1 telepathy_mission_control_t:lnk_file read_lnk_file_perms;
|
|
+ ps_process_pattern($1, telepathy_mission_control_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Connect to msn with a unix
|
|
-## domain stream socket.
|
|
+## Stream connect to telepathy MSN managers
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -189,19 +178,18 @@ interface(`telepathy_mission_control_read_state',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`telepathy_msn_stream_connect',`
|
|
+interface(`telepathy_msn_stream_connect', `
|
|
gen_require(`
|
|
type telepathy_msn_t, telepathy_msn_tmp_t;
|
|
')
|
|
|
|
- files_search_tmp($1)
|
|
stream_connect_pattern($1, telepathy_msn_tmp_t, telepathy_msn_tmp_t, telepathy_msn_t)
|
|
+ files_search_tmp($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to salut with a unix
|
|
-## domain stream socket.
|
|
+## Stream connect to Telepathy Salut
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -209,11 +197,140 @@ interface(`telepathy_msn_stream_connect',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`telepathy_salut_stream_connect',`
|
|
+interface(`telepathy_salut_stream_connect', `
|
|
gen_require(`
|
|
type telepathy_salut_t, telepathy_salut_tmp_t;
|
|
')
|
|
|
|
- files_search_tmp($1)
|
|
stream_connect_pattern($1, telepathy_salut_tmp_t, telepathy_salut_tmp_t, telepathy_salut_t)
|
|
+ files_search_tmp($1)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Send DBus messages to and from
|
|
+## all Telepathy domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`telepathy_dbus_chat',`
|
|
+ gen_require(`
|
|
+ attribute telepathy_domain;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
+
|
|
+ allow $1 telepathy_domain:dbus send_msg;
|
|
+ allow telepathy_domain $1:dbus send_msg;
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Execute telepathy executable
|
|
+## in the specified domain.
|
|
+## </summary>
|
|
+## <desc>
|
|
+## <p>
|
|
+## Execute a telepathy executable
|
|
+## in the specified domain. This allows
|
|
+## the specified domain to execute any file
|
|
+## on these filesystems in the specified
|
|
+## domain.
|
|
+## </p>
|
|
+## <p>
|
|
+## No interprocess communication (signals, pipes,
|
|
+## etc.) is provided by this interface since
|
|
+## the domains are not owned by this module.
|
|
+## </p>
|
|
+## </desc>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="target_domain">
|
|
+## <summary>
|
|
+## The type of the new process.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`telepathy_command_domtrans', `
|
|
+ gen_require(`
|
|
+ attribute telepathy_executable;
|
|
+ ')
|
|
+
|
|
+ allow $2 telepathy_executable:file entrypoint;
|
|
+ domain_transition_pattern($1, telepathy_executable, $2)
|
|
+ type_transition $1 telepathy_executable:process $2;
|
|
+
|
|
+ # needs to dbus chat with unconfined_t and unconfined_dbusd_t
|
|
+ optional_policy(`
|
|
+ telepathy_dbus_chat($1)
|
|
+ telepathy_dbus_chat($2)
|
|
+ ')
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create telepathy content in the user home directory
|
|
+## with an correct label.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`telepathy_filetrans_home_content',`
|
|
+ gen_require(`
|
|
+ type telepathy_mission_control_cache_home_t;
|
|
+ type telepathy_mission_control_home_t;
|
|
+ type telepathy_logger_cache_home_t;
|
|
+ type telepathy_gabble_cache_home_t;
|
|
+ type telepathy_sunshine_home_t;
|
|
+ type telepathy_logger_data_home_t;
|
|
+ type telepathy_cache_home_t, telepathy_data_home_t;
|
|
+ type telepathy_mission_control_data_home_t;
|
|
+ ')
|
|
+
|
|
+ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
|
|
+ filetrans_pattern($1, telepathy_cache_home_t, telepathy_logger_cache_home_t, file, "sqlite-data-journal")
|
|
+ filetrans_pattern($1, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
|
|
+
|
|
+ filetrans_pattern($1, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
|
|
+
|
|
+ userdom_user_home_dir_filetrans($1, telepathy_mission_control_home_t, dir, ".mission-control")
|
|
+ userdom_user_home_dir_filetrans($1, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
|
|
+
|
|
+ optional_policy(`
|
|
+ gnome_cache_filetrans($1, telepathy_mission_control_cache_home_t, file, ".mc_connections")
|
|
+ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "gabble")
|
|
+ gnome_cache_filetrans($1, telepathy_gabble_cache_home_t, dir, "wocky")
|
|
+ gnome_cache_filetrans($1, telepathy_cache_home_t, dir, "telepathy")
|
|
+
|
|
+ gnome_data_filetrans($1, telepathy_logger_data_home_t, dir, "TpLogger")
|
|
+ gnome_data_filetrans($1, telepathy_data_home_t, dir, "telepathy")
|
|
+ ')
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Execute telepathy in the caller domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`telepathy_exec',`
|
|
+ gen_require(`
|
|
+ attribute telepathy_executable;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ can_exec($1, telepathy_executable)
|
|
')
|
|
diff --git a/telepathy.te b/telepathy.te
|
|
index 9afcbc9..1664384 100644
|
|
--- a/telepathy.te
|
|
+++ b/telepathy.te
|
|
@@ -2,28 +2,27 @@ policy_module(telepathy, 1.4.2)
|
|
|
|
########################################
|
|
#
|
|
-# Declarations
|
|
+# Declarations.
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether telepathy connection
|
|
-## managers can connect to generic tcp ports.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow the Telepathy connection managers
|
|
+## to connect to any generic TCP port.
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(telepathy_tcp_connect_generic_network_ports, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether telepathy connection
|
|
-## managers can connect to any port.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow the Telepathy connection managers
|
|
+## to connect to any network port.
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(telepathy_connect_all_ports, false)
|
|
|
|
attribute telepathy_domain;
|
|
attribute telepathy_executable;
|
|
-attribute telepathy_tmp_content;
|
|
|
|
telepathy_domain_template(gabble)
|
|
|
|
@@ -67,179 +66,150 @@ userdom_user_home_content(telepathy_sunshine_home_t)
|
|
|
|
#######################################
|
|
#
|
|
-# Gabble local policy
|
|
+# Telepathy Gabble local policy.
|
|
#
|
|
|
|
-allow telepathy_gabble_t self:tcp_socket { accept listen };
|
|
+allow telepathy_gabble_t self:tcp_socket create_stream_socket_perms;
|
|
allow telepathy_gabble_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
|
|
-# ~/.cache/telepathy/gabble/caps-cache.db-journal
|
|
-manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
|
|
-manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
|
|
-filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir, "gabble")
|
|
-# gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir, "wocky")
|
|
-
|
|
manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
|
|
manage_sock_files_pattern(telepathy_gabble_t, telepathy_gabble_tmp_t, telepathy_gabble_tmp_t)
|
|
files_tmp_filetrans(telepathy_gabble_t, telepathy_gabble_tmp_t, { dir sock_file })
|
|
|
|
-corenet_all_recvfrom_unlabeled(telepathy_gabble_t)
|
|
+# ~/.cache/telepathy/gabble/caps-cache.db-journal
|
|
+optional_policy(`
|
|
+ manage_dirs_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
|
|
+ manage_files_pattern(telepathy_gabble_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
|
|
+ filetrans_pattern(telepathy_gabble_t, telepathy_cache_home_t, telepathy_gabble_cache_home_t, dir)
|
|
+ # ~/.cache/wocky
|
|
+ gnome_cache_filetrans(telepathy_gabble_t, telepathy_gabble_cache_home_t, dir)
|
|
+')
|
|
+
|
|
corenet_all_recvfrom_netlabel(telepathy_gabble_t)
|
|
corenet_tcp_sendrecv_generic_if(telepathy_gabble_t)
|
|
corenet_tcp_sendrecv_generic_node(telepathy_gabble_t)
|
|
-
|
|
-corenet_sendrecv_http_client_packets(telepathy_gabble_t)
|
|
corenet_tcp_connect_http_port(telepathy_gabble_t)
|
|
-corenet_tcp_sendrecv_http_port(telepathy_gabble_t)
|
|
-
|
|
-corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t)
|
|
corenet_tcp_connect_jabber_client_port(telepathy_gabble_t)
|
|
-corenet_tcp_sendrecv_jabber_client_port(telepathy_gabble_t)
|
|
-
|
|
-corenet_sendrecv_vnc_client_packets(telepathy_gabble_t)
|
|
corenet_tcp_connect_vnc_port(telepathy_gabble_t)
|
|
-corenet_tcp_sendrecv_vnc_port(telepathy_gabble_t)
|
|
+corenet_sendrecv_http_client_packets(telepathy_gabble_t)
|
|
+corenet_sendrecv_jabber_client_client_packets(telepathy_gabble_t)
|
|
+corenet_sendrecv_vnc_client_packets(telepathy_gabble_t)
|
|
|
|
dev_read_rand(telepathy_gabble_t)
|
|
|
|
files_read_config_files(telepathy_gabble_t)
|
|
-files_read_usr_files(telepathy_gabble_t)
|
|
+
|
|
+fs_getattr_all_fs(telepathy_gabble_t)
|
|
|
|
miscfiles_read_all_certs(telepathy_gabble_t)
|
|
|
|
tunable_policy(`telepathy_connect_all_ports',`
|
|
- corenet_sendrecv_all_client_packets(telepathy_gabble_t)
|
|
corenet_tcp_connect_all_ports(telepathy_gabble_t)
|
|
corenet_tcp_sendrecv_all_ports(telepathy_gabble_t)
|
|
+ corenet_udp_sendrecv_all_ports(telepathy_gabble_t)
|
|
')
|
|
|
|
tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
|
|
- corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
|
|
corenet_tcp_connect_generic_port(telepathy_gabble_t)
|
|
- corenet_tcp_sendrecv_generic_port(telepathy_gabble_t)
|
|
+ corenet_sendrecv_generic_client_packets(telepathy_gabble_t)
|
|
')
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(telepathy_gabble_t)
|
|
- fs_manage_nfs_files(telepathy_gabble_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(telepathy_gabble_t)
|
|
- fs_manage_cifs_files(telepathy_gabble_t)
|
|
-')
|
|
+userdom_home_manager(telepathy_gabble_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(telepathy_gabble_t)
|
|
')
|
|
|
|
-# optional_policy(`
|
|
- # ~/.config/dconf/user
|
|
- # gnome_manage_generic_home_content(telepathy_gabble_t)
|
|
-# ')
|
|
+optional_policy(`
|
|
+ gnome_manage_home_config(telepathy_gabble_t)
|
|
+')
|
|
|
|
#######################################
|
|
#
|
|
-# Idle local policy
|
|
+# Telepathy Idle local policy.
|
|
#
|
|
|
|
corenet_all_recvfrom_netlabel(telepathy_idle_t)
|
|
-corenet_all_recvfrom_unlabeled(telepathy_idle_t)
|
|
corenet_tcp_sendrecv_generic_if(telepathy_idle_t)
|
|
corenet_tcp_sendrecv_generic_node(telepathy_idle_t)
|
|
-
|
|
-corenet_sendrecv_gatekeeper_client_packets(telepathy_idle_t)
|
|
corenet_tcp_connect_gatekeeper_port(telepathy_idle_t)
|
|
-corenet_tcp_sendrecv_gatekeeper_port(telepathy_idle_t)
|
|
-
|
|
-corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
|
|
corenet_tcp_connect_ircd_port(telepathy_idle_t)
|
|
-corenet_tcp_sendrecv_ircd_port(telepathy_idle_t)
|
|
+corenet_sendrecv_ircd_client_packets(telepathy_idle_t)
|
|
|
|
dev_read_rand(telepathy_idle_t)
|
|
|
|
-files_read_usr_files(telepathy_idle_t)
|
|
-
|
|
tunable_policy(`telepathy_connect_all_ports',`
|
|
- corenet_sendrecv_all_client_packets(telepathy_idle_t)
|
|
corenet_tcp_connect_all_ports(telepathy_idle_t)
|
|
corenet_tcp_sendrecv_all_ports(telepathy_idle_t)
|
|
+ corenet_udp_sendrecv_all_ports(telepathy_idle_t)
|
|
')
|
|
|
|
tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
|
|
- corenet_sendrecv_generic_client_packets(telepathy_idle_t)
|
|
corenet_tcp_connect_generic_port(telepathy_idle_t)
|
|
- corenet_tcp_sendrecv_generic_port(telepathy_idle_t)
|
|
+ corenet_sendrecv_generic_client_packets(telepathy_idle_t)
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
-# Logger local policy
|
|
+# Telepathy Logger local policy.
|
|
#
|
|
|
|
allow telepathy_logger_t self:unix_stream_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
|
|
manage_files_pattern(telepathy_logger_t, telepathy_logger_cache_home_t, telepathy_logger_cache_home_t)
|
|
-filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir, "logger")
|
|
+filetrans_pattern(telepathy_logger_t, telepathy_cache_home_t, telepathy_logger_cache_home_t, dir)
|
|
|
|
manage_dirs_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
|
|
manage_files_pattern(telepathy_logger_t, telepathy_logger_data_home_t, telepathy_logger_data_home_t)
|
|
-# gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir, "TpLogger")
|
|
|
|
-files_read_usr_files(telepathy_logger_t)
|
|
+optional_policy(`
|
|
+ gnome_data_filetrans(telepathy_logger_t, telepathy_logger_data_home_t, dir)
|
|
+')
|
|
+
|
|
files_search_pids(telepathy_logger_t)
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(telepathy_logger_t)
|
|
- fs_manage_nfs_files(telepathy_logger_t)
|
|
-')
|
|
+fs_getattr_all_fs(telepathy_logger_t)
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(telepathy_logger_t)
|
|
- fs_manage_cifs_files(telepathy_logger_t)
|
|
-')
|
|
+userdom_home_manager(telepathy_logger_t)
|
|
|
|
-# optional_policy(`
|
|
+optional_policy(`
|
|
# ~/.config/dconf/user
|
|
- # gnome_manage_generic_home_content(telepathy_logger_t)
|
|
-# ')
|
|
+ gnome_manage_home_config(telepathy_logger_t)
|
|
+')
|
|
|
|
#######################################
|
|
#
|
|
-# Mission-Control local policy
|
|
+# Telepathy Mission-Control local policy.
|
|
#
|
|
-
|
|
allow telepathy_mission_control_t self:process setsched;
|
|
|
|
manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
|
|
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_home_t, telepathy_mission_control_home_t)
|
|
-userdom_user_home_dir_filetrans(telepathy_mission_control_t, telepathy_mission_control_home_t, dir, ".mission-control")
|
|
+userdom_search_user_home_dirs(telepathy_mission_control_t)
|
|
|
|
-manage_dirs_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
|
|
+manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
|
|
+manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
|
|
+
|
|
+manage_dirs_pattern(telepathy_mission_control_t, { telepathy_data_home_t telepathy_mission_control_data_home_t }, { telepathy_data_home_t telepathy_mission_control_data_home_t })
|
|
manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_data_home_t, telepathy_mission_control_data_home_t)
|
|
-filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, dir, "mission-control")
|
|
+filetrans_pattern(telepathy_mission_control_t, telepathy_data_home_t, telepathy_mission_control_data_home_t, { dir file })
|
|
|
|
-manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
|
|
-# gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file, ".mc_connections")
|
|
+optional_policy(`
|
|
+ gnome_data_filetrans(telepathy_mission_control_t, telepathy_data_home_t, dir)
|
|
+ gnome_manage_home_config(telepathy_mission_control_t)
|
|
+')
|
|
|
|
manage_dirs_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
|
|
manage_files_pattern(telepathy_mission_control_t, telepathy_gabble_cache_home_t, telepathy_gabble_cache_home_t)
|
|
|
|
dev_read_rand(telepathy_mission_control_t)
|
|
|
|
-files_list_tmp(telepathy_mission_control_t)
|
|
-files_read_usr_files(telepathy_mission_control_t)
|
|
+fs_getattr_all_fs(telepathy_mission_control_t)
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(telepathy_mission_control_t)
|
|
- fs_manage_nfs_files(telepathy_mission_control_t)
|
|
-')
|
|
+files_list_tmp(telepathy_mission_control_t)
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(telepathy_mission_control_t)
|
|
- fs_manage_cifs_files(telepathy_mission_control_t)
|
|
-')
|
|
+userdom_home_manager(telepathy_mission_control_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(telepathy_mission_control_t)
|
|
@@ -248,59 +218,51 @@ optional_policy(`
|
|
devicekit_dbus_chat_power(telepathy_mission_control_t)
|
|
')
|
|
optional_policy(`
|
|
- gnome_dbus_chat_all_gkeyringd(telepathy_mission_control_t)
|
|
+ gnome_dbus_chat_gkeyringd(telepathy_mission_control_t)
|
|
')
|
|
optional_policy(`
|
|
networkmanager_dbus_chat(telepathy_mission_control_t)
|
|
')
|
|
')
|
|
|
|
-# optional_policy(`
|
|
- # ~/.config/dconf/user
|
|
- # gnome_manage_generic_home_content(telepathy_mission_control_t)
|
|
-# ')
|
|
+# ~/.cache/.mc_connections.
|
|
+optional_policy(`
|
|
+ manage_files_pattern(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_cache_home_t)
|
|
+ gnome_cache_filetrans(telepathy_mission_control_t, telepathy_mission_control_cache_home_t, file)
|
|
+')
|
|
|
|
#######################################
|
|
#
|
|
-# Butterfly and Haze local policy
|
|
+# Telepathy Butterfly and Haze local policy.
|
|
#
|
|
|
|
allow telepathy_msn_t self:process setsched;
|
|
+allow telepathy_msn_t self:unix_dgram_socket { write create connect };
|
|
|
|
manage_dirs_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
|
|
manage_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
|
|
manage_sock_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
|
|
+exec_files_pattern(telepathy_msn_t, telepathy_msn_tmp_t, telepathy_msn_tmp_t)
|
|
files_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
|
|
-
|
|
userdom_user_tmp_filetrans(telepathy_msn_t, telepathy_msn_tmp_t, { dir file sock_file })
|
|
-
|
|
+userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
|
|
can_exec(telepathy_msn_t, telepathy_msn_tmp_t)
|
|
|
|
corenet_all_recvfrom_netlabel(telepathy_msn_t)
|
|
-corenet_all_recvfrom_unlabeled(telepathy_msn_t)
|
|
corenet_tcp_sendrecv_generic_if(telepathy_msn_t)
|
|
corenet_tcp_sendrecv_generic_node(telepathy_msn_t)
|
|
-
|
|
-corenet_sendrecv_http_client_packets(telepathy_msn_t)
|
|
+corenet_tcp_bind_generic_node(telepathy_msn_t)
|
|
corenet_tcp_connect_http_port(telepathy_msn_t)
|
|
-corenet_tcp_sendrecv_http_port(telepathy_msn_t)
|
|
-
|
|
-corenet_sendrecv_mmcc_client_packets(telepathy_msn_t)
|
|
corenet_tcp_connect_mmcc_port(telepathy_msn_t)
|
|
-corenet_tcp_sendrecv_mmcc_port(telepathy_msn_t)
|
|
-
|
|
-corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
|
|
corenet_tcp_connect_msnp_port(telepathy_msn_t)
|
|
-corenet_tcp_sendrecv_msnp_port(telepathy_msn_t)
|
|
-
|
|
-corenet_sendrecv_sip_client_packets(telepathy_msn_t)
|
|
corenet_tcp_connect_sip_port(telepathy_msn_t)
|
|
-corenet_tcp_sendrecv_sip_port(telepathy_msn_t)
|
|
+corenet_sendrecv_http_client_packets(telepathy_msn_t)
|
|
+corenet_sendrecv_mmcc_client_packets(telepathy_msn_t)
|
|
+corenet_sendrecv_msnp_client_packets(telepathy_msn_t)
|
|
|
|
corecmd_exec_bin(telepathy_msn_t)
|
|
corecmd_exec_shell(telepathy_msn_t)
|
|
-
|
|
-files_read_usr_files(telepathy_msn_t)
|
|
+corecmd_read_bin_symlinks(telepathy_msn_t)
|
|
|
|
init_read_state(telepathy_msn_t)
|
|
|
|
@@ -310,18 +272,19 @@ logging_send_syslog_msg(telepathy_msn_t)
|
|
|
|
miscfiles_read_all_certs(telepathy_msn_t)
|
|
|
|
-# userdom_dontaudit_setattr_user_tmp(telepathy_msn_t)
|
|
-
|
|
tunable_policy(`telepathy_connect_all_ports',`
|
|
- corenet_sendrecv_all_client_packets(telepathy_msn_t)
|
|
corenet_tcp_connect_all_ports(telepathy_msn_t)
|
|
corenet_tcp_sendrecv_all_ports(telepathy_msn_t)
|
|
+ corenet_udp_sendrecv_all_ports(telepathy_msn_t)
|
|
')
|
|
|
|
tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
|
|
- corenet_sendrecv_generic_client_packets(telepathy_msn_t)
|
|
corenet_tcp_connect_generic_port(telepathy_msn_t)
|
|
- corenet_tcp_sendrecv_generic_port(telepathy_msn_t)
|
|
+ corenet_sendrecv_generic_client_packets(telepathy_msn_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ gnome_read_gconf_home_files(telepathy_msn_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -332,43 +295,33 @@ optional_policy(`
|
|
')
|
|
')
|
|
|
|
-# optional_policy(`
|
|
- # ~/.config/dconf/user
|
|
- # gnome_manage_generic_home_content(telepathy_msn_t)
|
|
-# ')
|
|
-
|
|
#######################################
|
|
#
|
|
-# Salut local policy
|
|
+# Telepathy Salut local policy.
|
|
#
|
|
|
|
-allow telepathy_salut_t self:tcp_socket { accept listen };
|
|
+allow telepathy_salut_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
manage_sock_files_pattern(telepathy_salut_t, telepathy_salut_tmp_t, telepathy_salut_tmp_t)
|
|
files_tmp_filetrans(telepathy_salut_t, telepathy_salut_tmp_t, sock_file)
|
|
|
|
corenet_all_recvfrom_netlabel(telepathy_salut_t)
|
|
-corenet_all_recvfrom_unlabeled(telepathy_salut_t)
|
|
corenet_tcp_sendrecv_generic_if(telepathy_salut_t)
|
|
corenet_tcp_sendrecv_generic_node(telepathy_salut_t)
|
|
corenet_tcp_bind_generic_node(telepathy_salut_t)
|
|
-
|
|
-corenet_sendrecv_presence_server_packets(telepathy_salut_t)
|
|
corenet_tcp_bind_presence_port(telepathy_salut_t)
|
|
-corenet_sendrecv_presence_client_packets(telepathy_salut_t)
|
|
corenet_tcp_connect_presence_port(telepathy_salut_t)
|
|
-corenet_tcp_sendrecv_presence_port(telepathy_salut_t)
|
|
+corenet_sendrecv_presence_server_packets(telepathy_salut_t)
|
|
|
|
tunable_policy(`telepathy_connect_all_ports',`
|
|
- corenet_sendrecv_all_client_packets(telepathy_salut_t)
|
|
corenet_tcp_connect_all_ports(telepathy_salut_t)
|
|
corenet_tcp_sendrecv_all_ports(telepathy_salut_t)
|
|
+ corenet_udp_sendrecv_all_ports(telepathy_salut_t)
|
|
')
|
|
|
|
tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
|
|
- corenet_sendrecv_generic_client_packets(telepathy_salut_t)
|
|
corenet_tcp_connect_generic_port(telepathy_salut_t)
|
|
- corenet_tcp_sendrecv_generic_port(telepathy_salut_t)
|
|
+ corenet_sendrecv_generic_client_packets(telepathy_salut_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -381,73 +334,53 @@ optional_policy(`
|
|
|
|
#######################################
|
|
#
|
|
-# Sofiasip local policy
|
|
+# Telepathy Sofiasip local policy.
|
|
#
|
|
|
|
-allow telepathy_sofiasip_t self:rawip_socket create_stream_socket_perms;
|
|
-allow telepathy_sofiasip_t self:tcp_socket { accept listen };
|
|
+allow telepathy_sofiasip_t self:rawip_socket { create_socket_perms listen };
|
|
+allow telepathy_sofiasip_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
corenet_all_recvfrom_netlabel(telepathy_sofiasip_t)
|
|
-corenet_all_recvfrom_unlabeled(telepathy_sofiasip_t)
|
|
corenet_tcp_sendrecv_generic_if(telepathy_sofiasip_t)
|
|
corenet_raw_sendrecv_generic_if(telepathy_sofiasip_t)
|
|
corenet_raw_sendrecv_generic_node(telepathy_sofiasip_t)
|
|
corenet_tcp_sendrecv_generic_node(telepathy_sofiasip_t)
|
|
corenet_tcp_bind_generic_node(telepathy_sofiasip_t)
|
|
corenet_raw_bind_generic_node(telepathy_sofiasip_t)
|
|
-
|
|
-corenet_sendrecv_all_server_packets(telepathy_sofiasip_t)
|
|
corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t)
|
|
-corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)
|
|
-
|
|
corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t)
|
|
-
|
|
-corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
|
|
corenet_tcp_connect_sip_port(telepathy_sofiasip_t)
|
|
-corenet_tcp_sendrecv_sip_port(telepathy_sofiasip_t)
|
|
+corenet_sendrecv_sip_client_packets(telepathy_sofiasip_t)
|
|
|
|
kernel_request_load_module(telepathy_sofiasip_t)
|
|
|
|
tunable_policy(`telepathy_connect_all_ports',`
|
|
- corenet_sendrecv_all_client_packets(telepathy_sofiasip_t)
|
|
corenet_tcp_connect_all_ports(telepathy_sofiasip_t)
|
|
corenet_tcp_sendrecv_all_ports(telepathy_sofiasip_t)
|
|
+ corenet_udp_sendrecv_all_ports(telepathy_sofiasip_t)
|
|
')
|
|
|
|
tunable_policy(`telepathy_tcp_connect_generic_network_ports',`
|
|
- corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t)
|
|
corenet_tcp_connect_generic_port(telepathy_sofiasip_t)
|
|
- corenet_tcp_sendrecv_generic_port(telepathy_sofiasip_t)
|
|
+ corenet_sendrecv_generic_client_packets(telepathy_sofiasip_t)
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
-# Sunshine local policy
|
|
+# Telepathy Sunshine local policy.
|
|
#
|
|
|
|
manage_dirs_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
|
|
manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_home_t, telepathy_sunshine_home_t)
|
|
-userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, dir, ".telepathy-sunshine")
|
|
+userdom_user_home_dir_filetrans(telepathy_sunshine_t, telepathy_sunshine_home_t, { dir file })
|
|
+userdom_search_user_home_dirs(telepathy_sunshine_t)
|
|
|
|
manage_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
|
|
+exec_files_pattern(telepathy_sunshine_t, telepathy_sunshine_tmp_t, telepathy_sunshine_tmp_t)
|
|
files_tmp_filetrans(telepathy_sunshine_t, telepathy_sunshine_tmp_t, file)
|
|
|
|
-can_exec(telepathy_sunshine_t, telepathy_sunshine_tmp_t)
|
|
-
|
|
corecmd_exec_bin(telepathy_sunshine_t)
|
|
|
|
-files_read_usr_files(telepathy_sunshine_t)
|
|
-
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(telepathy_sunshine_t)
|
|
- fs_manage_nfs_files(telepathy_sunshine_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(telepathy_sunshine_t)
|
|
- fs_manage_cifs_files(telepathy_sunshine_t)
|
|
-')
|
|
-
|
|
optional_policy(`
|
|
xserver_read_xdm_pid(telepathy_sunshine_t)
|
|
xserver_stream_connect(telepathy_sunshine_t)
|
|
@@ -455,31 +388,49 @@ optional_policy(`
|
|
|
|
#######################################
|
|
#
|
|
-# Common telepathy domain local policy
|
|
+# telepathy domains common policy
|
|
#
|
|
|
|
allow telepathy_domain self:process { getsched signal sigkill };
|
|
allow telepathy_domain self:fifo_file rw_fifo_file_perms;
|
|
+allow telepathy_domain self:tcp_socket create_socket_perms;
|
|
+allow telepathy_domain self:udp_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(telepathy_domain, telepathy_cache_home_t, telepathy_cache_home_t)
|
|
-# gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")
|
|
-
|
|
-manage_dirs_pattern(telepathy_domain, telepathy_data_home_t, telepathy_data_home_t)
|
|
-# gnome_data_filetrans(telepathy_domain, telepathy_data_home_t, dir, "telepathy")
|
|
+optional_policy(`
|
|
+ gnome_cache_filetrans(telepathy_domain, telepathy_cache_home_t, dir, "telepathy")
|
|
+')
|
|
|
|
dev_read_urand(telepathy_domain)
|
|
|
|
-kernel_read_system_state(telepathy_domain)
|
|
|
|
fs_getattr_all_fs(telepathy_domain)
|
|
fs_search_auto_mountpoints(telepathy_domain)
|
|
+fs_rw_inherited_tmpfs_files(telepathy_domain)
|
|
|
|
-miscfiles_read_localization(telepathy_domain)
|
|
+userdom_search_user_tmp_dirs(telepathy_domain)
|
|
+userdom_search_user_home_dirs(telepathy_domain)
|
|
|
|
optional_policy(`
|
|
automount_dontaudit_getattr_tmp_dirs(telepathy_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ gnome_read_generic_cache_files(telepathy_domain)
|
|
+ gnome_write_generic_cache_files(telepathy_domain)
|
|
+ gnome_filetrans_config_home_content(telepathy_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ systemd_dbus_chat_logind(telepathy_domain)
|
|
+ systemd_write_inhibit_pipes(telepathy_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ telepathy_dbus_chat(telepathy_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
xserver_rw_xdm_pipes(telepathy_domain)
|
|
')
|
|
+
|
|
diff --git a/telnet.te b/telnet.te
|
|
index d7c8633..a91c027 100644
|
|
--- a/telnet.te
|
|
+++ b/telnet.te
|
|
@@ -30,16 +30,19 @@ files_pid_file(telnetd_var_run_t)
|
|
allow telnetd_t self:capability { fsetid chown fowner setuid setgid sys_tty_config dac_override };
|
|
allow telnetd_t self:process signal_perms;
|
|
allow telnetd_t self:fifo_file rw_fifo_file_perms;
|
|
-allow telnetd_t self:tcp_socket { accept listen };
|
|
+allow telnetd_t self:tcp_socket connected_stream_socket_perms;
|
|
+allow telnetd_t self:udp_socket create_socket_perms;
|
|
+# for identd; cjp: this should probably only be inetd_child rules?
|
|
+allow telnetd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
|
|
|
allow telnetd_t telnetd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
|
|
+
|
|
term_create_pty(telnetd_t, telnetd_devpts_t)
|
|
|
|
allow telnetd_t telnetd_keytab_t:file read_file_perms;
|
|
|
|
manage_dirs_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
|
|
manage_files_pattern(telnetd_t, telnetd_tmp_t, telnetd_tmp_t)
|
|
-files_tmp_filetrans(telnetd_t, telnetd_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(telnetd_t, telnetd_var_run_t, telnetd_var_run_t)
|
|
files_pid_filetrans(telnetd_t, telnetd_var_run_t, file)
|
|
@@ -48,7 +51,6 @@ kernel_read_kernel_sysctls(telnetd_t)
|
|
kernel_read_system_state(telnetd_t)
|
|
kernel_read_network_state(telnetd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(telnetd_t)
|
|
corenet_all_recvfrom_netlabel(telnetd_t)
|
|
corenet_tcp_sendrecv_generic_if(telnetd_t)
|
|
corenet_tcp_sendrecv_generic_node(telnetd_t)
|
|
@@ -63,7 +65,6 @@ dev_read_urand(telnetd_t)
|
|
|
|
domain_interactive_fd(telnetd_t)
|
|
|
|
-files_read_usr_files(telnetd_t)
|
|
files_read_etc_runtime_files(telnetd_t)
|
|
files_search_home(telnetd_t)
|
|
|
|
@@ -76,12 +77,12 @@ init_rw_utmp(telnetd_t)
|
|
|
|
logging_send_syslog_msg(telnetd_t)
|
|
|
|
-miscfiles_read_localization(telnetd_t)
|
|
-
|
|
seutil_read_config(telnetd_t)
|
|
|
|
userdom_search_user_home_dirs(telnetd_t)
|
|
userdom_setattr_user_ptys(telnetd_t)
|
|
+userdom_manage_user_tmp_files(telnetd_t)
|
|
+userdom_tmp_filetrans_user_tmp(telnetd_t, file)
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
fs_search_nfs(telnetd_t)
|
|
@@ -93,7 +94,7 @@ tunable_policy(`use_samba_home_dirs',`
|
|
|
|
optional_policy(`
|
|
kerberos_read_keytab(telnetd_t)
|
|
- kerberos_tmp_filetrans_host_rcache(telnetd_t, file, "host_0")
|
|
+ kerberos_tmp_filetrans_host_rcache(telnetd_t, "host_0")
|
|
kerberos_manage_host_rcache(telnetd_t)
|
|
kerberos_use(telnetd_t)
|
|
')
|
|
diff --git a/tftp.fc b/tftp.fc
|
|
index 3dd87da..0d13384 100644
|
|
--- a/tftp.fc
|
|
+++ b/tftp.fc
|
|
@@ -1,9 +1,9 @@
|
|
-/etc/(x)?inetd\.d/tftp -- gen_context(system_u:object_r:tftpd_conf_t,s0)
|
|
+/etc/(x)?inetd\.d/tftp -- gen_context(system_u:object_r:tftpd_etc_t,s0)
|
|
|
|
/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
|
|
/usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
|
|
|
|
-/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
|
|
-/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
|
|
+/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
|
|
+/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
|
|
|
|
-/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0)
|
|
+/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_rw_t,s0)
|
|
diff --git a/tftp.if b/tftp.if
|
|
index 9957e30..cf0b925 100644
|
|
--- a/tftp.if
|
|
+++ b/tftp.if
|
|
@@ -1,8 +1,8 @@
|
|
-## <summary>Trivial file transfer protocol daemon.</summary>
|
|
+## <summary>Trivial file transfer protocol daemon</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read tftp content files.
|
|
+## Read tftp content
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -13,18 +13,21 @@
|
|
interface(`tftp_read_content',`
|
|
gen_require(`
|
|
type tftpdir_t;
|
|
+ type tftpdir_rw_t;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
- allow $1 tftpdir_t:dir list_dir_perms;
|
|
- allow $1 tftpdir_t:file read_file_perms;
|
|
- allow $1 tftpdir_t:lnk_file read_lnk_file_perms;
|
|
+ list_dirs_pattern($1, tftpdir_t, tftpdir_t)
|
|
+ read_files_pattern($1, tftpdir_t, tftpdir_t)
|
|
+ read_lnk_files_pattern($1, tftpdir_t, tftpdir_t)
|
|
+
|
|
+ list_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
|
|
+ read_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
|
|
+ read_lnk_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## tftp rw content.
|
|
+## Search tftp /var/lib directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -32,20 +35,18 @@ interface(`tftp_read_content',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`tftp_manage_rw_content',`
|
|
+interface(`tftp_search_rw_content',`
|
|
gen_require(`
|
|
type tftpdir_rw_t;
|
|
')
|
|
|
|
+ search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
|
|
files_search_var_lib($1)
|
|
- allow $1 tftpdir_rw_t:dir manage_dir_perms;
|
|
- allow $1 tftpdir_rw_t:file manage_file_perms;
|
|
- allow $1 tftpdir_rw_t:lnk_file manage_lnk_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read tftpd configuration files.
|
|
+## Manage tftp /var/lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -53,19 +54,19 @@ interface(`tftp_manage_rw_content',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`tftp_read_config_files',`
|
|
+interface(`tftp_manage_rw_content',`
|
|
gen_require(`
|
|
- type tftpd_conf_t;
|
|
+ type tftpdir_rw_t;
|
|
')
|
|
|
|
- files_search_etc($1)
|
|
- allow $1 tftpd_conf_t:file read_file_perms;
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
|
|
+ manage_files_pattern($1, tftpdir_rw_t, tftpdir_rw_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## tftpd configuration files.
|
|
+## Read tftp config files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -73,55 +74,44 @@ interface(`tftp_read_config_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`tftp_manage_config_files',`
|
|
+interface(`tftp_read_config',`
|
|
gen_require(`
|
|
- type tftpd_conf_t;
|
|
+ type tftpd_etc_t;
|
|
')
|
|
|
|
- files_search_etc($1)
|
|
- allow $1 tftpd_conf_t:file manage_file_perms;
|
|
+ read_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create objects in etc directories
|
|
-## with tftp conf type.
|
|
+## Manage tftp config files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`tftp_etc_filetrans_config',`
|
|
+interface(`tftp_manage_config',`
|
|
gen_require(`
|
|
- type tftp_conf_t;
|
|
+ type tftpd_etc_t;
|
|
')
|
|
|
|
- files_etc_filetrans($1, tftp_conf_t, $2, $3)
|
|
+ manage_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
|
|
+ files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create objects in tftpdir directories
|
|
-## with a private type.
|
|
+## with specified types.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="private_type">
|
|
+## <param name="file_type">
|
|
## <summary>
|
|
## Private file type.
|
|
## </summary>
|
|
@@ -131,25 +121,38 @@ interface(`tftp_etc_filetrans_config',`
|
|
## Class of the object being created.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
#
|
|
interface(`tftp_filetrans_tftpdir',`
|
|
gen_require(`
|
|
type tftpdir_rw_t;
|
|
')
|
|
|
|
+ filetrans_pattern($1, tftpdir_rw_t, $2, $3)
|
|
files_search_var_lib($1)
|
|
- filetrans_pattern($1, tftpdir_rw_t, $2, $3, $4)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an tftp environment.
|
|
+## Transition to tftp named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`tftp_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type tftpd_etc_t;
|
|
+ ')
|
|
+
|
|
+ files_etc_filetrans($1, tftpd_etc_t, file, "tftp")
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an tftp environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -161,18 +164,22 @@ interface(`tftp_filetrans_tftpdir',`
|
|
interface(`tftp_admin',`
|
|
gen_require(`
|
|
type tftpd_t, tftpdir_t, tftpdir_rw_t, tftpd_var_run_t;
|
|
- type tftpd_conf_t;
|
|
')
|
|
|
|
- allow $1 tftpd_t:process { ptrace signal_perms };
|
|
+ allow $1 tftpd_t:process signal_perms;
|
|
ps_process_pattern($1, tftpd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 tftpd_t:process ptrace;
|
|
+ ')
|
|
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, tftpd_conf_t)
|
|
+ files_list_var_lib($1)
|
|
|
|
- files_search_var_lib($1)
|
|
- admin_pattern($1, { tftpdir_t tftpdir_rw_t })
|
|
+ admin_pattern($1, tftpdir_rw_t)
|
|
+
|
|
+ admin_pattern($1, tftpdir_t)
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, tftpd_var_run_t)
|
|
+
|
|
+ tftp_manage_config($1)
|
|
')
|
|
diff --git a/tftp.te b/tftp.te
|
|
index cfaa2a1..a9bc6f1 100644
|
|
--- a/tftp.te
|
|
+++ b/tftp.te
|
|
@@ -6,30 +6,24 @@ policy_module(tftp, 1.13.0)
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether tftp can modify
|
|
-## public files used for public file
|
|
-## transfer services. Directories/Files must
|
|
-## be labeled public_content_rw_t.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow tftp to modify public files
|
|
+## used for public file transfer services.
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(tftp_anon_write, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether tftp can manage
|
|
-## generic user home content.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow tftp to read and write files in the user home directories
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(tftp_enable_homedir, false)
|
|
+gen_tunable(tftp_home_dir, false)
|
|
|
|
type tftpd_t;
|
|
type tftpd_exec_t;
|
|
init_daemon_domain(tftpd_t, tftpd_exec_t)
|
|
|
|
-type tftpd_conf_t;
|
|
-files_config_file(tftpd_conf_t)
|
|
-
|
|
type tftpd_var_run_t;
|
|
files_pid_file(tftpd_var_run_t)
|
|
|
|
@@ -39,6 +33,9 @@ files_type(tftpdir_t)
|
|
type tftpdir_rw_t;
|
|
files_type(tftpdir_rw_t)
|
|
|
|
+type tftpd_etc_t;
|
|
+files_config_file(tftpd_etc_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -46,15 +43,17 @@ files_type(tftpdir_rw_t)
|
|
|
|
allow tftpd_t self:capability { setgid setuid sys_chroot };
|
|
dontaudit tftpd_t self:capability sys_tty_config;
|
|
-allow tftpd_t self:tcp_socket { accept listen };
|
|
-allow tftpd_t self:unix_stream_socket { accept listen };
|
|
-
|
|
-allow tftpd_t tftpd_conf_t:file read_file_perms;
|
|
+allow tftpd_t self:tcp_socket create_stream_socket_perms;
|
|
+allow tftpd_t self:udp_socket create_socket_perms;
|
|
+allow tftpd_t self:unix_dgram_socket create_socket_perms;
|
|
+allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
allow tftpd_t tftpdir_t:dir list_dir_perms;
|
|
allow tftpd_t tftpdir_t:file read_file_perms;
|
|
allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
|
|
|
|
+read_files_pattern(tftpd_t, tftpd_etc_t, tftpd_etc_t)
|
|
+
|
|
manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
|
|
manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
|
|
manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
|
|
@@ -65,18 +64,23 @@ files_pid_filetrans(tftpd_t, tftpd_var_run_t, file)
|
|
kernel_read_system_state(tftpd_t)
|
|
kernel_read_kernel_sysctls(tftpd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(tftpd_t)
|
|
corenet_all_recvfrom_netlabel(tftpd_t)
|
|
+corenet_tcp_sendrecv_generic_if(tftpd_t)
|
|
corenet_udp_sendrecv_generic_if(tftpd_t)
|
|
+corenet_tcp_sendrecv_generic_node(tftpd_t)
|
|
corenet_udp_sendrecv_generic_node(tftpd_t)
|
|
+corenet_tcp_sendrecv_all_ports(tftpd_t)
|
|
+corenet_udp_sendrecv_all_ports(tftpd_t)
|
|
+corenet_tcp_bind_generic_node(tftpd_t)
|
|
corenet_udp_bind_generic_node(tftpd_t)
|
|
-
|
|
-corenet_sendrecv_tftp_server_packets(tftpd_t)
|
|
corenet_udp_bind_tftp_port(tftpd_t)
|
|
-corenet_udp_sendrecv_tftp_port(tftpd_t)
|
|
+corenet_sendrecv_tftp_server_packets(tftpd_t)
|
|
|
|
dev_read_sysfs(tftpd_t)
|
|
|
|
+fs_getattr_all_fs(tftpd_t)
|
|
+fs_search_auto_mountpoints(tftpd_t)
|
|
+
|
|
domain_use_interactive_fds(tftpd_t)
|
|
|
|
files_read_etc_runtime_files(tftpd_t)
|
|
@@ -84,43 +88,46 @@ files_read_var_files(tftpd_t)
|
|
files_read_var_symlinks(tftpd_t)
|
|
files_search_var(tftpd_t)
|
|
|
|
-fs_getattr_all_fs(tftpd_t)
|
|
-fs_search_auto_mountpoints(tftpd_t)
|
|
-
|
|
auth_use_nsswitch(tftpd_t)
|
|
|
|
logging_send_syslog_msg(tftpd_t)
|
|
|
|
-miscfiles_read_localization(tftpd_t)
|
|
miscfiles_read_public_files(tftpd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
|
|
userdom_dontaudit_use_user_terminals(tftpd_t)
|
|
-userdom_user_home_dir_filetrans_user_home_content(tftpd_t, { dir file lnk_file })
|
|
+userdom_dontaudit_search_user_home_dirs(tftpd_t)
|
|
+
|
|
+userdom_home_manager(tftpd_t)
|
|
|
|
tunable_policy(`tftp_anon_write',`
|
|
miscfiles_manage_public_files(tftpd_t)
|
|
')
|
|
|
|
-tunable_policy(`tftp_enable_homedir',`
|
|
- allow tftpd_t self:capability { dac_override dac_read_search };
|
|
+tunable_policy(`tftp_home_dir',`
|
|
+ allow tftpd_t self:capability { dac_override dac_read_search };
|
|
|
|
+ # allow access to /home
|
|
files_list_home(tftpd_t)
|
|
- userdom_manage_user_home_content_dirs(tftpd_t)
|
|
- userdom_manage_user_home_content_files(tftpd_t)
|
|
- userdom_manage_user_home_content_symlinks(tftpd_t)
|
|
+ userdom_read_user_home_content_files(tftpd_t)
|
|
+ userdom_manage_user_home_content(tftpd_t)
|
|
+
|
|
+ auth_read_all_dirs_except_shadow(tftpd_t)
|
|
+ auth_read_all_files_except_shadow(tftpd_t)
|
|
+ auth_read_all_symlinks_except_shadow(tftpd_t)
|
|
+',`
|
|
+ # Needed for permissive mode, to make sure everything gets labeled correctly
|
|
+ userdom_user_home_dir_filetrans_pattern(tftpd_t, { dir file lnk_file })
|
|
')
|
|
|
|
-tunable_policy(`tftp_enable_homedir && use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(tftpd_t)
|
|
- fs_manage_nfs_files(tftpd_t)
|
|
- fs_read_nfs_symlinks(tftpd_t)
|
|
+tunable_policy(`tftp_home_dir && use_nfs_home_dirs',`
|
|
+ fs_manage_nfs_files(tftpd_t)
|
|
+ fs_read_nfs_symlinks(tftpd_t)
|
|
')
|
|
|
|
-tunable_policy(`tftp_enable_homedir && use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(tftpd_t)
|
|
- fs_manage_cifs_files(tftpd_t)
|
|
- fs_read_cifs_symlinks(tftpd_t)
|
|
+tunable_policy(`tftp_home_dir && use_samba_home_dirs',`
|
|
+ fs_manage_cifs_files(tftpd_t)
|
|
+ fs_read_cifs_symlinks(tftpd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
diff --git a/tgtd.fc b/tgtd.fc
|
|
index 38389e6..4847b43 100644
|
|
--- a/tgtd.fc
|
|
+++ b/tgtd.fc
|
|
@@ -1,7 +1,4 @@
|
|
-/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
|
|
-
|
|
-/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
|
|
-
|
|
-/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
|
|
-
|
|
-/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)
|
|
+/etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
|
|
+/usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
|
|
+/var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
|
|
+/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)
|
|
diff --git a/tgtd.if b/tgtd.if
|
|
index 5406b6e..dc5b46e 100644
|
|
--- a/tgtd.if
|
|
+++ b/tgtd.if
|
|
@@ -97,6 +97,6 @@ interface(`tgtd_admin',`
|
|
files_search_tmp($1)
|
|
admin_pattern($1, tgtd_tmp_t)
|
|
|
|
- files_search_tmpfs($1)
|
|
+ fs_search_tmpfs($1)
|
|
admin_pattern($1, tgtd_tmpfs_t)
|
|
')
|
|
diff --git a/tgtd.te b/tgtd.te
|
|
index d010963..5ecc3bf 100644
|
|
--- a/tgtd.te
|
|
+++ b/tgtd.te
|
|
@@ -29,7 +29,7 @@ files_pid_file(tgtd_var_run_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow tgtd_t self:capability sys_resource;
|
|
+allow tgtd_t self:capability { dac_override ipc_lock sys_resource sys_rawio sys_admin };
|
|
allow tgtd_t self:capability2 block_suspend;
|
|
allow tgtd_t self:process { setrlimit signal };
|
|
allow tgtd_t self:fifo_file rw_fifo_file_perms;
|
|
@@ -58,13 +58,13 @@ kernel_read_system_state(tgtd_t)
|
|
kernel_read_fs_sysctls(tgtd_t)
|
|
|
|
corenet_all_recvfrom_netlabel(tgtd_t)
|
|
-corenet_all_recvfrom_unlabeled(tgtd_t)
|
|
corenet_tcp_sendrecv_generic_if(tgtd_t)
|
|
corenet_tcp_sendrecv_generic_node(tgtd_t)
|
|
corenet_tcp_bind_generic_node(tgtd_t)
|
|
|
|
corenet_sendrecv_iscsi_server_packets(tgtd_t)
|
|
corenet_tcp_bind_iscsi_port(tgtd_t)
|
|
+corenet_tcp_connect_isns_port(tgtd_t)
|
|
corenet_tcp_sendrecv_iscsi_port(tgtd_t)
|
|
|
|
corenet_sendrecv_iscsi_client_packets(tgtd_t)
|
|
@@ -72,16 +72,16 @@ corenet_tcp_connect_isns_port(tgtd_t)
|
|
|
|
dev_read_sysfs(tgtd_t)
|
|
|
|
-files_read_etc_files(tgtd_t)
|
|
+files_list_mnt(tgtd_t)
|
|
|
|
fs_read_anon_inodefs_files(tgtd_t)
|
|
|
|
storage_manage_fixed_disk(tgtd_t)
|
|
+storage_read_scsi_generic(tgtd_t)
|
|
+storage_write_scsi_generic(tgtd_t)
|
|
|
|
logging_send_syslog_msg(tgtd_t)
|
|
|
|
-miscfiles_read_localization(tgtd_t)
|
|
-
|
|
optional_policy(`
|
|
iscsi_manage_semaphores(tgtd_t)
|
|
')
|
|
diff --git a/thin.fc b/thin.fc
|
|
new file mode 100644
|
|
index 0000000..1f8a908
|
|
--- /dev/null
|
|
+++ b/thin.fc
|
|
@@ -0,0 +1,12 @@
|
|
+/usr/bin/thin -- gen_context(system_u:object_r:thin_exec_t,s0)
|
|
+
|
|
+/usr/bin/aeolus-configserver-thinwrapper -- gen_context(system_u:object_r:thin_aeolus_configserver_exec_t,s0)
|
|
+
|
|
+/var/lib/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_lib_t,s0)
|
|
+
|
|
+/var/log/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_log_t,s0)
|
|
+/var/log/thin\.log.* -- gen_context(system_u:object_r:thin_log_t,s0)
|
|
+
|
|
+/var/run/aeolus-configserver(/.*)? gen_context(system_u:object_r:thin_aeolus_configserver_var_run_t,s0)
|
|
+/var/run/aeolus/thin\.pid -- gen_context(system_u:object_r:thin_var_run_t,s0)
|
|
+/var/run/thin(/.*)? gen_context(system_u:object_r:thin_var_run_t,s0)
|
|
diff --git a/thin.if b/thin.if
|
|
new file mode 100644
|
|
index 0000000..5e3637e
|
|
--- /dev/null
|
|
+++ b/thin.if
|
|
@@ -0,0 +1,64 @@
|
|
+## <summary>thin policy</summary>
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Creates types and rules for a basic
|
|
+## thin daemon domain.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## Prefix for the domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`thin_domain_template',`
|
|
+ gen_require(`
|
|
+ attribute thin_domain;
|
|
+ ')
|
|
+
|
|
+ type $1_t, thin_domain;
|
|
+ type $1_exec_t;
|
|
+ init_daemon_domain($1_t, $1_exec_t)
|
|
+
|
|
+ can_exec($1_t, $1_exec_t)
|
|
+
|
|
+ kernel_read_system_state($1_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Execute mongod in the caller domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`thin_exec',`
|
|
+ gen_require(`
|
|
+ type thin_exec_t;
|
|
+ ')
|
|
+
|
|
+ can_exec($1, thin_exec_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## Connect to thin over a unix domain
|
|
+## stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`thin_stream_connect',`
|
|
+ gen_require(`
|
|
+ type thin_t, thin_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, thin_var_run_t, thin_var_run_t, thin_t)
|
|
+')
|
|
diff --git a/thin.te b/thin.te
|
|
new file mode 100644
|
|
index 0000000..39d17b7
|
|
--- /dev/null
|
|
+++ b/thin.te
|
|
@@ -0,0 +1,115 @@
|
|
+policy_module(thin, 1.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+attribute thin_domain;
|
|
+
|
|
+thin_domain_template(thin)
|
|
+
|
|
+type thin_log_t;
|
|
+logging_log_file(thin_log_t)
|
|
+
|
|
+type thin_var_run_t;
|
|
+files_pid_file(thin_var_run_t)
|
|
+
|
|
+thin_domain_template(thin_aeolus_configserver)
|
|
+
|
|
+type thin_aeolus_configserver_lib_t;
|
|
+files_type(thin_aeolus_configserver_lib_t)
|
|
+
|
|
+type thin_aeolus_configserver_log_t;
|
|
+logging_log_file(thin_aeolus_configserver_log_t)
|
|
+
|
|
+type thin_aeolus_configserver_var_run_t;
|
|
+files_pid_file(thin_aeolus_configserver_var_run_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# thin_domain local policy
|
|
+#
|
|
+
|
|
+allow thin_domain self:process signal;
|
|
+
|
|
+allow thin_domain self:fifo_file rw_fifo_file_perms;
|
|
+allow thin_domain self:tcp_socket create_stream_socket_perms;
|
|
+
|
|
+# we want to stay in a new thin domain if we call thin binary from a script
|
|
+# # initrc_t@thin_test_exec_t->thin_test_t@thin_exec_t->thin_test_t
|
|
+can_exec(thin_domain, thin_exec_t)
|
|
+
|
|
+corecmd_exec_bin(thin_domain)
|
|
+corecmd_exec_shell(thin_domain)
|
|
+
|
|
+corenet_tcp_bind_generic_node(thin_domain)
|
|
+
|
|
+dev_read_rand(thin_domain)
|
|
+dev_read_urand(thin_domain)
|
|
+
|
|
+
|
|
+auth_read_passwd(thin_domain)
|
|
+
|
|
+miscfiles_read_certs(thin_domain)
|
|
+
|
|
+
|
|
+fs_search_auto_mountpoints(thin_domain)
|
|
+
|
|
+init_read_utmp(thin_domain)
|
|
+
|
|
+kernel_read_kernel_sysctls(thin_domain)
|
|
+
|
|
+optional_policy(`
|
|
+ apache_read_sys_content(thin_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ sysnet_read_config(thin_domain)
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# thin local policy
|
|
+#
|
|
+
|
|
+allow thin_t self:capability { setuid kill setgid dac_override };
|
|
+allow thin_t self:capability2 block_suspend;
|
|
+
|
|
+allow thin_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+allow thin_t self:udp_socket create_socket_perms;
|
|
+allow thin_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+manage_files_pattern(thin_t, thin_log_t, thin_log_t)
|
|
+manage_dirs_pattern(thin_t, thin_log_t, thin_log_t)
|
|
+logging_log_filetrans(thin_t, thin_log_t, { file dir })
|
|
+
|
|
+manage_dirs_pattern(thin_t, thin_var_run_t, thin_var_run_t)
|
|
+manage_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
|
|
+manage_lnk_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
|
|
+manage_sock_files_pattern(thin_t, thin_var_run_t, thin_var_run_t)
|
|
+files_pid_filetrans(thin_t, thin_var_run_t, { dir file sock_file })
|
|
+
|
|
+corenet_tcp_bind_ntop_port(thin_t)
|
|
+corenet_tcp_connect_postgresql_port(thin_t)
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# thin aeolus configserver local policy
|
|
+#
|
|
+
|
|
+allow thin_aeolus_configserver_t self:capability { setuid setgid };
|
|
+
|
|
+corenet_tcp_bind_tram_port(thin_aeolus_configserver_t)
|
|
+
|
|
+manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t)
|
|
+manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, thin_aeolus_configserver_lib_t)
|
|
+files_var_lib_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_lib_t, { file dir })
|
|
+
|
|
+manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t)
|
|
+manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, thin_aeolus_configserver_log_t)
|
|
+logging_log_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_log_t, { file dir })
|
|
+
|
|
+manage_files_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t)
|
|
+manage_dirs_pattern(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, thin_aeolus_configserver_var_run_t)
|
|
+files_pid_filetrans(thin_aeolus_configserver_t, thin_aeolus_configserver_var_run_t, { dir file })
|
|
diff --git a/thumb.fc b/thumb.fc
|
|
new file mode 100644
|
|
index 0000000..92b6843
|
|
--- /dev/null
|
|
+++ b/thumb.fc
|
|
@@ -0,0 +1,18 @@
|
|
+HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)
|
|
+HOME_DIR/\.thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)
|
|
+HOME_DIR/\.cache/thumbnails(/.*)? gen_context(system_u:object_r:thumb_home_t,s0)
|
|
+HOME_DIR/missfont\.log.* gen_context(system_u:object_r:thumb_home_t,s0)
|
|
+
|
|
+/usr/bin/evince-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
|
|
+/usr/bin/gsf-office-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
|
|
+/usr/bin/gnome-thumbnail-font -- gen_context(system_u:object_r:thumb_exec_t,s0)
|
|
+/usr/bin/gnome-[^/]*-thumbnailer(.sh)? -- gen_context(system_u:object_r:thumb_exec_t,s0)
|
|
+/usr/bin/raw-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
|
|
+/usr/bin/shotwell-video-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
|
|
+/usr/bin/totem-video-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
|
|
+/usr/bin/whaaw-thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
|
|
+/usr/bin/[^/]*thumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
|
|
+/usr/bin/ffmpegthumbnailer -- gen_context(system_u:object_r:thumb_exec_t,s0)
|
|
+/usr/bin/mate-thumbnail-font -- gen_context(system_u:object_r:thumb_exec_t,s0)
|
|
+
|
|
+/usr/lib/tumbler[^/]*/tumblerd -- gen_context(system_u:object_r:thumb_exec_t,s0)
|
|
diff --git a/thumb.if b/thumb.if
|
|
new file mode 100644
|
|
index 0000000..c1fd8b4
|
|
--- /dev/null
|
|
+++ b/thumb.if
|
|
@@ -0,0 +1,133 @@
|
|
+
|
|
+## <summary>policy for thumb</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to thumb.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`thumb_domtrans',`
|
|
+ gen_require(`
|
|
+ type thumb_t, thumb_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, thumb_exec_t, thumb_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute thumb in the thumb domain, and
|
|
+## allow the specified role the thumb domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed the thumb domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`thumb_run',`
|
|
+ gen_require(`
|
|
+ type thumb_t;
|
|
+ ')
|
|
+
|
|
+ thumb_domtrans($1)
|
|
+ role $2 types thumb_t;
|
|
+
|
|
+ allow $1 thumb_t:process signal_perms;
|
|
+
|
|
+ dontaudit thumb_t $1:dir list_dir_perms;
|
|
+ dontaudit thumb_t $1:file read_file_perms;
|
|
+ dontaudit thumb_t $1:unix_stream_socket rw_socket_perms;
|
|
+
|
|
+ allow thumb_t $1:shm create_shm_perms;
|
|
+ allow thumb_t $1:sem create_sem_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Role access for thumb
|
|
+## </summary>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## User domain for the role
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`thumb_role',`
|
|
+ gen_require(`
|
|
+ type thumb_t;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
+
|
|
+ thumb_run($2, $1)
|
|
+
|
|
+ ps_process_pattern($2, thumb_t)
|
|
+ allow thumb_t $2:unix_stream_socket connectto;
|
|
+
|
|
+ thumb_dbus_chat($2)
|
|
+ thumb_filetrans_home_content($2)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Send and receive messages from
|
|
+## thumb over dbus.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`thumb_dbus_chat',`
|
|
+ gen_require(`
|
|
+ type thumb_t;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
+
|
|
+ allow $1 thumb_t:dbus send_msg;
|
|
+ allow thumb_t $1:dbus send_msg;
|
|
+ ps_process_pattern(thumb_t, $1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create thumb content in the user home directory
|
|
+## with an correct label.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`thumb_filetrans_home_content',`
|
|
+
|
|
+ gen_require(`
|
|
+ type thumb_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_user_home_dir_filetrans($1, thumb_home_t, dir, ".thumbnails")
|
|
+ userdom_user_home_dir_filetrans($1, thumb_home_t, file, "missfont.log")
|
|
+
|
|
+ optional_policy(`
|
|
+ gnome_cache_filetrans($1, thumb_home_t, dir, "thumbnails")
|
|
+ ')
|
|
+')
|
|
diff --git a/thumb.te b/thumb.te
|
|
new file mode 100644
|
|
index 0000000..b57cc3c
|
|
--- /dev/null
|
|
+++ b/thumb.te
|
|
@@ -0,0 +1,149 @@
|
|
+policy_module(thumb, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+type thumb_t;
|
|
+type thumb_exec_t;
|
|
+application_domain(thumb_t, thumb_exec_t)
|
|
+ubac_constrained(thumb_t)
|
|
+userdom_home_manager(thumb_t)
|
|
+
|
|
+type thumb_tmp_t;
|
|
+files_tmp_file(thumb_tmp_t)
|
|
+ubac_constrained(thumb_tmp_t)
|
|
+
|
|
+type thumb_home_t;
|
|
+userdom_user_home_content(thumb_home_t)
|
|
+
|
|
+type thumb_tmpfs_t;
|
|
+files_tmpfs_file(thumb_tmpfs_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# thumb local policy
|
|
+#
|
|
+
|
|
+allow thumb_t self:process { setsched signal signull setrlimit };
|
|
+dontaudit thumb_t self:capability sys_tty_config;
|
|
+
|
|
+tunable_policy(`deny_execmem',`',`
|
|
+ allow thumb_t self:process execmem;
|
|
+')
|
|
+
|
|
+allow thumb_t self:fifo_file manage_fifo_file_perms;
|
|
+allow thumb_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow thumb_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+allow thumb_t self:udp_socket create_socket_perms;
|
|
+allow thumb_t self:tcp_socket create_socket_perms;
|
|
+allow thumb_t self:shm create_shm_perms;
|
|
+allow thumb_t self:sem create_sem_perms;
|
|
+
|
|
+manage_dirs_pattern(thumb_t, thumb_home_t, thumb_home_t)
|
|
+manage_files_pattern(thumb_t, thumb_home_t, thumb_home_t)
|
|
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, dir, ".thumbnails")
|
|
+userdom_user_home_dir_filetrans(thumb_t, thumb_home_t, file, "missfont.log")
|
|
+userdom_dontaudit_access_check_user_content(thumb_t)
|
|
+userdom_rw_inherited_user_tmpfs_files(thumb_t)
|
|
+
|
|
+manage_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
|
|
+manage_dirs_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
|
|
+manage_sock_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
|
|
+exec_files_pattern(thumb_t, thumb_tmp_t, thumb_tmp_t)
|
|
+files_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
|
|
+userdom_user_tmp_filetrans(thumb_t, thumb_tmp_t, { file dir sock_file })
|
|
+xserver_xdm_tmp_filetrans(thumb_t, thumb_tmp_t, sock_file)
|
|
+
|
|
+manage_dirs_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
|
|
+manage_files_pattern(thumb_t, thumb_tmpfs_t, thumb_tmpfs_t)
|
|
+fs_tmpfs_filetrans(thumb_t, thumb_tmpfs_t, { dir file })
|
|
+
|
|
+can_exec(thumb_t, thumb_exec_t)
|
|
+
|
|
+kernel_read_system_state(thumb_t)
|
|
+
|
|
+corecmd_exec_bin(thumb_t)
|
|
+corecmd_exec_shell(thumb_t)
|
|
+
|
|
+dev_read_sysfs(thumb_t)
|
|
+dev_read_urand(thumb_t)
|
|
+dev_dontaudit_rw_dri(thumb_t)
|
|
+dev_rw_xserver_misc(thumb_t)
|
|
+
|
|
+domain_use_interactive_fds(thumb_t)
|
|
+domain_dontaudit_read_all_domains_state(thumb_t)
|
|
+
|
|
+files_read_non_security_files(thumb_t)
|
|
+
|
|
+fs_getattr_all_fs(thumb_t)
|
|
+fs_read_dos_files(thumb_t)
|
|
+fs_rw_inherited_tmpfs_files(thumb_t)
|
|
+
|
|
+auth_read_passwd(thumb_t)
|
|
+
|
|
+tunable_policy(`selinuxuser_execmod',`
|
|
+ libs_legacy_use_shared_libs(thumb_t)
|
|
+')
|
|
+
|
|
+miscfiles_read_fonts(thumb_t)
|
|
+miscfiles_dontaudit_setattr_fonts_dirs(thumb_t)
|
|
+miscfiles_dontaudit_setattr_fonts_cache_dirs(thumb_t)
|
|
+
|
|
+sysnet_read_config(thumb_t)
|
|
+
|
|
+userdom_dontaudit_setattr_user_tmp(thumb_t)
|
|
+userdom_read_user_tmp_files(thumb_t)
|
|
+userdom_read_user_home_content_files(thumb_t)
|
|
+userdom_exec_user_home_content_files(thumb_t)
|
|
+userdom_dontaudit_write_user_tmp_files(thumb_t)
|
|
+userdom_dontaudit_delete_user_tmp_files(thumb_t)
|
|
+userdom_read_home_audio_files(thumb_t)
|
|
+userdom_home_reader(thumb_t)
|
|
+
|
|
+userdom_use_user_terminals(thumb_t)
|
|
+
|
|
+xserver_read_xdm_home_files(thumb_t)
|
|
+xserver_append_xdm_home_files(thumb_t)
|
|
+xserver_dontaudit_read_xdm_pid(thumb_t)
|
|
+xserver_dontaudit_xdm_tmp_dirs(thumb_t)
|
|
+xserver_stream_connect(thumb_t)
|
|
+xserver_use_user_fonts(thumb_t)
|
|
+
|
|
+optional_policy(`
|
|
+ dbus_dontaudit_stream_connect_session_bus(thumb_t)
|
|
+ dbus_dontaudit_chat_session_bus(thumb_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ # .config
|
|
+ gnome_dontaudit_search_config(thumb_t)
|
|
+ gnome_dontaudit_write_config_files(thumb_t)
|
|
+ gnome_append_generic_cache_files(thumb_t)
|
|
+ gnome_read_generic_data_home_files(thumb_t)
|
|
+ gnome_dontaudit_rw_generic_cache_files(thumb_t)
|
|
+ gnome_manage_gstreamer_home_files(thumb_t)
|
|
+ gnome_manage_gstreamer_home_dirs(thumb_t)
|
|
+ gnome_exec_gstreamer_home_files(thumb_t)
|
|
+ gnome_create_generic_cache_dir(thumb_t)
|
|
+ gnome_cache_filetrans(thumb_t, thumb_home_t, dir, "thumbnails")
|
|
+ gnome_cache_filetrans(thumb_t, thumb_home_t, file)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ sssd_dontaudit_stream_connect(thumb_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ nscd_dontaudit_write_sock_file(thumb_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ nslcd_dontaudit_write_sock_file(thumb_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`nis_enabled',`
|
|
+ corenet_dontaudit_udp_bind_all_ports(thumb_t)
|
|
+ corenet_dontaudit_udp_bind_generic_node(thumb_t)
|
|
+')
|
|
diff --git a/thunderbird.te b/thunderbird.te
|
|
index 5e867da..b25ea6e 100644
|
|
--- a/thunderbird.te
|
|
+++ b/thunderbird.te
|
|
@@ -53,7 +53,6 @@ kernel_read_system_state(thunderbird_t)
|
|
|
|
corecmd_exec_shell(thunderbird_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(thunderbird_t)
|
|
corenet_all_recvfrom_netlabel(thunderbird_t)
|
|
corenet_tcp_sendrecv_generic_if(thunderbird_t)
|
|
corenet_tcp_sendrecv_generic_node(thunderbird_t)
|
|
@@ -82,7 +81,6 @@ dev_read_urand(thunderbird_t)
|
|
dev_dontaudit_search_sysfs(thunderbird_t)
|
|
|
|
files_list_tmp(thunderbird_t)
|
|
-files_read_usr_files(thunderbird_t)
|
|
files_read_etc_runtime_files(thunderbird_t)
|
|
files_read_var_files(thunderbird_t)
|
|
files_read_var_symlinks(thunderbird_t)
|
|
@@ -98,7 +96,6 @@ fs_search_auto_mountpoints(thunderbird_t)
|
|
auth_use_nsswitch(thunderbird_t)
|
|
|
|
miscfiles_read_fonts(thunderbird_t)
|
|
-miscfiles_read_localization(thunderbird_t)
|
|
|
|
userdom_write_user_tmp_sockets(thunderbird_t)
|
|
|
|
@@ -107,23 +104,14 @@ userdom_manage_user_tmp_files(thunderbird_t)
|
|
|
|
userdom_manage_user_home_content_dirs(thunderbird_t)
|
|
userdom_manage_user_home_content_files(thunderbird_t)
|
|
-userdom_user_home_dir_filetrans_user_home_content(thunderbird_t, { dir file })
|
|
+userdom_filetrans_home_content(thunderbird_t)
|
|
|
|
xserver_user_x_domain_template(thunderbird, thunderbird_t, thunderbird_tmpfs_t)
|
|
xserver_read_xdm_tmp_files(thunderbird_t)
|
|
xserver_dontaudit_getattr_xdm_tmp_sockets(thunderbird_t)
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(thunderbird_t)
|
|
- fs_manage_nfs_files(thunderbird_t)
|
|
- fs_manage_nfs_symlinks(thunderbird_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(thunderbird_t)
|
|
- fs_manage_cifs_files(thunderbird_t)
|
|
- fs_manage_cifs_symlinks(thunderbird_t)
|
|
-')
|
|
+# Access ~/.thunderbird
|
|
+userdom_home_manager(thunderbird_t)
|
|
|
|
ifndef(`enable_mls',`
|
|
fs_search_removable(thunderbird_t)
|
|
diff --git a/timidity.te b/timidity.te
|
|
index 97cd155..49321a5 100644
|
|
--- a/timidity.te
|
|
+++ b/timidity.te
|
|
@@ -36,7 +36,6 @@ fs_tmpfs_filetrans(timidity_t, timidity_tmpfs_t, { dir file lnk_file sock_file f
|
|
kernel_read_kernel_sysctls(timidity_t)
|
|
kernel_read_system_state(timidity_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(timidity_t)
|
|
corenet_all_recvfrom_netlabel(timidity_t)
|
|
corenet_tcp_sendrecv_generic_if(timidity_t)
|
|
corenet_udp_sendrecv_generic_if(timidity_t)
|
|
@@ -51,8 +50,6 @@ dev_write_sound(timidity_t)
|
|
|
|
domain_use_interactive_fds(timidity_t)
|
|
|
|
-files_read_etc_files(timidity_t)
|
|
-files_read_usr_files(timidity_t)
|
|
files_search_tmp(timidity_t)
|
|
|
|
fs_search_auto_mountpoints(timidity_t)
|
|
diff --git a/tmpreaper.te b/tmpreaper.te
|
|
index 585a77f..10d7105 100644
|
|
--- a/tmpreaper.te
|
|
+++ b/tmpreaper.te
|
|
@@ -8,6 +8,7 @@ policy_module(tmpreaper, 1.7.1)
|
|
type tmpreaper_t;
|
|
type tmpreaper_exec_t;
|
|
init_system_domain(tmpreaper_t, tmpreaper_exec_t)
|
|
+application_domain(tmpreaper_t, tmpreaper_exec_t)
|
|
|
|
########################################
|
|
#
|
|
@@ -19,6 +20,7 @@ allow tmpreaper_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
kernel_list_unlabeled(tmpreaper_t)
|
|
kernel_read_system_state(tmpreaper_t)
|
|
+kernel_delete_unlabeled(tmpreaper_t)
|
|
|
|
dev_read_urand(tmpreaper_t)
|
|
|
|
@@ -27,15 +29,19 @@ corecmd_exec_shell(tmpreaper_t)
|
|
|
|
fs_getattr_xattr_fs(tmpreaper_t)
|
|
fs_list_all(tmpreaper_t)
|
|
+fs_setattr_tmpfs_dirs(tmpreaper_t)
|
|
+fs_delete_tmpfs_files(tmpreaper_t)
|
|
|
|
-files_getattr_all_dirs(tmpreaper_t)
|
|
-files_getattr_all_files(tmpreaper_t)
|
|
files_read_var_lib_files(tmpreaper_t)
|
|
files_purge_tmp(tmpreaper_t)
|
|
+files_delete_all_non_security_files(tmpreaper_t)
|
|
+# why does it need setattr?
|
|
files_setattr_all_tmp_dirs(tmpreaper_t)
|
|
+files_setattr_isid_type_dirs(tmpreaper_t)
|
|
+files_setattr_usr_dirs(tmpreaper_t)
|
|
+files_getattr_all_dirs(tmpreaper_t)
|
|
+files_getattr_all_files(tmpreaper_t)
|
|
|
|
-mcs_file_read_all(tmpreaper_t)
|
|
-mcs_file_write_all(tmpreaper_t)
|
|
mls_file_read_all_levels(tmpreaper_t)
|
|
mls_file_write_all_levels(tmpreaper_t)
|
|
|
|
@@ -45,7 +51,6 @@ init_use_inherited_script_ptys(tmpreaper_t)
|
|
|
|
logging_send_syslog_msg(tmpreaper_t)
|
|
|
|
-miscfiles_read_localization(tmpreaper_t)
|
|
miscfiles_delete_man_pages(tmpreaper_t)
|
|
|
|
ifdef(`distro_debian',`
|
|
@@ -53,10 +58,13 @@ ifdef(`distro_debian',`
|
|
')
|
|
|
|
ifdef(`distro_redhat',`
|
|
- userdom_list_all_user_home_content(tmpreaper_t)
|
|
+ userdom_list_user_home_content(tmpreaper_t)
|
|
+ userdom_list_admin_dir(tmpreaper_t)
|
|
userdom_delete_all_user_home_content_dirs(tmpreaper_t)
|
|
userdom_delete_all_user_home_content_files(tmpreaper_t)
|
|
+ userdom_delete_all_user_home_content_sock_files(tmpreaper_t)
|
|
userdom_delete_all_user_home_content_symlinks(tmpreaper_t)
|
|
+ userdom_setattr_all_user_home_content_dirs(tmpreaper_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -64,6 +72,7 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ apache_delete_sys_content_rw(tmpreaper_t)
|
|
apache_list_cache(tmpreaper_t)
|
|
apache_delete_cache_dirs(tmpreaper_t)
|
|
apache_delete_cache_files(tmpreaper_t)
|
|
@@ -79,7 +88,19 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- lpd_manage_spool(tmpreaper_t)
|
|
+ lpd_manage_spool(tmpreaper_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ mandb_delete_cache(tmpreaper_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ sandbox_list(tmpreaper_t)
|
|
+ sandbox_delete_dirs(tmpreaper_t)
|
|
+ sandbox_delete_files(tmpreaper_t)
|
|
+ sandbox_delete_sock_files(tmpreaper_t)
|
|
+ sandbox_setattr_dirs(tmpreaper_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
diff --git a/tomcat.fc b/tomcat.fc
|
|
new file mode 100644
|
|
index 0000000..a8385bc
|
|
--- /dev/null
|
|
+++ b/tomcat.fc
|
|
@@ -0,0 +1,11 @@
|
|
+/usr/lib/systemd/system/tomcat.service -- gen_context(system_u:object_r:tomcat_unit_file_t,s0)
|
|
+
|
|
+/usr/sbin/tomcat(6)? -- gen_context(system_u:object_r:tomcat_exec_t,s0)
|
|
+
|
|
+/var/cache/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_cache_t,s0)
|
|
+
|
|
+/var/lib/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_var_lib_t,s0)
|
|
+
|
|
+/var/log/tomcat6?(/.*)? gen_context(system_u:object_r:tomcat_log_t,s0)
|
|
+
|
|
+/var/run/tomcat6?\.pid -- gen_context(system_u:object_r:tomcat_var_run_t,s0)
|
|
diff --git a/tomcat.if b/tomcat.if
|
|
new file mode 100644
|
|
index 0000000..9abef48
|
|
--- /dev/null
|
|
+++ b/tomcat.if
|
|
@@ -0,0 +1,395 @@
|
|
+
|
|
+## <summary>policy for tomcat</summary>
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Creates types and rules for a basic
|
|
+## tomcat daemon domain.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## Prefix for the domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`tomcat_domain_template',`
|
|
+ gen_require(`
|
|
+ attribute tomcat_domain;
|
|
+ ')
|
|
+
|
|
+ type $1_t, tomcat_domain;
|
|
+ type $1_exec_t;
|
|
+ init_daemon_domain($1_t, $1_exec_t)
|
|
+
|
|
+ type $1_cache_t;
|
|
+ files_type($1_cache_t)
|
|
+
|
|
+ type $1_log_t;
|
|
+ logging_log_file($1_log_t)
|
|
+
|
|
+ type $1_var_lib_t;
|
|
+ files_type($1_var_lib_t)
|
|
+
|
|
+ type $1_var_run_t;
|
|
+ files_pid_file($1_var_run_t)
|
|
+
|
|
+ type $1_tmp_t;
|
|
+ files_tmp_file($1_tmp_t)
|
|
+
|
|
+ ##################################
|
|
+ #
|
|
+ # Local policy
|
|
+ #
|
|
+
|
|
+ manage_dirs_pattern($1_t, $1_cache_t, $1_cache_t)
|
|
+ manage_files_pattern($1_t, $1_cache_t, $1_cache_t)
|
|
+ manage_lnk_files_pattern($1_t, $1_cache_t, $1_cache_t)
|
|
+ files_var_filetrans($1_t, $1_cache_t, { dir file })
|
|
+
|
|
+ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
|
|
+ manage_files_pattern($1_t, $1_log_t, $1_log_t)
|
|
+ manage_lnk_files_pattern($1_t, $1_log_t, $1_log_t)
|
|
+ logging_log_filetrans($1_t, $1_log_t, { dir file })
|
|
+
|
|
+ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
|
|
+ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
|
|
+ manage_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
|
|
+ files_var_lib_filetrans($1_t, $1_var_lib_t, { dir file lnk_file })
|
|
+
|
|
+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
|
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
|
+ manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
|
|
+ files_pid_filetrans($1_t, $1_var_run_t, { dir file lnk_file })
|
|
+
|
|
+ manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
|
|
+ manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
|
|
+ manage_fifo_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
|
|
+ files_tmp_filetrans($1_t, $1_tmp_t, { file fifo_file dir })
|
|
+
|
|
+ can_exec($1_t, $1_exec_t)
|
|
+
|
|
+ kernel_read_system_state($1_t)
|
|
+
|
|
+ logging_send_syslog_msg($1_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to tomcat.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`tomcat_domtrans',`
|
|
+ gen_require(`
|
|
+ type tomcat_t, tomcat_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, tomcat_exec_t, tomcat_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search tomcat cache directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`tomcat_search_cache',`
|
|
+ gen_require(`
|
|
+ type tomcat_cache_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 tomcat_cache_t:dir search_dir_perms;
|
|
+ files_search_var($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read tomcat cache files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`tomcat_read_cache_files',`
|
|
+ gen_require(`
|
|
+ type tomcat_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ read_files_pattern($1, tomcat_cache_t, tomcat_cache_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete
|
|
+## tomcat cache files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`tomcat_manage_cache_files',`
|
|
+ gen_require(`
|
|
+ type tomcat_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ manage_files_pattern($1, tomcat_cache_t, tomcat_cache_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage tomcat cache dirs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`tomcat_manage_cache_dirs',`
|
|
+ gen_require(`
|
|
+ type tomcat_cache_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var($1)
|
|
+ manage_dirs_pattern($1, tomcat_cache_t, tomcat_cache_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read tomcat's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`tomcat_read_log',`
|
|
+ gen_require(`
|
|
+ type tomcat_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, tomcat_log_t, tomcat_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Append to tomcat log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`tomcat_append_log',`
|
|
+ gen_require(`
|
|
+ type tomcat_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, tomcat_log_t, tomcat_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage tomcat log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`tomcat_manage_log',`
|
|
+ gen_require(`
|
|
+ type tomcat_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ manage_dirs_pattern($1, tomcat_log_t, tomcat_log_t)
|
|
+ manage_files_pattern($1, tomcat_log_t, tomcat_log_t)
|
|
+ manage_lnk_files_pattern($1, tomcat_log_t, tomcat_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search tomcat lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`tomcat_search_lib',`
|
|
+ gen_require(`
|
|
+ type tomcat_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 tomcat_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read tomcat lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`tomcat_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type tomcat_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage tomcat lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`tomcat_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type tomcat_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage tomcat lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`tomcat_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type tomcat_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, tomcat_var_lib_t, tomcat_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read tomcat PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`tomcat_read_pid_files',`
|
|
+ gen_require(`
|
|
+ type tomcat_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ allow $1 tomcat_var_run_t:file read_file_perms;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute tomcat server in the tomcat domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`tomcat_systemctl',`
|
|
+ gen_require(`
|
|
+ type tomcat_t;
|
|
+ type tomcat_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 tomcat_unit_file_t:file read_file_perms;
|
|
+ allow $1 tomcat_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, tomcat_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an tomcat environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`tomcat_admin',`
|
|
+ gen_require(`
|
|
+ type tomcat_t;
|
|
+ type tomcat_cache_t;
|
|
+ type tomcat_log_t;
|
|
+ type tomcat_var_lib_t;
|
|
+ type tomcat_var_run_t;
|
|
+ type tomcat_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 tomcat_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, tomcat_t)
|
|
+
|
|
+ files_search_var($1)
|
|
+ admin_pattern($1, tomcat_cache_t)
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ admin_pattern($1, tomcat_log_t)
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ admin_pattern($1, tomcat_var_lib_t)
|
|
+
|
|
+ files_search_pids($1)
|
|
+ admin_pattern($1, tomcat_var_run_t)
|
|
+
|
|
+ tomcat_systemctl($1)
|
|
+ admin_pattern($1, tomcat_unit_file_t)
|
|
+ allow $1 tomcat_unit_file_t:service all_service_perms;
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
+')
|
|
diff --git a/tomcat.te b/tomcat.te
|
|
new file mode 100644
|
|
index 0000000..5a263b2
|
|
--- /dev/null
|
|
+++ b/tomcat.te
|
|
@@ -0,0 +1,69 @@
|
|
+policy_module(tomcat, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+attribute tomcat_domain;
|
|
+
|
|
+tomcat_domain_template(tomcat)
|
|
+
|
|
+type tomcat_unit_file_t;
|
|
+systemd_unit_file(tomcat_unit_file_t)
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# tomcat local policy
|
|
+#
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_domain(tomcat_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# tomcat domain local policy
|
|
+#
|
|
+
|
|
+allow tomcat_t self:process execmem;
|
|
+allow tomcat_t self:process { signal signull };
|
|
+
|
|
+allow tomcat_t self:tcp_socket { accept listen };
|
|
+allow tomcat_domain self:fifo_file rw_fifo_file_perms;
|
|
+allow tomcat_domain self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+# we want to stay in a new tomcat domain if we call tomcat binary from a script
|
|
+# initrc_t@tomcat_test_exec_t->tomcat_test_t@tomcat_exec_t->tomcat_test_t
|
|
+can_exec(tomcat_domain, tomcat_exec_t)
|
|
+
|
|
+kernel_read_network_state(tomcat_domain)
|
|
+
|
|
+corecmd_exec_bin(tomcat_domain)
|
|
+corecmd_exec_shell(tomcat_domain)
|
|
+
|
|
+corenet_tcp_bind_generic_node(tomcat_domain)
|
|
+corenet_udp_bind_generic_node(tomcat_domain)
|
|
+corenet_tcp_bind_http_port(tomcat_domain)
|
|
+corenet_tcp_bind_http_cache_port(tomcat_domain)
|
|
+corenet_tcp_bind_mxi_port(tomcat_domain)
|
|
+corenet_tcp_connect_http_port(tomcat_domain)
|
|
+corenet_tcp_connect_mxi_port(tomcat_domain)
|
|
+
|
|
+dev_read_rand(tomcat_domain)
|
|
+dev_read_urand(tomcat_domain)
|
|
+dev_read_sysfs(tomcat_domain)
|
|
+
|
|
+domain_use_interactive_fds(tomcat_domain)
|
|
+
|
|
+fs_getattr_all_fs(tomcat_domain)
|
|
+fs_read_hugetlbfs_files(tomcat_domain)
|
|
+
|
|
+
|
|
+auth_read_passwd(tomcat_domain)
|
|
+
|
|
+sysnet_dns_name_resolve(tomcat_domain)
|
|
+
|
|
+optional_policy(`
|
|
+ tomcat_search_lib(tomcat_domain)
|
|
+')
|
|
diff --git a/tor.fc b/tor.fc
|
|
index dce42ec..b6b67bf 100644
|
|
--- a/tor.fc
|
|
+++ b/tor.fc
|
|
@@ -5,6 +5,8 @@
|
|
/usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
|
|
/usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
|
|
|
|
+/usr/lib/systemd/system/tor.* -- gen_context(system_u:object_r:tor_unit_file_t,s0)
|
|
+
|
|
/var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
|
|
/var/lib/tor-data(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)
|
|
|
|
diff --git a/tor.if b/tor.if
|
|
index 61c2e07..5e1df41 100644
|
|
--- a/tor.if
|
|
+++ b/tor.if
|
|
@@ -19,6 +19,29 @@ interface(`tor_domtrans',`
|
|
domtrans_pattern($1, tor_exec_t, tor_t)
|
|
')
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Execute tor server in the tor domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`tor_systemctl',`
|
|
+ gen_require(`
|
|
+ type tor_t;
|
|
+ type tor_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 tor_unit_file_t:file read_file_perms;
|
|
+ allow $1 tor_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, tor_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to
|
|
@@ -39,12 +62,18 @@ interface(`tor_domtrans',`
|
|
interface(`tor_admin',`
|
|
gen_require(`
|
|
type tor_t, tor_var_log_t, tor_etc_t;
|
|
- type tor_var_lib_t, tor_var_run_t, tor_initrc_exec_t;
|
|
+ type tor_var_lib_t, tor_var_run_t;
|
|
+ type tor_initrc_exec_t;
|
|
+ type tor_unit_file_t;
|
|
')
|
|
|
|
- allow $1 tor_t:process { ptrace signal_perms };
|
|
+ allow $1 tor_t:process signal_perms;
|
|
ps_process_pattern($1, tor_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 tor_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, tor_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 tor_initrc_exec_t system_r;
|
|
@@ -61,4 +90,13 @@ interface(`tor_admin',`
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, tor_var_run_t)
|
|
+
|
|
+ tor_systemctl($1)
|
|
+ admin_pattern($1, tor_unit_file_t)
|
|
+ allow $1 tor_unit_file_t:service all_service_perms;
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_passwd_agent_exec($1)
|
|
+ systemd_read_fifo_file_passwd_run($1)
|
|
+ ')
|
|
')
|
|
diff --git a/tor.te b/tor.te
|
|
index 5ceacde..5fde651 100644
|
|
--- a/tor.te
|
|
+++ b/tor.te
|
|
@@ -13,6 +13,13 @@ policy_module(tor, 1.9.0)
|
|
## </desc>
|
|
gen_tunable(tor_bind_all_unreserved_ports, false)
|
|
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow tor to act as a relay
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(tor_can_network_relay, false)
|
|
+
|
|
type tor_t;
|
|
type tor_exec_t;
|
|
init_daemon_domain(tor_t, tor_exec_t)
|
|
@@ -33,6 +40,9 @@ type tor_var_run_t;
|
|
files_pid_file(tor_var_run_t)
|
|
init_daemon_run_dir(tor_var_run_t, "tor")
|
|
|
|
+type tor_unit_file_t;
|
|
+systemd_unit_file(tor_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -77,7 +87,6 @@ corenet_tcp_sendrecv_generic_node(tor_t)
|
|
corenet_udp_sendrecv_generic_node(tor_t)
|
|
corenet_tcp_bind_generic_node(tor_t)
|
|
corenet_udp_bind_generic_node(tor_t)
|
|
-
|
|
corenet_sendrecv_dns_server_packets(tor_t)
|
|
corenet_udp_bind_dns_port(tor_t)
|
|
corenet_udp_sendrecv_dns_port(tor_t)
|
|
@@ -98,19 +107,22 @@ dev_read_urand(tor_t)
|
|
domain_use_interactive_fds(tor_t)
|
|
|
|
files_read_etc_runtime_files(tor_t)
|
|
-files_read_usr_files(tor_t)
|
|
|
|
auth_use_nsswitch(tor_t)
|
|
|
|
logging_send_syslog_msg(tor_t)
|
|
|
|
-miscfiles_read_localization(tor_t)
|
|
-
|
|
tunable_policy(`tor_bind_all_unreserved_ports',`
|
|
corenet_sendrecv_all_server_packets(tor_t)
|
|
corenet_tcp_bind_all_unreserved_ports(tor_t)
|
|
')
|
|
|
|
+tunable_policy(`tor_can_network_relay',`
|
|
+ # allow httpd to work as a relay
|
|
+ corenet_tcp_connect_all_ephemeral_ports(tor_t)
|
|
+ corenet_tcp_bind_http_port(tor_t)
|
|
+')
|
|
+
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(tor_t)
|
|
')
|
|
diff --git a/transproxy.te b/transproxy.te
|
|
index 34973ee..1c9a4c6 100644
|
|
--- a/transproxy.te
|
|
+++ b/transproxy.te
|
|
@@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(transproxy_t)
|
|
kernel_list_proc(transproxy_t)
|
|
kernel_read_proc_symlinks(transproxy_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(transproxy_t)
|
|
corenet_all_recvfrom_netlabel(transproxy_t)
|
|
corenet_tcp_sendrecv_generic_if(transproxy_t)
|
|
corenet_tcp_sendrecv_generic_node(transproxy_t)
|
|
@@ -46,15 +45,12 @@ dev_read_sysfs(transproxy_t)
|
|
|
|
domain_use_interactive_fds(transproxy_t)
|
|
|
|
-files_read_etc_files(transproxy_t)
|
|
|
|
fs_getattr_all_fs(transproxy_t)
|
|
fs_search_auto_mountpoints(transproxy_t)
|
|
|
|
logging_send_syslog_msg(transproxy_t)
|
|
|
|
-miscfiles_read_localization(transproxy_t)
|
|
-
|
|
sysnet_read_config(transproxy_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(transproxy_t)
|
|
diff --git a/tripwire.te b/tripwire.te
|
|
index 03aa6b7..a9ff883 100644
|
|
--- a/tripwire.te
|
|
+++ b/tripwire.te
|
|
@@ -86,7 +86,7 @@ files_getattr_all_sockets(tripwire_t)
|
|
|
|
logging_send_syslog_msg(tripwire_t)
|
|
|
|
-userdom_use_user_terminals(tripwire_t)
|
|
+userdom_use_inherited_user_terminals(tripwire_t)
|
|
|
|
optional_policy(`
|
|
cron_system_entry(tripwire_t, tripwire_exec_t)
|
|
@@ -107,9 +107,7 @@ files_search_etc(twadmin_t)
|
|
|
|
logging_send_syslog_msg(twadmin_t)
|
|
|
|
-miscfiles_read_localization(twadmin_t)
|
|
-
|
|
-userdom_use_user_terminals(twadmin_t)
|
|
+userdom_use_inherited_user_terminals(twadmin_t)
|
|
|
|
########################################
|
|
#
|
|
@@ -135,9 +133,7 @@ files_search_var_lib(twprint_t)
|
|
|
|
logging_send_syslog_msg(twprint_t)
|
|
|
|
-miscfiles_read_localization(twprint_t)
|
|
-
|
|
-userdom_use_user_terminals(twprint_t)
|
|
+userdom_use_inherited_user_terminals(twprint_t)
|
|
|
|
########################################
|
|
#
|
|
@@ -150,6 +146,4 @@ files_read_all_files(siggen_t)
|
|
|
|
logging_send_syslog_msg(siggen_t)
|
|
|
|
-miscfiles_read_localization(siggen_t)
|
|
-
|
|
-userdom_use_user_terminals(siggen_t)
|
|
+userdom_use_inherited_user_terminals(siggen_t)
|
|
diff --git a/tuned.if b/tuned.if
|
|
index e29db63..061fb98 100644
|
|
--- a/tuned.if
|
|
+++ b/tuned.if
|
|
@@ -119,9 +119,13 @@ interface(`tuned_admin',`
|
|
type tuned_etc_t, tuned_rw_etc_t, tuned_log_t;
|
|
')
|
|
|
|
- allow $1 tuned_t:process { ptrace signal_perms };
|
|
+ allow $1 tuned_t:process signal_perms;
|
|
ps_process_pattern($1, tuned_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 tuned_t:process ptrace;
|
|
+ ')
|
|
+
|
|
tuned_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 tuned_initrc_exec_t system_r;
|
|
diff --git a/tuned.te b/tuned.te
|
|
index 393a330..90924a4 100644
|
|
--- a/tuned.te
|
|
+++ b/tuned.te
|
|
@@ -21,6 +21,9 @@ files_config_file(tuned_rw_etc_t)
|
|
type tuned_log_t;
|
|
logging_log_file(tuned_log_t)
|
|
|
|
+type tuned_tmp_t;
|
|
+files_tmp_file(tuned_tmp_t)
|
|
+
|
|
type tuned_var_run_t;
|
|
files_pid_file(tuned_var_run_t)
|
|
|
|
@@ -29,10 +32,13 @@ files_pid_file(tuned_var_run_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow tuned_t self:capability { sys_admin sys_nice };
|
|
+allow tuned_t self:capability { net_admin sys_admin sys_nice sys_rawio };
|
|
dontaudit tuned_t self:capability { dac_override sys_tty_config };
|
|
-allow tuned_t self:process { setsched signal };
|
|
+allow tuned_t self:process { setsched signal };
|
|
allow tuned_t self:fifo_file rw_fifo_file_perms;
|
|
+allow tuned_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
+allow tuned_t self:netlink_socket create_socket_perms;
|
|
+allow tuned_t self:udp_socket create_socket_perms;
|
|
|
|
read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
|
|
exec_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
|
|
@@ -41,14 +47,18 @@ manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
|
|
files_etc_filetrans(tuned_t, tuned_rw_etc_t, file, "active_profile")
|
|
|
|
manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
|
|
-append_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
|
|
-create_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
|
|
-setattr_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
|
|
-logging_log_filetrans(tuned_t, tuned_log_t, file)
|
|
+manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
|
|
+logging_log_filetrans(tuned_t, tuned_log_t, file, "tuned.log")
|
|
+
|
|
+manage_dirs_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
|
|
+manage_files_pattern(tuned_t, tuned_tmp_t, tuned_tmp_t)
|
|
+files_tmp_filetrans(tuned_t, tuned_tmp_t, { file dir })
|
|
+can_exec(tuned_t, tuned_tmp_t)
|
|
|
|
manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
|
|
manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
|
|
files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file })
|
|
+can_exec(tuned_t, tuned_var_run_t)
|
|
|
|
kernel_read_system_state(tuned_t)
|
|
kernel_read_network_state(tuned_t)
|
|
@@ -57,6 +67,8 @@ kernel_request_load_module(tuned_t)
|
|
kernel_rw_kernel_sysctl(tuned_t)
|
|
kernel_rw_hotplug_sysctls(tuned_t)
|
|
kernel_rw_vm_sysctls(tuned_t)
|
|
+kernel_setsched(tuned_t)
|
|
+kernel_rw_all_sysctls(tuned_t)
|
|
|
|
corecmd_exec_bin(tuned_t)
|
|
corecmd_exec_shell(tuned_t)
|
|
@@ -64,31 +76,55 @@ corecmd_exec_shell(tuned_t)
|
|
dev_getattr_all_blk_files(tuned_t)
|
|
dev_getattr_all_chr_files(tuned_t)
|
|
dev_read_urand(tuned_t)
|
|
+dev_rw_cpu_microcode(tuned_t)
|
|
dev_rw_sysfs(tuned_t)
|
|
dev_rw_netcontrol(tuned_t)
|
|
|
|
-files_read_usr_files(tuned_t)
|
|
+files_dontaudit_all_access_check(tuned_t)
|
|
files_dontaudit_search_home(tuned_t)
|
|
-files_dontaudit_list_tmp(tuned_t)
|
|
+files_list_tmp(tuned_t)
|
|
|
|
-fs_getattr_xattr_fs(tuned_t)
|
|
+fs_getattr_all_fs(tuned_t)
|
|
+fs_search_all(tuned_t)
|
|
+fs_rw_hugetlbfs_files(tuned_t)
|
|
+
|
|
+auth_use_nsswitch(tuned_t)
|
|
|
|
logging_send_syslog_msg(tuned_t)
|
|
|
|
-miscfiles_read_localization(tuned_t)
|
|
+mount_read_pid_files(tuned_t)
|
|
|
|
udev_read_pid_files(tuned_t)
|
|
|
|
userdom_dontaudit_search_user_home_dirs(tuned_t)
|
|
|
|
optional_policy(`
|
|
+ dbus_system_bus_client(tuned_t)
|
|
+ dbus_connect_system_bus(tuned_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dmidecode_domtrans(tuned_t)
|
|
+')
|
|
+
|
|
+# to allow disk tuning
|
|
+optional_policy(`
|
|
fstools_domtrans(tuned_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ gnome_dontaudit_search_config(tuned_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ libs_exec_ldconfig(tuned_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
mount_domtrans(tuned_t)
|
|
')
|
|
|
|
+# to allow network interface tuning
|
|
optional_policy(`
|
|
sysnet_domtrans_ifconfig(tuned_t)
|
|
')
|
|
diff --git a/tvtime.if b/tvtime.if
|
|
index 1bb0f7c..372be2f 100644
|
|
--- a/tvtime.if
|
|
+++ b/tvtime.if
|
|
@@ -1,5 +1,23 @@
|
|
## <summary>High quality television application.</summary>
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Transition to alsa named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`tvtime_filetrans_home_content',`
|
|
+ gen_require(`
|
|
+ type tvtime_home_t;
|
|
+ ')
|
|
+
|
|
+ userdom_user_home_dir_filetrans($1, tvtime_home_t, dir, ".tvtime")
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## Role access for tvtime
|
|
diff --git a/tvtime.te b/tvtime.te
|
|
index afd2d6c..3ce900e 100644
|
|
--- a/tvtime.te
|
|
+++ b/tvtime.te
|
|
@@ -42,7 +42,6 @@ allow tvtime_t self:unix_stream_socket rw_stream_socket_perms;
|
|
manage_dirs_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
|
|
manage_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
|
|
manage_lnk_files_pattern(tvtime_t, tvtime_home_t, tvtime_home_t)
|
|
-userdom_user_home_dir_filetrans(tvtime_t, tvtime_home_t, dir)
|
|
|
|
manage_dirs_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
|
|
manage_files_pattern(tvtime_t, tvtime_tmp_t, tvtime_tmp_t)
|
|
@@ -61,7 +60,6 @@ dev_read_realtime_clock(tvtime_t)
|
|
dev_read_sound(tvtime_t)
|
|
dev_read_urand(tvtime_t)
|
|
|
|
-files_read_usr_files(tvtime_t)
|
|
|
|
fs_getattr_all_fs(tvtime_t)
|
|
fs_search_auto_mountpoints(tvtime_t)
|
|
@@ -69,21 +67,12 @@ fs_search_auto_mountpoints(tvtime_t)
|
|
auth_use_nsswitch(tvtime_t)
|
|
|
|
miscfiles_read_fonts(tvtime_t)
|
|
-miscfiles_read_localization(tvtime_t)
|
|
|
|
-userdom_use_user_terminals(tvtime_t)
|
|
+userdom_use_inherited_user_terminals(tvtime_t)
|
|
+userdom_read_user_home_content_files(tvtime_t)
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(tvtime_t)
|
|
- fs_manage_nfs_files(tvtime_t)
|
|
- fs_manage_nfs_symlinks(tvtime_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(tvtime_t)
|
|
- fs_manage_cifs_files(tvtime_t)
|
|
- fs_manage_cifs_symlinks(tvtime_t)
|
|
-')
|
|
+# X access, Home files
|
|
+userdom_home_manager(tvtime_t)
|
|
|
|
optional_policy(`
|
|
xserver_user_x_domain_template(tvtime, tvtime_t, tvtime_tmpfs_t)
|
|
diff --git a/tzdata.te b/tzdata.te
|
|
index 221c43b..2b9c49a 100644
|
|
--- a/tzdata.te
|
|
+++ b/tzdata.te
|
|
@@ -27,11 +27,10 @@ term_dontaudit_list_ptys(tzdata_t)
|
|
|
|
locallogin_dontaudit_use_fds(tzdata_t)
|
|
|
|
-miscfiles_read_localization(tzdata_t)
|
|
miscfiles_manage_localization(tzdata_t)
|
|
miscfiles_etc_filetrans_localization(tzdata_t)
|
|
|
|
-userdom_use_user_terminals(tzdata_t)
|
|
+userdom_use_inherited_user_terminals(tzdata_t)
|
|
|
|
optional_policy(`
|
|
postfix_search_spool(tzdata_t)
|
|
diff --git a/ucspitcp.te b/ucspitcp.te
|
|
index 7745b72..329c3d8 100644
|
|
--- a/ucspitcp.te
|
|
+++ b/ucspitcp.te
|
|
@@ -33,7 +33,6 @@ corenet_udp_sendrecv_all_ports(rblsmtpd_t)
|
|
corenet_tcp_bind_generic_node(rblsmtpd_t)
|
|
corenet_udp_bind_generic_port(rblsmtpd_t)
|
|
|
|
-files_read_etc_files(rblsmtpd_t)
|
|
files_search_var(rblsmtpd_t)
|
|
|
|
optional_policy(`
|
|
@@ -82,7 +81,6 @@ corenet_udp_bind_dns_port(ucspitcp_t)
|
|
corenet_sendrecv_generic_server_packets(ucspitcp_t)
|
|
corenet_udp_bind_generic_port(ucspitcp_t)
|
|
|
|
-files_read_etc_files(ucspitcp_t)
|
|
files_search_var(ucspitcp_t)
|
|
|
|
sysnet_read_config(ucspitcp_t)
|
|
diff --git a/ulogd.if b/ulogd.if
|
|
index 9b95c3e..a892845 100644
|
|
--- a/ulogd.if
|
|
+++ b/ulogd.if
|
|
@@ -123,8 +123,11 @@ interface(`ulogd_admin',`
|
|
type ulogd_var_log_t, ulogd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 ulogd_t:process { ptrace signal_perms };
|
|
+ allow $1 ulogd_t:process signal_perms;
|
|
ps_process_pattern($1, ulogd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 ulogd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, ulogd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff --git a/ulogd.te b/ulogd.te
|
|
index de35e5f..436d24c 100644
|
|
--- a/ulogd.te
|
|
+++ b/ulogd.te
|
|
@@ -29,8 +29,10 @@ logging_log_file(ulogd_var_log_t)
|
|
allow ulogd_t self:capability { net_admin setuid setgid sys_nice };
|
|
allow ulogd_t self:process setsched;
|
|
allow ulogd_t self:netlink_nflog_socket create_socket_perms;
|
|
+allow ulogd_t self:netlink_route_socket r_netlink_socket_perms;
|
|
allow ulogd_t self:netlink_socket create_socket_perms;
|
|
-allow ulogd_t self:tcp_socket create_stream_socket_perms;
|
|
+allow ulogd_t self:tcp_socket { create_stream_socket_perms connect };
|
|
+allow ulogd_t self:udp_socket create_socket_perms;
|
|
|
|
read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
|
|
|
|
@@ -42,10 +44,7 @@ create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
|
|
setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
|
|
logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
|
|
|
|
-files_read_etc_files(ulogd_t)
|
|
-files_read_usr_files(ulogd_t)
|
|
|
|
-miscfiles_read_localization(ulogd_t)
|
|
|
|
sysnet_dns_name_resolve(ulogd_t)
|
|
|
|
diff --git a/uml.if b/uml.if
|
|
index ab5c1d0..d13105e 100644
|
|
--- a/uml.if
|
|
+++ b/uml.if
|
|
@@ -32,7 +32,7 @@ interface(`uml_role',`
|
|
allow uml_t $2:unix_dgram_socket sendto;
|
|
|
|
ps_process_pattern($2, uml_t)
|
|
- allow $2 uml_t:process { ptrace signal_perms };
|
|
+ allow $2 uml_t:process signal_perms;
|
|
|
|
allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms };
|
|
allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms };
|
|
diff --git a/uml.te b/uml.te
|
|
index b68bd49..da0c691 100644
|
|
--- a/uml.te
|
|
+++ b/uml.te
|
|
@@ -90,7 +90,6 @@ kernel_write_proc_files(uml_t)
|
|
|
|
corecmd_exec_bin(uml_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(uml_t)
|
|
corenet_all_recvfrom_netlabel(uml_t)
|
|
corenet_tcp_sendrecv_generic_if(uml_t)
|
|
corenet_tcp_sendrecv_generic_node(uml_t)
|
|
@@ -115,7 +114,13 @@ init_dontaudit_write_utmp(uml_t)
|
|
|
|
libs_exec_lib_files(uml_t)
|
|
|
|
-userdom_use_user_terminals(uml_t)
|
|
+# Inherit and use descriptors from newrole.
|
|
+seutil_use_newrole_fds(uml_t)
|
|
+
|
|
+# Use the network.
|
|
+sysnet_read_config(uml_t)
|
|
+
|
|
+userdom_use_inherited_user_terminals(uml_t)
|
|
userdom_attach_admin_tun_iface(uml_t)
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
@@ -133,10 +138,6 @@ tunable_policy(`use_samba_home_dirs',`
|
|
')
|
|
|
|
optional_policy(`
|
|
- seutil_use_newrole_fds(uml_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
virt_attach_tun_iface(uml_t)
|
|
')
|
|
|
|
@@ -171,8 +172,6 @@ init_use_script_ptys(uml_switch_t)
|
|
|
|
logging_send_syslog_msg(uml_switch_t)
|
|
|
|
-miscfiles_read_localization(uml_switch_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(uml_switch_t)
|
|
userdom_dontaudit_search_user_home_dirs(uml_switch_t)
|
|
|
|
diff --git a/updfstab.te b/updfstab.te
|
|
index 5ceb912..dfec9ac 100644
|
|
--- a/updfstab.te
|
|
+++ b/updfstab.te
|
|
@@ -66,8 +66,6 @@ init_use_script_ptys(updfstab_t)
|
|
logging_search_logs(updfstab_t)
|
|
logging_send_syslog_msg(updfstab_t)
|
|
|
|
-miscfiles_read_localization(updfstab_t)
|
|
-
|
|
seutil_read_config(updfstab_t)
|
|
seutil_read_default_contexts(updfstab_t)
|
|
seutil_read_file_contexts(updfstab_t)
|
|
@@ -75,9 +73,8 @@ seutil_read_file_contexts(updfstab_t)
|
|
userdom_dontaudit_search_user_home_content(updfstab_t)
|
|
userdom_dontaudit_use_unpriv_user_fds(updfstab_t)
|
|
|
|
-optional_policy(`
|
|
- auth_domtrans_pam_console(updfstab_t)
|
|
-')
|
|
+auth_use_nsswitch(updfstab_t)
|
|
+auth_domtrans_pam_console(updfstab_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(updfstab_t)
|
|
diff --git a/uptime.if b/uptime.if
|
|
index 01a3234..19f4724 100644
|
|
--- a/uptime.if
|
|
+++ b/uptime.if
|
|
@@ -19,7 +19,7 @@
|
|
#
|
|
interface(`uptime_admin',`
|
|
gen_require(`
|
|
- type uptimed_t, uptimed_initrc_exec_t. uptimed_etc_t;
|
|
+ type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t;
|
|
type uptimed_spool_t, uptimed_var_run_t;
|
|
')
|
|
|
|
diff --git a/uptime.te b/uptime.te
|
|
index 58397dc..e6b6a34 100644
|
|
--- a/uptime.te
|
|
+++ b/uptime.te
|
|
@@ -16,7 +16,7 @@ type uptimed_initrc_exec_t;
|
|
init_script_file(uptimed_initrc_exec_t)
|
|
|
|
type uptimed_spool_t;
|
|
-files_type(uptimed_spool_t)
|
|
+files_spool_file(uptimed_spool_t)
|
|
|
|
type uptimed_var_run_t;
|
|
files_pid_file(uptimed_var_run_t)
|
|
@@ -55,8 +55,6 @@ fs_search_auto_mountpoints(uptimed_t)
|
|
|
|
logging_send_syslog_msg(uptimed_t)
|
|
|
|
-miscfiles_read_localization(uptimed_t)
|
|
-
|
|
userdom_dontaudit_use_unpriv_user_fds(uptimed_t)
|
|
userdom_dontaudit_search_user_home_dirs(uptimed_t)
|
|
|
|
diff --git a/usbmodules.te b/usbmodules.te
|
|
index 279e511..4f79ad6 100644
|
|
--- a/usbmodules.te
|
|
+++ b/usbmodules.te
|
|
@@ -24,8 +24,6 @@ files_list_kernel_modules(usbmodules_t)
|
|
dev_list_usbfs(usbmodules_t)
|
|
dev_rw_usbfs(usbmodules_t)
|
|
|
|
-files_list_etc(usbmodules_t)
|
|
-
|
|
term_read_console(usbmodules_t)
|
|
term_write_console(usbmodules_t)
|
|
|
|
@@ -35,10 +33,12 @@ logging_send_syslog_msg(usbmodules_t)
|
|
|
|
miscfiles_read_hwdata(usbmodules_t)
|
|
|
|
-modutils_read_module_deps(usbmodules_t)
|
|
-
|
|
-userdom_use_user_terminals(usbmodules_t)
|
|
+userdom_use_inherited_user_terminals(usbmodules_t)
|
|
|
|
optional_policy(`
|
|
hotplug_read_config(usbmodules_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ modutils_read_module_deps(usbmodules_t)
|
|
+')
|
|
diff --git a/usbmuxd.fc b/usbmuxd.fc
|
|
index 220f6ad..cd80b9b 100644
|
|
--- a/usbmuxd.fc
|
|
+++ b/usbmuxd.fc
|
|
@@ -1,3 +1,4 @@
|
|
/usr/sbin/usbmuxd -- gen_context(system_u:object_r:usbmuxd_exec_t,s0)
|
|
|
|
-/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
|
|
+/var/run/usbmuxd.* gen_context(system_u:object_r:usbmuxd_var_run_t,s0)
|
|
+/usr/lib/systemd/system/usbmuxd.* -- gen_context(system_u:object_r:usbmuxd_unit_file_t,s0)
|
|
diff --git a/usbmuxd.if b/usbmuxd.if
|
|
index 1ec5e99..88e287d 100644
|
|
--- a/usbmuxd.if
|
|
+++ b/usbmuxd.if
|
|
@@ -38,3 +38,66 @@ interface(`usbmuxd_stream_connect',`
|
|
files_search_pids($1)
|
|
stream_connect_pattern($1, usbmuxd_var_run_t, usbmuxd_var_run_t, usbmuxd_t)
|
|
')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute usbmuxd server in the usbmuxd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`usbmuxd_systemctl',`
|
|
+ gen_require(`
|
|
+ type usbmuxd_t;
|
|
+ type usbmuxd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 usbmuxd_unit_file_t:file read_file_perms;
|
|
+ allow $1 usbmuxd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, usbmuxd_t)
|
|
+')
|
|
+
|
|
+#####################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an usbmuxd environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed to manage the usbmuxd domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`usbmuxd_admin',`
|
|
+ gen_require(`
|
|
+ type usbmuxd_t,usbmuxd_var_run_t;
|
|
+ type usbmuxd_unit_file_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 usbmuxd_t:process { signal_perms };
|
|
+ ps_process_pattern($1, usbmuxd_t)
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 usbmuxd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
+ allow $2 system_r;
|
|
+
|
|
+ files_list_pids($1)
|
|
+ admin_pattern($1, usbmuxd_var_run_t)
|
|
+
|
|
+ usbmuxd_systemctl($1)
|
|
+ admin_pattern($1, usbmuxd_unit_file_t)
|
|
+ allow $1 usbmuxd_unit_file_t:service all_service_perms;
|
|
+')
|
|
diff --git a/usbmuxd.te b/usbmuxd.te
|
|
index 34a8917..120d801 100644
|
|
--- a/usbmuxd.te
|
|
+++ b/usbmuxd.te
|
|
@@ -10,12 +10,16 @@ roleattribute system_r usbmuxd_roles;
|
|
|
|
type usbmuxd_t;
|
|
type usbmuxd_exec_t;
|
|
+init_system_domain(usbmuxd_t, usbmuxd_exec_t)
|
|
application_domain(usbmuxd_t, usbmuxd_exec_t)
|
|
role usbmuxd_roles types usbmuxd_t;
|
|
|
|
type usbmuxd_var_run_t;
|
|
files_pid_file(usbmuxd_var_run_t)
|
|
|
|
+type usbmuxd_unit_file_t;
|
|
+systemd_unit_file(usbmuxd_unit_file_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -24,6 +28,7 @@ files_pid_file(usbmuxd_var_run_t)
|
|
allow usbmuxd_t self:capability { kill setgid setuid };
|
|
allow usbmuxd_t self:process { signal signull };
|
|
allow usbmuxd_t self:fifo_file rw_fifo_file_perms;
|
|
+allow usbmuxd_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
|
|
manage_files_pattern(usbmuxd_t, usbmuxd_var_run_t, usbmuxd_var_run_t)
|
|
@@ -38,6 +43,10 @@ dev_rw_generic_usb_dev(usbmuxd_t)
|
|
|
|
auth_use_nsswitch(usbmuxd_t)
|
|
|
|
-miscfiles_read_localization(usbmuxd_t)
|
|
-
|
|
logging_send_syslog_msg(usbmuxd_t)
|
|
+
|
|
+seutil_dontaudit_read_file_contexts(usbmuxd_t)
|
|
+
|
|
+optional_policy(`
|
|
+ virt_dontaudit_read_chr_dev(usbmuxd_t)
|
|
+')
|
|
diff --git a/userhelper.fc b/userhelper.fc
|
|
index c416a83..cd83b89 100644
|
|
--- a/userhelper.fc
|
|
+++ b/userhelper.fc
|
|
@@ -1,5 +1,10 @@
|
|
-/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0)
|
|
+#
|
|
+# /etc
|
|
+#
|
|
+/etc/security/console\.apps(/.*)? gen_context(system_u:object_r:userhelper_conf_t,s0)
|
|
|
|
-/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
|
|
-
|
|
-/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
|
|
\ No newline at end of file
|
|
+#
|
|
+# /usr
|
|
+#
|
|
+/usr/sbin/userhelper -- gen_context(system_u:object_r:userhelper_exec_t,s0)
|
|
+/usr/bin/consolehelper -- gen_context(system_u:object_r:consolehelper_exec_t,s0)
|
|
diff --git a/userhelper.if b/userhelper.if
|
|
index 98b51fd..35d784a 100644
|
|
--- a/userhelper.if
|
|
+++ b/userhelper.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>A wrapper that helps users run system programs.</summary>
|
|
+## <summary>SELinux utility to run a shell with a new role</summary>
|
|
|
|
#######################################
|
|
## <summary>
|
|
@@ -23,9 +23,9 @@
|
|
#
|
|
template(`userhelper_role_template',`
|
|
gen_require(`
|
|
- attribute userhelper_type, consolehelper_type;
|
|
- attribute_role userhelper_roles, consolehelper_roles;
|
|
- type userhelper_exec_t, consolehelper_exec_t, userhelper_conf_t;
|
|
+ attribute userhelper_type;
|
|
+ type userhelper_exec_t, userhelper_conf_t;
|
|
+ class dbus send_msg;
|
|
')
|
|
|
|
########################################
|
|
@@ -33,64 +33,123 @@ template(`userhelper_role_template',`
|
|
# Declarations
|
|
#
|
|
|
|
- type $1_consolehelper_t, consolehelper_type;
|
|
- userdom_user_application_domain($1_consolehelper_t, consolehelper_exec_t)
|
|
-
|
|
- role consolehelper_roles types $1_consolehelper_t;
|
|
- roleattribute $2 consolehelper_roles;
|
|
-
|
|
type $1_userhelper_t, userhelper_type;
|
|
userdom_user_application_domain($1_userhelper_t, userhelper_exec_t)
|
|
-
|
|
domain_role_change_exemption($1_userhelper_t)
|
|
domain_obj_id_change_exemption($1_userhelper_t)
|
|
domain_interactive_fd($1_userhelper_t)
|
|
domain_subj_id_change_exemption($1_userhelper_t)
|
|
-
|
|
- role userhelper_roles types $1_userhelper_t;
|
|
- roleattribute $2 userhelper_roles;
|
|
+ role $2 types $1_userhelper_t;
|
|
|
|
########################################
|
|
#
|
|
- # Consolehelper local policy
|
|
+ # Local policy
|
|
#
|
|
+ allow $1_userhelper_t self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
|
|
+ allow $1_userhelper_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
+ allow $1_userhelper_t self:process setexec;
|
|
+ allow $1_userhelper_t self:fd use;
|
|
+ allow $1_userhelper_t self:fifo_file rw_fifo_file_perms;
|
|
+ allow $1_userhelper_t self:shm create_shm_perms;
|
|
+ allow $1_userhelper_t self:sem create_sem_perms;
|
|
+ allow $1_userhelper_t self:msgq create_msgq_perms;
|
|
+ allow $1_userhelper_t self:msg { send receive };
|
|
+ allow $1_userhelper_t self:unix_dgram_socket create_socket_perms;
|
|
+ allow $1_userhelper_t self:unix_stream_socket create_stream_socket_perms;
|
|
+ allow $1_userhelper_t self:unix_dgram_socket sendto;
|
|
+ allow $1_userhelper_t self:unix_stream_socket connectto;
|
|
+ allow $1_userhelper_t self:sock_file read_sock_file_perms;
|
|
+
|
|
+ #Transition to the derived domain.
|
|
+ domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
|
|
|
|
- allow $1_consolehelper_t $3:unix_stream_socket connectto;
|
|
+ allow $1_userhelper_t userhelper_conf_t:dir rw_dir_perms;
|
|
+ rw_files_pattern($1_userhelper_t, userhelper_conf_t, userhelper_conf_t)
|
|
|
|
- domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
|
|
+ can_exec($1_userhelper_t, userhelper_exec_t)
|
|
|
|
- allow $3 $1_consolehelper_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($3, $1_consolehelper_t)
|
|
+ dontaudit $3 $1_userhelper_t:process signal;
|
|
|
|
- auth_use_pam($1_consolehelper_t)
|
|
+ kernel_read_all_sysctls($1_userhelper_t)
|
|
+ kernel_getattr_debugfs($1_userhelper_t)
|
|
+ kernel_read_system_state($1_userhelper_t)
|
|
|
|
- optional_policy(`
|
|
- dbus_connect_all_session_bus($1_consolehelper_t)
|
|
+ # Execute shells
|
|
+ corecmd_exec_shell($1_userhelper_t)
|
|
+ # By default, revert to the calling domain when a program is executed
|
|
+ corecmd_bin_domtrans($1_userhelper_t, $3)
|
|
|
|
- optional_policy(`
|
|
- userhelper_dbus_chat_all_consolehelper($3)
|
|
- ')
|
|
- ')
|
|
+ # Inherit descriptors from the current session.
|
|
+ domain_use_interactive_fds($1_userhelper_t)
|
|
+ # for when the user types "exec userhelper" at the command line
|
|
+ domain_sigchld_interactive_fds($1_userhelper_t)
|
|
+
|
|
+ dev_read_urand($1_userhelper_t)
|
|
+ # Read /dev directories and any symbolic links.
|
|
+ dev_list_all_dev_nodes($1_userhelper_t)
|
|
+
|
|
+ files_list_var_lib($1_userhelper_t)
|
|
+ # Read the /etc/security/default_type file
|
|
+ files_read_etc_files($1_userhelper_t)
|
|
+ # Read /var.
|
|
+ files_read_var_files($1_userhelper_t)
|
|
+ files_read_var_symlinks($1_userhelper_t)
|
|
+ # for some PAM modules and for cwd
|
|
+ files_search_home($1_userhelper_t)
|
|
+
|
|
+ fs_search_auto_mountpoints($1_userhelper_t)
|
|
+ fs_read_nfs_files($1_userhelper_t)
|
|
+ fs_read_nfs_symlinks($1_userhelper_t)
|
|
+
|
|
+ # Allow $1_userhelper to obtain contexts to relabel TTYs
|
|
+ selinux_get_fs_mount($1_userhelper_t)
|
|
+ selinux_validate_context($1_userhelper_t)
|
|
+ selinux_compute_access_vector($1_userhelper_t)
|
|
+ selinux_compute_create_context($1_userhelper_t)
|
|
+ selinux_compute_relabel_context($1_userhelper_t)
|
|
+ selinux_compute_user_contexts($1_userhelper_t)
|
|
+
|
|
+ # Read the devpts root directory.
|
|
+ term_list_ptys($1_userhelper_t)
|
|
+ # Relabel terminals.
|
|
+ term_relabel_all_ttys($1_userhelper_t)
|
|
+ term_relabel_all_ptys($1_userhelper_t)
|
|
+ # Access terminals.
|
|
+ term_use_all_ttys($1_userhelper_t)
|
|
+ term_use_all_ptys($1_userhelper_t)
|
|
|
|
- ########################################
|
|
- #
|
|
- # Userhelper local policy
|
|
- #
|
|
+ auth_domtrans_chk_passwd($1_userhelper_t)
|
|
+ auth_manage_pam_pid($1_userhelper_t)
|
|
+ auth_manage_var_auth($1_userhelper_t)
|
|
+ auth_search_pam_console_data($1_userhelper_t)
|
|
+ auth_use_nsswitch($1_userhelper_t)
|
|
|
|
- domtrans_pattern($3, userhelper_exec_t, $1_userhelper_t)
|
|
+ logging_send_syslog_msg($1_userhelper_t)
|
|
|
|
- dontaudit $3 $1_userhelper_t:process signal;
|
|
+ # Inherit descriptors from the current session.
|
|
+ init_use_fds($1_userhelper_t)
|
|
+ # Write to utmp.
|
|
+ init_manage_utmp($1_userhelper_t)
|
|
+ init_pid_filetrans_utmp($1_userhelper_t)
|
|
|
|
- corecmd_bin_domtrans($1_userhelper_t, $3)
|
|
|
|
- auth_domtrans_chk_passwd($1_userhelper_t)
|
|
- auth_use_nsswitch($1_userhelper_t)
|
|
+ seutil_read_config($1_userhelper_t)
|
|
+ seutil_read_default_contexts($1_userhelper_t)
|
|
|
|
+ # Allow $1_userhelper_t to transition to user domains.
|
|
userdom_bin_spec_domtrans_unpriv_users($1_userhelper_t)
|
|
userdom_entry_spec_domtrans_unpriv_users($1_userhelper_t)
|
|
|
|
+ ifdef(`distro_redhat',`
|
|
+ optional_policy(`
|
|
+ # Allow transitioning to rpm_t, for up2date
|
|
+ rpm_domtrans($1_userhelper_t)
|
|
+ ')
|
|
+ ')
|
|
+
|
|
optional_policy(`
|
|
tunable_policy(`! secure_mode',`
|
|
+ #if we are not in secure mode then we can transition to sysadm_t
|
|
sysadm_bin_spec_domtrans($1_userhelper_t)
|
|
sysadm_entry_spec_domtrans($1_userhelper_t)
|
|
')
|
|
@@ -99,7 +158,7 @@ template(`userhelper_role_template',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Search userhelper configuration directories.
|
|
+## Search the userhelper configuration directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -118,7 +177,7 @@ interface(`userhelper_search_config',`
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to search
|
|
-## userhelper configuration directories.
|
|
+## the userhelper configuration directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -136,28 +195,26 @@ interface(`userhelper_dontaudit_search_config',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send and receive messages from
|
|
-## consolehelper over dbus.
|
|
+## Do not audit attempts to write
|
|
+## the userhelper configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`userhelper_dbus_chat_all_consolehelper',`
|
|
+interface(`userhelper_dontaudit_write_config',`
|
|
gen_require(`
|
|
- attribute consolehelper_type;
|
|
- class dbus send_msg;
|
|
+ type userhelper_conf_t;
|
|
')
|
|
|
|
- allow $1 consolehelper_type:dbus send_msg;
|
|
- allow consolehelper_type $1:dbus send_msg;
|
|
+ dontaudit $1 userhelper_conf_t:file write;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Use userhelper all userhelper file descriptors.
|
|
+## Allow domain to use userhelper file descriptor.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -175,7 +232,7 @@ interface(`userhelper_use_fd',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send child terminated signals to all userhelper.
|
|
+## Allow domain to send sigchld to userhelper.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -206,10 +263,79 @@ interface(`userhelper_exec',`
|
|
type userhelper_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, userhelper_exec_t)
|
|
')
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## The role template for the consolehelper module.
|
|
+## </summary>
|
|
+## <desc>
|
|
+## <p>
|
|
+## This template creates a derived domains which are used
|
|
+## for consolehelper applications.
|
|
+## </p>
|
|
+## </desc>
|
|
+## <param name="role_prefix">
|
|
+## <summary>
|
|
+## The prefix of the user domain (e.g., user
|
|
+## is the prefix for user_t).
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="user_role">
|
|
+## <summary>
|
|
+## The role associated with the user domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="user_domain">
|
|
+## <summary>
|
|
+## The type of the user domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`userhelper_console_role_template',`
|
|
+ gen_require(`
|
|
+ type consolehelper_exec_t;
|
|
+ attribute consolehelper_domain;
|
|
+ class dbus send_msg;
|
|
+ ')
|
|
+ type $1_consolehelper_t, consolehelper_domain;
|
|
+ domain_type($1_consolehelper_t)
|
|
+ domain_entry_file($1_consolehelper_t, consolehelper_exec_t)
|
|
+ role $2 types $1_consolehelper_t;
|
|
+
|
|
+ domtrans_pattern($3, consolehelper_exec_t, $1_consolehelper_t)
|
|
+
|
|
+ allow $3 $1_consolehelper_t:process signal;
|
|
+ allow $3 $1_consolehelper_t:dbus send_msg;
|
|
+ allow $1_consolehelper_t $3:dbus send_msg;
|
|
+ allow $1_consolehelper_t $3:unix_stream_socket connectto;
|
|
+
|
|
+ kernel_read_system_state($1_consolehelper_t)
|
|
+
|
|
+ auth_use_pam($1_consolehelper_t)
|
|
+
|
|
+ userdom_manage_tmpfs_role($2, $1_consolehelper_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ dbus_connect_session_bus($1_consolehelper_t)
|
|
+ ')
|
|
+
|
|
+ optional_policy(`
|
|
+ shutdown_run($1_consolehelper_t, $2)
|
|
+ shutdown_send_sigchld($3)
|
|
+ ')
|
|
+
|
|
+ optional_policy(`
|
|
+ mock_run($1_consolehelper_t, $2)
|
|
+ ')
|
|
+
|
|
+ optional_policy(`
|
|
+ xserver_run_xauth($1_consolehelper_t, $2)
|
|
+ xserver_read_xdm_pid($1_consolehelper_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
## Execute the consolehelper program
|
|
diff --git a/userhelper.te b/userhelper.te
|
|
index 42cfce0..1733490 100644
|
|
--- a/userhelper.te
|
|
+++ b/userhelper.te
|
|
@@ -5,11 +5,8 @@ policy_module(userhelper, 1.8.1)
|
|
# Declarations
|
|
#
|
|
|
|
-attribute consolehelper_type;
|
|
attribute userhelper_type;
|
|
-
|
|
-attribute_role consolehelper_roles;
|
|
-attribute_role userhelper_roles;
|
|
+attribute consolehelper_domain;
|
|
|
|
type userhelper_conf_t;
|
|
files_config_file(userhelper_conf_t)
|
|
@@ -22,141 +19,77 @@ application_executable_file(consolehelper_exec_t)
|
|
|
|
########################################
|
|
#
|
|
-# Common consolehelper domain local policy
|
|
+# consolehelper local policy
|
|
#
|
|
|
|
-allow consolehelper_type self:capability { setgid setuid dac_override };
|
|
-allow consolehelper_type self:process signal;
|
|
-allow consolehelper_type self:fifo_file rw_fifo_file_perms;
|
|
-allow consolehelper_type self:unix_stream_socket create_stream_socket_perms;
|
|
-allow consolehelper_type self:shm create_shm_perms;
|
|
-
|
|
-dontaudit consolehelper_type userhelper_conf_t:file audit_access;
|
|
-read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t)
|
|
+allow consolehelper_domain self:shm create_shm_perms;
|
|
+allow consolehelper_domain self:capability { setgid setuid dac_override sys_nice };
|
|
+allow consolehelper_domain self:process { signal_perms getsched setsched };
|
|
|
|
-domain_use_interactive_fds(consolehelper_type)
|
|
+allow consolehelper_domain userhelper_conf_t:file audit_access;
|
|
+dontaudit consolehelper_domain userhelper_conf_t:file write;
|
|
+read_files_pattern(consolehelper_domain, userhelper_conf_t, userhelper_conf_t)
|
|
|
|
-kernel_read_system_state(consolehelper_type)
|
|
-kernel_read_kernel_sysctls(consolehelper_type)
|
|
+# Init script handling
|
|
+domain_use_interactive_fds(consolehelper_domain)
|
|
|
|
-corecmd_exec_bin(consolehelper_type)
|
|
+# internal communication is often done using fifo and unix sockets.
|
|
+allow consolehelper_domain self:fifo_file rw_fifo_file_perms;
|
|
+allow consolehelper_domain self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
-dev_getattr_all_chr_files(consolehelper_type)
|
|
-dev_dontaudit_list_all_dev_nodes(consolehelper_type)
|
|
+kernel_read_kernel_sysctls(consolehelper_domain)
|
|
|
|
-files_read_config_files(consolehelper_type)
|
|
-files_read_usr_files(consolehelper_type)
|
|
+corecmd_exec_bin(consolehelper_domain)
|
|
|
|
-fs_getattr_all_dirs(consolehelper_type)
|
|
-fs_getattr_all_fs(consolehelper_type)
|
|
-fs_search_auto_mountpoints(consolehelper_type)
|
|
-files_search_mnt(consolehelper_type)
|
|
+dev_getattr_all_chr_files(consolehelper_domain)
|
|
+dev_dontaudit_list_all_dev_nodes(consolehelper_domain)
|
|
+dev_dontaudit_getattr_all(consolehelper_domain)
|
|
+fs_getattr_all_fs(consolehelper_domain)
|
|
+fs_getattr_all_dirs(consolehelper_domain)
|
|
|
|
-term_list_ptys(consolehelper_type)
|
|
+files_read_config_files(consolehelper_domain)
|
|
|
|
-auth_search_pam_console_data(consolehelper_type)
|
|
-auth_read_pam_pid(consolehelper_type)
|
|
+term_list_ptys(consolehelper_domain)
|
|
|
|
-miscfiles_read_localization(consolehelper_type)
|
|
-miscfiles_read_fonts(consolehelper_type)
|
|
+auth_search_pam_console_data(consolehelper_domain)
|
|
+auth_read_pam_pid(consolehelper_domain)
|
|
|
|
-userhelper_exec(consolehelper_type)
|
|
+init_read_utmp(consolehelper_domain)
|
|
+init_telinit(consolehelper_domain)
|
|
|
|
-userdom_use_user_terminals(consolehelper_type)
|
|
+miscfiles_read_fonts(consolehelper_domain)
|
|
|
|
-# might want to make this consolehelper_tmp_t
|
|
-userdom_manage_user_tmp_dirs(consolehelper_type)
|
|
-userdom_manage_user_tmp_files(consolehelper_type)
|
|
-userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file })
|
|
+userhelper_exec(consolehelper_domain)
|
|
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_search_nfs(consolehelper_type)
|
|
-')
|
|
+userdom_use_user_ptys(consolehelper_domain)
|
|
+userdom_use_user_ttys(consolehelper_domain)
|
|
+userdom_read_user_home_content_files(consolehelper_domain)
|
|
+userdom_search_admin_dir(consolehelper_domain)
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_search_cifs(consolehelper_type)
|
|
+optional_policy(`
|
|
+ dbus_session_bus_client(consolehelper_domain)
|
|
+ optional_policy(`
|
|
+ devicekit_dbus_chat_disk(consolehelper_domain)
|
|
+ ')
|
|
')
|
|
|
|
optional_policy(`
|
|
- shutdown_run(consolehelper_type, consolehelper_roles)
|
|
- shutdown_signal(consolehelper_type)
|
|
+ gnome_read_gconf_home_files(consolehelper_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
- xserver_domtrans_xauth(consolehelper_type)
|
|
- xserver_read_xdm_pid(consolehelper_type)
|
|
- xserver_stream_connect(consolehelper_type)
|
|
+ xserver_read_home_fonts(consolehelper_domain)
|
|
+ xserver_stream_connect(consolehelper_domain)
|
|
+ xserver_admin_home_dir_filetrans_xauth(consolehelper_domain)
|
|
+ xserver_manage_user_xauth(consolehelper_domain)
|
|
')
|
|
|
|
-########################################
|
|
-#
|
|
-# Common userhelper domain local policy
|
|
-#
|
|
-
|
|
-allow userhelper_type self:capability { setuid setgid net_bind_service dac_override chown sys_tty_config };
|
|
-allow userhelper_type self:process ~{ ptrace setcurrent setfscreate setrlimit execmem execstack execheap };
|
|
-allow userhelper_type self:fd use;
|
|
-allow userhelper_type self:fifo_file rw_fifo_file_perms;
|
|
-allow userhelper_type self:shm create_shm_perms;
|
|
-allow userhelper_type self:sem create_sem_perms;
|
|
-allow userhelper_type self:msgq create_msgq_perms;
|
|
-allow userhelper_type self:msg { send receive };
|
|
-allow userhelper_type self:unix_dgram_socket sendto;
|
|
-allow userhelper_type self:unix_stream_socket { accept connectto listen };
|
|
-
|
|
-dontaudit userhelper_type userhelper_conf_t:file audit_access;
|
|
-read_files_pattern(userhelper_type, userhelper_conf_t, userhelper_conf_t)
|
|
-
|
|
-can_exec(userhelper_type, userhelper_exec_t)
|
|
-
|
|
-kernel_read_all_sysctls(userhelper_type)
|
|
-kernel_getattr_debugfs(userhelper_type)
|
|
-kernel_read_system_state(userhelper_type)
|
|
-
|
|
-corecmd_exec_shell(userhelper_type)
|
|
-
|
|
-domain_use_interactive_fds(userhelper_type)
|
|
-domain_sigchld_interactive_fds(userhelper_type)
|
|
-
|
|
-dev_read_urand(userhelper_type)
|
|
-dev_list_all_dev_nodes(userhelper_type)
|
|
-
|
|
-files_list_var_lib(userhelper_type)
|
|
-files_read_var_files(userhelper_type)
|
|
-files_read_var_symlinks(userhelper_type)
|
|
-files_search_home(userhelper_type)
|
|
-
|
|
-fs_getattr_all_fs(userhelper_type)
|
|
-fs_search_auto_mountpoints(userhelper_type)
|
|
-
|
|
-selinux_get_fs_mount(userhelper_type)
|
|
-selinux_validate_context(userhelper_type)
|
|
-selinux_compute_access_vector(userhelper_type)
|
|
-selinux_compute_create_context(userhelper_type)
|
|
-selinux_compute_relabel_context(userhelper_type)
|
|
-selinux_compute_user_contexts(userhelper_type)
|
|
-
|
|
-term_list_ptys(userhelper_type)
|
|
-term_relabel_all_ttys(userhelper_type)
|
|
-term_relabel_all_ptys(userhelper_type)
|
|
-term_use_all_ttys(userhelper_type)
|
|
-term_use_all_ptys(userhelper_type)
|
|
-
|
|
-auth_manage_pam_pid(userhelper_type)
|
|
-auth_manage_var_auth(userhelper_type)
|
|
-auth_search_pam_console_data(userhelper_type)
|
|
-
|
|
-init_use_fds(userhelper_type)
|
|
-init_manage_utmp(userhelper_type)
|
|
-init_pid_filetrans_utmp(userhelper_type)
|
|
-
|
|
-logging_send_syslog_msg(userhelper_type)
|
|
-
|
|
-miscfiles_read_localization(userhelper_type)
|
|
-
|
|
-seutil_read_config(userhelper_type)
|
|
-seutil_read_default_contexts(userhelper_type)
|
|
+tunable_policy(`use_nfs_home_dirs',`
|
|
+ files_search_mnt(consolehelper_domain)
|
|
+ fs_search_nfs(consolehelper_domain)
|
|
+')
|
|
|
|
-optional_policy(`
|
|
- rpm_domtrans(userhelper_type)
|
|
+tunable_policy(`use_samba_home_dirs',`
|
|
+ files_search_mnt(consolehelper_domain)
|
|
+ fs_search_cifs(consolehelper_domain)
|
|
')
|
|
diff --git a/usernetctl.if b/usernetctl.if
|
|
index 7deec55..c542887 100644
|
|
--- a/usernetctl.if
|
|
+++ b/usernetctl.if
|
|
@@ -39,6 +39,7 @@ interface(`usernetctl_domtrans',`
|
|
#
|
|
interface(`usernetctl_run',`
|
|
gen_require(`
|
|
+ type usernetctl_t;
|
|
attribute_role usernetctl_roles;
|
|
')
|
|
|
|
diff --git a/usernetctl.te b/usernetctl.te
|
|
index f973af8..de458c2 100644
|
|
--- a/usernetctl.te
|
|
+++ b/usernetctl.te
|
|
@@ -6,12 +6,12 @@ policy_module(usernetctl, 1.7.0)
|
|
#
|
|
|
|
attribute_role usernetctl_roles;
|
|
+roleattribute system_r usernetctl_roles;
|
|
|
|
type usernetctl_t;
|
|
type usernetctl_exec_t;
|
|
application_domain(usernetctl_t, usernetctl_exec_t)
|
|
domain_interactive_fd(usernetctl_t)
|
|
-role usernetctl_roles types usernetctl_t;
|
|
|
|
########################################
|
|
#
|
|
@@ -40,7 +40,6 @@ files_exec_etc_files(usernetctl_t)
|
|
files_read_etc_runtime_files(usernetctl_t)
|
|
files_list_pids(usernetctl_t)
|
|
files_list_home(usernetctl_t)
|
|
-files_read_usr_files(usernetctl_t)
|
|
|
|
fs_search_auto_mountpoints(usernetctl_t)
|
|
|
|
@@ -48,18 +47,14 @@ auth_use_nsswitch(usernetctl_t)
|
|
|
|
logging_send_syslog_msg(usernetctl_t)
|
|
|
|
-miscfiles_read_localization(usernetctl_t)
|
|
-
|
|
seutil_read_config(usernetctl_t)
|
|
|
|
+sysnet_read_config(usernetctl_t)
|
|
+
|
|
sysnet_run_ifconfig(usernetctl_t, usernetctl_roles)
|
|
sysnet_run_dhcpc(usernetctl_t, usernetctl_roles)
|
|
|
|
-userdom_use_user_terminals(usernetctl_t)
|
|
-
|
|
-optional_policy(`
|
|
- consoletype_run(usernetctl_t, usernetctl_roles)
|
|
-')
|
|
+userdom_use_inherited_user_terminals(usernetctl_t)
|
|
|
|
optional_policy(`
|
|
hostname_exec(usernetctl_t)
|
|
@@ -74,5 +69,9 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ nis_use_ypbind(usernetctl_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
ppp_run(usernetctl_t, usernetctl_roles)
|
|
')
|
|
diff --git a/uucp.if b/uucp.if
|
|
index af9acc0..cdaf82e 100644
|
|
--- a/uucp.if
|
|
+++ b/uucp.if
|
|
@@ -90,11 +90,6 @@ interface(`uucp_domtrans_uux',`
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`uucp_admin',`
|
|
@@ -104,14 +99,13 @@ interface(`uucp_admin',`
|
|
type uucpd_var_run_t, uucpd_initrc_exec_t;
|
|
')
|
|
|
|
- init_labeled_script_domtrans($1, uucpd_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 uucpd_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
-
|
|
- allow $1 uucpd_t:process { ptrace signal_perms };
|
|
+ allow $1 uucpd_t:process signal_perms;
|
|
ps_process_pattern($1, uucpd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 uucpd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
logging_list_logs($1)
|
|
admin_pattern($1, uucpd_log_t)
|
|
|
|
diff --git a/uucp.te b/uucp.te
|
|
index 849f607..d7c8ed8 100644
|
|
--- a/uucp.te
|
|
+++ b/uucp.te
|
|
@@ -31,7 +31,7 @@ type uucpd_ro_t;
|
|
files_type(uucpd_ro_t)
|
|
|
|
type uucpd_spool_t;
|
|
-files_type(uucpd_spool_t)
|
|
+files_spool_file(uucpd_spool_t)
|
|
|
|
type uucpd_log_t;
|
|
logging_log_file(uucpd_log_t)
|
|
@@ -84,15 +84,19 @@ kernel_read_kernel_sysctls(uucpd_t)
|
|
kernel_read_system_state(uucpd_t)
|
|
kernel_read_network_state(uucpd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(uucpd_t)
|
|
corenet_all_recvfrom_netlabel(uucpd_t)
|
|
corenet_tcp_sendrecv_generic_if(uucpd_t)
|
|
corenet_tcp_sendrecv_generic_node(uucpd_t)
|
|
+corenet_udp_sendrecv_generic_node(uucpd_t)
|
|
+corenet_tcp_sendrecv_all_ports(uucpd_t)
|
|
+corenet_udp_sendrecv_all_ports(uucpd_t)
|
|
|
|
corenet_sendrecv_ssh_client_packets(uucpd_t)
|
|
corenet_tcp_connect_ssh_port(uucpd_t)
|
|
corenet_tcp_sendrecv_ssh_port(uucpd_t)
|
|
|
|
+corenet_tcp_connect_uucpd_port(uucpd_t)
|
|
+
|
|
corecmd_exec_bin(uucpd_t)
|
|
corecmd_exec_shell(uucpd_t)
|
|
|
|
@@ -110,7 +114,7 @@ auth_use_nsswitch(uucpd_t)
|
|
|
|
logging_send_syslog_msg(uucpd_t)
|
|
|
|
-miscfiles_read_localization(uucpd_t)
|
|
+mta_send_mail(uucpd_t)
|
|
|
|
optional_policy(`
|
|
cron_system_entry(uucpd_t, uucpd_exec_t)
|
|
@@ -125,10 +129,6 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- mta_send_mail(uucpd_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
ssh_exec(uucpd_t)
|
|
')
|
|
|
|
@@ -160,10 +160,15 @@ auth_use_nsswitch(uux_t)
|
|
logging_search_logs(uux_t)
|
|
logging_send_syslog_msg(uux_t)
|
|
|
|
-miscfiles_read_localization(uux_t)
|
|
-
|
|
optional_policy(`
|
|
mta_send_mail(uux_t)
|
|
mta_read_queue(uux_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
sendmail_dontaudit_rw_unix_stream_sockets(uux_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ postfix_rw_inherited_master_pipes(uux_t)
|
|
+')
|
|
diff --git a/uuidd.if b/uuidd.if
|
|
index 6e48653..6abf74a 100644
|
|
--- a/uuidd.if
|
|
+++ b/uuidd.if
|
|
@@ -148,11 +148,12 @@ interface(`uuidd_read_pid_files',`
|
|
#
|
|
interface(`uuidd_stream_connect_manager',`
|
|
gen_require(`
|
|
- type uuidd_t, uuidd_var_run_t;
|
|
+ type uuidd_t, uuidd_var_run_t, uuidd_var_lib_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
stream_connect_pattern($1, uuidd_var_run_t, uuidd_var_run_t, uuidd_t)
|
|
+ stream_connect_pattern($1, uuidd_var_lib_t, uuidd_var_lib_t, uuidd_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -180,6 +181,9 @@ interface(`uuidd_admin',`
|
|
|
|
allow $1 uuidd_t:process signal_perms;
|
|
ps_process_pattern($1, uuidd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 uuidd_t:process ptrace;
|
|
+ ')
|
|
|
|
uuidd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
diff --git a/uuidd.te b/uuidd.te
|
|
index f8e52fc..b283c25 100644
|
|
--- a/uuidd.te
|
|
+++ b/uuidd.te
|
|
@@ -42,6 +42,4 @@ dev_read_urand(uuidd_t)
|
|
|
|
domain_use_interactive_fds(uuidd_t)
|
|
|
|
-files_read_etc_files(uuidd_t)
|
|
|
|
-miscfiles_read_localization(uuidd_t)
|
|
diff --git a/uwimap.te b/uwimap.te
|
|
index acdc78a..7a18090 100644
|
|
--- a/uwimap.te
|
|
+++ b/uwimap.te
|
|
@@ -37,7 +37,6 @@ kernel_read_kernel_sysctls(imapd_t)
|
|
kernel_list_proc(imapd_t)
|
|
kernel_read_proc_symlinks(imapd_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(imapd_t)
|
|
corenet_all_recvfrom_netlabel(imapd_t)
|
|
corenet_tcp_sendrecv_generic_if(imapd_t)
|
|
corenet_tcp_sendrecv_generic_node(imapd_t)
|
|
@@ -56,8 +55,6 @@ dev_read_urand(imapd_t)
|
|
|
|
domain_use_interactive_fds(imapd_t)
|
|
|
|
-files_read_etc_files(imapd_t)
|
|
-
|
|
fs_getattr_all_fs(imapd_t)
|
|
fs_search_auto_mountpoints(imapd_t)
|
|
|
|
@@ -65,8 +62,6 @@ auth_domtrans_chk_passwd(imapd_t)
|
|
|
|
logging_send_syslog_msg(imapd_t)
|
|
|
|
-miscfiles_read_localization(imapd_t)
|
|
-
|
|
sysnet_dns_name_resolve(imapd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(imapd_t)
|
|
diff --git a/varnishd.if b/varnishd.if
|
|
index 1c35171..2cba4df 100644
|
|
--- a/varnishd.if
|
|
+++ b/varnishd.if
|
|
@@ -153,12 +153,16 @@ interface(`varnishd_manage_log',`
|
|
#
|
|
interface(`varnishd_admin_varnishlog',`
|
|
gen_require(`
|
|
+ type varnishd_t;
|
|
type varnishlog_t, varnishlog_initrc_exec_t, varnishlog_log_t;
|
|
type varnishlog_var_run_t;
|
|
')
|
|
|
|
- allow $1 varnishlog_t:process { ptrace signal_perms };
|
|
+ allow $1 varnishlog_t:process signal_perms;
|
|
ps_process_pattern($1, varnishlog_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 varnishd_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, varnishlog_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
@@ -196,9 +200,13 @@ interface(`varnishd_admin',`
|
|
type varnishd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 varnishd_t:process { ptrace signal_perms };
|
|
+ allow $1 varnishd_t:process signal_perms;
|
|
ps_process_pattern($1, varnishd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 varnishd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, varnishd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 varnishd_initrc_exec_t system_r;
|
|
diff --git a/varnishd.te b/varnishd.te
|
|
index 9d4d8cb..f50c3ff 100644
|
|
--- a/varnishd.te
|
|
+++ b/varnishd.te
|
|
@@ -21,7 +21,7 @@ type varnishd_initrc_exec_t;
|
|
init_script_file(varnishd_initrc_exec_t)
|
|
|
|
type varnishd_etc_t;
|
|
-files_type(varnishd_etc_t)
|
|
+files_config_file(varnishd_etc_t)
|
|
|
|
type varnishd_tmp_t;
|
|
files_tmp_file(varnishd_tmp_t)
|
|
@@ -43,7 +43,7 @@ type varnishlog_var_run_t;
|
|
files_pid_file(varnishlog_var_run_t)
|
|
|
|
type varnishlog_log_t;
|
|
-files_type(varnishlog_log_t)
|
|
+logging_log_file(varnishlog_log_t)
|
|
|
|
########################################
|
|
#
|
|
@@ -52,7 +52,7 @@ files_type(varnishlog_log_t)
|
|
|
|
allow varnishd_t self:capability { kill dac_override ipc_lock setuid setgid };
|
|
dontaudit varnishd_t self:capability sys_tty_config;
|
|
-allow varnishd_t self:process signal;
|
|
+allow varnishd_t self:process { execmem signal };
|
|
allow varnishd_t self:fifo_file rw_fifo_file_perms;
|
|
allow varnishd_t self:tcp_socket { accept listen };
|
|
|
|
@@ -103,7 +103,6 @@ corenet_tcp_sendrecv_varnishd_port(varnishd_t)
|
|
|
|
dev_read_urand(varnishd_t)
|
|
|
|
-files_read_usr_files(varnishd_t)
|
|
|
|
fs_getattr_all_fs(varnishd_t)
|
|
|
|
@@ -111,7 +110,7 @@ auth_use_nsswitch(varnishd_t)
|
|
|
|
logging_send_syslog_msg(varnishd_t)
|
|
|
|
-miscfiles_read_localization(varnishd_t)
|
|
+sysnet_read_config(varnishd_t)
|
|
|
|
tunable_policy(`varnishd_connect_any',`
|
|
corenet_sendrecv_all_client_packets(varnishd_t)
|
|
diff --git a/vbetool.te b/vbetool.te
|
|
index 2a61f75..02a87c0 100644
|
|
--- a/vbetool.te
|
|
+++ b/vbetool.te
|
|
@@ -27,6 +27,7 @@ role vbetool_roles types vbetool_t;
|
|
#
|
|
|
|
allow vbetool_t self:capability { dac_override sys_tty_config sys_admin };
|
|
+allow vbetool_t self:capability2 compromise_kernel;
|
|
allow vbetool_t self:process execmem;
|
|
|
|
dev_wx_raw_memory(vbetool_t)
|
|
@@ -43,7 +44,6 @@ mls_file_write_all_levels(vbetool_t)
|
|
|
|
term_use_unallocated_ttys(vbetool_t)
|
|
|
|
-miscfiles_read_localization(vbetool_t)
|
|
|
|
tunable_policy(`vbetool_mmap_zero_ignore',`
|
|
dontaudit vbetool_t self:memprotect mmap_zero;
|
|
diff --git a/vdagent.if b/vdagent.if
|
|
index 31c752e..ef52235 100644
|
|
--- a/vdagent.if
|
|
+++ b/vdagent.if
|
|
@@ -24,15 +24,15 @@ interface(`vdagent_domtrans',`
|
|
## Get attributes of vdagent executable files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed access.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`vdagent_getattr_exec_files',`
|
|
- gen_require(`
|
|
- type vdagent_exec_t;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type vdagent_exec_t;
|
|
+ ')
|
|
|
|
allow $1 vdagent_exec_t:file getattr_file_perms;
|
|
')
|
|
@@ -42,18 +42,18 @@ interface(`vdagent_getattr_exec_files',`
|
|
## Get attributes of vdagent log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`vdagent_getattr_log',`
|
|
- gen_require(`
|
|
- type vdagent_log_t;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type vdagent_log_t;
|
|
+ ')
|
|
|
|
- logging_search_logs($1)
|
|
- allow $1 vdagent_log_t:file getattr_file_perms;
|
|
+ logging_search_logs($1)
|
|
+ allow $1 vdagent_log_t:file getattr_file_perms;
|
|
')
|
|
|
|
########################################
|
|
@@ -81,18 +81,18 @@ interface(`vdagent_read_pid_files',`
|
|
## domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`vdagent_stream_connect',`
|
|
- gen_require(`
|
|
- type vdagent_var_run_t, vdagent_t;
|
|
- ')
|
|
+ gen_require(`
|
|
+ type vdagent_var_run_t, vdagent_t;
|
|
+ ')
|
|
|
|
- files_search_pids($1)
|
|
- stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, vdagent_var_run_t, vdagent_var_run_t, vdagent_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -110,7 +110,6 @@ interface(`vdagent_stream_connect',`
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
interface(`vdagent_admin',`
|
|
gen_require(`
|
|
@@ -120,6 +119,9 @@ interface(`vdagent_admin',`
|
|
|
|
allow $1 vdagent_t:process signal_perms;
|
|
ps_process_pattern($1, vdagent_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 vdagent_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff --git a/vdagent.te b/vdagent.te
|
|
index 87da8a2..9148a0d 100644
|
|
--- a/vdagent.te
|
|
+++ b/vdagent.te
|
|
@@ -25,6 +25,7 @@ logging_log_file(vdagent_log_t)
|
|
|
|
dontaudit vdagent_t self:capability sys_admin;
|
|
allow vdagent_t self:process signal;
|
|
+
|
|
allow vdagent_t self:fifo_file rw_fifo_file_perms;
|
|
allow vdagent_t self:unix_stream_socket { accept listen };
|
|
|
|
@@ -39,20 +40,21 @@ create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
|
|
setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
|
|
logging_log_filetrans(vdagent_t, vdagent_log_t, file)
|
|
|
|
+kernel_request_load_module(vdagent_t)
|
|
+
|
|
dev_rw_input_dev(vdagent_t)
|
|
dev_rw_mtrr(vdagent_t)
|
|
dev_read_sysfs(vdagent_t)
|
|
dev_dontaudit_write_mtrr(vdagent_t)
|
|
|
|
-files_read_etc_files(vdagent_t)
|
|
-
|
|
term_use_virtio_console(vdagent_t)
|
|
|
|
init_read_state(vdagent_t)
|
|
|
|
-logging_send_syslog_msg(vdagent_t)
|
|
+systemd_read_logind_sessions_files(vdagent_t)
|
|
+systemd_login_read_pid_files(vdagent_t)
|
|
|
|
-miscfiles_read_localization(vdagent_t)
|
|
+logging_send_syslog_msg(vdagent_t)
|
|
|
|
userdom_read_all_users_state(vdagent_t)
|
|
|
|
diff --git a/vhostmd.if b/vhostmd.if
|
|
index 22edd58..c3a5364 100644
|
|
--- a/vhostmd.if
|
|
+++ b/vhostmd.if
|
|
@@ -216,9 +216,13 @@ interface(`vhostmd_admin',`
|
|
type vhostmd_tmpfs_t;
|
|
')
|
|
|
|
- allow $1 vhostmd_t:process { ptrace signal_perms };
|
|
+ allow $1 vhostmd_t:process signal_perms;
|
|
ps_process_pattern($1, vhostmd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 vhostmd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
vhostmd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 vhostmd_initrc_exec_t system_r;
|
|
diff --git a/vhostmd.te b/vhostmd.te
|
|
index 3d11c6a..b19a117 100644
|
|
--- a/vhostmd.te
|
|
+++ b/vhostmd.te
|
|
@@ -58,14 +58,11 @@ dev_read_urand(vhostmd_t)
|
|
dev_read_sysfs(vhostmd_t)
|
|
|
|
files_list_tmp(vhostmd_t)
|
|
-files_read_usr_files(vhostmd_t)
|
|
|
|
auth_use_nsswitch(vhostmd_t)
|
|
|
|
logging_send_syslog_msg(vhostmd_t)
|
|
|
|
-miscfiles_read_localization(vhostmd_t)
|
|
-
|
|
optional_policy(`
|
|
hostname_exec(vhostmd_t)
|
|
')
|
|
@@ -77,6 +74,7 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
virt_stream_connect(vhostmd_t)
|
|
+ virt_write_content(vhostmd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
diff --git a/virt.fc b/virt.fc
|
|
index a4f20bc..9bad8b9 100644
|
|
--- a/virt.fc
|
|
+++ b/virt.fc
|
|
@@ -1,51 +1,92 @@
|
|
-HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
|
-HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
|
|
-HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
|
-HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
|
-HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
|
+HOME_DIR/\.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
|
+HOME_DIR/\.libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
|
|
+HOME_DIR/\.virtinst(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
|
+HOME_DIR/\.cache/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
|
+HOME_DIR/\.cache/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
|
+HOME_DIR/\.cache/gnome-boxes(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
|
+HOME_DIR/\.cache/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
|
|
+HOME_DIR/\.config/libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
|
+HOME_DIR/\.config/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
|
|
+HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
|
+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
|
+HOME_DIR/\.local/share/gnome-boxes/images(/.*)? gen_context(system_u:object_r:svirt_home_t,s0)
|
|
|
|
-/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
|
|
+/etc/libvirt -d gen_context(system_u:object_r:virt_etc_t,s0)
|
|
/etc/libvirt/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
|
|
/etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
|
|
-/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
|
|
+/etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
|
|
+/etc/rc\.d/init\.d/libvirtd -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
|
|
+/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0)
|
|
+/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
|
|
+/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
|
|
+/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
|
|
|
|
-/etc/rc\.d/init\.d/(libvirt-bin|libvirtd) -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
|
|
+/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
|
|
+/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
|
|
|
|
-/etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0)
|
|
-/etc/xen/[^/]* -- gen_context(system_u:object_r:virt_etc_t,s0)
|
|
-/etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0)
|
|
-/etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
|
|
-
|
|
-/usr/libexec/libvirt_lxc -- gen_context(system_u:object_r:virtd_lxc_exec_t,s0)
|
|
-/usr/libexec/qemu-bridge-helper gen_context(system_u:object_r:virt_bridgehelper_exec_t,s0)
|
|
-
|
|
-/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
|
|
-/usr/bin/virt-sandbox-service.* -- gen_context(system_u:object_r:virsh_exec_t,s0)
|
|
-
|
|
-/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
|
-/usr/sbin/fence_virtd -- gen_context(system_u:object_r:virsh_exec_t,s0)
|
|
/usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0)
|
|
/usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
|
+/usr/sbin/virtlockd -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
|
+/usr/bin/virsh -- gen_context(system_u:object_r:virsh_exec_t,s0)
|
|
+/usr/sbin/condor_vm-gahp -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
|
+/usr/sbin/xl -- gen_context(system_u:object_r:virsh_exec_t,s0)
|
|
+/usr/sbin/xm -- gen_context(system_u:object_r:virsh_exec_t,s0)
|
|
|
|
/var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
|
|
|
|
-/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
|
|
-/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
|
-/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
|
|
-/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
|
-/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
|
|
+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
|
|
+/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
|
+/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
|
|
+/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
|
+/var/lib/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
|
|
+
|
|
+/var/lock/xl -- gen_context(system_u:object_r:virt_log_t,s0)
|
|
+/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
|
|
+/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
|
|
+/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
|
|
+/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
|
|
+/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
|
|
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:qemu_var_run_t,s0-mls_systemhigh)
|
|
+/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
|
|
+/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virt_lxc_var_run_t,s0)
|
|
+/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
|
|
|
|
-/var/log/log(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
|
|
-/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
|
|
-/var/log/vdsm(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
|
|
+/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
|
|
|
|
-/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
|
|
+# support for AEOLUS project
|
|
+/usr/bin/imagefactory -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
|
+/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
|
+/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0)
|
|
+/var/lib/imagefactory/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
|
|
+/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
|
|
+/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
|
+/var/lib/vdsm(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
|
|
|
|
-/var/run/libguestfs(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
|
|
-/var/run/libvirtd\.pid -- gen_context(system_u:object_r:virt_var_run_t,s0)
|
|
-/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
|
|
-/var/run/libvirt/lxc(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
|
|
-/var/run/libvirt-sandbox(/.*)? gen_context(system_u:object_r:virtd_lxc_var_run_t,s0)
|
|
-/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0-mls_systemhigh)
|
|
-/var/run/user/[^/]*/libguestfs(/.*)? gen_context(system_u:object_r:virt_home_t,s0)
|
|
-/var/run/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)
|
|
+# add support vios-proxy-*
|
|
+/usr/bin/vios-proxy-host -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
|
+/usr/bin/vios-proxy-guest -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
|
+
|
|
+# support for nova-stack
|
|
+/usr/bin/nova-compute -- gen_context(system_u:object_r:virtd_exec_t,s0)
|
|
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
|
+/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
|
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
|
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
|
|
+
|
|
+/etc/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
|
|
+/usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
|
|
+/var/run/qemu-ga/fsfreeze-hook.d(/.*)? gen_context(system_u:object_r:virt_qemu_ga_unconfined_exec_t,s0)
|
|
+
|
|
+/usr/libexec/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/virt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/libvirt.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
|
|
+/usr/lib/systemd/system/.*xen.*\.service -- gen_context(system_u:object_r:virtd_unit_file_t,s0)
|
|
+
|
|
+/usr/bin/qemu-ga -- gen_context(system_u:object_r:virt_qemu_ga_exec_t,s0)
|
|
+
|
|
+/var/run/qemu-ga\.pid -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
|
|
+/var/run/qga\.state -- gen_context(system_u:object_r:virt_qemu_ga_var_run_t,s0)
|
|
+
|
|
+/var/log/qemu-ga\.log -- gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
|
|
+/var/log/qemu-ga(/.*)? gen_context(system_u:object_r:virt_qemu_ga_log_t,s0)
|
|
diff --git a/virt.if b/virt.if
|
|
index facdee8..73549fd 100644
|
|
--- a/virt.if
|
|
+++ b/virt.if
|
|
@@ -1,120 +1,51 @@
|
|
-## <summary>Libvirt virtualization API.</summary>
|
|
+## <summary>Libvirt virtualization API</summary>
|
|
|
|
-#######################################
|
|
+########################################
|
|
## <summary>
|
|
-## The template to define a virt domain.
|
|
+## Creates types and rules for a basic
|
|
+## qemu process domain.
|
|
## </summary>
|
|
-## <param name="domain_prefix">
|
|
+## <param name="prefix">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## Prefix for the domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`virt_domain_template',`
|
|
gen_require(`
|
|
- attribute_role virt_domain_roles;
|
|
- attribute virt_image_type, virt_domain, virt_tmpfs_type;
|
|
- attribute virt_ptynode, virt_tmp_type;
|
|
+ attribute virt_image_type, virt_domain;
|
|
+ attribute virt_tmpfs_type;
|
|
+ attribute virt_ptynode;
|
|
+ type qemu_exec_t;
|
|
')
|
|
|
|
- ########################################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
-
|
|
type $1_t, virt_domain;
|
|
- application_type($1_t)
|
|
- qemu_entry_type($1_t)
|
|
+ application_domain($1_t, qemu_exec_t)
|
|
domain_user_exemption_target($1_t)
|
|
mls_rangetrans_target($1_t)
|
|
mcs_constrained($1_t)
|
|
- role virt_domain_roles types $1_t;
|
|
+ role system_r types $1_t;
|
|
|
|
type $1_devpts_t, virt_ptynode;
|
|
term_pty($1_devpts_t)
|
|
|
|
- type $1_tmp_t, virt_tmp_type;
|
|
- files_tmp_file($1_tmp_t)
|
|
-
|
|
- type $1_tmpfs_t, virt_tmpfs_type;
|
|
- files_tmpfs_file($1_tmpfs_t)
|
|
+ kernel_read_system_state($1_t)
|
|
|
|
- optional_policy(`
|
|
- pulseaudio_tmpfs_content($1_tmpfs_t)
|
|
- ')
|
|
+ auth_read_passwd($1_t)
|
|
|
|
- type $1_image_t, virt_image_type;
|
|
- files_type($1_image_t)
|
|
- dev_node($1_image_t)
|
|
- dev_associate_sysfs($1_image_t)
|
|
+ logging_send_syslog_msg($1_t)
|
|
|
|
- ########################################
|
|
- #
|
|
- # Policy
|
|
- #
|
|
-
|
|
- allow $1_t $1_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms };
|
|
+ allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
|
|
term_create_pty($1_t, $1_devpts_t)
|
|
-
|
|
- manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
|
|
- manage_files_pattern($1_t, $1_image_t, $1_image_t)
|
|
- manage_fifo_files_pattern($1_t, $1_image_t, $1_image_t)
|
|
- read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
|
|
- manage_sock_files_pattern($1_t, $1_image_t, $1_image_t)
|
|
- rw_chr_files_pattern($1_t, $1_image_t, $1_image_t)
|
|
- rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
|
|
- fs_hugetlbfs_filetrans($1_t, $1_image_t, file)
|
|
-
|
|
- manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
|
|
- manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
|
|
- manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
|
|
- files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
|
|
-
|
|
- manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
|
|
- manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
|
|
- manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
|
|
- fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
|
|
-
|
|
- optional_policy(`
|
|
- pulseaudio_run($1_t, virt_domain_roles)
|
|
- ')
|
|
-
|
|
- optional_policy(`
|
|
- xserver_rw_shm($1_t)
|
|
- ')
|
|
-')
|
|
-
|
|
-#######################################
|
|
-## <summary>
|
|
-## The template to define a virt lxc domain.
|
|
-## </summary>
|
|
-## <param name="domain_prefix">
|
|
-## <summary>
|
|
-## Domain prefix to be used.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-template(`virt_lxc_domain_template',`
|
|
- gen_require(`
|
|
- attribute_role svirt_lxc_domain_roles;
|
|
- attribute svirt_lxc_domain;
|
|
- ')
|
|
-
|
|
- type $1_t, svirt_lxc_domain;
|
|
- domain_type($1_t)
|
|
- domain_user_exemption_target($1_t)
|
|
- mls_rangetrans_target($1_t)
|
|
- mcs_constrained($1_t)
|
|
- role svirt_lxc_domain_roles types $1_t;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Make the specified type virt image type.
|
|
+## Make the specified type usable as a virt image
|
|
## </summary>
|
|
## <param name="type">
|
|
## <summary>
|
|
-## Type to be used as a virtual image.
|
|
+## Type to be used as a virtual image
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
@@ -125,31 +56,32 @@ interface(`virt_image',`
|
|
|
|
typeattribute $1 virt_image_type;
|
|
files_type($1)
|
|
+
|
|
+ # virt images can be assigned to blk devices
|
|
dev_node($1)
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Execute a domain transition to run virtd.
|
|
+## Getattr on virt executable.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_domtrans',`
|
|
- gen_require(`
|
|
- type virtd_t, virtd_exec_t;
|
|
- ')
|
|
+interface(`virt_getattr_exec',`
|
|
+ gen_require(`
|
|
+ type virtd_exec_t;
|
|
+ ')
|
|
|
|
- corecmd_search_bin($1)
|
|
- domtrans_pattern($1, virtd_exec_t, virtd_t)
|
|
+ allow $1 virtd_exec_t:file getattr;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a domain transition to run virt qmf.
|
|
+## Execute a domain transition to run virt.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -157,162 +89,71 @@ interface(`virt_domtrans',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_domtrans_qmf',`
|
|
+interface(`virt_domtrans',`
|
|
gen_require(`
|
|
- type virt_qmf_t, virt_qmf_exec_t;
|
|
+ type virtd_t, virtd_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
- domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
|
|
+ domtrans_pattern($1, virtd_exec_t, virtd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a domain transition to
|
|
-## run virt bridgehelper.
|
|
+## Execute virtd in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed to transition.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_domtrans_bridgehelper',`
|
|
+interface(`virt_exec',`
|
|
gen_require(`
|
|
- type virt_bridgehelper_t, virt_bridgehelper_exec_t;
|
|
+ type virtd_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
- domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
|
|
+ can_exec($1, virtd_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute bridgehelper in the bridgehelper
|
|
-## domain, and allow the specified role
|
|
-## the bridgehelper domain.
|
|
+## Transition to virt_qmf.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`virt_run_bridgehelper',`
|
|
- gen_require(`
|
|
- attribute_role virt_bridgehelper_roles;
|
|
- ')
|
|
-
|
|
- virt_domtrans_bridgehelper($1)
|
|
- roleattribute $2 virt_bridgehelper_roles;
|
|
-')
|
|
-
|
|
-########################################
|
|
## <summary>
|
|
-## Execute virt domain in the their
|
|
-## domain, and allow the specified
|
|
-## role that virt domain.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
## Domain allowed to transition.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`virt_run_virt_domain',`
|
|
- gen_require(`
|
|
- attribute virt_domain;
|
|
- attribute_role virt_domain_roles;
|
|
- ')
|
|
-
|
|
- allow $1 virt_domain:process { signal transition };
|
|
- roleattribute $2 virt_domain_roles;
|
|
-
|
|
- allow virt_domain $1:fd use;
|
|
- allow virt_domain $1:fifo_file rw_fifo_file_perms;
|
|
- allow virt_domain $1:process sigchld;
|
|
-')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Send generic signals to all virt domains.
|
|
## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_signal_all_virt_domains',`
|
|
+interface(`virt_domtrans_qmf',`
|
|
gen_require(`
|
|
- attribute virt_domain;
|
|
+ type virt_qmf_t, virt_qmf_exec_t;
|
|
')
|
|
|
|
- allow $1 virt_domain:process signal;
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, virt_qmf_exec_t, virt_qmf_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send kill signals to all virt domains.
|
|
+## Transition to virt_bridgehelper.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`virt_kill_all_virt_domains',`
|
|
- gen_require(`
|
|
- attribute virt_domain;
|
|
- ')
|
|
-
|
|
- allow $1 virt_domain:process sigkill;
|
|
-')
|
|
-
|
|
-########################################
|
|
## <summary>
|
|
-## Execute svirt lxc domains in their
|
|
-## domain, and allow the specified
|
|
-## role that svirt lxc domain.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed to transition.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
## </param>
|
|
-#
|
|
-interface(`virt_run_svirt_lxc_domain',`
|
|
+interface(`virt_domtrans_bridgehelper',`
|
|
gen_require(`
|
|
- attribute svirt_lxc_domain;
|
|
- attribute_role svirt_lxc_domain_roles;
|
|
+ type virt_bridgehelper_t, virt_bridgehelper_exec_t;
|
|
')
|
|
|
|
- allow $1 svirt_lxc_domain:process { signal transition };
|
|
- roleattribute $2 svirt_lxc_domain_roles;
|
|
-
|
|
- allow svirt_lxc_domain $1:fd use;
|
|
- allow svirt_lxc_domain $1:fifo_file rw_fifo_file_perms;
|
|
- allow svirt_lxc_domain $1:process sigchld;
|
|
+ domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Get attributes of virtd executable files.
|
|
+## Connect to virt over a unix domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -320,18 +161,18 @@ interface(`virt_run_svirt_lxc_domain',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_getattr_virtd_exec_files',`
|
|
+interface(`virt_stream_connect',`
|
|
gen_require(`
|
|
- type virtd_exec_t;
|
|
+ type virtd_t, virt_var_run_t;
|
|
')
|
|
|
|
- allow $1 virtd_exec_t:file getattr_file_perms;
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Connect to virt with a unix
|
|
-## domain stream socket.
|
|
+## Connect to svirt process over a unix domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -339,18 +180,17 @@ interface(`virt_getattr_virtd_exec_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_stream_connect',`
|
|
+interface(`virt_stream_connect_svirt',`
|
|
gen_require(`
|
|
- type virtd_t, virt_var_run_t;
|
|
+ type svirt_t;
|
|
')
|
|
|
|
- files_search_pids($1)
|
|
- stream_connect_pattern($1, virt_var_run_t, virt_var_run_t, virtd_t)
|
|
+ allow $1 svirt_t:unix_stream_socket connectto;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Attach to virt tun devices.
|
|
+## Allow domain to attach to virt TUN devices
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -369,7 +209,7 @@ interface(`virt_attach_tun_iface',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read virt configuration content.
|
|
+## Read virt config files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -383,7 +223,6 @@ interface(`virt_read_config',`
|
|
')
|
|
|
|
files_search_etc($1)
|
|
- allow $1 { virt_etc_t virt_etc_rw_t }:dir list_dir_perms;
|
|
read_files_pattern($1, virt_etc_t, virt_etc_t)
|
|
read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
|
|
read_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
|
|
@@ -391,8 +230,7 @@ interface(`virt_read_config',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## virt configuration content.
|
|
+## manage virt config files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -406,7 +244,6 @@ interface(`virt_manage_config',`
|
|
')
|
|
|
|
files_search_etc($1)
|
|
- allow $1 { virt_etc_t virt_etc_rw_t }:dir manage_dir_perms;
|
|
manage_files_pattern($1, virt_etc_t, virt_etc_t)
|
|
manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
|
|
manage_lnk_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t)
|
|
@@ -414,8 +251,7 @@ interface(`virt_manage_config',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## virt image files.
|
|
+## Allow domain to manage virt image files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -450,8 +286,7 @@ interface(`virt_read_content',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## virt content.
|
|
+## Allow domain to write virt image files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -459,35 +294,17 @@ interface(`virt_read_content',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_manage_virt_content',`
|
|
+interface(`virt_write_content',`
|
|
gen_require(`
|
|
type virt_content_t;
|
|
')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 virt_content_t:dir manage_dir_perms;
|
|
- allow $1 virt_content_t:file manage_file_perms;
|
|
- allow $1 virt_content_t:fifo_file manage_fifo_file_perms;
|
|
- allow $1 virt_content_t:lnk_file manage_lnk_file_perms;
|
|
- allow $1 virt_content_t:sock_file manage_sock_file_perms;
|
|
- allow $1 virt_content_t:blk_file manage_blk_file_perms;
|
|
-
|
|
- tunable_policy(`virt_use_nfs',`
|
|
- fs_manage_nfs_dirs($1)
|
|
- fs_manage_nfs_files($1)
|
|
- fs_manage_nfs_symlinks($1)
|
|
- ')
|
|
-
|
|
- tunable_policy(`virt_use_samba',`
|
|
- fs_manage_cifs_dirs($1)
|
|
- fs_manage_cifs_files($1)
|
|
- fs_manage_cifs_symlinks($1)
|
|
- ')
|
|
+ allow $1 virt_content_t:file write_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Relabel virt content.
|
|
+## Read virt PID symlinks files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -495,53 +312,37 @@ interface(`virt_manage_virt_content',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_relabel_virt_content',`
|
|
+interface(`virt_read_pid_symlinks',`
|
|
gen_require(`
|
|
- type virt_content_t;
|
|
+ type virt_var_run_t;
|
|
')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 virt_content_t:dir relabel_dir_perms;
|
|
- allow $1 virt_content_t:file relabel_file_perms;
|
|
- allow $1 virt_content_t:fifo_file relabel_fifo_file_perms;
|
|
- allow $1 virt_content_t:lnk_file relabel_lnk_file_perms;
|
|
- allow $1 virt_content_t:sock_file relabel_sock_file_perms;
|
|
- allow $1 virt_content_t:blk_file relabel_blk_file_perms;
|
|
+ files_search_pids($1)
|
|
+ read_lnk_files_pattern($1, virt_var_run_t, virt_var_run_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create specified objects in user home
|
|
-## directories with the virt content type.
|
|
+## Read virt PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
#
|
|
-interface(`virt_home_filetrans_virt_content',`
|
|
+interface(`virt_read_pid_files',`
|
|
gen_require(`
|
|
- type virt_content_t;
|
|
+ type virt_var_run_t;
|
|
')
|
|
|
|
- virt_home_filetrans($1, virt_content_t, $2, $3)
|
|
+ files_search_pids($1)
|
|
+ read_files_pattern($1, virt_var_run_t, virt_var_run_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## svirt home content.
|
|
+## Manage virt pid directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -549,34 +350,21 @@ interface(`virt_home_filetrans_virt_content',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_manage_svirt_home_content',`
|
|
+interface(`virt_manage_pid_dirs',`
|
|
gen_require(`
|
|
- type svirt_home_t;
|
|
- ')
|
|
-
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 svirt_home_t:dir manage_dir_perms;
|
|
- allow $1 svirt_home_t:file manage_file_perms;
|
|
- allow $1 svirt_home_t:fifo_file manage_fifo_file_perms;
|
|
- allow $1 svirt_home_t:lnk_file manage_lnk_file_perms;
|
|
- allow $1 svirt_home_t:sock_file manage_sock_file_perms;
|
|
-
|
|
- tunable_policy(`virt_use_nfs',`
|
|
- fs_manage_nfs_dirs($1)
|
|
- fs_manage_nfs_files($1)
|
|
- fs_manage_nfs_symlinks($1)
|
|
+ type virt_var_run_t;
|
|
+ type virt_lxc_var_run_t;
|
|
')
|
|
|
|
- tunable_policy(`virt_use_samba',`
|
|
- fs_manage_cifs_dirs($1)
|
|
- fs_manage_cifs_files($1)
|
|
- fs_manage_cifs_symlinks($1)
|
|
- ')
|
|
+ files_search_pids($1)
|
|
+ manage_dirs_pattern($1, virt_var_run_t, virt_var_run_t)
|
|
+ manage_dirs_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
|
+ virt_filetrans_named_content($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Relabel svirt home content.
|
|
+## Manage virt pid files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -584,32 +372,36 @@ interface(`virt_manage_svirt_home_content',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_relabel_svirt_home_content',`
|
|
+interface(`virt_manage_pid_files',`
|
|
gen_require(`
|
|
- type svirt_home_t;
|
|
+ type virt_var_run_t;
|
|
+ type virt_lxc_var_run_t;
|
|
')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 svirt_home_t:dir relabel_dir_perms;
|
|
- allow $1 svirt_home_t:file relabel_file_perms;
|
|
- allow $1 svirt_home_t:fifo_file relabel_fifo_file_perms;
|
|
- allow $1 svirt_home_t:lnk_file relabel_lnk_file_perms;
|
|
- allow $1 svirt_home_t:sock_file relabel_sock_file_perms;
|
|
+ files_search_pids($1)
|
|
+ manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
|
|
+ manage_files_pattern($1, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create specified objects in user home
|
|
-## directories with the svirt home type.
|
|
+## Create objects in the pid directory
|
|
+## with a private type with a type transition.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="object_class">
|
|
+## <param name="file">
|
|
+## <summary>
|
|
+## Type to which the created node will be transitioned.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="class">
|
|
## <summary>
|
|
-## Class of the object being created.
|
|
+## Object class(es) (single or set including {}) for which this
|
|
+## the transition will occur.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="name" optional="true">
|
|
@@ -618,54 +410,36 @@ interface(`virt_relabel_svirt_home_content',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_home_filetrans_svirt_home',`
|
|
+interface(`virt_pid_filetrans',`
|
|
gen_require(`
|
|
- type svirt_home_t;
|
|
+ type virt_var_run_t;
|
|
')
|
|
|
|
- virt_home_filetrans($1, svirt_home_t, $2, $3)
|
|
+ filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create specified objects in generic
|
|
-## virt home directories with private
|
|
-## home type.
|
|
+## Search virt lib directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="private_type">
|
|
-## <summary>
|
|
-## Private file type.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
#
|
|
-interface(`virt_home_filetrans',`
|
|
+interface(`virt_search_lib',`
|
|
gen_require(`
|
|
- type virt_home_t;
|
|
+ type virt_var_lib_t;
|
|
')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
- filetrans_pattern($1, virt_home_t, $2, $3, $4)
|
|
+ allow $1 virt_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## virt home files.
|
|
+## Read virt lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -673,54 +447,38 @@ interface(`virt_home_filetrans',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_manage_home_files',`
|
|
+interface(`virt_read_lib_files',`
|
|
gen_require(`
|
|
- type virt_home_t;
|
|
+ type virt_var_lib_t;
|
|
')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
- manage_files_pattern($1, virt_home_t, virt_home_t)
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
|
|
+ read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## virt home content.
|
|
+## Dontaudit inherited read virt lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_manage_generic_virt_home_content',`
|
|
+interface(`virt_dontaudit_read_lib_files',`
|
|
gen_require(`
|
|
- type virt_home_t;
|
|
- ')
|
|
-
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 virt_home_t:dir manage_dir_perms;
|
|
- allow $1 virt_home_t:file manage_file_perms;
|
|
- allow $1 virt_home_t:fifo_file manage_fifo_file_perms;
|
|
- allow $1 virt_home_t:lnk_file manage_lnk_file_perms;
|
|
- allow $1 virt_home_t:sock_file manage_sock_file_perms;
|
|
-
|
|
- tunable_policy(`virt_use_nfs',`
|
|
- fs_manage_nfs_dirs($1)
|
|
- fs_manage_nfs_files($1)
|
|
- fs_manage_nfs_symlinks($1)
|
|
+ type virt_var_lib_t;
|
|
')
|
|
|
|
- tunable_policy(`virt_use_samba',`
|
|
- fs_manage_cifs_dirs($1)
|
|
- fs_manage_cifs_files($1)
|
|
- fs_manage_cifs_symlinks($1)
|
|
- ')
|
|
+ dontaudit $1 virt_var_lib_t:file read_inherited_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Relabel virt home content.
|
|
+## Create, read, write, and delete
|
|
+## virt lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -728,52 +486,39 @@ interface(`virt_manage_generic_virt_home_content',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_relabel_generic_virt_home_content',`
|
|
+interface(`virt_manage_lib_files',`
|
|
gen_require(`
|
|
- type virt_home_t;
|
|
+ type virt_var_lib_t;
|
|
')
|
|
|
|
- userdom_search_user_home_dirs($1)
|
|
- allow $1 virt_home_t:dir relabel_dir_perms;
|
|
- allow $1 virt_home_t:file relabel_file_perms;
|
|
- allow $1 virt_home_t:fifo_file relabel_fifo_file_perms;
|
|
- allow $1 virt_home_t:lnk_file relabel_lnk_file_perms;
|
|
- allow $1 virt_home_t:sock_file relabel_sock_file_perms;
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create specified objects in user home
|
|
-## directories with the generic virt
|
|
-## home type.
|
|
+## Allow the specified domain to read virt's log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="object_class">
|
|
-## <summary>
|
|
-## Class of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="name" optional="true">
|
|
-## <summary>
|
|
-## The name of the object being created.
|
|
-## </summary>
|
|
-## </param>
|
|
+## <rolecap/>
|
|
#
|
|
-interface(`virt_home_filetrans_virt_home',`
|
|
+interface(`virt_read_log',`
|
|
gen_require(`
|
|
- type virt_home_t;
|
|
+ type virt_log_t;
|
|
')
|
|
|
|
- userdom_user_home_dir_filetrans($1, virt_home_t, $2, $3)
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, virt_log_t, virt_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read virt pid files.
|
|
+## Allow the specified domain to append
|
|
+## virt log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -781,19 +526,18 @@ interface(`virt_home_filetrans_virt_home',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_read_pid_files',`
|
|
+interface(`virt_append_log',`
|
|
gen_require(`
|
|
- type virt_var_run_t;
|
|
+ type virt_log_t;
|
|
')
|
|
|
|
- files_search_pids($1)
|
|
- read_files_pattern($1, virt_var_run_t, virt_var_run_t)
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, virt_log_t, virt_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## virt pid files.
|
|
+## Allow domain to manage virt log files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -801,18 +545,19 @@ interface(`virt_read_pid_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_manage_pid_files',`
|
|
+interface(`virt_manage_log',`
|
|
gen_require(`
|
|
- type virt_var_run_t;
|
|
+ type virt_log_t;
|
|
')
|
|
|
|
- files_search_pids($1)
|
|
- manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
|
|
+ manage_dirs_pattern($1, virt_log_t, virt_log_t)
|
|
+ manage_files_pattern($1, virt_log_t, virt_log_t)
|
|
+ manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Search virt lib directories.
|
|
+## Allow domain to search virt image direcories
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -820,18 +565,18 @@ interface(`virt_manage_pid_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_search_lib',`
|
|
+interface(`virt_search_images',`
|
|
gen_require(`
|
|
- type virt_var_lib_t;
|
|
+ attribute virt_image_type;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
- allow $1 virt_var_lib_t:dir search_dir_perms;
|
|
+ virt_search_lib($1)
|
|
+ allow $1 virt_image_type:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read virt lib files.
|
|
+## Allow domain to read virt image files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -839,20 +584,73 @@ interface(`virt_search_lib',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_read_lib_files',`
|
|
+interface(`virt_read_images',`
|
|
gen_require(`
|
|
type virt_var_lib_t;
|
|
+ attribute virt_image_type;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
- read_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
|
|
- read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
|
|
+ virt_search_lib($1)
|
|
+ allow $1 virt_image_type:dir list_dir_perms;
|
|
+ list_dirs_pattern($1, virt_image_type, virt_image_type)
|
|
+ read_files_pattern($1, virt_image_type, virt_image_type)
|
|
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
|
|
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
|
|
+ read_chr_files_pattern($1, virt_image_type, virt_image_type)
|
|
+
|
|
+ tunable_policy(`virt_use_nfs',`
|
|
+ fs_list_nfs($1)
|
|
+ fs_read_nfs_files($1)
|
|
+ fs_read_nfs_symlinks($1)
|
|
+ ')
|
|
+
|
|
+ tunable_policy(`virt_use_samba',`
|
|
+ fs_list_cifs($1)
|
|
+ fs_read_cifs_files($1)
|
|
+ fs_read_cifs_symlinks($1)
|
|
+ ')
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow domain to read virt blk image files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`virt_read_blk_images',`
|
|
+ gen_require(`
|
|
+ attribute virt_image_type;
|
|
+ ')
|
|
+
|
|
+ read_blk_files_pattern($1, virt_image_type, virt_image_type)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow domain to read/write virt image chr files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`virt_rw_chr_files',`
|
|
+ gen_require(`
|
|
+ attribute virt_image_type;
|
|
+ ')
|
|
+
|
|
+ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Create, read, write, and delete
|
|
-## virt lib files.
|
|
+## svirt cache files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -860,94 +658,189 @@ interface(`virt_read_lib_files',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_manage_lib_files',`
|
|
+interface(`virt_manage_cache',`
|
|
gen_require(`
|
|
- type virt_var_lib_t;
|
|
+ type virt_cache_t;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
- manage_files_pattern($1, virt_var_lib_t, virt_var_lib_t)
|
|
+ files_search_var($1)
|
|
+ manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
|
|
+ manage_files_pattern($1, virt_cache_t, virt_cache_t)
|
|
+ manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create objects in virt pid
|
|
-## directories with a private type.
|
|
+## Allow domain to manage virt image files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="private type">
|
|
+#
|
|
+interface(`virt_manage_images',`
|
|
+ gen_require(`
|
|
+ type virt_var_lib_t;
|
|
+ attribute virt_image_type;
|
|
+ ')
|
|
+
|
|
+ virt_search_lib($1)
|
|
+ allow $1 virt_image_type:dir list_dir_perms;
|
|
+ manage_dirs_pattern($1, virt_image_type, virt_image_type)
|
|
+ manage_files_pattern($1, virt_image_type, virt_image_type)
|
|
+ read_lnk_files_pattern($1, virt_image_type, virt_image_type)
|
|
+ rw_blk_files_pattern($1, virt_image_type, virt_image_type)
|
|
+ rw_chr_files_pattern($1, virt_image_type, virt_image_type)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Allow domain to manage virt image files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`virt_manage_default_image_type',`
|
|
+ gen_require(`
|
|
+ type virt_var_lib_t;
|
|
+ type virt_image_t;
|
|
+ ')
|
|
+
|
|
+ virt_search_lib($1)
|
|
+ manage_dirs_pattern($1, virt_image_t, virt_image_t)
|
|
+ manage_files_pattern($1, virt_image_t, virt_image_t)
|
|
+ read_lnk_files_pattern($1, virt_image_t, virt_image_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute virt server in the virt domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## The type of the object to be created.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="object">
|
|
+#
|
|
+interface(`virt_systemctl',`
|
|
+ gen_require(`
|
|
+ type virtd_unit_file_t;
|
|
+ type virtd_t;
|
|
+ ')
|
|
+
|
|
+ systemd_exec_systemctl($1)
|
|
+ allow $1 virtd_unit_file_t:file read_file_perms;
|
|
+ allow $1 virtd_unit_file_t:service manage_service_perms;
|
|
+
|
|
+ ps_process_pattern($1, virtd_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Ptrace the svirt domain
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## The object class of the object being created.
|
|
+## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="name" optional="true">
|
|
+#
|
|
+interface(`virt_ptrace',`
|
|
+ gen_require(`
|
|
+ attribute virt_domain;
|
|
+ ')
|
|
+
|
|
+ allow $1 virt_domain:process ptrace;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
+## Connect to virt over a unix domain stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
## <summary>
|
|
-## The name of the object being created.
|
|
+## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <infoflow type="write" weight="10"/>
|
|
#
|
|
-interface(`virt_pid_filetrans',`
|
|
+interface(`virt_stream_connect_sandbox',`
|
|
gen_require(`
|
|
- type virt_var_run_t;
|
|
+ attribute svirt_sandbox_domain;
|
|
+ type svirt_sandbox_file_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
- filetrans_pattern($1, virt_var_run_t, $2, $3, $4)
|
|
+ stream_connect_pattern($1, svirt_sandbox_file_t, svirt_sandbox_file_t, svirt_sandbox_domain)
|
|
+ ps_process_pattern(svirt_sandbox_domain, $1)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read virt log files.
|
|
+## Execute qemu in the svirt domain, and
|
|
+## allow the specified role the svirt domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed the sandbox domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
-interface(`virt_read_log',`
|
|
+interface(`virt_transition_svirt',`
|
|
gen_require(`
|
|
- type virt_log_t;
|
|
+ attribute virt_domain;
|
|
+ type virt_bridgehelper_t;
|
|
+ type svirt_image_t;
|
|
+ type svirt_socket_t;
|
|
')
|
|
|
|
- logging_search_logs($1)
|
|
- read_files_pattern($1, virt_log_t, virt_log_t)
|
|
+ allow $1 virt_domain:process transition;
|
|
+ role $2 types virt_domain;
|
|
+ role $2 types virt_bridgehelper_t;
|
|
+ role $2 types svirt_socket_t;
|
|
+
|
|
+ allow $1 virt_domain:process { sigkill sigstop signull signal };
|
|
+ allow $1 svirt_image_t:file { relabelfrom relabelto };
|
|
+ allow $1 svirt_image_t:fifo_file { read_fifo_file_perms relabelto };
|
|
+ allow $1 svirt_image_t:sock_file { create_sock_file_perms relabelto };
|
|
+ allow $1 svirt_socket_t:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+ optional_policy(`
|
|
+ ptchown_run(virt_domain, $2)
|
|
+ ')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Append virt log files.
|
|
+## Do not audit attempts to write virt daemon unnamed pipes.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_append_log',`
|
|
+interface(`virt_dontaudit_write_pipes',`
|
|
gen_require(`
|
|
- type virt_log_t;
|
|
+ type virtd_t;
|
|
')
|
|
|
|
- logging_search_logs($1)
|
|
- append_files_pattern($1, virt_log_t, virt_log_t)
|
|
+ dontaudit $1 virtd_t:fd use;
|
|
+ dontaudit $1 virtd_t:fifo_file write_fifo_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## virt log files.
|
|
+## Send a sigkill to virtual machines
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -955,20 +848,17 @@ interface(`virt_append_log',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_manage_log',`
|
|
+interface(`virt_kill_svirt',`
|
|
gen_require(`
|
|
- type virt_log_t;
|
|
+ attribute virt_domain;
|
|
')
|
|
|
|
- logging_search_logs($1)
|
|
- manage_dirs_pattern($1, virt_log_t, virt_log_t)
|
|
- manage_files_pattern($1, virt_log_t, virt_log_t)
|
|
- manage_lnk_files_pattern($1, virt_log_t, virt_log_t)
|
|
+ allow $1 virt_domain:process sigkill;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Search virt image directories.
|
|
+## Send a sigkill to virtd daemon.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -976,18 +866,17 @@ interface(`virt_manage_log',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_search_images',`
|
|
+interface(`virt_kill',`
|
|
gen_require(`
|
|
- attribute virt_image_type;
|
|
+ type virtd_t;
|
|
')
|
|
|
|
- virt_search_lib($1)
|
|
- allow $1 virt_image_type:dir search_dir_perms;
|
|
+ allow $1 virtd_t:process sigkill;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read virt image files.
|
|
+## Send a signal to virtual machines
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -995,73 +884,75 @@ interface(`virt_search_images',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_read_images',`
|
|
+interface(`virt_signal_svirt',`
|
|
gen_require(`
|
|
- type virt_var_lib_t;
|
|
- attribute virt_image_type;
|
|
+ attribute virt_domain;
|
|
')
|
|
|
|
- virt_search_lib($1)
|
|
- allow $1 virt_image_type:dir list_dir_perms;
|
|
- list_dirs_pattern($1, virt_image_type, virt_image_type)
|
|
- read_files_pattern($1, virt_image_type, virt_image_type)
|
|
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
|
|
- read_blk_files_pattern($1, virt_image_type, virt_image_type)
|
|
+ allow $1 virt_domain:process signal;
|
|
+')
|
|
|
|
- tunable_policy(`virt_use_nfs',`
|
|
- fs_list_nfs($1)
|
|
- fs_read_nfs_files($1)
|
|
- fs_read_nfs_symlinks($1)
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage virt home files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`virt_manage_home_files',`
|
|
+ gen_require(`
|
|
+ type virt_home_t;
|
|
')
|
|
|
|
- tunable_policy(`virt_use_samba',`
|
|
- fs_list_cifs($1)
|
|
- fs_read_cifs_files($1)
|
|
- fs_read_cifs_symlinks($1)
|
|
- ')
|
|
+ userdom_search_user_home_dirs($1)
|
|
+ manage_files_pattern($1, virt_home_t, virt_home_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write all virt image
|
|
-## character files.
|
|
+## allow domain to read
|
|
+## virt tmpfs files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_rw_all_image_chr_files',`
|
|
+interface(`virt_read_tmpfs_files',`
|
|
gen_require(`
|
|
- attribute virt_image_type;
|
|
+ attribute virt_tmpfs_type;
|
|
')
|
|
|
|
- virt_search_lib($1)
|
|
- allow $1 virt_image_type:dir list_dir_perms;
|
|
- rw_chr_files_pattern($1, virt_image_type, virt_image_type)
|
|
+ allow $1 virt_tmpfs_type:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## svirt cache files.
|
|
+## allow domain to manage
|
|
+## virt tmpfs files
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
-## Domain allowed access.
|
|
+## Domain allowed access
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_manage_svirt_cache',`
|
|
- refpolicywarn(`$0($*) has been deprecated, use virt_manage_virt_cache() instead.')
|
|
- virt_manage_virt_cache($1)
|
|
+interface(`virt_manage_tmpfs_files',`
|
|
+ gen_require(`
|
|
+ attribute virt_tmpfs_type;
|
|
+ ')
|
|
+
|
|
+ allow $1 virt_tmpfs_type:file manage_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## virt cache content.
|
|
+## Create .virt directory in the user home directory
|
|
+## with an correct label.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -1069,21 +960,28 @@ interface(`virt_manage_svirt_cache',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_manage_virt_cache',`
|
|
+interface(`virt_filetrans_home_content',`
|
|
gen_require(`
|
|
- type virt_cache_t;
|
|
+ type virt_home_t;
|
|
+ type svirt_home_t;
|
|
')
|
|
|
|
- files_search_var($1)
|
|
- manage_dirs_pattern($1, virt_cache_t, virt_cache_t)
|
|
- manage_files_pattern($1, virt_cache_t, virt_cache_t)
|
|
- manage_lnk_files_pattern($1, virt_cache_t, virt_cache_t)
|
|
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".libvirt")
|
|
+ userdom_user_home_dir_filetrans($1, virt_home_t, dir, ".virtinst")
|
|
+ filetrans_pattern($1, virt_home_t, svirt_home_t, dir, "qemu")
|
|
+
|
|
+ optional_policy(`
|
|
+ gnome_config_filetrans($1, virt_home_t, dir, "libvirt")
|
|
+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt")
|
|
+ gnome_cache_filetrans($1, virt_home_t, dir, "libvirt-sandbox")
|
|
+ gnome_cache_filetrans($1, virt_home_t, dir, "gnome-boxes")
|
|
+ gnome_data_filetrans($1, svirt_home_t, dir, "images")
|
|
+ ')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## virt image files.
|
|
+## Dontaudit attempts to Read virt_image_type devices.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -1091,36 +989,148 @@ interface(`virt_manage_virt_cache',`
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`virt_manage_images',`
|
|
+interface(`virt_dontaudit_read_chr_dev',`
|
|
gen_require(`
|
|
- type virt_var_lib_t;
|
|
attribute virt_image_type;
|
|
')
|
|
|
|
- virt_search_lib($1)
|
|
- allow $1 virt_image_type:dir list_dir_perms;
|
|
- manage_dirs_pattern($1, virt_image_type, virt_image_type)
|
|
- manage_files_pattern($1, virt_image_type, virt_image_type)
|
|
- read_lnk_files_pattern($1, virt_image_type, virt_image_type)
|
|
- rw_blk_files_pattern($1, virt_image_type, virt_image_type)
|
|
+ dontaudit $1 virt_image_type:chr_file read_chr_file_perms;
|
|
+')
|
|
|
|
- tunable_policy(`virt_use_nfs',`
|
|
- fs_manage_nfs_dirs($1)
|
|
- fs_manage_nfs_files($1)
|
|
- fs_read_nfs_symlinks($1)
|
|
+########################################
|
|
+## <summary>
|
|
+## Creates types and rules for a basic
|
|
+## virt_lxc process domain.
|
|
+## </summary>
|
|
+## <param name="prefix">
|
|
+## <summary>
|
|
+## Prefix for the domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`virt_sandbox_domain_template',`
|
|
+ gen_require(`
|
|
+ attribute svirt_sandbox_domain;
|
|
')
|
|
|
|
- tunable_policy(`virt_use_samba',`
|
|
- fs_manage_cifs_files($1)
|
|
- fs_manage_cifs_files($1)
|
|
- fs_read_cifs_symlinks($1)
|
|
+ type $1_t, svirt_sandbox_domain;
|
|
+ domain_type($1_t)
|
|
+ domain_user_exemption_target($1_t)
|
|
+ mls_rangetrans_target($1_t)
|
|
+ mcs_constrained($1_t)
|
|
+ role system_r types $1_t;
|
|
+
|
|
+ kernel_read_system_state($1_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Make the specified type usable as a lxc domain
|
|
+## </summary>
|
|
+## <param name="type">
|
|
+## <summary>
|
|
+## Type to be used as a lxc domain
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+template(`virt_sandbox_domain',`
|
|
+ gen_require(`
|
|
+ attribute svirt_sandbox_domain;
|
|
+ ')
|
|
+
|
|
+ typeattribute $1 svirt_sandbox_domain;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute a qemu_exec_t in the callers domain
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`virt_exec_qemu',`
|
|
+ gen_require(`
|
|
+ type qemu_exec_t;
|
|
+ ')
|
|
+
|
|
+ can_exec($1, qemu_exec_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to virt named content
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`virt_filetrans_named_content',`
|
|
+ gen_require(`
|
|
+ type virt_lxc_var_run_t;
|
|
+ type virt_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_pid_filetrans($1, virt_lxc_var_run_t, dir, "libvirt-sandbox")
|
|
+ files_pid_filetrans($1, virt_var_run_t, dir, "libvirt")
|
|
+ files_pid_filetrans($1, virt_var_run_t, dir, "libguestfs")
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute qemu in the svirt domain, and
|
|
+## allow the specified role the svirt domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## The role to be allowed the sandbox domain.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`virt_transition_svirt_sandbox',`
|
|
+ gen_require(`
|
|
+ attribute svirt_sandbox_domain;
|
|
+ ')
|
|
+
|
|
+ allow $1 svirt_sandbox_domain:process transition;
|
|
+ role $2 types svirt_sandbox_domain;
|
|
+ allow $1 svirt_sandbox_domain:unix_dgram_socket sendto;
|
|
+
|
|
+ allow svirt_sandbox_domain $1:process sigchld;
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read and write to svirt_image devices.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`virt_rw_svirt_dev',`
|
|
+ gen_require(`
|
|
+ type svirt_image_t;
|
|
')
|
|
+
|
|
+ allow $1 svirt_image_t:chr_file rw_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an virt environment.
|
|
+## All of the rules required to administrate
|
|
+## an virt environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -1136,50 +1146,36 @@ interface(`virt_manage_images',`
|
|
#
|
|
interface(`virt_admin',`
|
|
gen_require(`
|
|
- attribute virt_domain, virt_image_type, virt_tmpfs_type;
|
|
- attribute virt_ptynode, svirt_lxc_domain, virt_tmp_type;
|
|
- type virtd_t, virtd_initrc_exec_t, virtd_lxc_t;
|
|
- type virsh_t, virtd_lxc_var_run_t, svirt_lxc_file_t;
|
|
- type virt_bridgehelper_t, virt_qmf_t, virt_var_lib_t;
|
|
- type virt_var_run_t, virt_tmp_t, virt_log_t;
|
|
- type virt_lock_t, svirt_var_run_t, virt_etc_rw_t;
|
|
- type virt_etc_t, svirt_cache_t, virtd_keytab_t;
|
|
+ attribute virt_domain;
|
|
+ attribute virt_system_domain;
|
|
+ attribute svirt_file_type;
|
|
+ attribute virt_file_type;
|
|
+ type virtd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 { virt_domain svirt_lxc_domain virtd_t }:process { ptrace signal_perms };
|
|
- allow $1 { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { virt_domain svirt_lxc_domain virtd_t })
|
|
- ps_process_pattern($1, { virtd_lxc_t virsh_t virt_bridgehelper_t virt_qmf_t })
|
|
+ allow $1 virt_system_domain:process signal_perms;
|
|
+ allow $1 virt_domain:process signal_perms;
|
|
+ ps_process_pattern($1, virt_system_domain)
|
|
+ ps_process_pattern($1, virt_domain)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 virt_system_domain:process ptrace;
|
|
+ allow $1 virt_domain:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, virtd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 virtd_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
- fs_search_tmpfs($1)
|
|
- admin_pattern($1, virt_tmpfs_type)
|
|
-
|
|
- files_search_tmp($1)
|
|
- admin_pattern($1, { virt_tmp_type virt_tmp_t })
|
|
-
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, { virt_etc_t virt_etc_rw_t virtd_keytab_t })
|
|
-
|
|
- logging_search_logs($1)
|
|
- admin_pattern($1, virt_log_t)
|
|
+ allow $1 virt_domain:process signal_perms;
|
|
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, { virt_var_run_t virtd_lxc_var_run_t svirt_var_run_t })
|
|
-
|
|
- files_search_var($1)
|
|
- admin_pattern($1, svirt_cache_t)
|
|
-
|
|
- files_search_var_lib($1)
|
|
- admin_pattern($1, { virt_image_type virt_var_lib_t svirt_lxc_file_t })
|
|
+ admin_pattern($1, virt_file_type)
|
|
+ admin_pattern($1, svirt_file_type)
|
|
|
|
- files_search_locks($1)
|
|
- admin_pattern($1, virt_lock_t)
|
|
+ virt_systemctl($1)
|
|
+ allow $1 virtd_unit_file_t:service all_service_perms;
|
|
|
|
- dev_list_all_dev_nodes($1)
|
|
- allow $1 virt_ptynode:chr_file rw_term_perms;
|
|
+ virt_stream_connect_sandbox($1)
|
|
+ virt_stream_connect_svirt($1)
|
|
+ virt_stream_connect($1)
|
|
')
|
|
diff --git a/virt.te b/virt.te
|
|
index f03dcf5..007e3ca 100644
|
|
--- a/virt.te
|
|
+++ b/virt.te
|
|
@@ -1,150 +1,176 @@
|
|
-policy_module(virt, 1.7.4)
|
|
+policy_module(virt, 1.5.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
+gen_require(`
|
|
+ class passwd rootok;
|
|
+ class passwd passwd;
|
|
+ ')
|
|
+
|
|
+attribute virsh_transition_domain;
|
|
+attribute virt_ptynode;
|
|
+attribute virt_system_domain;
|
|
+attribute virt_domain;
|
|
+attribute virt_image_type;
|
|
+attribute virt_tmpfs_type;
|
|
+attribute svirt_file_type;
|
|
+attribute virt_file_type;
|
|
+attribute sandbox_net_domain;
|
|
+
|
|
+type svirt_tmp_t, svirt_file_type;
|
|
+files_tmp_file(svirt_tmp_t)
|
|
+
|
|
+type svirt_tmpfs_t, virt_tmpfs_type, svirt_file_type;
|
|
+files_tmpfs_file(svirt_tmpfs_t)
|
|
+
|
|
+type svirt_image_t, virt_image_type, svirt_file_type;
|
|
+files_type(svirt_image_t)
|
|
+dev_node(svirt_image_t)
|
|
+dev_associate_sysfs(svirt_image_t)
|
|
+
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether confined virtual guests
|
|
-## can use serial/parallel communication ports.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow confined virtual guests to use serial/parallel communication ports
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(virt_use_comm, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether confined virtual guests
|
|
-## can use executable memory and can make
|
|
-## their stack executable.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow virtual processes to run as userdomains
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(virt_transition_userdomain, false)
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow confined virtual guests to use executable memory and executable stack
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(virt_use_execmem, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether confined virtual guests
|
|
-## can use fuse file systems.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow confined virtual guests to read fuse files
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(virt_use_fusefs, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether confined virtual guests
|
|
-## can use nfs file systems.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow confined virtual guests to manage nfs files
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(virt_use_nfs, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether confined virtual guests
|
|
-## can use cifs file systems.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow confined virtual guests to manage cifs files
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(virt_use_samba, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether confined virtual guests
|
|
-## can manage device configuration.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow confined virtual guests to interact with the sanlock
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(virt_use_sysfs, false)
|
|
+gen_tunable(virt_use_sanlock, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether confined virtual guests
|
|
-## can use usb devices.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow confined virtual guests to interact with rawip sockets
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(virt_use_usb, false)
|
|
+gen_tunable(virt_use_rawip, false)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether confined virtual guests
|
|
-## can interact with xserver.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow confined virtual guests to interact with the xserver
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(virt_use_xserver, false)
|
|
|
|
-attribute virt_ptynode;
|
|
-attribute virt_domain;
|
|
-attribute virt_image_type;
|
|
-attribute virt_tmp_type;
|
|
-attribute virt_tmpfs_type;
|
|
-
|
|
-attribute svirt_lxc_domain;
|
|
-
|
|
-attribute_role virt_domain_roles;
|
|
-roleattribute system_r virt_domain_roles;
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow confined virtual guests to use usb devices
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(virt_use_usb, true)
|
|
|
|
-attribute_role virt_bridgehelper_roles;
|
|
-roleattribute system_r virt_bridgehelper_roles;
|
|
+virt_domain_template(svirt)
|
|
+role system_r types svirt_t;
|
|
+typealias svirt_t alias qemu_t;
|
|
|
|
-attribute_role svirt_lxc_domain_roles;
|
|
-roleattribute system_r svirt_lxc_domain_roles;
|
|
+virt_domain_template(svirt_tcg)
|
|
+role system_r types svirt_tcg_t;
|
|
|
|
-virt_domain_template(svirt)
|
|
-virt_domain_template(svirt_prot_exec)
|
|
+type qemu_exec_t, virt_file_type;
|
|
|
|
-type virt_cache_t alias svirt_cache_t;
|
|
+type virt_cache_t alias svirt_cache_t, virt_file_type;
|
|
files_type(virt_cache_t)
|
|
|
|
-type virt_etc_t;
|
|
+type virt_etc_t, virt_file_type;
|
|
files_config_file(virt_etc_t)
|
|
|
|
-type virt_etc_rw_t;
|
|
+type virt_etc_rw_t, virt_file_type;
|
|
files_type(virt_etc_rw_t)
|
|
|
|
-type virt_home_t;
|
|
+type virt_home_t, virt_file_type;
|
|
userdom_user_home_content(virt_home_t)
|
|
|
|
-type svirt_home_t;
|
|
+type svirt_home_t, svirt_file_type;
|
|
userdom_user_home_content(svirt_home_t)
|
|
|
|
-type svirt_var_run_t;
|
|
-files_pid_file(svirt_var_run_t)
|
|
-mls_trusted_object(svirt_var_run_t)
|
|
-
|
|
-type virt_image_t; # customizable
|
|
+# virt Image files
|
|
+type virt_image_t, virt_file_type; # customizable
|
|
virt_image(virt_image_t)
|
|
files_mountpoint(virt_image_t)
|
|
|
|
-type virt_content_t; # customizable
|
|
+# virt Image files
|
|
+type virt_content_t, virt_file_type; # customizable
|
|
virt_image(virt_content_t)
|
|
userdom_user_home_content(virt_content_t)
|
|
|
|
-type virt_lock_t;
|
|
-files_lock_file(virt_lock_t)
|
|
+type virt_tmp_t, virt_file_type;
|
|
+files_tmp_file(virt_tmp_t)
|
|
|
|
-type virt_log_t;
|
|
+type virt_log_t, virt_file_type;
|
|
logging_log_file(virt_log_t)
|
|
mls_trusted_object(virt_log_t)
|
|
|
|
-type virt_tmp_t;
|
|
-files_tmp_file(virt_tmp_t)
|
|
+type virt_lock_t, virt_file_type;
|
|
+files_lock_file(virt_lock_t)
|
|
|
|
-type virt_var_run_t;
|
|
+type virt_var_run_t, virt_file_type;
|
|
files_pid_file(virt_var_run_t)
|
|
|
|
-type virt_var_lib_t;
|
|
+type virt_var_lib_t, virt_file_type;
|
|
files_mountpoint(virt_var_lib_t)
|
|
|
|
-type virtd_t;
|
|
-type virtd_exec_t;
|
|
+type virtd_t, virt_system_domain;
|
|
+type virtd_exec_t, virt_file_type;
|
|
init_daemon_domain(virtd_t, virtd_exec_t)
|
|
domain_obj_id_change_exemption(virtd_t)
|
|
domain_subj_id_change_exemption(virtd_t)
|
|
|
|
-type virtd_initrc_exec_t;
|
|
+type virtd_unit_file_t, virt_file_type;
|
|
+systemd_unit_file(virtd_unit_file_t)
|
|
+
|
|
+type virtd_initrc_exec_t, virt_file_type;
|
|
init_script_file(virtd_initrc_exec_t)
|
|
|
|
type virtd_keytab_t;
|
|
files_type(virtd_keytab_t)
|
|
|
|
+type qemu_var_run_t, virt_file_type;
|
|
+typealias qemu_var_run_t alias svirt_var_run_t;
|
|
+files_pid_file(qemu_var_run_t)
|
|
+mls_trusted_object(qemu_var_run_t)
|
|
+
|
|
ifdef(`enable_mcs',`
|
|
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mcs_systemhigh)
|
|
')
|
|
@@ -153,299 +179,144 @@ ifdef(`enable_mls',`
|
|
init_ranged_daemon_domain(virtd_t, virtd_exec_t, s0 - mls_systemhigh)
|
|
')
|
|
|
|
-type virt_qmf_t;
|
|
-type virt_qmf_exec_t;
|
|
+type virt_qmf_t, virt_system_domain;
|
|
+type virt_qmf_exec_t, virt_file_type;
|
|
init_daemon_domain(virt_qmf_t, virt_qmf_exec_t)
|
|
|
|
-type virt_bridgehelper_t;
|
|
-type virt_bridgehelper_exec_t;
|
|
+type virt_bridgehelper_t, virt_system_domain;
|
|
domain_type(virt_bridgehelper_t)
|
|
+
|
|
+type virt_bridgehelper_exec_t, virt_file_type;
|
|
domain_entry_file(virt_bridgehelper_t, virt_bridgehelper_exec_t)
|
|
-role virt_bridgehelper_roles types virt_bridgehelper_t;
|
|
+role system_r types virt_bridgehelper_t;
|
|
|
|
-type virtd_lxc_t;
|
|
-type virtd_lxc_exec_t;
|
|
-init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
|
|
+# policy for qemu_ga
|
|
+type virt_qemu_ga_t, virt_system_domain;
|
|
+type virt_qemu_ga_exec_t, virt_file_type;
|
|
+init_daemon_domain(virt_qemu_ga_t, virt_qemu_ga_exec_t)
|
|
|
|
-type virtd_lxc_var_run_t;
|
|
-files_pid_file(virtd_lxc_var_run_t)
|
|
+type virt_qemu_ga_var_run_t, virt_file_type;
|
|
+files_pid_file(virt_qemu_ga_var_run_t)
|
|
|
|
-type svirt_lxc_file_t;
|
|
-files_mountpoint(svirt_lxc_file_t)
|
|
-fs_noxattr_type(svirt_lxc_file_t)
|
|
-term_pty(svirt_lxc_file_t)
|
|
+type virt_qemu_ga_log_t, virt_file_type;
|
|
+logging_log_file(virt_qemu_ga_log_t)
|
|
|
|
-virt_lxc_domain_template(svirt_lxc_net)
|
|
+type virt_qemu_ga_tmp_t, virt_file_type;
|
|
+files_tmp_file(virt_qemu_ga_tmp_t)
|
|
|
|
-type virsh_t;
|
|
-type virsh_exec_t;
|
|
-init_system_domain(virsh_t, virsh_exec_t)
|
|
+type virt_qemu_ga_data_t, virt_file_type;
|
|
+files_type(virt_qemu_ga_data_t)
|
|
+
|
|
+type virt_qemu_ga_unconfined_exec_t, virt_file_type;
|
|
+application_executable_file(virt_qemu_ga_unconfined_exec_t)
|
|
|
|
########################################
|
|
#
|
|
-# Common virt domain local policy
|
|
+# Declarations
|
|
#
|
|
+attribute svirt_sandbox_domain;
|
|
|
|
-allow virt_domain self:process { signal getsched signull };
|
|
-allow virt_domain self:fifo_file rw_fifo_file_perms;
|
|
-allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
|
|
-allow virt_domain self:netlink_route_socket r_netlink_socket_perms;
|
|
-allow virt_domain self:shm create_shm_perms;
|
|
-allow virt_domain self:tcp_socket create_stream_socket_perms;
|
|
-allow virt_domain self:unix_stream_socket { accept listen };
|
|
-allow virt_domain self:unix_dgram_socket sendto;
|
|
-
|
|
-allow virt_domain virtd_t:fd use;
|
|
-allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
|
|
-allow virt_domain virtd_t:process sigchld;
|
|
-
|
|
-dontaudit virt_domain virtd_t:unix_stream_socket { read write };
|
|
-
|
|
-manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
|
|
-manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
|
|
-files_var_filetrans(virt_domain, virt_cache_t, { file dir })
|
|
-
|
|
-manage_dirs_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
|
|
-manage_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
|
|
-manage_sock_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
|
|
-manage_lnk_files_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t)
|
|
-files_pid_filetrans(virt_domain, svirt_var_run_t, { dir file })
|
|
-
|
|
-stream_connect_pattern(virt_domain, svirt_var_run_t, svirt_var_run_t, virtd_t)
|
|
-
|
|
-dontaudit virt_domain virt_tmpfs_type:file { read write };
|
|
-
|
|
-append_files_pattern(virt_domain, virt_log_t, virt_log_t)
|
|
-
|
|
-append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
|
|
-
|
|
-kernel_read_system_state(virt_domain)
|
|
-
|
|
-fs_getattr_xattr_fs(virt_domain)
|
|
-
|
|
-corecmd_exec_bin(virt_domain)
|
|
-corecmd_exec_shell(virt_domain)
|
|
-
|
|
-corenet_all_recvfrom_unlabeled(virt_domain)
|
|
-corenet_all_recvfrom_netlabel(virt_domain)
|
|
-corenet_tcp_sendrecv_generic_if(virt_domain)
|
|
-corenet_tcp_sendrecv_generic_node(virt_domain)
|
|
-corenet_tcp_bind_generic_node(virt_domain)
|
|
-
|
|
-corenet_sendrecv_vnc_server_packets(virt_domain)
|
|
-corenet_tcp_bind_vnc_port(virt_domain)
|
|
-corenet_tcp_sendrecv_vnc_port(virt_domain)
|
|
-
|
|
-corenet_sendrecv_virt_migration_server_packets(virt_domain)
|
|
-corenet_tcp_bind_virt_migration_port(virt_domain)
|
|
-corenet_sendrecv_virt_migration_client_packets(virt_domain)
|
|
-corenet_tcp_connect_virt_migration_port(virt_domain)
|
|
-corenet_tcp_sendrecv_virt_migration_port(virt_domain)
|
|
-
|
|
-corenet_rw_tun_tap_dev(virt_domain)
|
|
-
|
|
-dev_getattr_fs(virt_domain)
|
|
-dev_list_sysfs(virt_domain)
|
|
-dev_read_generic_symlinks(virt_domain)
|
|
-dev_read_rand(virt_domain)
|
|
-dev_read_sound(virt_domain)
|
|
-dev_read_urand(virt_domain)
|
|
-dev_write_sound(virt_domain)
|
|
-dev_rw_ksm(virt_domain)
|
|
-dev_rw_kvm(virt_domain)
|
|
-dev_rw_qemu(virt_domain)
|
|
-dev_rw_vhost(virt_domain)
|
|
-
|
|
-domain_use_interactive_fds(virt_domain)
|
|
-
|
|
-files_read_etc_files(virt_domain)
|
|
-files_read_mnt_symlinks(virt_domain)
|
|
-files_read_usr_files(virt_domain)
|
|
-files_read_var_files(virt_domain)
|
|
-files_search_all(virt_domain)
|
|
-
|
|
-fs_getattr_all_fs(virt_domain)
|
|
-fs_rw_anon_inodefs_files(virt_domain)
|
|
-fs_rw_tmpfs_files(virt_domain)
|
|
-fs_getattr_hugetlbfs(virt_domain)
|
|
-
|
|
-# fs_rw_inherited_nfs_files(virt_domain)
|
|
-# fs_rw_inherited_cifs_files(virt_domain)
|
|
-# fs_rw_inherited_noxattr_fs_files(virt_domain)
|
|
-
|
|
-storage_raw_write_removable_device(virt_domain)
|
|
-storage_raw_read_removable_device(virt_domain)
|
|
-
|
|
-term_use_all_terms(virt_domain)
|
|
-term_getattr_pty_fs(virt_domain)
|
|
-term_use_generic_ptys(virt_domain)
|
|
-term_use_ptmx(virt_domain)
|
|
-
|
|
-logging_send_syslog_msg(virt_domain)
|
|
-
|
|
-miscfiles_read_localization(virt_domain)
|
|
-miscfiles_read_public_files(virt_domain)
|
|
-
|
|
-sysnet_read_config(virt_domain)
|
|
-
|
|
-userdom_search_user_home_dirs(virt_domain)
|
|
-userdom_read_all_users_state(virt_domain)
|
|
-
|
|
-virt_run_bridgehelper(virt_domain, virt_domain_roles)
|
|
-virt_read_config(virt_domain)
|
|
-virt_read_lib_files(virt_domain)
|
|
-virt_read_content(virt_domain)
|
|
-virt_stream_connect(virt_domain)
|
|
-
|
|
-qemu_exec(virt_domain)
|
|
-
|
|
-tunable_policy(`virt_use_execmem',`
|
|
- allow virt_domain self:process { execmem execstack };
|
|
-')
|
|
-
|
|
-tunable_policy(`virt_use_comm',`
|
|
- term_use_unallocated_ttys(virt_domain)
|
|
- dev_rw_printer(virt_domain)
|
|
-')
|
|
-
|
|
-tunable_policy(`virt_use_fusefs',`
|
|
- fs_manage_fusefs_dirs(virt_domain)
|
|
- fs_manage_fusefs_files(virt_domain)
|
|
- fs_read_fusefs_symlinks(virt_domain)
|
|
-')
|
|
-
|
|
-tunable_policy(`virt_use_nfs',`
|
|
- fs_manage_nfs_dirs(virt_domain)
|
|
- fs_manage_nfs_files(virt_domain)
|
|
- fs_manage_nfs_named_sockets(virt_domain)
|
|
- fs_read_nfs_symlinks(virt_domain)
|
|
-')
|
|
+type virtd_lxc_t, virt_system_domain;
|
|
+type virtd_lxc_exec_t, virt_file_type;
|
|
+init_system_domain(virtd_lxc_t, virtd_lxc_exec_t)
|
|
|
|
-tunable_policy(`virt_use_samba',`
|
|
- fs_manage_cifs_dirs(virt_domain)
|
|
- fs_manage_cifs_files(virt_domain)
|
|
- fs_manage_cifs_named_sockets(virt_domain)
|
|
- fs_read_cifs_symlinks(virt_domain)
|
|
-')
|
|
+type virt_lxc_var_run_t, virt_file_type;
|
|
+files_pid_file(virt_lxc_var_run_t)
|
|
+typealias virt_lxc_var_run_t alias virtd_lxc_var_run_t;
|
|
|
|
-tunable_policy(`virt_use_sysfs',`
|
|
- dev_rw_sysfs(virt_domain)
|
|
-')
|
|
+# virt lxc container files
|
|
+type svirt_sandbox_file_t alias svirt_lxc_file_t, svirt_file_type;
|
|
+files_mountpoint(svirt_sandbox_file_t)
|
|
|
|
-tunable_policy(`virt_use_usb',`
|
|
- dev_rw_usbfs(virt_domain)
|
|
- dev_read_sysfs(virt_domain)
|
|
- fs_getattr_dos_fs(virt_domain)
|
|
- fs_manage_dos_dirs(virt_domain)
|
|
- fs_manage_dos_files(virt_domain)
|
|
-')
|
|
+########################################
|
|
+#
|
|
+# svirt local policy
|
|
+#
|
|
|
|
-optional_policy(`
|
|
- tunable_policy(`virt_use_xserver',`
|
|
- xserver_read_xdm_pid(virt_domain)
|
|
- xserver_stream_connect(virt_domain)
|
|
- ')
|
|
-')
|
|
+# it was a part of auth_use_nsswitch
|
|
+allow svirt_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
-optional_policy(`
|
|
- dbus_read_lib_files(virt_domain)
|
|
-')
|
|
+corenet_udp_sendrecv_generic_if(svirt_t)
|
|
+corenet_udp_sendrecv_generic_node(svirt_t)
|
|
+corenet_udp_sendrecv_all_ports(svirt_t)
|
|
+corenet_udp_bind_generic_node(svirt_t)
|
|
+corenet_udp_bind_all_ports(svirt_t)
|
|
+corenet_tcp_bind_all_ports(svirt_t)
|
|
+corenet_tcp_connect_all_ports(svirt_t)
|
|
|
|
-optional_policy(`
|
|
- nscd_use(virt_domain)
|
|
-')
|
|
+miscfiles_read_generic_certs(svirt_t)
|
|
|
|
optional_policy(`
|
|
- samba_domtrans_smbd(virt_domain)
|
|
+ nscd_dontaudit_write_sock_file(svirt_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- xen_rw_image_files(virt_domain)
|
|
+ sssd_dontaudit_stream_connect(svirt_t)
|
|
+ sssd_dontaudit_read_lib(svirt_t)
|
|
+ sssd_dontaudit_read_public_files(svirt_t)
|
|
')
|
|
|
|
-########################################
|
|
+#######################################
|
|
#
|
|
-# svirt local policy
|
|
+# svirt_prot_exec local policy
|
|
#
|
|
|
|
-list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
|
|
-read_files_pattern(svirt_t, virt_content_t, virt_content_t)
|
|
-
|
|
-dontaudit svirt_t virt_content_t:file write_file_perms;
|
|
-dontaudit svirt_t virt_content_t:dir rw_dir_perms;
|
|
-
|
|
-append_files_pattern(svirt_t, virt_home_t, virt_home_t)
|
|
-manage_dirs_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
|
-manage_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
|
-manage_sock_files_pattern(svirt_t, svirt_home_t, svirt_home_t)
|
|
-
|
|
-filetrans_pattern(svirt_t, virt_home_t, svirt_home_t, dir, "qemu")
|
|
-
|
|
-stream_connect_pattern(svirt_t, svirt_home_t, svirt_home_t, virtd_t)
|
|
-
|
|
-corenet_udp_sendrecv_generic_if(svirt_t)
|
|
-corenet_udp_sendrecv_generic_node(svirt_t)
|
|
-corenet_udp_sendrecv_all_ports(svirt_t)
|
|
-corenet_udp_bind_generic_node(svirt_t)
|
|
-
|
|
-corenet_all_recvfrom_unlabeled(svirt_t)
|
|
-corenet_all_recvfrom_netlabel(svirt_t)
|
|
-corenet_tcp_sendrecv_generic_if(svirt_t)
|
|
-corenet_udp_sendrecv_generic_if(svirt_t)
|
|
-corenet_tcp_sendrecv_generic_node(svirt_t)
|
|
-corenet_udp_sendrecv_generic_node(svirt_t)
|
|
-corenet_tcp_sendrecv_all_ports(svirt_t)
|
|
-corenet_udp_sendrecv_all_ports(svirt_t)
|
|
-corenet_tcp_bind_generic_node(svirt_t)
|
|
-corenet_udp_bind_generic_node(svirt_t)
|
|
+allow svirt_tcg_t self:process { execmem execstack };
|
|
+allow svirt_tcg_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
-corenet_sendrecv_all_server_packets(svirt_t)
|
|
-corenet_udp_bind_all_ports(svirt_t)
|
|
-corenet_tcp_bind_all_ports(svirt_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(svirt_t)
|
|
-corenet_tcp_connect_all_ports(svirt_t)
|
|
+corenet_udp_sendrecv_generic_if(svirt_tcg_t)
|
|
+corenet_udp_sendrecv_generic_node(svirt_tcg_t)
|
|
+corenet_udp_sendrecv_all_ports(svirt_tcg_t)
|
|
+corenet_udp_bind_generic_node(svirt_tcg_t)
|
|
+corenet_udp_bind_all_ports(svirt_tcg_t)
|
|
+corenet_tcp_bind_all_ports(svirt_tcg_t)
|
|
+corenet_tcp_connect_all_ports(svirt_tcg_t)
|
|
|
|
########################################
|
|
#
|
|
# virtd local policy
|
|
#
|
|
|
|
-allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
|
|
+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
|
|
+allow virtd_t self:capability2 compromise_kernel;
|
|
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
|
|
+ifdef(`hide_broken_symptoms',`
|
|
+ # caused by some bogus kernel code
|
|
+ dontaudit virtd_t self:capability { sys_module };
|
|
+')
|
|
+
|
|
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
|
|
-allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
|
|
-allow virtd_t self:tcp_socket { accept listen };
|
|
+allow virtd_t self:unix_stream_socket { connectto create_stream_socket_perms relabelfrom relabelto };
|
|
+allow virtd_t self:tcp_socket create_stream_socket_perms;
|
|
allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
|
|
allow virtd_t self:rawip_socket create_socket_perms;
|
|
allow virtd_t self:packet_socket create_socket_perms;
|
|
allow virtd_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
-allow virtd_t self:netlink_route_socket nlmsg_write;
|
|
-
|
|
-allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
|
|
-dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
|
|
-
|
|
-allow virtd_t svirt_lxc_domain:unix_stream_socket { create_stream_socket_perms connectto };
|
|
-allow virtd_t svirt_lxc_domain:process signal_perms;
|
|
-
|
|
-allow virtd_t virtd_lxc_t:process { signal signull sigkill };
|
|
-
|
|
-domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
|
|
+allow virtd_t self:netlink_route_socket create_netlink_socket_perms;
|
|
|
|
manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
|
|
manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
|
|
|
|
manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
|
|
manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
|
|
-filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
|
|
|
|
allow virtd_t virtd_keytab_t:file read_file_perms;
|
|
|
|
-allow virtd_t svirt_var_run_t:file relabel_file_perms;
|
|
-manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
|
|
-manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
|
|
-manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
|
|
-filetrans_pattern(virtd_t, virt_var_run_t, svirt_var_run_t, dir, "qemu")
|
|
+allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
|
|
+allow virtd_t svirt_sandbox_domain:process { getattr getsched setsched transition signal signull sigkill };
|
|
+allow virt_domain virtd_t:fd use;
|
|
+dontaudit virt_domain virtd_t:unix_stream_socket { read write };
|
|
+allow virtd_t virt_domain:unix_stream_socket { connectto create_stream_socket_perms };
|
|
+
|
|
+can_exec(virtd_t, qemu_exec_t)
|
|
+can_exec(virt_domain, qemu_exec_t)
|
|
+
|
|
+allow virtd_t qemu_var_run_t:file relabel_file_perms;
|
|
+manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
|
|
+manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
|
|
+manage_sock_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
|
|
+stream_connect_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t, virt_domain)
|
|
+filetrans_pattern(virtd_t, virt_var_run_t, qemu_var_run_t, dir, "qemu")
|
|
|
|
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
|
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
|
|
@@ -455,42 +326,29 @@ manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
|
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
|
|
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
|
|
|
|
-manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
|
|
-manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
|
|
-manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)
|
|
-manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
|
|
-
|
|
-userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, ".libvirt")
|
|
-userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, ".virtinst")
|
|
-userdom_user_home_dir_filetrans(virtd_t, virt_home_t, dir, "VirtualMachines")
|
|
-
|
|
manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
|
|
manage_chr_files_pattern(virtd_t, virt_image_type, virt_image_type)
|
|
manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
|
|
manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
|
|
-
|
|
+allow virtd_t virt_image_type:dir setattr;
|
|
allow virtd_t virt_image_type:file relabel_file_perms;
|
|
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
|
|
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
|
|
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
|
|
-
|
|
+allow virtd_t virt_image_type:unix_stream_socket relabel_file_perms;
|
|
allow virtd_t virt_ptynode:chr_file rw_term_perms;
|
|
|
|
manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
|
|
manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
|
|
files_tmp_filetrans(virtd_t, virt_tmp_t, { file dir })
|
|
+can_exec(virtd_t, virt_tmp_t)
|
|
|
|
-# This needs a file context specification
|
|
manage_dirs_pattern(virtd_t, virt_lock_t, virt_lock_t)
|
|
manage_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
|
|
manage_lnk_files_pattern(virtd_t, virt_lock_t, virt_lock_t)
|
|
files_lock_filetrans(virtd_t, virt_lock_t, { dir file lnk_file })
|
|
|
|
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
|
|
-append_files_pattern(virtd_t, virt_log_t, virt_log_t)
|
|
-create_files_pattern(virtd_t, virt_log_t, virt_log_t)
|
|
-read_files_pattern(virtd_t, virt_log_t, virt_log_t)
|
|
-setattr_files_pattern(virtd_t, virt_log_t, virt_log_t)
|
|
+manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
|
|
logging_log_filetrans(virtd_t, virt_log_t, { file dir })
|
|
|
|
manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
|
|
@@ -503,16 +361,12 @@ manage_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
|
manage_sock_files_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
|
|
files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
|
|
|
|
-manage_dirs_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
|
-manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
|
-filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
|
|
+manage_dirs_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
|
+manage_files_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
|
+filetrans_pattern(virtd_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
|
|
+allow virtd_t virt_lxc_var_run_t:file { relabelfrom relabelto };
|
|
+stream_connect_pattern(virtd_t, virt_lxc_var_run_t, virt_lxc_var_run_t, virtd_lxc_t)
|
|
|
|
-stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t)
|
|
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
|
|
-
|
|
-can_exec(virtd_t, virt_tmp_t)
|
|
-
|
|
-kernel_read_crypto_sysctls(virtd_t)
|
|
kernel_read_system_state(virtd_t)
|
|
kernel_read_network_state(virtd_t)
|
|
kernel_rw_net_sysctls(virtd_t)
|
|
@@ -520,6 +374,7 @@ kernel_read_kernel_sysctls(virtd_t)
|
|
kernel_request_load_module(virtd_t)
|
|
kernel_search_debugfs(virtd_t)
|
|
kernel_setsched(virtd_t)
|
|
+kernel_write_proc_files(virtd_t)
|
|
|
|
corecmd_exec_bin(virtd_t)
|
|
corecmd_exec_shell(virtd_t)
|
|
@@ -527,24 +382,16 @@ corecmd_exec_shell(virtd_t)
|
|
corenet_all_recvfrom_netlabel(virtd_t)
|
|
corenet_tcp_sendrecv_generic_if(virtd_t)
|
|
corenet_tcp_sendrecv_generic_node(virtd_t)
|
|
+corenet_tcp_sendrecv_all_ports(virtd_t)
|
|
corenet_tcp_bind_generic_node(virtd_t)
|
|
-
|
|
-corenet_sendrecv_virt_server_packets(virtd_t)
|
|
corenet_tcp_bind_virt_port(virtd_t)
|
|
-corenet_tcp_sendrecv_virt_port(virtd_t)
|
|
-
|
|
-corenet_sendrecv_vnc_server_packets(virtd_t)
|
|
corenet_tcp_bind_vnc_port(virtd_t)
|
|
-corenet_sendrecv_vnc_client_packets(virtd_t)
|
|
corenet_tcp_connect_vnc_port(virtd_t)
|
|
-corenet_tcp_sendrecv_vnc_port(virtd_t)
|
|
-
|
|
-corenet_sendrecv_soundd_client_packets(virtd_t)
|
|
corenet_tcp_connect_soundd_port(virtd_t)
|
|
-corenet_tcp_sendrecv_soundd_port(virtd_t)
|
|
-
|
|
corenet_rw_tun_tap_dev(virtd_t)
|
|
+corenet_relabel_tun_tap_dev(virtd_t)
|
|
|
|
+dev_rw_vfio_dev(virtd_t)
|
|
dev_rw_sysfs(virtd_t)
|
|
dev_read_urand(virtd_t)
|
|
dev_read_rand(virtd_t)
|
|
@@ -555,22 +402,27 @@ dev_rw_vhost(virtd_t)
|
|
dev_setattr_generic_usb_dev(virtd_t)
|
|
dev_relabel_generic_usb_dev(virtd_t)
|
|
|
|
+# Init script handling
|
|
domain_use_interactive_fds(virtd_t)
|
|
domain_read_all_domains_state(virtd_t)
|
|
+domain_signull_all_domains(virtd_t)
|
|
|
|
-files_read_usr_files(virtd_t)
|
|
files_read_etc_runtime_files(virtd_t)
|
|
files_search_all(virtd_t)
|
|
files_read_kernel_modules(virtd_t)
|
|
files_read_usr_src_files(virtd_t)
|
|
+files_relabelto_system_conf_files(virtd_t)
|
|
+files_relabelfrom_system_conf_files(virtd_t)
|
|
+files_relabelfrom_boot_files(virtd_t)
|
|
+files_relabelto_boot_files(virtd_t)
|
|
+files_manage_boot_files(virtd_t)
|
|
|
|
# Manages /etc/sysconfig/system-config-firewall
|
|
-# files_relabelto_system_conf_files(virtd_t)
|
|
-# files_relabelfrom_system_conf_files(virtd_t)
|
|
-# files_manage_system_conf_files(virtd_t)
|
|
+files_manage_system_conf_files(virtd_t)
|
|
|
|
+fs_read_tmpfs_symlinks(virtd_t)
|
|
fs_list_auto_mountpoints(virtd_t)
|
|
-fs_getattr_all_fs(virtd_t)
|
|
+fs_getattr_xattr_fs(virtd_t)
|
|
fs_rw_anon_inodefs_files(virtd_t)
|
|
fs_list_inotifyfs(virtd_t)
|
|
fs_manage_cgroup_dirs(virtd_t)
|
|
@@ -601,15 +453,18 @@ term_use_ptmx(virtd_t)
|
|
|
|
auth_use_nsswitch(virtd_t)
|
|
|
|
-miscfiles_read_localization(virtd_t)
|
|
+init_dbus_chat(virtd_t)
|
|
+
|
|
miscfiles_read_generic_certs(virtd_t)
|
|
miscfiles_read_hwdata(virtd_t)
|
|
|
|
modutils_read_module_deps(virtd_t)
|
|
+modutils_read_module_config(virtd_t)
|
|
modutils_manage_module_config(virtd_t)
|
|
|
|
logging_send_syslog_msg(virtd_t)
|
|
logging_send_audit_msgs(virtd_t)
|
|
+logging_stream_connect_syslog(virtd_t)
|
|
|
|
selinux_validate_context(virtd_t)
|
|
|
|
@@ -620,18 +475,26 @@ seutil_read_file_contexts(virtd_t)
|
|
sysnet_signull_ifconfig(virtd_t)
|
|
sysnet_signal_ifconfig(virtd_t)
|
|
sysnet_domtrans_ifconfig(virtd_t)
|
|
+sysnet_read_config(virtd_t)
|
|
|
|
-userdom_read_all_users_state(virtd_t)
|
|
-
|
|
-ifdef(`hide_broken_symptoms',`
|
|
- dontaudit virtd_t self:capability { sys_module sys_ptrace };
|
|
-')
|
|
+systemd_dbus_chat_logind(virtd_t)
|
|
+systemd_write_inhibit_pipes(virtd_t)
|
|
|
|
-tunable_policy(`virt_use_fusefs',`
|
|
- fs_manage_fusefs_dirs(virtd_t)
|
|
- fs_manage_fusefs_files(virtd_t)
|
|
- fs_read_fusefs_symlinks(virtd_t)
|
|
-')
|
|
+userdom_list_admin_dir(virtd_t)
|
|
+userdom_getattr_all_users(virtd_t)
|
|
+userdom_list_user_home_content(virtd_t)
|
|
+userdom_read_all_users_state(virtd_t)
|
|
+userdom_read_user_home_content_files(virtd_t)
|
|
+userdom_relabel_user_tmp_files(virtd_t)
|
|
+userdom_setattr_user_tmp_files(virtd_t)
|
|
+userdom_relabel_user_home_files(virtd_t)
|
|
+userdom_setattr_user_home_content_files(virtd_t)
|
|
+manage_dirs_pattern(virtd_t, virt_home_t, virt_home_t)
|
|
+manage_files_pattern(virtd_t, virt_home_t, virt_home_t)
|
|
+manage_sock_files_pattern(virtd_t, virt_home_t, virt_home_t)
|
|
+manage_lnk_files_pattern(virtd_t, virt_home_t, virt_home_t)
|
|
+#userdom_user_home_dir_filetrans(virtd_t, virt_home_t, { dir file })
|
|
+virt_filetrans_home_content(virtd_t)
|
|
|
|
tunable_policy(`virt_use_nfs',`
|
|
fs_manage_nfs_dirs(virtd_t)
|
|
@@ -640,7 +503,7 @@ tunable_policy(`virt_use_nfs',`
|
|
')
|
|
|
|
tunable_policy(`virt_use_samba',`
|
|
- fs_manage_cifs_files(virtd_t)
|
|
+ fs_manage_nfs_files(virtd_t)
|
|
fs_manage_cifs_files(virtd_t)
|
|
fs_read_cifs_symlinks(virtd_t)
|
|
')
|
|
@@ -665,20 +528,12 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- firewalld_dbus_chat(virtd_t)
|
|
- ')
|
|
-
|
|
- optional_policy(`
|
|
hal_dbus_chat(virtd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
networkmanager_dbus_chat(virtd_t)
|
|
')
|
|
-
|
|
- optional_policy(`
|
|
- policykit_dbus_chat(virtd_t)
|
|
- ')
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -691,20 +546,26 @@ optional_policy(`
|
|
dnsmasq_kill(virtd_t)
|
|
dnsmasq_signull(virtd_t)
|
|
dnsmasq_create_pid_dirs(virtd_t)
|
|
- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, dir, "network")
|
|
- dnsmasq_spec_filetrans_pid(virtd_t, virt_var_run_t, file, "dnsmasq.pid")
|
|
+ dnsmasq_filetrans_named_content_fromdir(virtd_t, virt_var_run_t);
|
|
dnsmasq_manage_pid_files(virtd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ firewalld_dbus_chat(virtd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
iptables_domtrans(virtd_t)
|
|
iptables_initrc_domtrans(virtd_t)
|
|
+ iptables_systemctl(virtd_t)
|
|
+
|
|
+ # Manages /etc/sysconfig/system-config-firewall
|
|
iptables_manage_config(virtd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- kerberos_read_keytab(virtd_t)
|
|
- kerberos_use(virtd_t)
|
|
+ kerberos_read_keytab(virtd_t)
|
|
+ kerberos_use(virtd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -712,11 +573,13 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ # Run mount in the mount_t domain.
|
|
mount_domtrans(virtd_t)
|
|
mount_signal(virtd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ policykit_dbus_chat(virtd_t)
|
|
policykit_domtrans_auth(virtd_t)
|
|
policykit_domtrans_resolve(virtd_t)
|
|
policykit_read_lib(virtd_t)
|
|
@@ -727,10 +590,18 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ sanlock_stream_connect(virtd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
sasl_connect(virtd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ setrans_manage_pid_files(virtd_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
kernel_read_xen_state(virtd_t)
|
|
kernel_write_xen_state(virtd_t)
|
|
|
|
@@ -746,44 +617,264 @@ optional_policy(`
|
|
udev_read_pid_files(virtd_t)
|
|
')
|
|
|
|
+optional_policy(`
|
|
+ unconfined_domain(virtd_t)
|
|
+')
|
|
+
|
|
########################################
|
|
#
|
|
-# Virsh local policy
|
|
+# virtual domains common policy
|
|
#
|
|
+allow virt_domain self:capability2 compromise_kernel;
|
|
+allow virt_domain self:process { setrlimit signal_perms getsched setsched };
|
|
+allow virt_domain self:fifo_file rw_fifo_file_perms;
|
|
+allow virt_domain self:shm create_shm_perms;
|
|
+allow virt_domain self:unix_stream_socket create_stream_socket_perms;
|
|
+allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
|
|
+allow virt_domain self:tcp_socket create_stream_socket_perms;
|
|
+allow virt_domain self:udp_socket create_socket_perms;
|
|
+allow virt_domain self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
-allow virsh_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
|
|
-allow virsh_t self:process { getcap getsched setsched setcap signal };
|
|
-allow virsh_t self:fifo_file rw_fifo_file_perms;
|
|
-allow virsh_t self:unix_stream_socket { accept connectto listen };
|
|
-allow virsh_t self:tcp_socket { accept listen };
|
|
+list_dirs_pattern(virt_domain, virt_content_t, virt_content_t)
|
|
+read_files_pattern(virt_domain, virt_content_t, virt_content_t)
|
|
+dontaudit virt_domain virt_content_t:file write_file_perms;
|
|
+dontaudit virt_domain virt_content_t:dir write;
|
|
|
|
-manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
|
|
-manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
|
|
-manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
|
|
+kernel_read_net_sysctls(virt_domain)
|
|
|
|
-manage_dirs_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
-manage_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
-manage_chr_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
-manage_lnk_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
-manage_sock_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
-manage_fifo_files_pattern(virsh_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
+userdom_search_user_home_content(virt_domain)
|
|
+userdom_read_user_home_content_symlinks(virt_domain)
|
|
+userdom_read_all_users_state(virt_domain)
|
|
+append_files_pattern(virt_domain, virt_home_t, virt_home_t)
|
|
+manage_dirs_pattern(virt_domain, svirt_home_t, svirt_home_t)
|
|
+manage_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
|
|
+manage_sock_files_pattern(virt_domain, svirt_home_t, svirt_home_t)
|
|
+filetrans_pattern(virt_domain, virt_home_t, svirt_home_t, { dir sock_file file })
|
|
+stream_connect_pattern(virt_domain, svirt_home_t, svirt_home_t, virtd_t)
|
|
+
|
|
+manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
|
|
+manage_files_pattern(virt_domain, virt_cache_t, virt_cache_t)
|
|
+files_var_filetrans(virt_domain, virt_cache_t, { file dir })
|
|
|
|
-manage_dirs_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
|
-manage_files_pattern(virsh_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
|
-filetrans_pattern(virsh_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
|
|
+read_lnk_files_pattern(virt_domain, virt_image_t, virt_image_t)
|
|
+
|
|
+manage_dirs_pattern(virt_domain, svirt_image_t, svirt_image_t)
|
|
+manage_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
|
|
+manage_sock_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
|
|
+manage_fifo_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
|
|
+read_lnk_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
|
|
+rw_chr_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
|
|
+rw_blk_files_pattern(virt_domain, svirt_image_t, svirt_image_t)
|
|
+fs_hugetlbfs_filetrans(virt_domain, svirt_image_t, file)
|
|
+
|
|
+manage_dirs_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
|
|
+manage_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
|
|
+manage_lnk_files_pattern(virt_domain, svirt_tmp_t, svirt_tmp_t)
|
|
+files_tmp_filetrans(virt_domain, svirt_tmp_t, { file dir lnk_file })
|
|
+userdom_user_tmp_filetrans(virt_domain, svirt_tmp_t, { dir file lnk_file })
|
|
+
|
|
+manage_dirs_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
|
|
+manage_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
|
|
+manage_lnk_files_pattern(virt_domain, svirt_tmpfs_t, svirt_tmpfs_t)
|
|
+fs_tmpfs_filetrans(virt_domain, svirt_tmpfs_t, { dir file lnk_file })
|
|
+
|
|
+manage_dirs_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
|
|
+manage_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
|
|
+manage_sock_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
|
|
+manage_lnk_files_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t)
|
|
+files_pid_filetrans(virt_domain, qemu_var_run_t, { dir file })
|
|
+stream_connect_pattern(virt_domain, qemu_var_run_t, qemu_var_run_t, virtd_t)
|
|
+
|
|
+dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh };
|
|
|
|
-dontaudit virsh_t virt_var_lib_t:file read_file_perms;
|
|
+dontaudit virt_domain virt_tmpfs_type:file { read write };
|
|
|
|
-allow virsh_t svirt_lxc_domain:process transition;
|
|
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
|
|
|
|
-can_exec(virsh_t, virsh_exec_t)
|
|
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
|
|
+
|
|
+corecmd_exec_bin(virt_domain)
|
|
+corecmd_exec_shell(virt_domain)
|
|
+
|
|
+corenet_tcp_sendrecv_generic_if(virt_domain)
|
|
+corenet_tcp_sendrecv_generic_node(virt_domain)
|
|
+corenet_tcp_sendrecv_all_ports(virt_domain)
|
|
+corenet_tcp_bind_generic_node(virt_domain)
|
|
+corenet_tcp_bind_vnc_port(virt_domain)
|
|
+corenet_tcp_bind_virt_migration_port(virt_domain)
|
|
+corenet_tcp_connect_virt_migration_port(virt_domain)
|
|
+corenet_rw_inherited_tun_tap_dev(virt_domain)
|
|
|
|
+dev_list_sysfs(virt_domain)
|
|
+dev_getattr_fs(virt_domain)
|
|
+dev_dontaudit_getattr_all(virt_domain)
|
|
+dev_read_generic_symlinks(virt_domain)
|
|
+dev_read_rand(virt_domain)
|
|
+dev_read_sound(virt_domain)
|
|
+dev_read_urand(virt_domain)
|
|
+dev_write_sound(virt_domain)
|
|
+dev_rw_ksm(virt_domain)
|
|
+dev_rw_vfio_dev(virt_domain)
|
|
+dev_rw_kvm(virt_domain)
|
|
+dev_rw_qemu(virt_domain)
|
|
+dev_rw_inherited_vhost(virt_domain)
|
|
+
|
|
+domain_use_interactive_fds(virt_domain)
|
|
+
|
|
+files_read_mnt_symlinks(virt_domain)
|
|
+files_read_var_files(virt_domain)
|
|
+files_search_all(virt_domain)
|
|
+
|
|
+fs_getattr_xattr_fs(virt_domain)
|
|
+fs_getattr_tmpfs(virt_domain)
|
|
+fs_rw_anon_inodefs_files(virt_domain)
|
|
+fs_rw_inherited_tmpfs_files(virt_domain)
|
|
+fs_getattr_hugetlbfs(virt_domain)
|
|
+fs_rw_inherited_nfs_files(virt_domain)
|
|
+fs_rw_inherited_cifs_files(virt_domain)
|
|
+fs_rw_inherited_noxattr_fs_files(virt_domain)
|
|
+
|
|
+# I think we need these for now.
|
|
+miscfiles_read_public_files(virt_domain)
|
|
+storage_raw_read_removable_device(virt_domain)
|
|
+
|
|
+sysnet_read_config(virt_domain)
|
|
+
|
|
+term_use_all_inherited_terms(virt_domain)
|
|
+term_getattr_pty_fs(virt_domain)
|
|
+term_use_generic_ptys(virt_domain)
|
|
+term_use_ptmx(virt_domain)
|
|
+
|
|
+tunable_policy(`virt_use_execmem',`
|
|
+ allow virt_domain self:process { execmem execstack };
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ alsa_read_rw_config(virt_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ ptchown_domtrans(virt_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ pulseaudio_dontaudit_exec(virt_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ virt_read_config(virt_domain)
|
|
+ virt_read_lib_files(virt_domain)
|
|
+ virt_read_content(virt_domain)
|
|
+ virt_stream_connect(virt_domain)
|
|
+ virt_read_pid_symlinks(virt_domain)
|
|
+ virt_domtrans_bridgehelper(virt_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ xserver_rw_shm(virt_domain)
|
|
+')
|
|
+
|
|
+tunable_policy(`virt_use_comm',`
|
|
+ term_use_unallocated_ttys(virt_domain)
|
|
+ dev_rw_printer(virt_domain)
|
|
+')
|
|
+
|
|
+tunable_policy(`virt_use_fusefs',`
|
|
+ fs_manage_fusefs_dirs(virt_domain)
|
|
+ fs_manage_fusefs_files(virt_domain)
|
|
+ fs_read_fusefs_symlinks(virt_domain)
|
|
+ fs_getattr_fusefs(virt_domain)
|
|
+')
|
|
+
|
|
+tunable_policy(`virt_use_nfs',`
|
|
+ fs_manage_nfs_dirs(virt_domain)
|
|
+ fs_manage_nfs_files(virt_domain)
|
|
+ fs_manage_nfs_named_sockets(virt_domain)
|
|
+ fs_read_nfs_symlinks(virt_domain)
|
|
+ fs_getattr_nfs(virt_domain)
|
|
+')
|
|
+
|
|
+tunable_policy(`virt_use_samba',`
|
|
+ fs_manage_cifs_dirs(virt_domain)
|
|
+ fs_manage_cifs_files(virt_domain)
|
|
+ fs_manage_cifs_named_sockets(virt_domain)
|
|
+ fs_read_cifs_symlinks(virt_domain)
|
|
+ fs_getattr_cifs(virt_domain)
|
|
+')
|
|
+
|
|
+tunable_policy(`virt_use_usb',`
|
|
+ dev_rw_usbfs(virt_domain)
|
|
+ dev_read_sysfs(virt_domain)
|
|
+ fs_getattr_dos_fs(virt_domain)
|
|
+ fs_manage_dos_dirs(virt_domain)
|
|
+ fs_manage_dos_files(virt_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ tunable_policy(`virt_use_sanlock',`
|
|
+ sanlock_stream_connect(virt_domain)
|
|
+ ')
|
|
+')
|
|
+
|
|
+tunable_policy(`virt_use_rawip',`
|
|
+ allow virt_domain self:rawip_socket create_socket_perms;
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ tunable_policy(`virt_use_xserver',`
|
|
+ xserver_stream_connect(virt_domain)
|
|
+ ')
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# xm local policy
|
|
+#
|
|
+type virsh_t, virt_system_domain;
|
|
+type virsh_exec_t, virt_file_type;
|
|
+init_system_domain(virsh_t, virsh_exec_t)
|
|
+typealias virsh_t alias xm_t;
|
|
+typealias virsh_exec_t alias xm_exec_t;
|
|
+
|
|
+allow virsh_t self:capability { setpcap dac_override ipc_lock sys_admin sys_chroot sys_nice sys_tty_config };
|
|
+allow virsh_t self:process { getcap getsched setsched setcap setexec signal };
|
|
+allow virsh_t self:fifo_file rw_fifo_file_perms;
|
|
+allow virsh_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
+allow virsh_t self:tcp_socket create_stream_socket_perms;
|
|
+
|
|
+ps_process_pattern(virsh_t, svirt_sandbox_domain)
|
|
+
|
|
+can_exec(virsh_t, virsh_exec_t)
|
|
virt_domtrans(virsh_t)
|
|
virt_manage_images(virsh_t)
|
|
virt_manage_config(virsh_t)
|
|
virt_stream_connect(virsh_t)
|
|
|
|
-kernel_read_crypto_sysctls(virsh_t)
|
|
+manage_dirs_pattern(virsh_t, virt_lock_t, virt_lock_t)
|
|
+manage_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
|
|
+manage_lnk_files_pattern(virsh_t, virt_lock_t, virt_lock_t)
|
|
+files_lock_filetrans(virsh_t, virt_lock_t, { dir file lnk_file })
|
|
+
|
|
+manage_files_pattern(virsh_t, virt_image_type, virt_image_type)
|
|
+manage_blk_files_pattern(virsh_t, virt_image_type, virt_image_type)
|
|
+manage_lnk_files_pattern(virsh_t, virt_image_type, virt_image_type)
|
|
+
|
|
+manage_dirs_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+manage_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+manage_chr_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+manage_lnk_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+manage_sock_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+manage_fifo_files_pattern(virsh_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+virt_transition_svirt_sandbox(virsh_t, system_r)
|
|
+
|
|
+manage_dirs_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
|
+manage_files_pattern(virsh_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
|
+virt_filetrans_named_content(virsh_t)
|
|
+filetrans_pattern(virsh_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
|
|
+
|
|
+dontaudit virsh_t virt_var_lib_t:file read_inherited_file_perms;
|
|
+
|
|
+kernel_write_proc_files(virsh_t)
|
|
kernel_read_system_state(virsh_t)
|
|
kernel_read_network_state(virsh_t)
|
|
kernel_read_kernel_sysctls(virsh_t)
|
|
@@ -794,25 +885,18 @@ kernel_write_xen_state(virsh_t)
|
|
corecmd_exec_bin(virsh_t)
|
|
corecmd_exec_shell(virsh_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(virsh_t)
|
|
-corenet_all_recvfrom_netlabel(virsh_t)
|
|
corenet_tcp_sendrecv_generic_if(virsh_t)
|
|
corenet_tcp_sendrecv_generic_node(virsh_t)
|
|
-corenet_tcp_bind_generic_node(virsh_t)
|
|
-
|
|
-corenet_sendrecv_soundd_client_packets(virsh_t)
|
|
corenet_tcp_connect_soundd_port(virsh_t)
|
|
-corenet_tcp_sendrecv_soundd_port(virsh_t)
|
|
|
|
dev_read_rand(virsh_t)
|
|
dev_read_urand(virsh_t)
|
|
dev_read_sysfs(virsh_t)
|
|
|
|
files_read_etc_runtime_files(virsh_t)
|
|
-files_read_etc_files(virsh_t)
|
|
-files_read_usr_files(virsh_t)
|
|
files_list_mnt(virsh_t)
|
|
files_list_tmp(virsh_t)
|
|
+# Some common macros (you might be able to remove some)
|
|
|
|
fs_getattr_all_fs(virsh_t)
|
|
fs_manage_xenfs_dirs(virsh_t)
|
|
@@ -821,23 +905,23 @@ fs_search_auto_mountpoints(virsh_t)
|
|
|
|
storage_raw_read_fixed_disk(virsh_t)
|
|
|
|
-term_use_all_terms(virsh_t)
|
|
+term_use_all_inherited_terms(virsh_t)
|
|
+term_dontaudit_use_generic_ptys(virsh_t)
|
|
+
|
|
+userdom_search_admin_dir(virsh_t)
|
|
+userdom_read_home_certs(virsh_t)
|
|
|
|
init_stream_connect_script(virsh_t)
|
|
init_rw_script_stream_sockets(virsh_t)
|
|
init_use_fds(virsh_t)
|
|
|
|
-logging_send_syslog_msg(virsh_t)
|
|
+systemd_exec_systemctl(virsh_t)
|
|
|
|
-miscfiles_read_localization(virsh_t)
|
|
+auth_read_passwd(virsh_t)
|
|
|
|
-sysnet_dns_name_resolve(virsh_t)
|
|
+logging_send_syslog_msg(virsh_t)
|
|
|
|
-tunable_policy(`virt_use_fusefs',`
|
|
- fs_manage_fusefs_dirs(virsh_t)
|
|
- fs_manage_fusefs_files(virsh_t)
|
|
- fs_read_fusefs_symlinks(virsh_t)
|
|
-')
|
|
+sysnet_dns_name_resolve(virsh_t)
|
|
|
|
tunable_policy(`virt_use_nfs',`
|
|
fs_manage_nfs_dirs(virsh_t)
|
|
@@ -856,14 +940,20 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ rhcs_domtrans_fenced(virsh_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
rpm_exec(virsh_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xen_manage_image_dirs(virsh_t)
|
|
+ xen_read_image_files(virsh_t)
|
|
+ xen_read_lib_files(virsh_t)
|
|
xen_append_log(virsh_t)
|
|
xen_domtrans(virsh_t)
|
|
- xen_read_xenstored_pid_files(virsh_t)
|
|
+ xen_read_pid_files_xenstored(virsh_t)
|
|
xen_stream_connect(virsh_t)
|
|
xen_stream_connect_xenstore(virsh_t)
|
|
')
|
|
@@ -888,49 +978,65 @@ optional_policy(`
|
|
kernel_read_xen_state(virsh_ssh_t)
|
|
kernel_write_xen_state(virsh_ssh_t)
|
|
|
|
+ dontaudit virsh_ssh_t virsh_transition_domain:fifo_file rw_inherited_fifo_file_perms;
|
|
files_search_tmp(virsh_ssh_t)
|
|
|
|
fs_manage_xenfs_dirs(virsh_ssh_t)
|
|
fs_manage_xenfs_files(virsh_ssh_t)
|
|
+
|
|
+ userdom_search_admin_dir(virsh_ssh_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Lxc local policy
|
|
+# virt_lxc local policy
|
|
#
|
|
+allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource setuid sys_nice setgid };
|
|
+allow virtd_lxc_t self:process { transition setpgid signal_perms };
|
|
+allow virtd_lxc_t self:capability2 compromise_kernel;
|
|
|
|
-allow virtd_lxc_t self:capability { dac_override net_admin net_raw setpcap chown sys_admin sys_boot sys_resource };
|
|
allow virtd_lxc_t self:process { setexec setrlimit setsched getcap setcap signal_perms };
|
|
allow virtd_lxc_t self:fifo_file rw_fifo_file_perms;
|
|
-allow virtd_lxc_t self:netlink_route_socket nlmsg_write;
|
|
-allow virtd_lxc_t self:unix_stream_socket { accept listen };
|
|
+allow virtd_lxc_t self:netlink_route_socket rw_netlink_socket_perms;
|
|
+allow virtd_lxc_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
|
allow virtd_lxc_t self:packet_socket create_socket_perms;
|
|
+ps_process_pattern(virtd_lxc_t, svirt_sandbox_domain)
|
|
+allow virtd_t virtd_lxc_t:unix_stream_socket create_stream_socket_perms;
|
|
|
|
-allow virtd_lxc_t svirt_lxc_domain:process { getattr getsched setsched transition signal signull sigkill };
|
|
+files_entrypoint_all_files(virtd_lxc_t)
|
|
|
|
allow virtd_lxc_t virt_image_type:dir mounton;
|
|
manage_files_pattern(virtd_lxc_t, virt_image_t, virt_image_t)
|
|
|
|
+domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
|
|
+allow virtd_t virtd_lxc_t:process { getattr signal signull sigkill };
|
|
+
|
|
allow virtd_lxc_t virt_var_run_t:dir search_dir_perms;
|
|
-manage_dirs_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
|
-manage_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
|
-manage_sock_files_pattern(virtd_lxc_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t)
|
|
-files_pid_filetrans(virtd_lxc_t, virtd_lxc_var_run_t, { file dir })
|
|
-
|
|
-manage_dirs_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
-manage_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
-manage_chr_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
-manage_lnk_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
-manage_sock_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
-manage_fifo_files_pattern(virtd_lxc_t, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
-allow virtd_lxc_t svirt_lxc_file_t:dir_file_class_set { relabelto relabelfrom };
|
|
-allow virtd_lxc_t svirt_lxc_file_t:filesystem { relabelto relabelfrom };
|
|
+manage_dirs_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
|
+manage_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
|
+manage_sock_files_pattern(virtd_lxc_t, virt_lxc_var_run_t, virt_lxc_var_run_t)
|
|
+files_pid_filetrans(virtd_lxc_t, virt_lxc_var_run_t, { file dir })
|
|
+filetrans_pattern(virtd_lxc_t, virt_var_run_t, virt_lxc_var_run_t, dir, "lxc")
|
|
+
|
|
+manage_dirs_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+manage_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+manage_chr_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+manage_lnk_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+manage_sock_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+manage_fifo_files_pattern(virtd_lxc_t, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+allow virtd_lxc_t svirt_sandbox_file_t:dir_file_class_set { relabelto relabelfrom };
|
|
+allow virtd_lxc_t svirt_sandbox_file_t:filesystem { relabelto relabelfrom };
|
|
+files_associate_rootfs(svirt_sandbox_file_t)
|
|
+
|
|
+seutil_read_file_contexts(virtd_lxc_t)
|
|
|
|
storage_manage_fixed_disk(virtd_lxc_t)
|
|
+storage_rw_fuse(virtd_lxc_t)
|
|
|
|
kernel_read_all_sysctls(virtd_lxc_t)
|
|
kernel_read_network_state(virtd_lxc_t)
|
|
kernel_read_system_state(virtd_lxc_t)
|
|
+kernel_request_load_module(virtd_lxc_t)
|
|
|
|
corecmd_exec_bin(virtd_lxc_t)
|
|
corecmd_exec_shell(virtd_lxc_t)
|
|
@@ -942,17 +1048,16 @@ dev_read_urand(virtd_lxc_t)
|
|
|
|
domain_use_interactive_fds(virtd_lxc_t)
|
|
|
|
-files_associate_rootfs(svirt_lxc_file_t)
|
|
files_search_all(virtd_lxc_t)
|
|
files_getattr_all_files(virtd_lxc_t)
|
|
-files_read_usr_files(virtd_lxc_t)
|
|
files_relabel_rootfs(virtd_lxc_t)
|
|
files_mounton_non_security(virtd_lxc_t)
|
|
files_mount_all_file_type_fs(virtd_lxc_t)
|
|
files_unmount_all_file_type_fs(virtd_lxc_t)
|
|
files_list_isid_type_dirs(virtd_lxc_t)
|
|
-files_root_filetrans(virtd_lxc_t, svirt_lxc_file_t, dir_file_class_set)
|
|
+files_root_filetrans(virtd_lxc_t, svirt_sandbox_file_t, dir_file_class_set)
|
|
|
|
+fs_read_fusefs_files(virtd_lxc_t)
|
|
fs_getattr_all_fs(virtd_lxc_t)
|
|
fs_manage_tmpfs_dirs(virtd_lxc_t)
|
|
fs_manage_tmpfs_chr_files(virtd_lxc_t)
|
|
@@ -964,8 +1069,23 @@ fs_rw_cgroup_files(virtd_lxc_t)
|
|
fs_unmount_all_fs(virtd_lxc_t)
|
|
fs_relabelfrom_tmpfs(virtd_lxc_t)
|
|
|
|
+logging_send_audit_msgs(virtd_lxc_t)
|
|
+
|
|
selinux_mount_fs(virtd_lxc_t)
|
|
selinux_unmount_fs(virtd_lxc_t)
|
|
+seutil_read_config(virtd_lxc_t)
|
|
+
|
|
+term_use_generic_ptys(virtd_lxc_t)
|
|
+term_use_ptmx(virtd_lxc_t)
|
|
+term_relabel_pty_fs(virtd_lxc_t)
|
|
+
|
|
+auth_use_nsswitch(virtd_lxc_t)
|
|
+
|
|
+logging_send_syslog_msg(virtd_lxc_t)
|
|
+
|
|
+seutil_domtrans_setfiles(virtd_lxc_t)
|
|
+seutil_read_default_contexts(virtd_lxc_t)
|
|
+
|
|
selinux_get_enforce_mode(virtd_lxc_t)
|
|
selinux_get_fs_mount(virtd_lxc_t)
|
|
selinux_validate_context(virtd_lxc_t)
|
|
@@ -974,194 +1094,239 @@ selinux_compute_create_context(virtd_lxc_t)
|
|
selinux_compute_relabel_context(virtd_lxc_t)
|
|
selinux_compute_user_contexts(virtd_lxc_t)
|
|
|
|
-term_use_generic_ptys(virtd_lxc_t)
|
|
-term_use_ptmx(virtd_lxc_t)
|
|
-term_relabel_pty_fs(virtd_lxc_t)
|
|
+sysnet_exec_ifconfig(virtd_lxc_t)
|
|
|
|
-auth_use_nsswitch(virtd_lxc_t)
|
|
+userdom_read_admin_home_files(virtd_lxc_t)
|
|
|
|
-logging_send_syslog_msg(virtd_lxc_t)
|
|
+optional_policy(`
|
|
+ dbus_system_bus_client(virtd_lxc_t)
|
|
+ init_dbus_chat(virtd_lxc_t)
|
|
|
|
-miscfiles_read_localization(virtd_lxc_t)
|
|
+ optional_policy(`
|
|
+ hal_dbus_chat(virtd_lxc_t)
|
|
+ ')
|
|
+')
|
|
|
|
-seutil_domtrans_setfiles(virtd_lxc_t)
|
|
-seutil_read_config(virtd_lxc_t)
|
|
-seutil_read_default_contexts(virtd_lxc_t)
|
|
+optional_policy(`
|
|
+ gnome_read_generic_cache_files(virtd_lxc_t)
|
|
+')
|
|
|
|
-sysnet_domtrans_ifconfig(virtd_lxc_t)
|
|
+optional_policy(`
|
|
+ setrans_manage_pid_files(virtd_lxc_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_domain(virtd_lxc_t)
|
|
+')
|
|
|
|
########################################
|
|
#
|
|
-# Common virt lxc domain local policy
|
|
+# svirt_sandbox_domain local policy
|
|
#
|
|
+allow svirt_sandbox_domain self:key manage_key_perms;
|
|
+allow svirt_sandbox_domain self:process { getattr signal_perms getsched getpgid getcap setsched setcap setpgid setrlimit };
|
|
+allow svirt_sandbox_domain self:fifo_file manage_file_perms;
|
|
+allow svirt_sandbox_domain self:sem create_sem_perms;
|
|
+allow svirt_sandbox_domain self:shm create_shm_perms;
|
|
+allow svirt_sandbox_domain self:msgq create_msgq_perms;
|
|
+allow svirt_sandbox_domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
+allow svirt_sandbox_domain self:unix_dgram_socket { sendto create_socket_perms };
|
|
+allow svirt_sandbox_domain self:passwd rootok;
|
|
+
|
|
+allow virtd_t svirt_sandbox_domain:unix_stream_socket { create_stream_socket_perms connectto };
|
|
+allow virtd_t svirt_sandbox_domain:process { signal_perms getattr };
|
|
+allow virtd_lxc_t svirt_sandbox_domain:process { getattr getsched setsched setrlimit transition signal_perms };
|
|
+
|
|
+allow svirt_sandbox_domain virtd_lxc_t:process sigchld;
|
|
+allow svirt_sandbox_domain virtd_lxc_t:fd use;
|
|
+allow svirt_sandbox_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
|
|
+
|
|
+manage_dirs_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+manage_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+manage_lnk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+manage_sock_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+manage_fifo_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+allow svirt_sandbox_domain svirt_sandbox_file_t:chr_file setattr;
|
|
+rw_chr_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+
|
|
+allow svirt_sandbox_domain svirt_sandbox_file_t:blk_file setattr;
|
|
+rw_blk_files_pattern(svirt_sandbox_domain, svirt_sandbox_file_t, svirt_sandbox_file_t)
|
|
+can_exec(svirt_sandbox_domain, svirt_sandbox_file_t)
|
|
+allow svirt_sandbox_domain svirt_sandbox_file_t:dir mounton;
|
|
+allow svirt_sandbox_domain svirt_sandbox_file_t:filesystem getattr;
|
|
+
|
|
+kernel_getattr_proc(svirt_sandbox_domain)
|
|
+kernel_list_all_proc(svirt_sandbox_domain)
|
|
+kernel_read_all_sysctls(svirt_sandbox_domain)
|
|
+kernel_rw_net_sysctls(svirt_sandbox_domain)
|
|
+kernel_dontaudit_search_kernel_sysctl(svirt_sandbox_domain)
|
|
+
|
|
+corecmd_exec_all_executables(svirt_sandbox_domain)
|
|
+
|
|
+files_dontaudit_getattr_all_dirs(svirt_sandbox_domain)
|
|
+files_dontaudit_getattr_all_files(svirt_sandbox_domain)
|
|
+files_dontaudit_getattr_all_symlinks(svirt_sandbox_domain)
|
|
+files_dontaudit_getattr_all_pipes(svirt_sandbox_domain)
|
|
+files_dontaudit_getattr_all_sockets(svirt_sandbox_domain)
|
|
+files_dontaudit_list_all_mountpoints(svirt_sandbox_domain)
|
|
+files_dontaudit_write_etc_runtime_files(svirt_sandbox_domain)
|
|
+files_entrypoint_all_files(svirt_sandbox_domain)
|
|
+files_list_var(svirt_sandbox_domain)
|
|
+files_list_var_lib(svirt_sandbox_domain)
|
|
+files_search_all(svirt_sandbox_domain)
|
|
+files_read_config_files(svirt_sandbox_domain)
|
|
+files_read_usr_symlinks(svirt_sandbox_domain)
|
|
+files_search_locks(svirt_sandbox_domain)
|
|
+files_dontaudit_unmount_all_mountpoints(svirt_sandbox_domain)
|
|
+
|
|
+fs_getattr_all_fs(svirt_sandbox_domain)
|
|
+fs_list_inotifyfs(svirt_sandbox_domain)
|
|
+fs_rw_inherited_tmpfs_files(svirt_sandbox_domain)
|
|
+fs_read_fusefs_files(svirt_sandbox_domain)
|
|
+
|
|
+auth_dontaudit_read_passwd(svirt_sandbox_domain)
|
|
+auth_dontaudit_read_login_records(svirt_sandbox_domain)
|
|
+auth_dontaudit_write_login_records(svirt_sandbox_domain)
|
|
+auth_search_pam_console_data(svirt_sandbox_domain)
|
|
+
|
|
+clock_read_adjtime(svirt_sandbox_domain)
|
|
+
|
|
+init_read_utmp(svirt_sandbox_domain)
|
|
+init_dontaudit_write_utmp(svirt_sandbox_domain)
|
|
+
|
|
+libs_dontaudit_setattr_lib_files(svirt_sandbox_domain)
|
|
+
|
|
+miscfiles_dontaudit_access_check_cert(svirt_sandbox_domain)
|
|
+miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_sandbox_domain)
|
|
+miscfiles_read_fonts(svirt_sandbox_domain)
|
|
+miscfiles_read_hwdata(svirt_sandbox_domain)
|
|
+
|
|
+systemd_read_unit_files(svirt_sandbox_domain)
|
|
+
|
|
+userdom_use_inherited_user_terminals(svirt_sandbox_domain)
|
|
+userdom_dontaudit_append_inherited_admin_home_file(svirt_sandbox_domain)
|
|
+userdom_dontaudit_read_inherited_admin_home_files(svirt_sandbox_domain)
|
|
+
|
|
+optional_policy(`
|
|
+ apache_exec_modules(svirt_sandbox_domain)
|
|
+ apache_read_sys_content(svirt_sandbox_domain)
|
|
+')
|
|
|
|
-allow svirt_lxc_domain self:capability { kill setuid setgid dac_override sys_boot };
|
|
-allow svirt_lxc_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
|
|
-allow svirt_lxc_domain self:fifo_file manage_file_perms;
|
|
-allow svirt_lxc_domain self:sem create_sem_perms;
|
|
-allow svirt_lxc_domain self:shm create_shm_perms;
|
|
-allow svirt_lxc_domain self:msgq create_msgq_perms;
|
|
-allow svirt_lxc_domain self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
-allow svirt_lxc_domain self:unix_dgram_socket { sendto create_socket_perms };
|
|
-
|
|
-allow svirt_lxc_domain virtd_lxc_t:fd use;
|
|
-allow svirt_lxc_domain virtd_lxc_t:fifo_file rw_fifo_file_perms;
|
|
-allow svirt_lxc_domain virtd_lxc_t:process sigchld;
|
|
-
|
|
-allow svirt_lxc_domain virtd_lxc_t:unix_stream_socket { connectto rw_socket_perms };
|
|
-
|
|
-allow svirt_lxc_domain virsh_t:fd use;
|
|
-allow svirt_lxc_domain virsh_t:fifo_file rw_fifo_file_perms;
|
|
-allow svirt_lxc_domain virsh_t:process sigchld;
|
|
-
|
|
-allow svirt_lxc_domain virtd_lxc_var_run_t:dir list_dir_perms;
|
|
-allow svirt_lxc_domain virtd_lxc_var_run_t:file read_file_perms;
|
|
-
|
|
-manage_dirs_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
-manage_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
-manage_lnk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
-manage_sock_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
-manage_fifo_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
-rw_chr_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
-rw_blk_files_pattern(svirt_lxc_domain, svirt_lxc_file_t, svirt_lxc_file_t)
|
|
-
|
|
-allow svirt_lxc_net_t svirt_lxc_file_t:dir mounton;
|
|
-allow svirt_lxc_net_t svirt_lxc_file_t:filesystem getattr;
|
|
-
|
|
-can_exec(svirt_lxc_domain, svirt_lxc_file_t)
|
|
-
|
|
-kernel_getattr_proc(svirt_lxc_domain)
|
|
-kernel_list_all_proc(svirt_lxc_domain)
|
|
-kernel_read_kernel_sysctls(svirt_lxc_domain)
|
|
-kernel_rw_net_sysctls(svirt_lxc_domain)
|
|
-kernel_read_system_state(svirt_lxc_domain)
|
|
-kernel_dontaudit_search_kernel_sysctl(svirt_lxc_domain)
|
|
-
|
|
-corecmd_exec_all_executables(svirt_lxc_domain)
|
|
-
|
|
-files_dontaudit_getattr_all_dirs(svirt_lxc_domain)
|
|
-files_dontaudit_getattr_all_files(svirt_lxc_domain)
|
|
-files_dontaudit_getattr_all_symlinks(svirt_lxc_domain)
|
|
-files_dontaudit_getattr_all_pipes(svirt_lxc_domain)
|
|
-files_dontaudit_getattr_all_sockets(svirt_lxc_domain)
|
|
-files_dontaudit_list_all_mountpoints(svirt_lxc_domain)
|
|
-files_dontaudit_write_etc_runtime_files(svirt_lxc_domain)
|
|
-# files_entrypoint_all_files(svirt_lxc_domain)
|
|
-files_list_var(svirt_lxc_domain)
|
|
-files_list_var_lib(svirt_lxc_domain)
|
|
-files_search_all(svirt_lxc_domain)
|
|
-files_read_config_files(svirt_lxc_domain)
|
|
-files_read_usr_files(svirt_lxc_domain)
|
|
-files_read_usr_symlinks(svirt_lxc_domain)
|
|
-
|
|
-fs_getattr_all_fs(svirt_lxc_domain)
|
|
-fs_list_inotifyfs(svirt_lxc_domain)
|
|
-
|
|
-# fs_rw_inherited_tmpfs_files(svirt_lxc_domain)
|
|
-# fs_rw_inherited_cifs_files(svirt_lxc_domain)
|
|
-# fs_rw_inherited_noxattr_fs_files(svirt_lxc_domain)
|
|
-
|
|
-auth_dontaudit_read_login_records(svirt_lxc_domain)
|
|
-auth_dontaudit_write_login_records(svirt_lxc_domain)
|
|
-auth_search_pam_console_data(svirt_lxc_domain)
|
|
-
|
|
-clock_read_adjtime(svirt_lxc_domain)
|
|
-
|
|
-init_read_utmp(svirt_lxc_domain)
|
|
-init_dontaudit_write_utmp(svirt_lxc_domain)
|
|
-
|
|
-libs_dontaudit_setattr_lib_files(svirt_lxc_domain)
|
|
-
|
|
-miscfiles_read_localization(svirt_lxc_domain)
|
|
-miscfiles_dontaudit_setattr_fonts_cache_dirs(svirt_lxc_domain)
|
|
-miscfiles_read_fonts(svirt_lxc_domain)
|
|
-
|
|
-mta_dontaudit_read_spool_symlinks(svirt_lxc_domain)
|
|
+optional_policy(`
|
|
+ mta_dontaudit_read_spool_symlinks(svirt_sandbox_domain)
|
|
+')
|
|
|
|
optional_policy(`
|
|
- udev_read_pid_files(svirt_lxc_domain)
|
|
+ ssh_use_ptys(svirt_sandbox_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
- apache_exec_modules(svirt_lxc_domain)
|
|
- apache_read_sys_content(svirt_lxc_domain)
|
|
+ udev_read_pid_files(svirt_sandbox_domain)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ userhelper_dontaudit_write_config(svirt_sandbox_domain)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Lxc net local policy
|
|
+# svirt_lxc_net_t local policy
|
|
#
|
|
+virt_sandbox_domain_template(svirt_lxc_net)
|
|
+typeattribute svirt_lxc_net_t sandbox_net_domain;
|
|
|
|
-allow svirt_lxc_net_t self:capability { chown dac_read_search dac_override fowner fsetid net_raw net_admin sys_admin sys_nice sys_ptrace sys_resource setpcap };
|
|
+allow svirt_lxc_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
|
|
dontaudit svirt_lxc_net_t self:capability2 block_suspend;
|
|
-allow svirt_lxc_net_t self:process setrlimit;
|
|
-allow svirt_lxc_net_t self:tcp_socket { accept listen };
|
|
-allow svirt_lxc_net_t self:netlink_route_socket nlmsg_write;
|
|
-allow svirt_lxc_net_t self:packet_socket create_socket_perms;
|
|
-allow svirt_lxc_net_t self:socket create_socket_perms;
|
|
-allow svirt_lxc_net_t self:rawip_socket create_socket_perms;
|
|
+allow svirt_lxc_net_t self:process { execstack execmem };
|
|
allow svirt_lxc_net_t self:netlink_socket create_socket_perms;
|
|
-allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_socket_perms;
|
|
+allow svirt_lxc_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
|
allow svirt_lxc_net_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
-kernel_read_network_state(svirt_lxc_net_t)
|
|
-kernel_read_irq_sysctls(svirt_lxc_net_t)
|
|
-
|
|
-corenet_all_recvfrom_unlabeled(svirt_lxc_net_t)
|
|
-corenet_all_recvfrom_netlabel(svirt_lxc_net_t)
|
|
-corenet_tcp_sendrecv_generic_if(svirt_lxc_net_t)
|
|
-corenet_udp_sendrecv_generic_if(svirt_lxc_net_t)
|
|
-corenet_tcp_sendrecv_generic_node(svirt_lxc_net_t)
|
|
-corenet_udp_sendrecv_generic_node(svirt_lxc_net_t)
|
|
-corenet_tcp_sendrecv_all_ports(svirt_lxc_net_t)
|
|
-corenet_udp_sendrecv_all_ports(svirt_lxc_net_t)
|
|
-corenet_tcp_bind_generic_node(svirt_lxc_net_t)
|
|
-corenet_udp_bind_generic_node(svirt_lxc_net_t)
|
|
+allow svirt_lxc_net_t virt_lxc_var_run_t:dir list_dir_perms;
|
|
+allow svirt_lxc_net_t virt_lxc_var_run_t:file read_file_perms;
|
|
|
|
-corenet_sendrecv_all_server_packets(svirt_lxc_net_t)
|
|
-corenet_udp_bind_all_ports(svirt_lxc_net_t)
|
|
-corenet_tcp_bind_all_ports(svirt_lxc_net_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(svirt_lxc_net_t)
|
|
-corenet_tcp_connect_all_ports(svirt_lxc_net_t)
|
|
+kernel_read_irq_sysctls(svirt_lxc_net_t)
|
|
|
|
+dev_read_sysfs(svirt_lxc_net_t)
|
|
dev_getattr_mtrr_dev(svirt_lxc_net_t)
|
|
dev_read_rand(svirt_lxc_net_t)
|
|
-dev_read_sysfs(svirt_lxc_net_t)
|
|
dev_read_urand(svirt_lxc_net_t)
|
|
|
|
files_read_kernel_modules(svirt_lxc_net_t)
|
|
|
|
+fs_noxattr_type(svirt_sandbox_file_t)
|
|
fs_mount_cgroup(svirt_lxc_net_t)
|
|
fs_manage_cgroup_dirs(svirt_lxc_net_t)
|
|
-fs_rw_cgroup_files(svirt_lxc_net_t)
|
|
+fs_manage_cgroup_files(svirt_lxc_net_t)
|
|
+
|
|
+term_pty(svirt_sandbox_file_t)
|
|
|
|
auth_use_nsswitch(svirt_lxc_net_t)
|
|
|
|
+rpm_read_db(svirt_lxc_net_t)
|
|
+
|
|
logging_send_audit_msgs(svirt_lxc_net_t)
|
|
|
|
userdom_use_user_ptys(svirt_lxc_net_t)
|
|
|
|
-optional_policy(`
|
|
- rpm_read_db(svirt_lxc_net_t)
|
|
-')
|
|
-
|
|
-#######################################
|
|
+########################################
|
|
#
|
|
-# Prot exec local policy
|
|
+# svirt_lxc_net_t local policy
|
|
#
|
|
+virt_sandbox_domain_template(svirt_qemu_net)
|
|
+typeattribute svirt_qemu_net_t sandbox_net_domain;
|
|
+
|
|
+allow svirt_qemu_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
|
|
+dontaudit svirt_qemu_net_t self:capability2 block_suspend;
|
|
+allow svirt_qemu_net_t self:process { execstack execmem };
|
|
+allow svirt_qemu_net_t self:netlink_socket create_socket_perms;
|
|
+allow svirt_qemu_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
|
+allow svirt_qemu_net_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
+
|
|
+term_use_generic_ptys(svirt_qemu_net_t)
|
|
+term_use_ptmx(svirt_qemu_net_t)
|
|
+
|
|
+dev_rw_kvm(svirt_qemu_net_t)
|
|
+
|
|
+manage_sock_files_pattern(svirt_qemu_net_t, qemu_var_run_t, qemu_var_run_t)
|
|
+
|
|
+list_dirs_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
|
|
+read_files_pattern(svirt_qemu_net_t, virt_content_t, virt_content_t)
|
|
+
|
|
+append_files_pattern(svirt_qemu_net_t, virt_log_t, virt_log_t)
|
|
+
|
|
+kernel_read_irq_sysctls(svirt_qemu_net_t)
|
|
+
|
|
+dev_read_sysfs(svirt_qemu_net_t)
|
|
+dev_getattr_mtrr_dev(svirt_qemu_net_t)
|
|
+dev_read_rand(svirt_qemu_net_t)
|
|
+dev_read_urand(svirt_qemu_net_t)
|
|
|
|
-allow svirt_prot_exec_t self:process { execmem execstack };
|
|
+files_read_kernel_modules(svirt_qemu_net_t)
|
|
+
|
|
+fs_noxattr_type(svirt_sandbox_file_t)
|
|
+fs_mount_cgroup(svirt_qemu_net_t)
|
|
+fs_manage_cgroup_dirs(svirt_qemu_net_t)
|
|
+fs_manage_cgroup_files(svirt_qemu_net_t)
|
|
+
|
|
+term_pty(svirt_sandbox_file_t)
|
|
+
|
|
+auth_use_nsswitch(svirt_qemu_net_t)
|
|
+
|
|
+rpm_read_db(svirt_qemu_net_t)
|
|
+
|
|
+logging_send_audit_msgs(svirt_qemu_net_t)
|
|
+
|
|
+userdom_use_user_ptys(svirt_qemu_net_t)
|
|
|
|
########################################
|
|
#
|
|
-# Qmf local policy
|
|
+# virt_qmf local policy
|
|
#
|
|
-
|
|
allow virt_qmf_t self:capability { sys_nice sys_tty_config };
|
|
allow virt_qmf_t self:process { setsched signal };
|
|
allow virt_qmf_t self:fifo_file rw_fifo_file_perms;
|
|
-allow virt_qmf_t self:unix_stream_socket { accept listen };
|
|
+allow virt_qmf_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow virt_qmf_t self:tcp_socket create_stream_socket_perms;
|
|
allow virt_qmf_t self:netlink_route_socket create_netlink_socket_perms;
|
|
|
|
@@ -1174,12 +1339,12 @@ dev_read_sysfs(virt_qmf_t)
|
|
dev_read_rand(virt_qmf_t)
|
|
dev_read_urand(virt_qmf_t)
|
|
|
|
+corenet_tcp_connect_matahari_port(virt_qmf_t)
|
|
+
|
|
domain_use_interactive_fds(virt_qmf_t)
|
|
|
|
logging_send_syslog_msg(virt_qmf_t)
|
|
|
|
-miscfiles_read_localization(virt_qmf_t)
|
|
-
|
|
sysnet_read_config(virt_qmf_t)
|
|
|
|
optional_policy(`
|
|
@@ -1192,9 +1357,8 @@ optional_policy(`
|
|
|
|
########################################
|
|
#
|
|
-# Bridgehelper local policy
|
|
+# virt_bridgehelper local policy
|
|
#
|
|
-
|
|
allow virt_bridgehelper_t self:process { setcap getcap };
|
|
allow virt_bridgehelper_t self:capability { setpcap setgid setuid net_admin };
|
|
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
|
|
@@ -1207,5 +1371,194 @@ kernel_read_network_state(virt_bridgehelper_t)
|
|
|
|
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
|
|
|
|
-userdom_search_user_home_dirs(virt_bridgehelper_t)
|
|
-userdom_use_user_ptys(virt_bridgehelper_t)
|
|
+userdom_use_inherited_user_ptys(virt_bridgehelper_t)
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# virt_qemu_ga local policy
|
|
+#
|
|
+
|
|
+allow virt_qemu_ga_t self:capability { sys_admin sys_tty_config };
|
|
+
|
|
+allow virt_qemu_ga_t self:fifo_file rw_fifo_file_perms;
|
|
+allow virt_qemu_ga_t self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+allow virt_qemu_ga_t virt_qemu_ga_exec_t:dir search_dir_perms;
|
|
+can_exec(virt_qemu_ga_t, virt_qemu_ga_exec_t)
|
|
+
|
|
+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)
|
|
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_tmp_t, virt_qemu_ga_tmp_t)
|
|
+files_tmp_filetrans(virt_qemu_ga_t, virt_qemu_ga_tmp_t, { file dir })
|
|
+
|
|
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
|
|
+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_var_run_t, virt_qemu_ga_var_run_t)
|
|
+files_pid_filetrans(virt_qemu_ga_t, virt_qemu_ga_var_run_t, { dir file } )
|
|
+
|
|
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
|
|
+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_data_t, virt_qemu_ga_data_t)
|
|
+
|
|
+manage_dirs_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
|
|
+manage_files_pattern(virt_qemu_ga_t, virt_qemu_ga_log_t, virt_qemu_ga_log_t)
|
|
+logging_log_filetrans(virt_qemu_ga_t, virt_qemu_ga_log_t, { dir file })
|
|
+
|
|
+kernel_read_system_state(virt_qemu_ga_t)
|
|
+
|
|
+corecmd_exec_shell(virt_qemu_ga_t)
|
|
+corecmd_exec_bin(virt_qemu_ga_t)
|
|
+
|
|
+dev_rw_sysfs(virt_qemu_ga_t)
|
|
+
|
|
+files_list_all_mountpoints(virt_qemu_ga_t)
|
|
+files_write_all_mountpoints(virt_qemu_ga_t)
|
|
+
|
|
+fs_list_all(virt_qemu_ga_t)
|
|
+fs_getattr_all_fs(virt_qemu_ga_t)
|
|
+
|
|
+term_use_virtio_console(virt_qemu_ga_t)
|
|
+term_use_all_ttys(virt_qemu_ga_t)
|
|
+term_use_unallocated_ttys(virt_qemu_ga_t)
|
|
+
|
|
+logging_send_syslog_msg(virt_qemu_ga_t)
|
|
+
|
|
+sysnet_dns_name_resolve(virt_qemu_ga_t)
|
|
+
|
|
+systemd_exec_systemctl(virt_qemu_ga_t)
|
|
+systemd_start_power_services(virt_qemu_ga_t)
|
|
+
|
|
+userdom_use_user_ptys(virt_qemu_ga_t)
|
|
+
|
|
+optional_policy(`
|
|
+ bootloader_domtrans(virt_qemu_ga_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ dbus_system_bus_client(virt_qemu_ga_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ cron_initrc_domtrans(virt_qemu_ga_t)
|
|
+ cron_domtrans(virt_qemu_ga_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ devicekit_manage_pid_files(virt_qemu_ga_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ fstools_domtrans(virt_qemu_ga_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ shutdown_domtrans(virt_qemu_ga_t)
|
|
+')
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# qemu-ga unconfined hook script local policy
|
|
+#
|
|
+
|
|
+optional_policy(`
|
|
+ type virt_qemu_ga_unconfined_t;
|
|
+ domain_type(virt_qemu_ga_unconfined_t)
|
|
+
|
|
+ domain_entry_file(virt_qemu_ga_unconfined_t, virt_qemu_ga_unconfined_exec_t)
|
|
+ role system_r types virt_qemu_ga_unconfined_t;
|
|
+
|
|
+ domtrans_pattern(virt_qemu_ga_t, virt_qemu_ga_unconfined_exec_t, virt_qemu_ga_unconfined_t)
|
|
+
|
|
+ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir search_dir_perms;
|
|
+ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:dir read_file_perms;
|
|
+ allow virt_qemu_ga_t virt_qemu_ga_unconfined_exec_t:file ioctl;
|
|
+
|
|
+ init_domtrans_script(virt_qemu_ga_unconfined_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ unconfined_domain(virt_qemu_ga_unconfined_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
+#######################################
|
|
+#
|
|
+# tye for svirt sockets
|
|
+#
|
|
+
|
|
+type svirt_socket_t;
|
|
+domain_type(svirt_socket_t)
|
|
+role system_r types svirt_socket_t;
|
|
+allow virtd_t svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
|
|
+allow virt_domain svirt_socket_t:unix_stream_socket { connectto create_stream_socket_perms };
|
|
+
|
|
+tunable_policy(`virt_transition_userdomain',`
|
|
+ userdom_transition(virtd_t)
|
|
+ userdom_transition(virtd_lxc_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# svirt_lxc_net_t local policy
|
|
+#
|
|
+virt_sandbox_domain_template(svirt_kvm_net)
|
|
+typeattribute svirt_kvm_net_t sandbox_net_domain;
|
|
+
|
|
+allow svirt_kvm_net_t self:capability { kill setuid setgid sys_boot ipc_lock chown dac_read_search dac_override fowner fsetid sys_chroot sys_admin sys_nice sys_ptrace sys_resource setpcap };
|
|
+dontaudit svirt_kvm_net_t self:capability2 block_suspend;
|
|
+allow svirt_kvm_net_t self:netlink_socket create_socket_perms;
|
|
+allow svirt_kvm_net_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
|
|
+allow svirt_kvm_net_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
+
|
|
+term_use_generic_ptys(svirt_kvm_net_t)
|
|
+term_use_ptmx(svirt_kvm_net_t)
|
|
+
|
|
+dev_rw_kvm(svirt_kvm_net_t)
|
|
+
|
|
+manage_sock_files_pattern(svirt_kvm_net_t, virt_var_run_t, virt_var_run_t)
|
|
+
|
|
+list_dirs_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t)
|
|
+read_files_pattern(svirt_kvm_net_t, virt_content_t, virt_content_t)
|
|
+
|
|
+append_files_pattern(svirt_kvm_net_t, virt_log_t, virt_log_t)
|
|
+
|
|
+kernel_read_network_state(svirt_kvm_net_t)
|
|
+kernel_read_irq_sysctls(svirt_kvm_net_t)
|
|
+
|
|
+dev_read_sysfs(svirt_kvm_net_t)
|
|
+dev_getattr_mtrr_dev(svirt_kvm_net_t)
|
|
+dev_read_rand(svirt_kvm_net_t)
|
|
+dev_read_urand(svirt_kvm_net_t)
|
|
+
|
|
+files_read_kernel_modules(svirt_kvm_net_t)
|
|
+
|
|
+fs_noxattr_type(svirt_sandbox_file_t)
|
|
+fs_mount_cgroup(svirt_kvm_net_t)
|
|
+fs_manage_cgroup_dirs(svirt_kvm_net_t)
|
|
+fs_manage_cgroup_files(svirt_kvm_net_t)
|
|
+
|
|
+term_pty(svirt_sandbox_file_t)
|
|
+
|
|
+auth_use_nsswitch(svirt_kvm_net_t)
|
|
+
|
|
+rpm_read_db(svirt_kvm_net_t)
|
|
+
|
|
+logging_send_audit_msgs(svirt_kvm_net_t)
|
|
+
|
|
+userdom_use_user_ptys(svirt_kvm_net_t)
|
|
+
|
|
+kernel_read_network_state(sandbox_net_domain)
|
|
+
|
|
+allow sandbox_net_domain self:capability { net_raw net_admin net_bind_service };
|
|
+
|
|
+allow sandbox_net_domain self:udp_socket create_socket_perms;
|
|
+allow sandbox_net_domain self:tcp_socket create_stream_socket_perms;
|
|
+allow sandbox_net_domain self:netlink_route_socket create_netlink_socket_perms;
|
|
+allow sandbox_net_domain self:packet_socket create_socket_perms;
|
|
+allow sandbox_net_domain self:socket create_socket_perms;
|
|
+allow sandbox_net_domain self:rawip_socket create_socket_perms;
|
|
+
|
|
+corenet_tcp_bind_generic_node(sandbox_net_domain)
|
|
+corenet_udp_bind_generic_node(sandbox_net_domain)
|
|
+corenet_tcp_sendrecv_all_ports(sandbox_net_domain)
|
|
+corenet_udp_sendrecv_all_ports(sandbox_net_domain)
|
|
+corenet_udp_bind_all_ports(sandbox_net_domain)
|
|
+corenet_tcp_bind_all_ports(sandbox_net_domain)
|
|
+corenet_tcp_connect_all_ports(sandbox_net_domain)
|
|
+
|
|
diff --git a/vlock.te b/vlock.te
|
|
index 6b72968..de409cc 100644
|
|
--- a/vlock.te
|
|
+++ b/vlock.te
|
|
@@ -38,7 +38,7 @@ auth_use_pam(vlock_t)
|
|
|
|
init_dontaudit_rw_utmp(vlock_t)
|
|
|
|
-miscfiles_read_localization(vlock_t)
|
|
+logging_send_syslog_msg(vlock_t)
|
|
|
|
userdom_dontaudit_search_user_home_dirs(vlock_t)
|
|
-userdom_use_user_terminals(vlock_t)
|
|
+userdom_use_inherited_user_terminals(vlock_t)
|
|
diff --git a/vmware.if b/vmware.if
|
|
index 20a1fb2..470ea95 100644
|
|
--- a/vmware.if
|
|
+++ b/vmware.if
|
|
@@ -26,7 +26,11 @@ interface(`vmware_role',`
|
|
domtrans_pattern($2, vmware_exec_t, vmware_t)
|
|
|
|
ps_process_pattern($2, vmware_t)
|
|
- allow $2 vmware_t:process { ptrace signal_perms };
|
|
+ allow $2 vmware_t:process signal_perms;
|
|
+
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $2 vmware_t:process ptrace;
|
|
+ ')
|
|
|
|
allow $2 { vmware_tmp_t vmware_file_t }:dir { manage_dir_perms relabel_dir_perms };
|
|
allow $2 { vmware_conf_t vmware_file_t vmware_tmp_t vmware_tmpfs_t }:file { manage_file_perms relabel_file_perms };
|
|
diff --git a/vmware.te b/vmware.te
|
|
index 4ad1894..d72037f 100644
|
|
--- a/vmware.te
|
|
+++ b/vmware.te
|
|
@@ -65,7 +65,8 @@ ifdef(`enable_mcs',`
|
|
# Host local policy
|
|
#
|
|
|
|
-allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time sys_ptrace kill dac_override };
|
|
+allow vmware_host_t self:capability { net_admin sys_module };
|
|
+allow vmware_host_t self:capability { setgid setuid net_raw sys_nice sys_time kill dac_override };
|
|
dontaudit vmware_host_t self:capability sys_tty_config;
|
|
allow vmware_host_t self:process { execstack execmem signal_perms };
|
|
allow vmware_host_t self:fifo_file rw_fifo_file_perms;
|
|
@@ -94,8 +95,8 @@ can_exec(vmware_host_t, vmware_host_exec_t)
|
|
kernel_read_kernel_sysctls(vmware_host_t)
|
|
kernel_read_system_state(vmware_host_t)
|
|
kernel_read_network_state(vmware_host_t)
|
|
+kernel_request_load_module(vmware_host_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(vmware_host_t)
|
|
corenet_all_recvfrom_netlabel(vmware_host_t)
|
|
corenet_tcp_sendrecv_generic_if(vmware_host_t)
|
|
corenet_udp_sendrecv_generic_if(vmware_host_t)
|
|
@@ -115,14 +116,13 @@ dev_getattr_all_blk_files(vmware_host_t)
|
|
dev_read_sysfs(vmware_host_t)
|
|
dev_read_urand(vmware_host_t)
|
|
dev_rw_vmware(vmware_host_t)
|
|
+dev_rw_generic_chr_files(vmware_host_t)
|
|
|
|
domain_use_interactive_fds(vmware_host_t)
|
|
domain_dontaudit_read_all_domains_state(vmware_host_t)
|
|
|
|
files_list_tmp(vmware_host_t)
|
|
-files_read_etc_files(vmware_host_t)
|
|
files_read_etc_runtime_files(vmware_host_t)
|
|
-files_read_usr_files(vmware_host_t)
|
|
|
|
fs_getattr_all_fs(vmware_host_t)
|
|
fs_search_auto_mountpoints(vmware_host_t)
|
|
@@ -138,23 +138,27 @@ libs_exec_ld_so(vmware_host_t)
|
|
|
|
logging_send_syslog_msg(vmware_host_t)
|
|
|
|
-miscfiles_read_localization(vmware_host_t)
|
|
-
|
|
sysnet_dns_name_resolve(vmware_host_t)
|
|
sysnet_domtrans_ifconfig(vmware_host_t)
|
|
|
|
+systemd_start_power_services(vmware_host_t)
|
|
+
|
|
userdom_dontaudit_use_unpriv_user_fds(vmware_host_t)
|
|
userdom_dontaudit_search_user_home_dirs(vmware_host_t)
|
|
|
|
netutils_domtrans_ping(vmware_host_t)
|
|
|
|
optional_policy(`
|
|
- hostname_exec(vmware_host_t)
|
|
+ unconfined_domain(vmware_host_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
+ hostname_exec(vmware_host_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
modutils_domtrans_insmod(vmware_host_t)
|
|
-')
|
|
+')
|
|
|
|
optional_policy(`
|
|
samba_read_config(vmware_host_t)
|
|
@@ -244,9 +248,7 @@ dev_search_sysfs(vmware_t)
|
|
|
|
domain_use_interactive_fds(vmware_t)
|
|
|
|
-files_read_etc_files(vmware_t)
|
|
files_read_etc_runtime_files(vmware_t)
|
|
-files_read_usr_files(vmware_t)
|
|
files_list_home(vmware_t)
|
|
|
|
fs_getattr_all_fs(vmware_t)
|
|
@@ -258,9 +260,8 @@ storage_raw_write_removable_device(vmware_t)
|
|
libs_exec_ld_so(vmware_t)
|
|
libs_read_lib_files(vmware_t)
|
|
|
|
-miscfiles_read_localization(vmware_t)
|
|
|
|
-userdom_use_user_terminals(vmware_t)
|
|
+userdom_use_inherited_user_terminals(vmware_t)
|
|
userdom_list_user_home_dirs(vmware_t)
|
|
|
|
sysnet_dns_name_resolve(vmware_t)
|
|
diff --git a/vnstatd.if b/vnstatd.if
|
|
index 137ac44..b644854 100644
|
|
--- a/vnstatd.if
|
|
+++ b/vnstatd.if
|
|
@@ -157,7 +157,6 @@ interface(`vnstatd_manage_lib_files',`
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
interface(`vnstatd_admin',`
|
|
gen_require(`
|
|
@@ -165,9 +164,13 @@ interface(`vnstatd_admin',`
|
|
type vnstatd_var_run_t;
|
|
')
|
|
|
|
- allow $1 vnstatd_t:process { ptrace signal_perms };
|
|
+ allow $1 vnstatd_t:process signal_perms;
|
|
ps_process_pattern($1, vnstatd_t)
|
|
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 vnstatd_t:process ptrace;
|
|
+ ')
|
|
+
|
|
init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 vnstatd_initrc_exec_t system_r;
|
|
diff --git a/vnstatd.te b/vnstatd.te
|
|
index e2220ae..0dcf5f6 100644
|
|
--- a/vnstatd.te
|
|
+++ b/vnstatd.te
|
|
@@ -36,7 +36,7 @@ allow vnstatd_t self:unix_stream_socket { accept listen };
|
|
|
|
manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
|
|
manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
|
|
-files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
|
|
+files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir)
|
|
|
|
manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
|
|
manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
|
|
@@ -47,14 +47,10 @@ kernel_read_system_state(vnstatd_t)
|
|
|
|
domain_use_interactive_fds(vnstatd_t)
|
|
|
|
-files_read_etc_files(vnstatd_t)
|
|
-
|
|
fs_getattr_xattr_fs(vnstatd_t)
|
|
|
|
logging_send_syslog_msg(vnstatd_t)
|
|
|
|
-miscfiles_read_localization(vnstatd_t)
|
|
-
|
|
########################################
|
|
#
|
|
# Client local policy
|
|
@@ -64,23 +60,19 @@ allow vnstat_t self:process signal;
|
|
allow vnstat_t self:fifo_file rw_fifo_file_perms;
|
|
allow vnstat_t self:unix_stream_socket { accept listen };
|
|
|
|
+files_search_var_lib(vnstat_t)
|
|
manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
|
|
manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
|
|
-files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
|
|
|
|
kernel_read_network_state(vnstat_t)
|
|
kernel_read_system_state(vnstat_t)
|
|
|
|
domain_use_interactive_fds(vnstat_t)
|
|
|
|
-files_read_etc_files(vnstat_t)
|
|
-
|
|
fs_getattr_xattr_fs(vnstat_t)
|
|
|
|
logging_send_syslog_msg(vnstat_t)
|
|
|
|
-miscfiles_read_localization(vnstat_t)
|
|
-
|
|
optional_policy(`
|
|
cron_system_entry(vnstat_t, vnstat_exec_t)
|
|
')
|
|
diff --git a/vpn.fc b/vpn.fc
|
|
index 524ac2f..076dcc3 100644
|
|
--- a/vpn.fc
|
|
+++ b/vpn.fc
|
|
@@ -1,7 +1,13 @@
|
|
-/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
|
|
+#
|
|
+# sbin
|
|
+#
|
|
+/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
|
|
|
|
+#
|
|
+# /usr
|
|
+#
|
|
/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0)
|
|
|
|
-/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
|
|
+/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
|
|
|
|
-/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
|
|
+/var/run/vpnc(/.*)? gen_context(system_u:object_r:vpnc_var_run_t,s0)
|
|
diff --git a/vpn.if b/vpn.if
|
|
index 7a7f342..afedcba 100644
|
|
--- a/vpn.if
|
|
+++ b/vpn.if
|
|
@@ -1,8 +1,8 @@
|
|
-## <summary>Virtual Private Networking client.</summary>
|
|
+## <summary>Virtual Private Networking client</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute vpn clients in the vpnc domain.
|
|
+## Execute VPN clients in the vpnc domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -15,15 +15,13 @@ interface(`vpn_domtrans',`
|
|
type vpnc_t, vpnc_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, vpnc_exec_t, vpnc_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute vpn clients in the vpnc
|
|
-## domain, and allow the specified
|
|
-## role the vpnc domain.
|
|
+## Execute VPN clients in the vpnc domain, and
|
|
+## allow the specified role the vpnc domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -40,6 +38,7 @@ interface(`vpn_domtrans',`
|
|
interface(`vpn_run',`
|
|
gen_require(`
|
|
attribute_role vpnc_roles;
|
|
+ type vpnc_t;
|
|
')
|
|
|
|
vpn_domtrans($1)
|
|
@@ -48,7 +47,7 @@ interface(`vpn_run',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send kill signals to vpnc.
|
|
+## Send VPN clients the kill signal.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -66,7 +65,7 @@ interface(`vpn_kill',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send generic signals to vpnc.
|
|
+## Send generic signals to VPN clients.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -84,7 +83,7 @@ interface(`vpn_signal',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Send null signals to vpnc.
|
|
+## Send signull to VPN clients.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -103,7 +102,7 @@ interface(`vpn_signull',`
|
|
########################################
|
|
## <summary>
|
|
## Send and receive messages from
|
|
-## vpnc over dbus.
|
|
+## Vpnc over dbus.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
diff --git a/vpn.te b/vpn.te
|
|
index 95b26d1..55557cb 100644
|
|
--- a/vpn.te
|
|
+++ b/vpn.te
|
|
@@ -6,6 +6,7 @@ policy_module(vpn, 1.16.0)
|
|
#
|
|
|
|
attribute_role vpnc_roles;
|
|
+roleattribute system_r vpnc_roles;
|
|
|
|
type vpnc_t;
|
|
type vpnc_exec_t;
|
|
@@ -28,9 +29,13 @@ allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock n
|
|
allow vpnc_t self:process { getsched signal };
|
|
allow vpnc_t self:fifo_file rw_fifo_file_perms;
|
|
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
|
|
-allow vpnc_t self:tcp_socket { accept listen };
|
|
+allow vpnc_t self:tcp_socket create_stream_socket_perms;
|
|
+allow vpnc_t self:udp_socket create_socket_perms;
|
|
allow vpnc_t self:rawip_socket create_socket_perms;
|
|
+allow vpnc_t self:unix_dgram_socket create_socket_perms;
|
|
+allow vpnc_t self:unix_stream_socket create_socket_perms;
|
|
allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };
|
|
+# cjp: this needs to be fixed
|
|
allow vpnc_t self:socket create_socket_perms;
|
|
|
|
manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
|
|
@@ -47,7 +52,6 @@ kernel_read_all_sysctls(vpnc_t)
|
|
kernel_request_load_module(vpnc_t)
|
|
kernel_rw_net_sysctls(vpnc_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(vpnc_t)
|
|
corenet_all_recvfrom_netlabel(vpnc_t)
|
|
corenet_tcp_sendrecv_generic_if(vpnc_t)
|
|
corenet_udp_sendrecv_generic_if(vpnc_t)
|
|
@@ -58,38 +62,32 @@ corenet_raw_sendrecv_generic_node(vpnc_t)
|
|
corenet_tcp_sendrecv_all_ports(vpnc_t)
|
|
corenet_udp_sendrecv_all_ports(vpnc_t)
|
|
corenet_udp_bind_generic_node(vpnc_t)
|
|
-
|
|
-corenet_sendrecv_all_server_packets(vpnc_t)
|
|
corenet_udp_bind_generic_port(vpnc_t)
|
|
-
|
|
-corenet_sendrecv_isakmp_server_packets(vpnc_t)
|
|
corenet_udp_bind_isakmp_port(vpnc_t)
|
|
-
|
|
-corenet_sendrecv_generic_server_packets(vpnc_t)
|
|
corenet_udp_bind_ipsecnat_port(vpnc_t)
|
|
-
|
|
-corenet_sendrecv_all_client_packets(vpnc_t)
|
|
corenet_tcp_connect_all_ports(vpnc_t)
|
|
-
|
|
+corenet_sendrecv_all_client_packets(vpnc_t)
|
|
+corenet_sendrecv_isakmp_server_packets(vpnc_t)
|
|
+corenet_sendrecv_generic_server_packets(vpnc_t)
|
|
corenet_rw_tun_tap_dev(vpnc_t)
|
|
|
|
-corecmd_exec_all_executables(vpnc_t)
|
|
-
|
|
dev_read_rand(vpnc_t)
|
|
dev_read_urand(vpnc_t)
|
|
dev_read_sysfs(vpnc_t)
|
|
|
|
domain_use_interactive_fds(vpnc_t)
|
|
|
|
-files_exec_etc_files(vpnc_t)
|
|
-files_read_etc_runtime_files(vpnc_t)
|
|
-files_dontaudit_search_home(vpnc_t)
|
|
-
|
|
fs_getattr_xattr_fs(vpnc_t)
|
|
fs_getattr_tmpfs(vpnc_t)
|
|
|
|
-term_use_all_ptys(vpnc_t)
|
|
-term_use_all_ttys(vpnc_t)
|
|
+term_use_all_inherited_ptys(vpnc_t)
|
|
+term_use_all_inherited_ttys(vpnc_t)
|
|
+
|
|
+corecmd_exec_all_executables(vpnc_t)
|
|
+
|
|
+files_exec_etc_files(vpnc_t)
|
|
+files_read_etc_runtime_files(vpnc_t)
|
|
+files_dontaudit_search_home(vpnc_t)
|
|
|
|
auth_use_nsswitch(vpnc_t)
|
|
|
|
@@ -103,16 +101,15 @@ locallogin_use_fds(vpnc_t)
|
|
logging_send_syslog_msg(vpnc_t)
|
|
logging_dontaudit_search_logs(vpnc_t)
|
|
|
|
-miscfiles_read_localization(vpnc_t)
|
|
-
|
|
-seutil_dontaudit_search_config(vpnc_t)
|
|
+seutil_use_newrole_fds(vpnc_t)
|
|
|
|
sysnet_run_ifconfig(vpnc_t, vpnc_roles)
|
|
sysnet_etc_filetrans_config(vpnc_t)
|
|
sysnet_manage_config(vpnc_t)
|
|
|
|
userdom_use_all_users_fds(vpnc_t)
|
|
-userdom_dontaudit_search_user_home_content(vpnc_t)
|
|
+userdom_read_home_certs(vpnc_t)
|
|
+userdom_search_admin_dir(vpnc_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(vpnc_t)
|
|
@@ -125,7 +122,3 @@ optional_policy(`
|
|
optional_policy(`
|
|
networkmanager_attach_tun_iface(vpnc_t)
|
|
')
|
|
-
|
|
-optional_policy(`
|
|
- seutil_use_newrole_fds(vpnc_t)
|
|
-')
|
|
diff --git a/watchdog.fc b/watchdog.fc
|
|
index eecd0e0..8df2e8c 100644
|
|
--- a/watchdog.fc
|
|
+++ b/watchdog.fc
|
|
@@ -1,7 +1,12 @@
|
|
/etc/rc\.d/init\.d/watchdog -- gen_context(system_u:object_r:watchdog_initrc_exec_t,s0)
|
|
+/etc/watchdog\.d(/.*)? gen_context(system_u:object_r:watchdog_unconfined_exec_t,s0)
|
|
|
|
/usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
|
|
|
|
+/usr/libexec/watchdog/scripts(/.*)? gen_context(system_u:object_r:watchdog_unconfined_exec_t,s0)
|
|
+
|
|
+/var/cache/watchdog(/.*)? gen_context(system_u:object_r:watchdog_cache_t,s0)
|
|
+
|
|
/var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0)
|
|
|
|
/var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)
|
|
diff --git a/watchdog.te b/watchdog.te
|
|
index 3548317..d8655b2 100644
|
|
--- a/watchdog.te
|
|
+++ b/watchdog.te
|
|
@@ -12,12 +12,18 @@ init_daemon_domain(watchdog_t, watchdog_exec_t)
|
|
type watchdog_initrc_exec_t;
|
|
init_script_file(watchdog_initrc_exec_t)
|
|
|
|
+type watchdog_cache_t;
|
|
+files_type(watchdog_cache_t)
|
|
+
|
|
type watchdog_log_t;
|
|
logging_log_file(watchdog_log_t)
|
|
|
|
type watchdog_var_run_t;
|
|
files_pid_file(watchdog_var_run_t)
|
|
|
|
+type watchdog_unconfined_exec_t;
|
|
+application_executable_file(watchdog_unconfined_exec_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -29,8 +35,12 @@ allow watchdog_t self:process { setsched signal_perms };
|
|
allow watchdog_t self:fifo_file rw_fifo_file_perms;
|
|
allow watchdog_t self:tcp_socket { accept listen };
|
|
|
|
-allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
|
|
-logging_log_filetrans(watchdog_t, watchdog_log_t, file)
|
|
+manage_files_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
|
|
+manage_dirs_pattern(watchdog_t, watchdog_cache_t, watchdog_cache_t)
|
|
+
|
|
+manage_files_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)
|
|
+manage_dirs_pattern(watchdog_t,watchdog_log_t,watchdog_log_t)
|
|
+logging_log_filetrans(watchdog_t, watchdog_log_t,{dir file})
|
|
|
|
manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
|
|
files_pid_filetrans(watchdog_t, watchdog_var_run_t, file)
|
|
@@ -63,7 +73,6 @@ domain_signull_all_domains(watchdog_t)
|
|
domain_signal_all_domains(watchdog_t)
|
|
domain_kill_all_domains(watchdog_t)
|
|
|
|
-files_read_etc_files(watchdog_t)
|
|
files_manage_etc_runtime_files(watchdog_t)
|
|
files_etc_filetrans_etc_runtime(watchdog_t, file)
|
|
|
|
@@ -75,8 +84,6 @@ auth_append_login_records(watchdog_t)
|
|
|
|
logging_send_syslog_msg(watchdog_t)
|
|
|
|
-miscfiles_read_localization(watchdog_t)
|
|
-
|
|
sysnet_dns_name_resolve(watchdog_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
|
|
@@ -97,3 +104,28 @@ optional_policy(`
|
|
optional_policy(`
|
|
udev_read_db(watchdog_t)
|
|
')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# watchdog_unconfined_script_t local policy
|
|
+#
|
|
+
|
|
+optional_policy(`
|
|
+ type watchdog_unconfined_t;
|
|
+ domain_type(watchdog_unconfined_t)
|
|
+
|
|
+ domain_entry_file(watchdog_unconfined_t, watchdog_unconfined_exec_t)
|
|
+ role system_r types watchdog_unconfined_t;
|
|
+
|
|
+ domtrans_pattern(watchdog_t, watchdog_unconfined_exec_t, watchdog_unconfined_t)
|
|
+
|
|
+ allow watchdog_t watchdog_unconfined_exec_t:dir search_dir_perms;
|
|
+ allow watchdog_t watchdog_unconfined_exec_t:dir read_file_perms;
|
|
+ allow watchdog_t watchdog_unconfined_exec_t:file ioctl;
|
|
+
|
|
+ init_domtrans_script(watchdog_unconfined_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ unconfined_domain(watchdog_unconfined_t)
|
|
+ ')
|
|
+')
|
|
diff --git a/wdmd.fc b/wdmd.fc
|
|
index 66f11f7..e051997 100644
|
|
--- a/wdmd.fc
|
|
+++ b/wdmd.fc
|
|
@@ -1,5 +1,7 @@
|
|
/etc/rc\.d/init\.d/wdmd -- gen_context(system_u:object_r:wdmd_initrc_exec_t,s0)
|
|
|
|
-/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
|
|
+/usr/sbin/wdmd -- gen_context(system_u:object_r:wdmd_exec_t,s0)
|
|
+
|
|
+/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0)
|
|
+/var/run/checkquorum-timer -- gen_context(system_u:object_r:wdmd_var_run_t,s0)
|
|
|
|
-/var/run/wdmd(/.*)? gen_context(system_u:object_r:wdmd_var_run_t,s0)
|
|
diff --git a/wdmd.if b/wdmd.if
|
|
index 1e3aec0..d17ff39 100644
|
|
--- a/wdmd.if
|
|
+++ b/wdmd.if
|
|
@@ -1,29 +1,47 @@
|
|
-## <summary>Watchdog multiplexing daemon.</summary>
|
|
+
|
|
+## <summary>watchdog multiplexing daemon</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to wdmd with a unix
|
|
-## domain stream socket.
|
|
+## Execute a domain transition to run wdmd.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`wdmd_domtrans',`
|
|
+ gen_require(`
|
|
+ type wdmd_t, wdmd_exec_t;
|
|
+ ')
|
|
+
|
|
+ domtrans_pattern($1, wdmd_exec_t, wdmd_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute wdmd server in the wdmd domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## The type of the process performing this action.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`wdmd_stream_connect',`
|
|
+interface(`wdmd_initrc_domtrans',`
|
|
gen_require(`
|
|
- type wdmd_t, wdmd_var_run_t;
|
|
+ type wdmd_initrc_exec_t;
|
|
')
|
|
|
|
- files_search_pids($1)
|
|
- stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t)
|
|
+ init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an wdmd environment.
|
|
+## All of the rules required to administrate
|
|
+## an wdmd environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -39,17 +57,77 @@ interface(`wdmd_stream_connect',`
|
|
#
|
|
interface(`wdmd_admin',`
|
|
gen_require(`
|
|
- type wdmd_t, wdmd_initrc_exec_t, wdmd_var_run_t;
|
|
+ type wdmd_t;
|
|
+ type wdmd_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 wdmd_t:process { ptrace signal_perms };
|
|
+ allow $1 wdmd_t:process signal_perms;
|
|
ps_process_pattern($1, wdmd_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 wdmd_t:process ptrace;
|
|
+ ')
|
|
|
|
- init_labeled_script_domtrans($1, wdmd_initrc_exec_t)
|
|
+ wdmd_initrc_domtrans($1)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 wdmd_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Create, read, write, and delete wdmd PID files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`wdmd_manage_pid_files',`
|
|
+ gen_require(`
|
|
+ type wdmd_var_run_t;
|
|
+ ')
|
|
+
|
|
files_search_pids($1)
|
|
- admin_pattern($1, wdmd_var_run_t)
|
|
+ manage_files_pattern($1, wdmd_var_run_t, wdmd_var_run_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Connect to wdmd over a unix stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`wdmd_stream_connect',`
|
|
+ gen_require(`
|
|
+ type wdmd_t, wdmd_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, wdmd_var_run_t, wdmd_var_run_t, wdmd_t)
|
|
+')
|
|
+
|
|
+
|
|
+####################################
|
|
+## <summary>
|
|
+## Allow the specified domain to read/write wdmd's tmpfs files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`wdmd_rw_tmpfs',`
|
|
+ gen_require(`
|
|
+ type wdmd_tmpfs_t;
|
|
+ ')
|
|
+
|
|
+ rw_files_pattern($1, wdmd_tmpfs_t, wdmd_tmpfs_t)
|
|
+
|
|
')
|
|
diff --git a/wdmd.te b/wdmd.te
|
|
index 4815a93..24dcf51 100644
|
|
--- a/wdmd.te
|
|
+++ b/wdmd.te
|
|
@@ -45,16 +45,15 @@ corecmd_exec_shell(wdmd_t)
|
|
dev_read_watchdog(wdmd_t)
|
|
dev_write_watchdog(wdmd_t)
|
|
|
|
+fs_getattr_all_fs(wdmd_t)
|
|
fs_read_anon_inodefs_files(wdmd_t)
|
|
|
|
auth_use_nsswitch(wdmd_t)
|
|
|
|
logging_send_syslog_msg(wdmd_t)
|
|
|
|
-miscfiles_read_localization(wdmd_t)
|
|
-
|
|
optional_policy(`
|
|
- corosync_initrc_domtrans(wdmd_t)
|
|
- corosync_stream_connect(wdmd_t)
|
|
- corosync_rw_tmpfs(wdmd_t)
|
|
+ rhcs_initrc_domtrans_cluster(wdmd_t)
|
|
+ rhcs_stream_connect_cluster(wdmd_t)
|
|
+ rhcs_rw_cluster_tmpfs(wdmd_t)
|
|
')
|
|
diff --git a/webadm.te b/webadm.te
|
|
index 2a6cae7..6d0a2a1 100644
|
|
--- a/webadm.te
|
|
+++ b/webadm.te
|
|
@@ -25,6 +25,9 @@ role webadm_r;
|
|
|
|
userdom_base_user_template(webadm)
|
|
|
|
+type webadm_tmp_t;
|
|
+files_tmp_file(webadm_tmp_t)
|
|
+
|
|
########################################
|
|
#
|
|
# Local policy
|
|
@@ -32,6 +35,12 @@ userdom_base_user_template(webadm)
|
|
|
|
allow webadm_t self:capability { dac_override dac_read_search kill sys_nice };
|
|
|
|
+manage_dirs_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
|
|
+manage_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
|
|
+manage_lnk_files_pattern(webadm_t, webadm_tmp_t, webadm_tmp_t)
|
|
+files_tmp_filetrans(webadm_t, webadm_tmp_t, { file dir })
|
|
+can_exec(webadm_t, webadm_tmp_t)
|
|
+
|
|
files_dontaudit_search_all_dirs(webadm_t)
|
|
files_list_var(webadm_t)
|
|
|
|
@@ -43,7 +52,9 @@ logging_send_syslog_msg(webadm_t)
|
|
|
|
userdom_dontaudit_search_user_home_dirs(webadm_t)
|
|
|
|
-apache_admin(webadm_t, webadm_r)
|
|
+optional_policy(`
|
|
+ apache_admin(webadm_t, webadm_r)
|
|
+')
|
|
|
|
tunable_policy(`webadm_manage_user_files',`
|
|
userdom_manage_user_home_content_files(webadm_t)
|
|
diff --git a/webalizer.te b/webalizer.te
|
|
index ae919b9..e0b1983 100644
|
|
--- a/webalizer.te
|
|
+++ b/webalizer.te
|
|
@@ -55,27 +55,35 @@ can_exec(webalizer_t, webalizer_exec_t)
|
|
kernel_read_kernel_sysctls(webalizer_t)
|
|
kernel_read_system_state(webalizer_t)
|
|
|
|
-files_read_etc_runtime_files(webalizer_t)
|
|
+corenet_all_recvfrom_netlabel(webalizer_t)
|
|
+corenet_tcp_sendrecv_generic_if(webalizer_t)
|
|
+corenet_tcp_sendrecv_generic_node(webalizer_t)
|
|
+corenet_tcp_sendrecv_all_ports(webalizer_t)
|
|
|
|
fs_search_auto_mountpoints(webalizer_t)
|
|
fs_getattr_xattr_fs(webalizer_t)
|
|
fs_rw_anon_inodefs_files(webalizer_t)
|
|
|
|
-auth_use_nsswitch(webalizer_t)
|
|
+files_read_etc_runtime_files(webalizer_t)
|
|
|
|
logging_list_logs(webalizer_t)
|
|
logging_send_syslog_msg(webalizer_t)
|
|
|
|
-miscfiles_read_localization(webalizer_t)
|
|
+auth_use_nsswitch(webalizer_t)
|
|
+
|
|
miscfiles_read_public_files(webalizer_t)
|
|
|
|
-userdom_use_user_terminals(webalizer_t)
|
|
+sysnet_dns_name_resolve(webalizer_t)
|
|
+sysnet_read_config(webalizer_t)
|
|
+
|
|
+userdom_use_inherited_user_terminals(webalizer_t)
|
|
userdom_use_unpriv_users_fds(webalizer_t)
|
|
userdom_dontaudit_search_user_home_content(webalizer_t)
|
|
|
|
optional_policy(`
|
|
apache_read_log(webalizer_t)
|
|
apache_content_template(webalizer)
|
|
+ apache_manage_sys_content(webalizer_t)
|
|
manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
|
|
manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
|
|
')
|
|
diff --git a/wine.if b/wine.if
|
|
index fd2b6cc..52a2e72 100644
|
|
--- a/wine.if
|
|
+++ b/wine.if
|
|
@@ -1,46 +1,57 @@
|
|
-## <summary>Run Windows programs in Linux.</summary>
|
|
+## <summary>Wine Is Not an Emulator. Run Windows programs in Linux.</summary>
|
|
|
|
-########################################
|
|
+#######################################
|
|
## <summary>
|
|
-## Role access for wine.
|
|
+## The per role template for the wine module.
|
|
## </summary>
|
|
-## <param name="role">
|
|
+## <desc>
|
|
+## <p>
|
|
+## This template creates a derived domains which are used
|
|
+## for wine applications.
|
|
+## </p>
|
|
+## </desc>
|
|
+## <param name="user_role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role associated with the user domain.
|
|
## </summary>
|
|
## </param>
|
|
-## <param name="domain">
|
|
+## <param name="user_domain">
|
|
## <summary>
|
|
-## User domain for the role.
|
|
+## The type of the user domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`wine_role',`
|
|
+template(`wine_role',`
|
|
gen_require(`
|
|
- attribute_role wine_roles;
|
|
- type wine_exec_t, wine_t, wine_tmp_t;
|
|
+ type wine_t;
|
|
type wine_home_t;
|
|
+ type wine_exec_t;
|
|
')
|
|
|
|
- roleattribute $1 wine_roles;
|
|
-
|
|
- domtrans_pattern($2, wine_exec_t, wine_t)
|
|
+ role $1 types wine_t;
|
|
|
|
+ domain_auto_trans($2, wine_exec_t, wine_t)
|
|
+ # Unrestricted inheritance from the caller.
|
|
+ allow $2 wine_t:process { noatsecure siginh rlimitinh };
|
|
+ allow wine_t $2:fd use;
|
|
+ allow wine_t $2:process { sigchld signull };
|
|
allow wine_t $2:unix_stream_socket connectto;
|
|
- allow wine_t $2:process signull;
|
|
|
|
+ # Allow the user domain to signal/ps.
|
|
ps_process_pattern($2, wine_t)
|
|
- allow $2 wine_t:process { ptrace signal_perms };
|
|
+ allow $2 wine_t:process signal_perms;
|
|
|
|
allow $2 wine_t:fd use;
|
|
- allow $2 wine_t:shm { associate getattr };
|
|
- allow $2 wine_t:shm rw_shm_perms;
|
|
+ allow $2 wine_t:shm { associate getattr unix_read unix_write };
|
|
allow $2 wine_t:unix_stream_socket connectto;
|
|
|
|
- allow $2 { wine_tmp_t wine_home_t }:dir { manage_dir_perms relabel_dir_perms };
|
|
- allow $2 { wine_tmp_t wine_home_t }:file { manage_file_perms relabel_file_perms };
|
|
- allow $2 wine_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
|
|
- userdom_user_home_dir_filetrans($2, wine_home_t, dir, ".wine")
|
|
+ # X access, Home files
|
|
+ manage_dirs_pattern($2, wine_home_t, wine_home_t)
|
|
+ manage_files_pattern($2, wine_home_t, wine_home_t)
|
|
+ manage_lnk_files_pattern($2, wine_home_t, wine_home_t)
|
|
+ relabel_dirs_pattern($2, wine_home_t, wine_home_t)
|
|
+ relabel_files_pattern($2, wine_home_t, wine_home_t)
|
|
+ relabel_lnk_files_pattern($2, wine_home_t, wine_home_t)
|
|
')
|
|
|
|
#######################################
|
|
@@ -72,31 +83,25 @@ interface(`wine_role',`
|
|
#
|
|
template(`wine_role_template',`
|
|
gen_require(`
|
|
+ type wine_t;
|
|
+ attribute wine_domain;
|
|
type wine_exec_t;
|
|
')
|
|
|
|
- type $1_wine_t;
|
|
- userdom_user_application_domain($1_wine_t, wine_exec_t)
|
|
+ type $1_wine_t, wine_domain;
|
|
+ domain_type($1_wine_t)
|
|
+ domain_entry_file($1_wine_t, wine_exec_t)
|
|
+ ubac_constrained($1_wine_t)
|
|
role $2 types $1_wine_t;
|
|
-
|
|
- allow $1_wine_t self:process { execmem execstack };
|
|
-
|
|
- allow $3 $1_wine_t:process { ptrace noatsecure signal_perms };
|
|
- ps_process_pattern($3, $1_wine_t)
|
|
-
|
|
+ allow $3 $1_wine_t:process { getattr noatsecure signal_perms };
|
|
domtrans_pattern($3, wine_exec_t, $1_wine_t)
|
|
-
|
|
- corecmd_bin_domtrans($1_wine_t, $3)
|
|
+ corecmd_bin_domtrans($1_wine_t, $1_t)
|
|
|
|
userdom_unpriv_usertype($1, $1_wine_t)
|
|
- userdom_manage_user_tmpfs_files($1_wine_t)
|
|
+ userdom_manage_tmpfs_role($2, $1_wine_t)
|
|
|
|
domain_mmap_low($1_wine_t)
|
|
|
|
- tunable_policy(`wine_mmap_zero_ignore',`
|
|
- dontaudit $1_wine_t self:memprotect mmap_zero;
|
|
- ')
|
|
-
|
|
optional_policy(`
|
|
xserver_role($1_r, $1_wine_t)
|
|
')
|
|
@@ -123,9 +128,8 @@ interface(`wine_domtrans',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute wine in the wine domain,
|
|
-## and allow the specified role
|
|
-## the wine domain.
|
|
+## Execute wine in the wine domain, and
|
|
+## allow the specified role the wine domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -140,11 +144,11 @@ interface(`wine_domtrans',`
|
|
#
|
|
interface(`wine_run',`
|
|
gen_require(`
|
|
- attribute_role wine_roles;
|
|
+ type wine_t;
|
|
')
|
|
|
|
wine_domtrans($1)
|
|
- roleattribute $2 wine_roles;
|
|
+ role $2 types wine_t;
|
|
')
|
|
|
|
########################################
|
|
diff --git a/wine.te b/wine.te
|
|
index 491b87b..689460b 100644
|
|
--- a/wine.te
|
|
+++ b/wine.te
|
|
@@ -14,10 +14,11 @@ policy_module(wine, 1.11.0)
|
|
## </desc>
|
|
gen_tunable(wine_mmap_zero_ignore, false)
|
|
|
|
+attribute wine_domain;
|
|
attribute_role wine_roles;
|
|
roleattribute system_r wine_roles;
|
|
|
|
-type wine_t;
|
|
+type wine_t, wine_domain;
|
|
type wine_exec_t;
|
|
userdom_user_application_domain(wine_t, wine_exec_t)
|
|
role wine_roles types wine_t;
|
|
@@ -25,56 +26,57 @@ role wine_roles types wine_t;
|
|
type wine_home_t;
|
|
userdom_user_home_content(wine_home_t)
|
|
|
|
-type wine_tmp_t;
|
|
-userdom_user_tmp_file(wine_tmp_t)
|
|
-
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
+domain_mmap_low(wine_t)
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_domain(wine_t)
|
|
+')
|
|
|
|
-allow wine_t self:process { execstack execmem execheap };
|
|
-allow wine_t self:fifo_file manage_fifo_file_perms;
|
|
|
|
-can_exec(wine_t, wine_exec_t)
|
|
+########################################
|
|
+#
|
|
+# Common wine domain policy
|
|
+#
|
|
|
|
-userdom_user_home_dir_filetrans(wine_t, wine_home_t, dir, ".wine")
|
|
+allow wine_domain self:process { execstack execmem execheap };
|
|
+allow wine_domain self:fifo_file manage_fifo_file_perms;
|
|
|
|
-manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
|
|
-manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
|
|
-files_tmp_filetrans(wine_t, wine_tmp_t, { file dir })
|
|
+can_exec(wine_domain, wine_exec_t)
|
|
|
|
-domain_mmap_low(wine_t)
|
|
+manage_files_pattern(wine_domain, wine_home_t, wine_home_t)
|
|
+manage_dirs_pattern(wine_domain, wine_home_t, wine_home_t)
|
|
+userdom_user_home_dir_filetrans(wine_domain, wine_home_t, dir, ".wine")
|
|
+userdom_tmpfs_filetrans(wine_domain, file)
|
|
|
|
-files_execmod_all_files(wine_t)
|
|
+files_execmod_all_files(wine_domain)
|
|
|
|
-userdom_use_user_terminals(wine_t)
|
|
+userdom_use_inherited_user_terminals(wine_domain)
|
|
|
|
tunable_policy(`wine_mmap_zero_ignore',`
|
|
- dontaudit wine_t self:memprotect mmap_zero;
|
|
+ dontaudit wine_domain self:memprotect mmap_zero;
|
|
')
|
|
|
|
optional_policy(`
|
|
- dbus_system_bus_client(wine_t)
|
|
+ dbus_system_bus_client(wine_domain)
|
|
|
|
optional_policy(`
|
|
- hal_dbus_chat(wine_t)
|
|
+ hal_dbus_chat(wine_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
- policykit_dbus_chat(wine_t)
|
|
+ policykit_dbus_chat(wine_domain)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
- rtkit_scheduled(wine_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- unconfined_domain(wine_t)
|
|
+ rtkit_scheduled(wine_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
- xserver_read_xdm_pid(wine_t)
|
|
- xserver_rw_shm(wine_t)
|
|
+ xserver_read_xdm_pid(wine_domain)
|
|
+ xserver_rw_shm(wine_domain)
|
|
')
|
|
diff --git a/wireshark.te b/wireshark.te
|
|
index ff6ef38..436d3bf 100644
|
|
--- a/wireshark.te
|
|
+++ b/wireshark.te
|
|
@@ -34,7 +34,7 @@ userdom_user_tmpfs_file(wireshark_tmpfs_t)
|
|
# Local Policy
|
|
#
|
|
|
|
-allow wireshark_t self:capability { net_admin net_raw setgid };
|
|
+allow wireshark_t self:capability { net_admin net_raw };
|
|
allow wireshark_t self:process { signal getsched };
|
|
allow wireshark_t self:fifo_file rw_fifo_file_perms;
|
|
allow wireshark_t self:shm create_shm_perms;
|
|
@@ -82,7 +82,6 @@ dev_read_rand(wireshark_t)
|
|
dev_read_sysfs(wireshark_t)
|
|
dev_read_urand(wireshark_t)
|
|
|
|
-files_read_usr_files(wireshark_t)
|
|
|
|
fs_getattr_all_fs(wireshark_t)
|
|
fs_list_inotifyfs(wireshark_t)
|
|
@@ -90,31 +89,15 @@ fs_search_auto_mountpoints(wireshark_t)
|
|
|
|
auth_use_nsswitch(wireshark_t)
|
|
|
|
-libs_read_lib_files(wireshark_t)
|
|
-
|
|
miscfiles_read_fonts(wireshark_t)
|
|
-miscfiles_read_localization(wireshark_t)
|
|
|
|
userdom_use_user_terminals(wireshark_t)
|
|
|
|
userdom_manage_user_home_content_files(wireshark_t)
|
|
-userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file)
|
|
-
|
|
-tunable_policy(`use_nfs_home_dirs',`
|
|
- fs_manage_nfs_dirs(wireshark_t)
|
|
- fs_manage_nfs_files(wireshark_t)
|
|
- fs_manage_nfs_symlinks(wireshark_t)
|
|
-')
|
|
|
|
-tunable_policy(`use_samba_home_dirs',`
|
|
- fs_manage_cifs_dirs(wireshark_t)
|
|
- fs_manage_cifs_files(wireshark_t)
|
|
- fs_manage_cifs_symlinks(wireshark_t)
|
|
-')
|
|
+userdom_filetrans_home_content(wireshark_t)
|
|
|
|
-optional_policy(`
|
|
- seutil_use_newrole_fds(wireshark_t)
|
|
-')
|
|
+userdom_home_manager(wireshark_t)
|
|
|
|
optional_policy(`
|
|
userhelper_use_fd(wireshark_t)
|
|
diff --git a/wm.fc b/wm.fc
|
|
index 304ae09..c1d10a1 100644
|
|
--- a/wm.fc
|
|
+++ b/wm.fc
|
|
@@ -1,4 +1,4 @@
|
|
/usr/bin/gnome-shell -- gen_context(system_u:object_r:wm_exec_t,s0)
|
|
/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0)
|
|
/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)
|
|
-/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
|
|
+/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
|
|
diff --git a/wm.if b/wm.if
|
|
index 95f888d..36b2f81 100644
|
|
--- a/wm.if
|
|
+++ b/wm.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>X Window Managers.</summary>
|
|
+## <summary>X Window Managers</summary>
|
|
|
|
#######################################
|
|
## <summary>
|
|
@@ -29,69 +29,59 @@
|
|
#
|
|
template(`wm_role_template',`
|
|
gen_require(`
|
|
- attribute wm_domain;
|
|
type wm_exec_t;
|
|
+ class dbus send_msg;
|
|
+ attribute wm_domain;
|
|
')
|
|
|
|
- ########################################
|
|
- #
|
|
- # Declarations
|
|
- #
|
|
-
|
|
type $1_wm_t, wm_domain;
|
|
- userdom_user_application_domain($1_wm_t, wm_exec_t)
|
|
+ domain_type($1_wm_t)
|
|
+ domain_entry_file($1_wm_t, wm_exec_t)
|
|
role $2 types $1_wm_t;
|
|
|
|
- ########################################
|
|
- #
|
|
- # Policy
|
|
- #
|
|
-
|
|
allow $1_wm_t $3:unix_stream_socket connectto;
|
|
allow $3 $1_wm_t:unix_stream_socket connectto;
|
|
+ allow $3 $1_wm_t:process { signal sigchld signull };
|
|
+ allow $1_wm_t $3:process { signull sigkill };
|
|
|
|
- allow $3 $1_wm_t:process { ptrace signal_perms };
|
|
- ps_process_pattern($3, $1_wm_t)
|
|
+ allow $1_wm_t $3:dbus send_msg;
|
|
+ allow $3 $1_wm_t:dbus send_msg;
|
|
|
|
- allow $1_wm_t $3:process { signull sigkill };
|
|
+ userdom_manage_home_role($2, $1_wm_t)
|
|
+ userdom_manage_tmpfs_role($2, $1_wm_t)
|
|
+ userdom_manage_tmp_role($2, $1_wm_t)
|
|
+ userdom_exec_user_tmp_files($1_wm_t)
|
|
|
|
domtrans_pattern($3, wm_exec_t, $1_wm_t)
|
|
|
|
corecmd_bin_domtrans($1_wm_t, $3)
|
|
corecmd_shell_domtrans($1_wm_t, $3)
|
|
|
|
+ auth_use_nsswitch($1_wm_t)
|
|
+
|
|
+ kernel_read_system_state($1_wm_t)
|
|
+
|
|
+ auth_use_nsswitch($1_wm_t)
|
|
+
|
|
mls_file_read_all_levels($1_wm_t)
|
|
mls_file_write_all_levels($1_wm_t)
|
|
mls_xwin_read_all_levels($1_wm_t)
|
|
mls_xwin_write_all_levels($1_wm_t)
|
|
mls_fd_use_all_levels($1_wm_t)
|
|
|
|
- auth_use_nsswitch($1_wm_t)
|
|
-
|
|
- xserver_role($2, $1_wm_t)
|
|
- xserver_manage_core_devices($1_wm_t)
|
|
-
|
|
- optional_policy(`
|
|
- dbus_spec_session_bus_client($1, $1_wm_t)
|
|
- dbus_system_bus_client($1_wm_t)
|
|
-
|
|
- optional_policy(`
|
|
- wm_dbus_chat($1, $3)
|
|
- ')
|
|
- ')
|
|
-
|
|
optional_policy(`
|
|
- gnome_stream_connect_gkeyringd($1, $1_wm_t)
|
|
+ pulseaudio_run($1_wm_t, $2)
|
|
')
|
|
|
|
optional_policy(`
|
|
- pulseaudio_run($1_wm_t, $2)
|
|
+ xserver_role($2, $1_wm_t)
|
|
+ xserver_manage_core_devices($1_wm_t)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute wm in the caller domain.
|
|
+## Execute the wm program in the wm domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -104,33 +94,5 @@ interface(`wm_exec',`
|
|
type wm_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, wm_exec_t)
|
|
')
|
|
-
|
|
-########################################
|
|
-## <summary>
|
|
-## Send and receive messages from
|
|
-## specified wm over dbus.
|
|
-## </summary>
|
|
-## <param name="role_prefix">
|
|
-## <summary>
|
|
-## The prefix of the user domain (e.g., user
|
|
-## is the prefix for user_t).
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`wm_dbus_chat',`
|
|
- gen_require(`
|
|
- type $1_wm_t;
|
|
- class dbus send_msg;
|
|
- ')
|
|
-
|
|
- allow $2 $1_wm_t:dbus send_msg;
|
|
- allow $1_wm_t $2:dbus send_msg;
|
|
-')
|
|
diff --git a/wm.te b/wm.te
|
|
index 638d10f..5fb9960 100644
|
|
--- a/wm.te
|
|
+++ b/wm.te
|
|
@@ -1,12 +1,12 @@
|
|
policy_module(wm, 1.3.3)
|
|
|
|
+attribute wm_domain;
|
|
+
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
-attribute wm_domain;
|
|
-
|
|
type wm_exec_t;
|
|
corecmd_executable_file(wm_exec_t)
|
|
|
|
@@ -18,11 +18,11 @@ corecmd_executable_file(wm_exec_t)
|
|
allow wm_domain self:fifo_file rw_fifo_file_perms;
|
|
allow wm_domain self:process { setcap setrlimit execmem signal_perms getsched setsched };
|
|
allow wm_domain self:netlink_kobject_uevent_socket create_socket_perms;
|
|
+
|
|
allow wm_domain self:shm create_shm_perms;
|
|
allow wm_domain self:unix_dgram_socket create_socket_perms;
|
|
|
|
-kernel_read_system_state(wm_domain)
|
|
-
|
|
+corecmd_dontaudit_access_all_executables(wm_domain)
|
|
corecmd_getattr_all_executables(wm_domain)
|
|
|
|
dev_read_sound(wm_domain)
|
|
@@ -31,12 +31,18 @@ dev_read_urand(wm_domain)
|
|
dev_rw_wireless(wm_domain)
|
|
dev_write_sound(wm_domain)
|
|
|
|
-files_read_usr_files(wm_domain)
|
|
-
|
|
fs_getattr_all_fs(wm_domain)
|
|
|
|
+application_signull(wm_domain)
|
|
+
|
|
+init_read_state(wm_domain)
|
|
+
|
|
miscfiles_read_fonts(wm_domain)
|
|
-miscfiles_read_localization(wm_domain)
|
|
+
|
|
+systemd_dbus_chat_logind(wm_domain)
|
|
+systemd_read_logind_sessions_files(wm_domain)
|
|
+systemd_write_inhibit_pipes(wm_domain)
|
|
+systemd_login_read_pid_files(wm_domain)
|
|
|
|
userdom_manage_user_tmp_sockets(wm_domain)
|
|
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
|
|
@@ -45,24 +51,38 @@ userdom_manage_user_home_content_dirs(wm_domain)
|
|
userdom_manage_user_home_content_files(wm_domain)
|
|
userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
|
|
|
|
-optional_policy(`
|
|
- accountsd_dbus_chat(wm_domain)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- bluetooth_dbus_chat(wm_domain)
|
|
-')
|
|
+udev_read_pid_files(wm_domain)
|
|
|
|
optional_policy(`
|
|
- devicekit_dbus_chat_power(wm_domain)
|
|
+ gnome_stream_connect_gkeyringd(wm_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
- networkmanager_dbus_chat(wm_domain)
|
|
-')
|
|
+ dbus_system_bus_client(wm_domain)
|
|
+ dbus_session_bus_client(wm_domain)
|
|
+ optional_policy(`
|
|
+ accountsd_dbus_chat(wm_domain)
|
|
+ ')
|
|
+
|
|
+ optional_policy(`
|
|
+ bluetooth_dbus_chat(wm_domain)
|
|
+ ')
|
|
|
|
-optional_policy(`
|
|
- policykit_dbus_chat(wm_domain)
|
|
+ optional_policy(`
|
|
+ devicekit_dbus_chat_power(wm_domain)
|
|
+ ')
|
|
+
|
|
+ optional_policy(`
|
|
+ networkmanager_dbus_chat(wm_domain)
|
|
+ ')
|
|
+
|
|
+ optional_policy(`
|
|
+ policykit_dbus_chat(wm_domain)
|
|
+ ')
|
|
+
|
|
+ optional_policy(`
|
|
+ systemd_dbus_chat_logind(wm_domain)
|
|
+ ')
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -72,3 +92,7 @@ optional_policy(`
|
|
optional_policy(`
|
|
userhelper_exec_consolehelper(wm_domain)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ xserver_manage_core_devices(wm_domain)
|
|
+')
|
|
diff --git a/xen.fc b/xen.fc
|
|
index 42d83b0..651d1cb 100644
|
|
--- a/xen.fc
|
|
+++ b/xen.fc
|
|
@@ -1,38 +1,42 @@
|
|
/dev/xen/tapctrl.* -p gen_context(system_u:object_r:xenctl_t,s0)
|
|
|
|
-/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
|
|
-/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
|
|
-/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
|
|
-/usr/lib/xen-[^/]*/bin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
|
|
-/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
|
|
-
|
|
/usr/sbin/blktapctrl -- gen_context(system_u:object_r:blktap_exec_t,s0)
|
|
/usr/sbin/evtchnd -- gen_context(system_u:object_r:evtchnd_exec_t,s0)
|
|
/usr/sbin/tapdisk -- gen_context(system_u:object_r:blktap_exec_t,s0)
|
|
+
|
|
+#/usr/lib/xen/bin/qemu-dm -- gen_context(system_u:object_r:qemu_dm_exec_t,s0)
|
|
+
|
|
+ifdef(`distro_debian',`
|
|
+/usr/lib/xen-[^/]*/bin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
|
|
+/usr/lib/xen-[^/]*/bin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
|
|
+/usr/lib/xen-[^/]*/bin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
|
|
+/usr/lib/xen-[^/]*/bin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
|
|
+',`
|
|
/usr/sbin/xenconsoled -- gen_context(system_u:object_r:xenconsoled_exec_t,s0)
|
|
-/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
|
|
+/usr/sbin/xend -- gen_context(system_u:object_r:xend_exec_t,s0)
|
|
/usr/sbin/xenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
|
|
-/usr/sbin/xl -- gen_context(system_u:object_r:xm_exec_t,s0)
|
|
-/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
|
|
+/usr/sbin/oxenstored -- gen_context(system_u:object_r:xenstored_exec_t,s0)
|
|
+')
|
|
|
|
-/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
|
|
+/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
|
|
/var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
|
|
-/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
|
|
+/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
|
|
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
|
|
|
|
/var/log/evtchnd\.log.* -- gen_context(system_u:object_r:evtchnd_var_log_t,s0)
|
|
-/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
|
|
+/var/log/xen(/.*)? gen_context(system_u:object_r:xend_var_log_t,s0)
|
|
/var/log/xen-hotplug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
|
|
/var/log/xend\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
|
|
/var/log/xend-debug\.log.* -- gen_context(system_u:object_r:xend_var_log_t,s0)
|
|
+/var/log/xenstored.* gen_context(system_u:object_r:xenstored_var_log_t,s0)
|
|
|
|
/var/run/evtchnd -s gen_context(system_u:object_r:evtchnd_var_run_t,s0)
|
|
/var/run/evtchnd\.pid -- gen_context(system_u:object_r:evtchnd_var_run_t,s0)
|
|
-/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
|
|
-/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
|
|
+/var/run/xenconsoled\.pid -- gen_context(system_u:object_r:xenconsoled_var_run_t,s0)
|
|
+/var/run/xend(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
|
|
/var/run/xend\.pid -- gen_context(system_u:object_r:xend_var_run_t,s0)
|
|
-/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
|
|
+/var/run/xenner(/.*)? gen_context(system_u:object_r:xend_var_run_t,s0)
|
|
/var/run/xenstore\.pid -- gen_context(system_u:object_r:xenstored_var_run_t,s0)
|
|
/var/run/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_run_t,s0)
|
|
|
|
-/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
|
|
+/xen(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
|
|
diff --git a/xen.if b/xen.if
|
|
index f93558c..16e29c1 100644
|
|
--- a/xen.if
|
|
+++ b/xen.if
|
|
@@ -1,13 +1,13 @@
|
|
-## <summary>Xen hypervisor.</summary>
|
|
+## <summary>Xen hypervisor</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute a domain transition to run xend.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed to transition.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`xen_domtrans',`
|
|
@@ -15,18 +15,18 @@ interface(`xen_domtrans',`
|
|
type xend_t, xend_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, xend_exec_t, xend_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute xend in the caller domain.
|
|
+## Allow the specified domain to execute xend
|
|
+## in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed access.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`xen_exec',`
|
|
@@ -34,7 +34,6 @@ interface(`xen_exec',`
|
|
type xend_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
can_exec($1, xend_exec_t)
|
|
')
|
|
|
|
@@ -75,24 +74,43 @@ interface(`xen_dontaudit_use_fds',`
|
|
dontaudit $1 xend_t:fd use;
|
|
')
|
|
|
|
+#######################################
|
|
+## <summary>
|
|
+## Read xend pid files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`xen_read_pid_files_xenstored',`
|
|
+ gen_require(`
|
|
+ type xenstored_var_run_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+
|
|
+ read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)
|
|
+')
|
|
+
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
-## xend image directories.
|
|
+## Read xend lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed access.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
-interface(`xen_manage_image_dirs',`
|
|
+interface(`xen_read_lib_files',`
|
|
gen_require(`
|
|
type xend_var_lib_t;
|
|
')
|
|
|
|
- files_search_var_lib($1)
|
|
- manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
|
|
+ files_list_var_lib($1)
|
|
+ read_files_pattern($1, xend_var_lib_t, xend_var_lib_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -100,9 +118,9 @@ interface(`xen_manage_image_dirs',`
|
|
## Read xend image files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed access.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`xen_read_image_files',`
|
|
@@ -111,18 +129,40 @@ interface(`xen_read_image_files',`
|
|
')
|
|
|
|
files_list_var_lib($1)
|
|
+
|
|
list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
|
|
read_files_pattern($1, { xend_var_lib_t xen_image_t }, xen_image_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read and write xend image files.
|
|
+## Allow the specified domain to read/write
|
|
+## xend image files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed access.
|
|
-## </summary>
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`xen_manage_image_dirs',`
|
|
+ gen_require(`
|
|
+ type xend_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_list_var_lib($1)
|
|
+ manage_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow the specified domain to read/write
|
|
+## xend image files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`xen_rw_image_files',`
|
|
@@ -137,7 +177,8 @@ interface(`xen_rw_image_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Append xend log files.
|
|
+## Allow the specified domain to append
|
|
+## xend log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -157,13 +198,13 @@ interface(`xen_append_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Create, read, write, and delete
|
|
+## Create, read, write, and delete the
|
|
## xend log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
+## <summary>
|
|
## Domain allowed access.
|
|
-## </summary>
|
|
+## </summary>
|
|
## </param>
|
|
#
|
|
interface(`xen_manage_log',`
|
|
@@ -176,29 +217,11 @@ interface(`xen_manage_log',`
|
|
manage_files_pattern($1, xend_var_log_t, xend_var_log_t)
|
|
')
|
|
|
|
-#######################################
|
|
-## <summary>
|
|
-## Read xenstored pid files.
|
|
-## </summary>
|
|
-## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-#
|
|
-interface(`xen_read_xenstored_pid_files',`
|
|
- gen_require(`
|
|
- type xenstored_var_run_t;
|
|
- ')
|
|
-
|
|
- files_search_pids($1)
|
|
- read_files_pattern($1, xenstored_var_run_t, xenstored_var_run_t)
|
|
-')
|
|
-
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to read and write
|
|
-## Xen unix domain stream sockets.
|
|
+## Xen unix domain stream sockets. These
|
|
+## are leaked file descriptors.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -216,8 +239,7 @@ interface(`xen_dontaudit_rw_unix_stream_sockets',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to xenstored with a unix
|
|
-## domain stream socket.
|
|
+## Connect to xenstored over a unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -236,8 +258,7 @@ interface(`xen_stream_connect_xenstore',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to xend with a unix
|
|
-## domain stream socket.
|
|
+## Connect to xend over a unix domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -270,16 +291,15 @@ interface(`xen_stream_connect',`
|
|
interface(`xen_domtrans_xm',`
|
|
gen_require(`
|
|
type xm_t, xm_exec_t;
|
|
+ attribute virsh_transition_domain;
|
|
')
|
|
-
|
|
- corecmd_search_bin($1)
|
|
+ typeattribute $1 virsh_transition_domain;
|
|
domtrans_pattern($1, xm_exec_t, xm_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to xm with a unix
|
|
-## domain stream socket.
|
|
+## Connect to xm over a unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -289,7 +309,7 @@ interface(`xen_domtrans_xm',`
|
|
#
|
|
interface(`xen_stream_connect_xm',`
|
|
gen_require(`
|
|
- type xm_t;
|
|
+ type xm_t, xenstored_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
diff --git a/xen.te b/xen.te
|
|
index 6f736a9..0fa964c 100644
|
|
--- a/xen.te
|
|
+++ b/xen.te
|
|
@@ -4,39 +4,31 @@ policy_module(xen, 1.13.0)
|
|
#
|
|
# Declarations
|
|
#
|
|
+attribute xm_transition_domain;
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether xend can
|
|
-## run blktapctrl and tapdisk.
|
|
+## <p>
|
|
+## Allow xend to run blktapctrl/tapdisk.
|
|
+## Not required if using dedicated logical volumes for disk images.
|
|
## </p>
|
|
## </desc>
|
|
-gen_tunable(xend_run_blktap, false)
|
|
+gen_tunable(xend_run_blktap, true)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether xen can
|
|
-## use fusefs file systems.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow xend to run qemu-dm.
|
|
+## Not required if using paravirt and no vfb.
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(xen_use_fusefs, false)
|
|
+gen_tunable(xend_run_qemu, true)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether xen can
|
|
-## use nfs file systems.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow xen to manage nfs files
|
|
+## </p>
|
|
## </desc>
|
|
gen_tunable(xen_use_nfs, false)
|
|
|
|
-## <desc>
|
|
-## <p>
|
|
-## Determine whether xen can
|
|
-## use samba file systems.
|
|
-## </p>
|
|
-## </desc>
|
|
-gen_tunable(xen_use_samba, false)
|
|
-
|
|
type blktap_t;
|
|
type blktap_exec_t;
|
|
domain_type(blktap_t)
|
|
@@ -50,41 +42,55 @@ type evtchnd_t;
|
|
type evtchnd_exec_t;
|
|
init_daemon_domain(evtchnd_t, evtchnd_exec_t)
|
|
|
|
+# log files
|
|
type evtchnd_var_log_t;
|
|
logging_log_file(evtchnd_var_log_t)
|
|
|
|
+# pid files
|
|
type evtchnd_var_run_t;
|
|
files_pid_file(evtchnd_var_run_t)
|
|
|
|
+type qemu_dm_t;
|
|
+type qemu_dm_exec_t;
|
|
+domain_type(qemu_dm_t)
|
|
+domain_entry_file(qemu_dm_t, qemu_dm_exec_t)
|
|
+role system_r types qemu_dm_t;
|
|
+
|
|
+# console ptys
|
|
type xen_devpts_t;
|
|
term_pty(xen_devpts_t)
|
|
files_type(xen_devpts_t)
|
|
|
|
+# Xen Image files
|
|
type xen_image_t; # customizable
|
|
files_type(xen_image_t)
|
|
+# xen_image_t can be assigned to blk devices
|
|
dev_node(xen_image_t)
|
|
-
|
|
-optional_policy(`
|
|
- virt_image(xen_image_t)
|
|
-')
|
|
+virt_image(xen_image_t)
|
|
|
|
type xenctl_t;
|
|
files_type(xenctl_t)
|
|
|
|
type xend_t;
|
|
type xend_exec_t;
|
|
+domain_type(xend_t)
|
|
init_daemon_domain(xend_t, xend_exec_t)
|
|
|
|
+# tmp files
|
|
type xend_tmp_t;
|
|
files_tmp_file(xend_tmp_t)
|
|
|
|
+# var/lib files
|
|
type xend_var_lib_t;
|
|
files_type(xend_var_lib_t)
|
|
+# for mounting an NFS store
|
|
files_mountpoint(xend_var_lib_t)
|
|
|
|
+# log files
|
|
type xend_var_log_t;
|
|
logging_log_file(xend_var_log_t)
|
|
|
|
+# pid files
|
|
type xend_var_run_t;
|
|
files_pid_file(xend_var_run_t)
|
|
files_mountpoint(xend_var_run_t)
|
|
@@ -96,51 +102,50 @@ init_daemon_domain(xenstored_t, xenstored_exec_t)
|
|
type xenstored_tmp_t;
|
|
files_tmp_file(xenstored_tmp_t)
|
|
|
|
+# var/lib files
|
|
type xenstored_var_lib_t;
|
|
files_type(xenstored_var_lib_t)
|
|
files_mountpoint(xenstored_var_lib_t)
|
|
|
|
+# log files
|
|
type xenstored_var_log_t;
|
|
logging_log_file(xenstored_var_log_t)
|
|
|
|
+# pid files
|
|
type xenstored_var_run_t;
|
|
files_pid_file(xenstored_var_run_t)
|
|
-init_daemon_run_dir(xenstored_var_run_t, "xenstored")
|
|
|
|
type xenconsoled_t;
|
|
type xenconsoled_exec_t;
|
|
init_daemon_domain(xenconsoled_t, xenconsoled_exec_t)
|
|
|
|
+# pid files
|
|
type xenconsoled_var_run_t;
|
|
files_pid_file(xenconsoled_var_run_t)
|
|
|
|
-type xm_t;
|
|
-type xm_exec_t;
|
|
-init_system_domain(xm_t, xm_exec_t)
|
|
-
|
|
########################################
|
|
#
|
|
# blktap local policy
|
|
#
|
|
-
|
|
+# Do we need to allow execution of blktap?
|
|
tunable_policy(`xend_run_blktap',`
|
|
+ # If yes, transition to its own domain.
|
|
domtrans_pattern(xend_t, blktap_exec_t, blktap_t)
|
|
|
|
- allow blktap_t self:fifo_file { read write };
|
|
+',`
|
|
+ # If no, then silently refuse to run it.
|
|
+ dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
|
|
+')
|
|
|
|
- dev_read_sysfs(blktap_t)
|
|
- dev_rw_xen(blktap_t)
|
|
+allow blktap_t self:fifo_file { read write };
|
|
|
|
- files_read_etc_files(blktap_t)
|
|
+dev_read_sysfs(blktap_t)
|
|
+dev_rw_xen(blktap_t)
|
|
|
|
- logging_send_syslog_msg(blktap_t)
|
|
|
|
- miscfiles_read_localization(blktap_t)
|
|
+logging_send_syslog_msg(blktap_t)
|
|
|
|
- xen_stream_connect_xenstore(blktap_t)
|
|
-',`
|
|
- dontaudit xend_t blktap_exec_t:file { execute execute_no_trans };
|
|
-')
|
|
+xen_stream_connect_xenstore(blktap_t)
|
|
|
|
#######################################
|
|
#
|
|
@@ -148,9 +153,7 @@ tunable_policy(`xend_run_blktap',`
|
|
#
|
|
|
|
manage_dirs_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
|
|
-append_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
|
|
-create_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
|
|
-setattr_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
|
|
+manage_files_pattern(evtchnd_t, evtchnd_var_log_t, evtchnd_var_log_t)
|
|
logging_log_filetrans(evtchnd_t, evtchnd_var_log_t, { file dir })
|
|
|
|
manage_dirs_pattern(evtchnd_t, evtchnd_var_run_t, evtchnd_var_run_t)
|
|
@@ -160,28 +163,68 @@ files_pid_filetrans(evtchnd_t, evtchnd_var_run_t, { file sock_file dir })
|
|
|
|
########################################
|
|
#
|
|
+# qemu-dm local policy
|
|
+#
|
|
+
|
|
+# TODO: This part of policy should be removed
|
|
+# qemu-dm should run in xend_t domain
|
|
+
|
|
+# Do we need to allow execution of qemu-dm?
|
|
+tunable_policy(`xend_run_qemu',`
|
|
+ allow qemu_dm_t self:capability sys_resource;
|
|
+ allow qemu_dm_t self:process setrlimit;
|
|
+ allow qemu_dm_t self:fifo_file { read write };
|
|
+ allow qemu_dm_t self:tcp_socket create_stream_socket_perms;
|
|
+
|
|
+ # If yes, transition to its own domain.
|
|
+ domtrans_pattern(xend_t, qemu_dm_exec_t, qemu_dm_t)
|
|
+
|
|
+ append_files_pattern(qemu_dm_t, xend_var_log_t, xend_var_log_t)
|
|
+
|
|
+ rw_fifo_files_pattern(qemu_dm_t, xend_var_run_t, xend_var_run_t)
|
|
+
|
|
+ corenet_tcp_bind_generic_node(qemu_dm_t)
|
|
+ corenet_tcp_bind_vnc_port(qemu_dm_t)
|
|
+
|
|
+ dev_rw_xen(qemu_dm_t)
|
|
+
|
|
+
|
|
+ fs_manage_xenfs_dirs(qemu_dm_t)
|
|
+ fs_manage_xenfs_files(qemu_dm_t)
|
|
+
|
|
+
|
|
+ xen_stream_connect_xenstore(qemu_dm_t)
|
|
+',`
|
|
+ # If no, then silently refuse to run it.
|
|
+ dontaudit xend_t qemu_dm_exec_t:file { execute execute_no_trans };
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
# xend local policy
|
|
#
|
|
|
|
-allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_resource sys_rawio };
|
|
-dontaudit xend_t self:capability { sys_ptrace };
|
|
-allow xend_t self:process { setrlimit signal sigkill };
|
|
-dontaudit xend_t self:process ptrace;
|
|
+allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_admin sys_nice sys_tty_config net_raw sys_rawio };
|
|
+allow xend_t self:process { signal sigkill };
|
|
+
|
|
+# needed by qemu_dm
|
|
+allow xend_t self:capability sys_resource;
|
|
+allow xend_t self:process setrlimit;
|
|
+
|
|
+# internal communication is often done using fifo and unix sockets.
|
|
allow xend_t self:fifo_file rw_fifo_file_perms;
|
|
-allow xend_t self:unix_stream_socket { accept listen };
|
|
-allow xend_t self:tcp_socket { accept listen };
|
|
+allow xend_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow xend_t self:unix_dgram_socket create_socket_perms;
|
|
+allow xend_t self:netlink_route_socket r_netlink_socket_perms;
|
|
+allow xend_t self:tcp_socket create_stream_socket_perms;
|
|
allow xend_t self:packet_socket create_socket_perms;
|
|
allow xend_t self:tun_socket create_socket_perms;
|
|
|
|
allow xend_t xen_image_t:dir list_dir_perms;
|
|
manage_dirs_pattern(xend_t, xen_image_t, xen_image_t)
|
|
-manage_fifo_files_pattern(xend_t, xen_image_t, xen_image_t)
|
|
manage_files_pattern(xend_t, xen_image_t, xen_image_t)
|
|
read_lnk_files_pattern(xend_t, xen_image_t, xen_image_t)
|
|
-read_sock_files_pattern(xend_t, xen_image_t, xen_image_t)
|
|
-rw_chr_files_pattern(xend_t, xen_image_t, xen_image_t)
|
|
rw_blk_files_pattern(xend_t, xen_image_t, xen_image_t)
|
|
-fs_hugetlbfs_filetrans(xend_t, xen_image_t, file)
|
|
|
|
allow xend_t xenctl_t:fifo_file manage_fifo_file_perms;
|
|
dev_filetrans(xend_t, xenctl_t, fifo_file)
|
|
@@ -190,33 +233,37 @@ manage_files_pattern(xend_t, xend_tmp_t, xend_tmp_t)
|
|
manage_dirs_pattern(xend_t, xend_tmp_t, xend_tmp_t)
|
|
files_tmp_filetrans(xend_t, xend_tmp_t, { file dir })
|
|
|
|
+# pid file
|
|
manage_dirs_pattern(xend_t, xend_var_run_t, xend_var_run_t)
|
|
manage_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
|
|
manage_sock_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
|
|
manage_fifo_files_pattern(xend_t, xend_var_run_t, xend_var_run_t)
|
|
files_pid_filetrans(xend_t, xend_var_run_t, { file sock_file fifo_file dir })
|
|
|
|
+# log files
|
|
manage_dirs_pattern(xend_t, xend_var_log_t, xend_var_log_t)
|
|
-append_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
|
|
-create_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
|
|
-setattr_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
|
|
+manage_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
|
|
manage_sock_files_pattern(xend_t, xend_var_log_t, xend_var_log_t)
|
|
logging_log_filetrans(xend_t, xend_var_log_t, { sock_file file dir })
|
|
|
|
+# var/lib files for xend
|
|
manage_dirs_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
|
|
manage_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
|
|
manage_sock_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
|
|
manage_fifo_files_pattern(xend_t, xend_var_lib_t, xend_var_lib_t)
|
|
files_var_lib_filetrans(xend_t, xend_var_lib_t, { file dir })
|
|
|
|
+# transition to store
|
|
+domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
|
|
+
|
|
+# manage xenstored pid file
|
|
manage_files_pattern(xend_t, xenstored_var_run_t, xenstored_var_run_t)
|
|
|
|
-allow xend_t xenstored_var_lib_t:dir list_dir_perms;
|
|
+# mount tmpfs on /var/lib/xenstored
|
|
+allow xend_t xenstored_var_lib_t:dir read;
|
|
|
|
+# transition to console
|
|
domtrans_pattern(xend_t, xenconsoled_exec_t, xenconsoled_t)
|
|
-domtrans_pattern(xend_t, xenstored_exec_t, xenstored_t)
|
|
-
|
|
-xen_stream_connect_xenstore(xend_t)
|
|
|
|
kernel_read_kernel_sysctls(xend_t)
|
|
kernel_read_system_state(xend_t)
|
|
@@ -224,61 +271,44 @@ kernel_write_xen_state(xend_t)
|
|
kernel_read_xen_state(xend_t)
|
|
kernel_rw_net_sysctls(xend_t)
|
|
kernel_read_network_state(xend_t)
|
|
+kernel_request_load_module(xend_t)
|
|
|
|
corecmd_exec_bin(xend_t)
|
|
corecmd_exec_shell(xend_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(xend_t)
|
|
corenet_all_recvfrom_netlabel(xend_t)
|
|
corenet_tcp_sendrecv_generic_if(xend_t)
|
|
corenet_tcp_sendrecv_generic_node(xend_t)
|
|
corenet_tcp_sendrecv_all_ports(xend_t)
|
|
corenet_tcp_bind_generic_node(xend_t)
|
|
-
|
|
-corenet_sendrecv_xen_server_packets(xend_t)
|
|
corenet_tcp_bind_xen_port(xend_t)
|
|
-
|
|
-corenet_sendrecv_soundd_server_packets(xend_t)
|
|
corenet_tcp_bind_soundd_port(xend_t)
|
|
-
|
|
-corenet_sendrecv_generic_server_packets(xend_t)
|
|
corenet_tcp_bind_generic_port(xend_t)
|
|
-
|
|
-corenet_sendrecv_vnc_server_packets(xend_t)
|
|
corenet_tcp_bind_vnc_port(xend_t)
|
|
-
|
|
-corenet_sendrecv_xserver_client_packets(xend_t)
|
|
corenet_tcp_connect_xserver_port(xend_t)
|
|
-
|
|
-corenet_sendrecv_xen_client_packets(xend_t)
|
|
corenet_tcp_connect_xen_port(xend_t)
|
|
-
|
|
+corenet_sendrecv_xserver_client_packets(xend_t)
|
|
+corenet_sendrecv_xen_server_packets(xend_t)
|
|
+corenet_sendrecv_xen_client_packets(xend_t)
|
|
+corenet_sendrecv_soundd_server_packets(xend_t)
|
|
corenet_rw_tun_tap_dev(xend_t)
|
|
|
|
-dev_getattr_all_chr_files(xend_t)
|
|
dev_read_urand(xend_t)
|
|
+# run lsscsi
|
|
+dev_getattr_all_chr_files(xend_t)
|
|
dev_filetrans_xen(xend_t)
|
|
dev_rw_sysfs(xend_t)
|
|
dev_rw_xen(xend_t)
|
|
|
|
domain_dontaudit_read_all_domains_state(xend_t)
|
|
-domain_dontaudit_ptrace_all_domains(xend_t)
|
|
|
|
-files_read_etc_files(xend_t)
|
|
files_read_kernel_symbol_table(xend_t)
|
|
files_read_kernel_img(xend_t)
|
|
files_manage_etc_runtime_files(xend_t)
|
|
files_etc_filetrans_etc_runtime(xend_t, file)
|
|
-files_read_usr_files(xend_t)
|
|
files_read_default_symlinks(xend_t)
|
|
-files_search_mnt(xend_t)
|
|
|
|
-fs_getattr_all_fs(xend_t)
|
|
-fs_list_auto_mountpoints(xend_t)
|
|
-fs_read_dos_files(xend_t)
|
|
fs_read_removable_blk_files(xend_t)
|
|
-fs_manage_xenfs_dirs(xend_t)
|
|
-fs_manage_xenfs_files(xend_t)
|
|
|
|
storage_read_scsi_generic(xend_t)
|
|
|
|
@@ -295,7 +325,8 @@ locallogin_dontaudit_use_fds(xend_t)
|
|
|
|
logging_send_syslog_msg(xend_t)
|
|
|
|
-miscfiles_read_localization(xend_t)
|
|
+auth_read_passwd(xend_t)
|
|
+
|
|
miscfiles_read_hwdata(xend_t)
|
|
|
|
sysnet_domtrans_dhcpc(xend_t)
|
|
@@ -308,23 +339,7 @@ sysnet_rw_dhcp_config(xend_t)
|
|
|
|
userdom_dontaudit_search_user_home_dirs(xend_t)
|
|
|
|
-tunable_policy(`xen_use_fusefs',`
|
|
- fs_manage_fusefs_dirs(xend_t)
|
|
- fs_manage_fusefs_files(xend_t)
|
|
- fs_read_fusefs_symlinks(xend_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`xen_use_nfs',`
|
|
- fs_manage_nfs_dirs(xend_t)
|
|
- fs_manage_nfs_files(xend_t)
|
|
- fs_read_nfs_symlinks(xend_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`xen_use_samba',`
|
|
- fs_manage_cifs_dirs(xend_t)
|
|
- fs_manage_cifs_files(xend_t)
|
|
- fs_read_cifs_symlinks(xend_t)
|
|
-')
|
|
+xen_stream_connect_xenstore(xend_t)
|
|
|
|
optional_policy(`
|
|
brctl_domtrans(xend_t)
|
|
@@ -342,7 +357,7 @@ optional_policy(`
|
|
mount_domtrans(xend_t)
|
|
')
|
|
|
|
-optional_policy(`
|
|
+optional_policy(`
|
|
netutils_domtrans(xend_t)
|
|
')
|
|
|
|
@@ -351,6 +366,7 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ virt_manage_default_image_type(xend_t)
|
|
virt_search_images(xend_t)
|
|
virt_read_config(xend_t)
|
|
')
|
|
@@ -365,13 +381,9 @@ allow xenconsoled_t self:process setrlimit;
|
|
allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
-allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr_chr_file_perms };
|
|
-
|
|
-manage_dirs_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
|
|
-append_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
|
|
-create_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
|
|
-setattr_files_pattern(xenconsoled_t, xend_var_log_t, xend_var_log_t)
|
|
+allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr };
|
|
|
|
+# pid file
|
|
manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
|
|
manage_sock_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
|
|
files_pid_filetrans(xenconsoled_t, xenconsoled_var_run_t, { file sock_file })
|
|
@@ -384,10 +396,6 @@ dev_rw_xen(xenconsoled_t)
|
|
dev_filetrans_xen(xenconsoled_t)
|
|
dev_rw_sysfs(xenconsoled_t)
|
|
|
|
-domain_dontaudit_ptrace_all_domains(xenconsoled_t)
|
|
-
|
|
-files_read_etc_files(xenconsoled_t)
|
|
-files_read_usr_files(xenconsoled_t)
|
|
|
|
fs_list_tmpfs(xenconsoled_t)
|
|
fs_manage_xenfs_dirs(xenconsoled_t)
|
|
@@ -395,15 +403,13 @@ fs_manage_xenfs_files(xenconsoled_t)
|
|
|
|
term_create_pty(xenconsoled_t, xen_devpts_t)
|
|
term_use_generic_ptys(xenconsoled_t)
|
|
-term_use_console(xenconsoled_t)
|
|
|
|
init_use_fds(xenconsoled_t)
|
|
init_use_script_ptys(xenconsoled_t)
|
|
|
|
-logging_search_logs(xenconsoled_t)
|
|
-
|
|
-miscfiles_read_localization(xenconsoled_t)
|
|
+auth_read_passwd(xenconsoled_t)
|
|
|
|
+xen_manage_log(xenconsoled_t)
|
|
xen_stream_connect_xenstore(xenconsoled_t)
|
|
|
|
optional_policy(`
|
|
@@ -416,24 +422,26 @@ optional_policy(`
|
|
#
|
|
|
|
allow xenstored_t self:capability { dac_override ipc_lock sys_resource };
|
|
-allow xenstored_t self:unix_stream_socket { accept listen };
|
|
+allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
|
|
+allow xenstored_t self:unix_dgram_socket create_socket_perms;
|
|
|
|
manage_files_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
|
|
manage_dirs_pattern(xenstored_t, xenstored_tmp_t, xenstored_tmp_t)
|
|
files_tmp_filetrans(xenstored_t, xenstored_tmp_t, { file dir })
|
|
|
|
+# pid file
|
|
manage_dirs_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
|
|
manage_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
|
|
manage_sock_files_pattern(xenstored_t, xenstored_var_run_t, xenstored_var_run_t)
|
|
files_pid_filetrans(xenstored_t, xenstored_var_run_t, { file sock_file dir })
|
|
|
|
+# log files
|
|
manage_dirs_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
|
|
-append_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
|
|
-create_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
|
|
-setattr_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
|
|
+manage_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
|
|
manage_sock_files_pattern(xenstored_t, xenstored_var_log_t, xenstored_var_log_t)
|
|
logging_log_filetrans(xenstored_t, xenstored_var_log_t, { sock_file file dir })
|
|
|
|
+# var/lib files for xenstored
|
|
manage_dirs_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
|
|
manage_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
|
|
manage_sock_files_pattern(xenstored_t, xenstored_var_lib_t, xenstored_var_lib_t)
|
|
@@ -448,157 +456,40 @@ dev_filetrans_xen(xenstored_t)
|
|
dev_rw_xen(xenstored_t)
|
|
dev_read_sysfs(xenstored_t)
|
|
|
|
-files_read_etc_files(xenstored_t)
|
|
-files_read_usr_files(xenstored_t)
|
|
+
|
|
|
|
fs_search_xenfs(xenstored_t)
|
|
fs_manage_xenfs_files(xenstored_t)
|
|
|
|
term_use_generic_ptys(xenstored_t)
|
|
+term_use_console(xenconsoled_t)
|
|
|
|
init_use_fds(xenstored_t)
|
|
init_use_script_ptys(xenstored_t)
|
|
|
|
logging_send_syslog_msg(xenstored_t)
|
|
|
|
-miscfiles_read_localization(xenstored_t)
|
|
-
|
|
xen_append_log(xenstored_t)
|
|
|
|
-########################################
|
|
-#
|
|
-# xm local policy
|
|
-#
|
|
-
|
|
-allow xm_t self:capability { setpcap dac_override ipc_lock sys_nice sys_tty_config };
|
|
-allow xm_t self:process { getcap getsched setsched setcap signal };
|
|
-allow xm_t self:fifo_file rw_fifo_file_perms;
|
|
-allow xm_t self:unix_stream_socket { accept connectto listen };
|
|
-allow xm_t self:tcp_socket { accept listen };
|
|
-
|
|
-manage_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
|
|
-manage_fifo_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
|
|
-manage_sock_files_pattern(xm_t, xend_var_lib_t, xend_var_lib_t)
|
|
-
|
|
-manage_files_pattern(xm_t, xen_image_t, xen_image_t)
|
|
-manage_blk_files_pattern(xm_t, xen_image_t, xen_image_t)
|
|
-manage_lnk_files_pattern(xm_t, xen_image_t, xen_image_t)
|
|
-
|
|
-read_files_pattern(xm_t, xenstored_var_run_t, xenstored_var_run_t)
|
|
-
|
|
-xen_manage_image_dirs(xm_t)
|
|
-xen_append_log(xm_t)
|
|
-xen_domtrans(xm_t)
|
|
-xen_stream_connect(xm_t)
|
|
-xen_stream_connect_xenstore(xm_t)
|
|
-
|
|
-can_exec(xm_t, xm_exec_t)
|
|
-
|
|
-kernel_read_system_state(xm_t)
|
|
-kernel_read_network_state(xm_t)
|
|
-kernel_read_kernel_sysctls(xm_t)
|
|
-kernel_read_sysctl(xm_t)
|
|
-kernel_read_xen_state(xm_t)
|
|
-kernel_write_xen_state(xm_t)
|
|
-
|
|
-corecmd_exec_bin(xm_t)
|
|
-corecmd_exec_shell(xm_t)
|
|
-
|
|
-corenet_all_recvfrom_unlabeled(xm_t)
|
|
-corenet_all_recvfrom_netlabel(xm_t)
|
|
-corenet_tcp_sendrecv_generic_if(xm_t)
|
|
-corenet_tcp_sendrecv_generic_node(xm_t)
|
|
-
|
|
-corenet_sendrecv_soundd_client_packets(xm_t)
|
|
-corenet_tcp_connect_soundd_port(xm_t)
|
|
-corenet_tcp_sendrecv_soundd_port(xm_t)
|
|
-
|
|
-dev_read_rand(xm_t)
|
|
-dev_read_urand(xm_t)
|
|
-dev_read_sysfs(xm_t)
|
|
-
|
|
-files_read_etc_runtime_files(xm_t)
|
|
-files_read_etc_files(xm_t)
|
|
-files_read_usr_files(xm_t)
|
|
-files_search_pids(xm_t)
|
|
-files_search_var_lib(xm_t)
|
|
-files_list_mnt(xm_t)
|
|
-files_list_tmp(xm_t)
|
|
-
|
|
-fs_getattr_all_fs(xm_t)
|
|
-fs_manage_xenfs_dirs(xm_t)
|
|
-fs_manage_xenfs_files(xm_t)
|
|
-fs_search_auto_mountpoints(xm_t)
|
|
-
|
|
-storage_raw_read_fixed_disk(xm_t)
|
|
-
|
|
-term_use_all_terms(xm_t)
|
|
-
|
|
-init_stream_connect_script(xm_t)
|
|
-init_rw_script_stream_sockets(xm_t)
|
|
-init_use_fds(xm_t)
|
|
-
|
|
-logging_send_syslog_msg(xm_t)
|
|
-
|
|
-miscfiles_read_localization(xm_t)
|
|
-
|
|
-sysnet_dns_name_resolve(xm_t)
|
|
-
|
|
-tunable_policy(`xen_use_fusefs',`
|
|
- fs_manage_fusefs_dirs(xm_t)
|
|
- fs_manage_fusefs_files(xm_t)
|
|
- fs_read_fusefs_symlinks(xm_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`xen_use_nfs',`
|
|
- fs_manage_nfs_dirs(xm_t)
|
|
- fs_manage_nfs_files(xm_t)
|
|
- fs_read_nfs_symlinks(xm_t)
|
|
-')
|
|
-
|
|
-tunable_policy(`xen_use_samba',`
|
|
- fs_manage_cifs_dirs(xm_t)
|
|
- fs_manage_cifs_files(xm_t)
|
|
- fs_read_cifs_symlinks(xm_t)
|
|
-')
|
|
-
|
|
optional_policy(`
|
|
- cron_system_entry(xm_t, xm_exec_t)
|
|
+ virt_read_config(xenstored_t)
|
|
')
|
|
|
|
+########################################
|
|
+#
|
|
+# SSH component local policy
|
|
+#
|
|
optional_policy(`
|
|
- dbus_system_bus_client(xm_t)
|
|
-
|
|
- optional_policy(`
|
|
- hal_dbus_chat(xm_t)
|
|
+ #Should have a boolean wrapping these
|
|
+ fs_list_auto_mountpoints(xend_t)
|
|
+ files_search_mnt(xend_t)
|
|
+ fs_getattr_all_fs(xend_t)
|
|
+ fs_read_dos_files(xend_t)
|
|
+ fs_manage_xenfs_dirs(xend_t)
|
|
+ fs_manage_xenfs_files(xend_t)
|
|
+
|
|
+ tunable_policy(`xen_use_nfs',`
|
|
+ fs_manage_nfs_files(xend_t)
|
|
+ fs_read_nfs_symlinks(xend_t)
|
|
')
|
|
')
|
|
-
|
|
-optional_policy(`
|
|
- rpm_exec(xm_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- vhostmd_rw_tmpfs_files(xm_t)
|
|
- vhostmd_stream_connect(xm_t)
|
|
- vhostmd_dontaudit_rw_stream_connect(xm_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- virt_domtrans(xm_t)
|
|
- virt_manage_images(xm_t)
|
|
- virt_manage_config(xm_t)
|
|
- virt_stream_connect(xm_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- ssh_basic_client_template(xm, xm_t, system_r)
|
|
-
|
|
- kernel_read_xen_state(xm_ssh_t)
|
|
- kernel_write_xen_state(xm_ssh_t)
|
|
-
|
|
- files_search_tmp(xm_ssh_t)
|
|
-
|
|
- fs_manage_xenfs_dirs(xm_ssh_t)
|
|
- fs_manage_xenfs_files(xm_ssh_t)
|
|
-')
|
|
diff --git a/xfs.te b/xfs.te
|
|
index 0928c5d..d270a72 100644
|
|
--- a/xfs.te
|
|
+++ b/xfs.te
|
|
@@ -41,7 +41,6 @@ can_exec(xfs_t, xfs_exec_t)
|
|
kernel_read_kernel_sysctls(xfs_t)
|
|
kernel_read_system_state(xfs_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(xfs_t)
|
|
corenet_all_recvfrom_netlabel(xfs_t)
|
|
corenet_tcp_sendrecv_generic_if(xfs_t)
|
|
corenet_tcp_sendrecv_generic_node(xfs_t)
|
|
@@ -63,7 +62,6 @@ fs_search_auto_mountpoints(xfs_t)
|
|
domain_use_interactive_fds(xfs_t)
|
|
|
|
files_read_etc_runtime_files(xfs_t)
|
|
-files_read_usr_files(xfs_t)
|
|
|
|
auth_use_nsswitch(xfs_t)
|
|
|
|
@@ -71,7 +69,6 @@ init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file, "fs7100")
|
|
|
|
logging_send_syslog_msg(xfs_t)
|
|
|
|
-miscfiles_read_localization(xfs_t)
|
|
miscfiles_read_fonts(xfs_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(xfs_t)
|
|
diff --git a/xguest.te b/xguest.te
|
|
index a64aad3..0f7c96d 100644
|
|
--- a/xguest.te
|
|
+++ b/xguest.te
|
|
@@ -6,46 +6,47 @@ policy_module(xguest, 1.2.0)
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether xguest can
|
|
-## mount removable media.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow xguest users to mount removable media
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(xguest_mount_media, false)
|
|
+gen_tunable(xguest_mount_media, true)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether xguest can
|
|
-## configure network manager.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow xguest users to configure Network Manager and connect to apache ports
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(xguest_connect_network, false)
|
|
+gen_tunable(xguest_connect_network, true)
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether xguest can
|
|
-## use blue tooth devices.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow xguest to use blue tooth devices
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(xguest_use_bluetooth, false)
|
|
+gen_tunable(xguest_use_bluetooth, true)
|
|
|
|
role xguest_r;
|
|
|
|
userdom_restricted_xwindows_user_template(xguest)
|
|
+sysnet_dns_name_resolve(xguest_t)
|
|
+
|
|
+init_dbus_chat(xguest_t)
|
|
+init_status(xguest_t)
|
|
+systemd_dontaudit_dbus_chat(xguest_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
-kernel_dontaudit_request_load_module(xguest_t)
|
|
-
|
|
ifndef(`enable_mls',`
|
|
fs_exec_noxattr(xguest_t)
|
|
|
|
- tunable_policy(`user_rw_noexattrfile',`
|
|
+ tunable_policy(`selinuxuser_rw_noexattrfile',`
|
|
fs_manage_noxattr_fs_files(xguest_t)
|
|
fs_manage_noxattr_fs_dirs(xguest_t)
|
|
+ # Write floppies
|
|
storage_raw_read_removable_device(xguest_t)
|
|
storage_raw_write_removable_device(xguest_t)
|
|
',`
|
|
@@ -54,9 +55,22 @@ ifndef(`enable_mls',`
|
|
')
|
|
|
|
optional_policy(`
|
|
+ # Dontaudit fusermount
|
|
+ mount_dontaudit_exec_fusermount(xguest_t)
|
|
+')
|
|
+
|
|
+kernel_dontaudit_request_load_module(xguest_t)
|
|
+kernel_read_software_raid_state(xguest_t)
|
|
+
|
|
+tunable_policy(`selinuxuser_execstack',`
|
|
+ allow xguest_t self:process execstack;
|
|
+')
|
|
+
|
|
+# Allow mounting of file systems
|
|
+optional_policy(`
|
|
tunable_policy(`xguest_mount_media',`
|
|
kernel_read_fs_sysctls(xguest_t)
|
|
-
|
|
+ kernel_request_load_module(xguest_t)
|
|
files_dontaudit_getattr_boot_dirs(xguest_t)
|
|
files_search_mnt(xguest_t)
|
|
|
|
@@ -65,10 +79,9 @@ optional_policy(`
|
|
fs_manage_noxattr_fs_dirs(xguest_t)
|
|
fs_getattr_noxattr_fs(xguest_t)
|
|
fs_read_noxattr_fs_symlinks(xguest_t)
|
|
+ fs_mount_fusefs(xguest_t)
|
|
|
|
auth_list_pam_console_data(xguest_t)
|
|
-
|
|
- init_read_utmp(xguest_t)
|
|
')
|
|
')
|
|
|
|
@@ -84,12 +97,17 @@ optional_policy(`
|
|
')
|
|
')
|
|
|
|
+
|
|
optional_policy(`
|
|
- apache_role(xguest_r, xguest_t)
|
|
+ colord_dbus_chat(xguest_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ chrome_role(xguest_r, xguest_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- gnomeclock_dontaudit_dbus_chat(xguest_t)
|
|
+ dbus_dontaudit_chat_system_bus(xguest_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -97,75 +115,78 @@ optional_policy(`
|
|
')
|
|
|
|
optional_policy(`
|
|
- java_role(xguest_r, xguest_t)
|
|
+ apache_role(xguest_r, xguest_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- mozilla_role(xguest_r, xguest_t)
|
|
+ mozilla_run_plugin(xguest_t, xguest_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
- tunable_policy(`xguest_connect_network',`
|
|
- kernel_read_network_state(xguest_t)
|
|
+ mount_run_fusermount(xguest_t, xguest_r)
|
|
+')
|
|
|
|
+optional_policy(`
|
|
+ pcscd_read_pid_files(xguest_t)
|
|
+ pcscd_stream_connect(xguest_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ rhsmcertd_dontaudit_dbus_chat(xguest_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ tunable_policy(`xguest_connect_network',`
|
|
networkmanager_dbus_chat(xguest_t)
|
|
networkmanager_read_lib_files(xguest_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ tunable_policy(`xguest_connect_network',`
|
|
+ kernel_read_network_state(xguest_t)
|
|
|
|
- corenet_all_recvfrom_unlabeled(xguest_t)
|
|
- corenet_all_recvfrom_netlabel(xguest_t)
|
|
+ corenet_tcp_connect_pulseaudio_port(xguest_t)
|
|
corenet_tcp_sendrecv_generic_if(xguest_t)
|
|
corenet_raw_sendrecv_generic_if(xguest_t)
|
|
corenet_tcp_sendrecv_generic_node(xguest_t)
|
|
corenet_raw_sendrecv_generic_node(xguest_t)
|
|
-
|
|
- corenet_sendrecv_pulseaudio_client_packets(xguest_t)
|
|
- corenet_tcp_connect_pulseaudio_port(xguest_t)
|
|
- corenet_tcp_sendrecv_pulseaudio_port(xguest_t)
|
|
-
|
|
- corenet_sendrecv_http_client_packets(xguest_t)
|
|
- corenet_tcp_connect_http_port(xguest_t)
|
|
+ corenet_tcp_connect_commplex_link_port(xguest_t)
|
|
corenet_tcp_sendrecv_http_port(xguest_t)
|
|
-
|
|
- corenet_sendrecv_http_cache_client_packets(xguest_t)
|
|
- corenet_tcp_connect_http_cache_port(xguest_t)
|
|
corenet_tcp_sendrecv_http_cache_port(xguest_t)
|
|
-
|
|
- corenet_sendrecv_squid_client_packets(xguest_t)
|
|
- corenet_tcp_connect_squid_port(xguest_t)
|
|
corenet_tcp_sendrecv_squid_port(xguest_t)
|
|
-
|
|
- corenet_sendrecv_ftp_client_packets(xguest_t)
|
|
- corenet_tcp_connect_ftp_port(xguest_t)
|
|
corenet_tcp_sendrecv_ftp_port(xguest_t)
|
|
-
|
|
- corenet_sendrecv_ipp_client_packets(xguest_t)
|
|
- corenet_tcp_connect_ipp_port(xguest_t)
|
|
corenet_tcp_sendrecv_ipp_port(xguest_t)
|
|
-
|
|
- corenet_sendrecv_generic_client_packets(xguest_t)
|
|
+ corenet_tcp_connect_http_port(xguest_t)
|
|
+ corenet_tcp_connect_http_cache_port(xguest_t)
|
|
+ corenet_tcp_connect_squid_port(xguest_t)
|
|
+ corenet_tcp_connect_flash_port(xguest_t)
|
|
+ corenet_tcp_connect_ftp_port(xguest_t)
|
|
+ corenet_tcp_connect_ipp_port(xguest_t)
|
|
corenet_tcp_connect_generic_port(xguest_t)
|
|
- corenet_tcp_sendrecv_generic_port(xguest_t)
|
|
-
|
|
- corenet_sendrecv_soundd_client_packets(xguest_t)
|
|
corenet_tcp_connect_soundd_port(xguest_t)
|
|
- corenet_tcp_sendrecv_soundd_port(xguest_t)
|
|
-
|
|
- corenet_sendrecv_speech_client_packets(xguest_t)
|
|
- corenet_tcp_connect_speech_port(xguest_t)
|
|
- corenet_tcp_sendrecv_speech_port(xguest_t)
|
|
-
|
|
- corenet_sendrecv_transproxy_client_packets(xguest_t)
|
|
- corenet_tcp_connect_transproxy_port(xguest_t)
|
|
- corenet_tcp_sendrecv_transproxy_port(xguest_t)
|
|
-
|
|
+ corenet_sendrecv_http_client_packets(xguest_t)
|
|
+ corenet_sendrecv_http_cache_client_packets(xguest_t)
|
|
+ corenet_sendrecv_squid_client_packets(xguest_t)
|
|
+ corenet_sendrecv_ftp_client_packets(xguest_t)
|
|
+ corenet_sendrecv_ipp_client_packets(xguest_t)
|
|
+ corenet_sendrecv_generic_client_packets(xguest_t)
|
|
+ # Should not need other ports
|
|
corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t)
|
|
corenet_dontaudit_tcp_bind_generic_port(xguest_t)
|
|
+ corenet_tcp_connect_speech_port(xguest_t)
|
|
+ corenet_tcp_sendrecv_transproxy_port(xguest_t)
|
|
+ corenet_tcp_connect_transproxy_port(xguest_t)
|
|
')
|
|
')
|
|
|
|
optional_policy(`
|
|
- pcscd_read_pid_files(xguest_t)
|
|
- pcscd_stream_connect(xguest_t)
|
|
+ gen_require(`
|
|
+ type mozilla_t;
|
|
+ ')
|
|
+
|
|
+ allow xguest_t mozilla_t:process transition;
|
|
+ role xguest_r types mozilla_t;
|
|
')
|
|
|
|
-#gen_user(xguest_u,, xguest_r, s0, s0)
|
|
+gen_user(xguest_u, user, xguest_r, s0, s0)
|
|
diff --git a/xprint.te b/xprint.te
|
|
index 3c44d84..ce5e69d 100644
|
|
--- a/xprint.te
|
|
+++ b/xprint.te
|
|
@@ -32,7 +32,6 @@ kernel_read_kernel_sysctls(xprint_t)
|
|
corecmd_exec_bin(xprint_t)
|
|
corecmd_exec_shell(xprint_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(xprint_t)
|
|
corenet_all_recvfrom_netlabel(xprint_t)
|
|
corenet_tcp_sendrecv_generic_if(xprint_t)
|
|
corenet_udp_sendrecv_generic_if(xprint_t)
|
|
@@ -46,9 +45,7 @@ dev_read_urand(xprint_t)
|
|
|
|
domain_use_interactive_fds(xprint_t)
|
|
|
|
-files_read_etc_files(xprint_t)
|
|
files_read_etc_runtime_files(xprint_t)
|
|
-files_read_usr_files(xprint_t)
|
|
files_search_var_lib(xprint_t)
|
|
files_search_tmp(xprint_t)
|
|
|
|
@@ -58,7 +55,6 @@ fs_search_auto_mountpoints(xprint_t)
|
|
logging_send_syslog_msg(xprint_t)
|
|
|
|
miscfiles_read_fonts(xprint_t)
|
|
-miscfiles_read_localization(xprint_t)
|
|
|
|
sysnet_read_config(xprint_t)
|
|
|
|
diff --git a/xscreensaver.te b/xscreensaver.te
|
|
index 04096a0..98a8205 100644
|
|
--- a/xscreensaver.te
|
|
+++ b/xscreensaver.te
|
|
@@ -25,7 +25,6 @@ allow xscreensaver_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
kernel_read_system_state(xscreensaver_t)
|
|
|
|
-files_read_usr_files(xscreensaver_t)
|
|
|
|
auth_use_nsswitch(xscreensaver_t)
|
|
auth_domtrans_chk_passwd(xscreensaver_t)
|
|
@@ -35,9 +34,8 @@ init_read_utmp(xscreensaver_t)
|
|
logging_send_audit_msgs(xscreensaver_t)
|
|
logging_send_syslog_msg(xscreensaver_t)
|
|
|
|
-miscfiles_read_localization(xscreensaver_t)
|
|
-
|
|
-userdom_use_user_terminals(xscreensaver_t)
|
|
+userdom_use_inherited_user_ptys(xscreensaver_t)
|
|
+#access to .icons and ~/.xscreensaver
|
|
userdom_read_user_home_content_files(xscreensaver_t)
|
|
|
|
xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
|
|
diff --git a/yam.te b/yam.te
|
|
index 2695db2..123c042 100644
|
|
--- a/yam.te
|
|
+++ b/yam.te
|
|
@@ -73,11 +73,11 @@ auth_use_nsswitch(yam_t)
|
|
|
|
logging_send_syslog_msg(yam_t)
|
|
|
|
-miscfiles_read_localization(yam_t)
|
|
-
|
|
seutil_read_config(yam_t)
|
|
|
|
-userdom_use_user_terminals(yam_t)
|
|
+sysnet_read_config(yam_t)
|
|
+
|
|
+userdom_use_inherited_user_terminals(yam_t)
|
|
userdom_use_unpriv_users_fds(yam_t)
|
|
userdom_search_user_home_dirs(yam_t)
|
|
|
|
diff --git a/zabbix.fc b/zabbix.fc
|
|
index c3b5a81..7d8b570 100644
|
|
--- a/zabbix.fc
|
|
+++ b/zabbix.fc
|
|
@@ -4,11 +4,15 @@
|
|
/usr/bin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
|
|
/usr/bin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
|
|
|
|
-/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
|
|
/usr/sbin/zabbix_agentd -- gen_context(system_u:object_r:zabbix_agent_exec_t,s0)
|
|
+/usr/sbin/zabbix_server -- gen_context(system_u:object_r:zabbix_exec_t,s0)
|
|
/usr/sbin/zabbix_server_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
|
|
/usr/sbin/zabbix_server_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
|
|
/usr/sbin/zabbix_server_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
|
|
+/usr/sbin/zabbix_proxy -- gen_context(system_u:object_r:zabbix_exec_t,s0)
|
|
+/usr/sbin/zabbix_proxy_mysql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
|
|
+/usr/sbin/zabbix_proxy_pgsql -- gen_context(system_u:object_r:zabbix_exec_t,s0)
|
|
+/usr/sbin/zabbix_proxy_sqlite3 -- gen_context(system_u:object_r:zabbix_exec_t,s0)
|
|
|
|
/var/log/zabbix(/.*)? gen_context(system_u:object_r:zabbix_log_t,s0)
|
|
|
|
diff --git a/zabbix.if b/zabbix.if
|
|
index dd63de0..38ce620 100644
|
|
--- a/zabbix.if
|
|
+++ b/zabbix.if
|
|
@@ -1,4 +1,4 @@
|
|
-## <summary>Distributed infrastructure monitoring.</summary>
|
|
+## <summary>Distributed infrastructure monitoring</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
@@ -15,13 +15,12 @@ interface(`zabbix_domtrans',`
|
|
type zabbix_t, zabbix_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, zabbix_exec_t, zabbix_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to zabbit on the TCP network.
|
|
+## Allow connectivity to the zabbix server
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -34,7 +33,7 @@ interface(`zabbix_tcp_connect',`
|
|
type zabbix_t;
|
|
')
|
|
|
|
- corenet_sendrecv_zabbix_client_packets($1)
|
|
+ corenet_sendrecv_zabbix_agent_client_packets($1)
|
|
corenet_tcp_connect_zabbix_port($1)
|
|
corenet_tcp_recvfrom_labeled($1, zabbix_t)
|
|
corenet_tcp_sendrecv_zabbix_port($1)
|
|
@@ -42,7 +41,7 @@ interface(`zabbix_tcp_connect',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read zabbix log files.
|
|
+## Allow the specified domain to read zabbix's log files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -62,13 +61,34 @@ interface(`zabbix_read_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Append zabbix log files.
|
|
+## Allow the specified domain to read zabbix's tmp files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`zabbix_read_tmp',`
|
|
+ gen_require(`
|
|
+ type zabbix_tmp_t;
|
|
+ ')
|
|
+
|
|
+ files_search_tmp($1)
|
|
+ read_files_pattern($1, zabbix_tmp_t, zabbix_tmp_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow the specified domain to append
|
|
+## zabbix log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
#
|
|
interface(`zabbix_append_log',`
|
|
gen_require(`
|
|
@@ -81,7 +101,7 @@ interface(`zabbix_append_log',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read zabbix pid files.
|
|
+## Read zabbix PID files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -100,7 +120,7 @@ interface(`zabbix_read_pid_files',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to zabbix agent on the TCP network.
|
|
+## Allow connectivity to a zabbix agent
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -110,7 +130,7 @@ interface(`zabbix_read_pid_files',`
|
|
#
|
|
interface(`zabbix_agent_tcp_connect',`
|
|
gen_require(`
|
|
- type zabbix_agent_t;
|
|
+ type zabbix_t, zabbix_agent_t;
|
|
')
|
|
|
|
corenet_sendrecv_zabbix_agent_client_packets($1)
|
|
@@ -121,8 +141,8 @@ interface(`zabbix_agent_tcp_connect',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an zabbix environment.
|
|
+## All of the rules required to administrate
|
|
+## an zabbix environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -131,7 +151,7 @@ interface(`zabbix_agent_tcp_connect',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the zabbix domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
@@ -139,16 +159,18 @@ interface(`zabbix_agent_tcp_connect',`
|
|
interface(`zabbix_admin',`
|
|
gen_require(`
|
|
type zabbix_t, zabbix_log_t, zabbix_var_run_t;
|
|
- type zabbix_initrc_exec_t, zabbit_agent_initrc_exec_t, zabbix_tmp_t;
|
|
- type zabbit_tmpfs_t;
|
|
+ type zabbix_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, { zabbix_t zabbix_agent_t })
|
|
+ allow $1 zabbix_t:process signal_perms;
|
|
+ ps_process_pattern($1, zabbix_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 zabbix_t:process ptrace;
|
|
+ ')
|
|
|
|
- init_labeled_script_domtrans($1, { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t })
|
|
+ init_labeled_script_domtrans($1, zabbix_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
- role_transition $2 { zabbix_agent_initrc_exec_t zabbix_initrc_exec_t } system_r;
|
|
+ role_transition $2 zabbix_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
logging_list_logs($1)
|
|
@@ -156,10 +178,4 @@ interface(`zabbix_admin',`
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, zabbix_var_run_t)
|
|
-
|
|
- files_list_tmp($1)
|
|
- admin_pattern($1, zabbix_tmp_t)
|
|
-
|
|
- fs_list_tmpfs($1)
|
|
- admin_pattern($1, zabbix_tmpfs_t)
|
|
')
|
|
diff --git a/zabbix.te b/zabbix.te
|
|
index 7f496c6..16f1ab6 100644
|
|
--- a/zabbix.te
|
|
+++ b/zabbix.te
|
|
@@ -6,21 +6,23 @@ policy_module(zabbix, 1.6.0)
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
+## <p>
|
|
## Determine whether zabbix can
|
|
## connect to all TCP ports
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(zabbix_can_network, false)
|
|
|
|
-type zabbix_t;
|
|
+attribute zabbix_domain;
|
|
+
|
|
+type zabbix_t, zabbix_domain;
|
|
type zabbix_exec_t;
|
|
init_daemon_domain(zabbix_t, zabbix_exec_t)
|
|
|
|
type zabbix_initrc_exec_t;
|
|
init_script_file(zabbix_initrc_exec_t)
|
|
|
|
-type zabbix_agent_t;
|
|
+type zabbix_agent_t, zabbix_domain;
|
|
type zabbix_agent_exec_t;
|
|
init_daemon_domain(zabbix_agent_t, zabbix_agent_exec_t)
|
|
|
|
@@ -41,22 +43,40 @@ files_pid_file(zabbix_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
+# zabbix domain local policy
|
|
+#
|
|
+
|
|
+allow zabbix_domain self:capability { setuid setgid };
|
|
+allow zabbix_domain self:process { setpgid setsched getsched signal_perms };
|
|
+allow zabbix_domain self:fifo_file rw_fifo_file_perms;
|
|
+allow zabbix_domain self:sem create_sem_perms;
|
|
+allow zabbix_domain self:shm create_shm_perms;
|
|
+allow zabbix_domain self:tcp_socket { accept listen };
|
|
+allow zabbix_domain self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+kernel_read_all_sysctls(zabbix_domain)
|
|
+
|
|
+corenet_tcp_sendrecv_generic_if(zabbix_domain)
|
|
+corenet_tcp_sendrecv_generic_node(zabbix_domain)
|
|
+corenet_tcp_bind_generic_node(zabbix_domain)
|
|
+
|
|
+corecmd_exec_shell(zabbix_domain)
|
|
+corecmd_exec_bin(zabbix_domain)
|
|
+
|
|
+dev_read_sysfs(zabbix_domain)
|
|
+dev_read_urand(zabbix_domain)
|
|
+
|
|
+########################################
|
|
+#
|
|
# Local policy
|
|
#
|
|
|
|
-allow zabbix_t self:capability { dac_read_search dac_override setuid setgid };
|
|
-allow zabbix_t self:process { setsched signal_perms };
|
|
-allow zabbix_t self:fifo_file rw_fifo_file_perms;
|
|
-allow zabbix_t self:unix_stream_socket create_stream_socket_perms;
|
|
-allow zabbix_t self:sem create_sem_perms;
|
|
-allow zabbix_t self:shm create_shm_perms;
|
|
-allow zabbix_t self:tcp_socket create_stream_socket_perms;
|
|
+allow zabbix_t self:capability { dac_read_search dac_override };
|
|
|
|
-allow zabbix_t zabbix_log_t:dir setattr_dir_perms;
|
|
-append_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
|
-create_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
|
-setattr_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
|
-logging_log_filetrans(zabbix_t, zabbix_log_t, file)
|
|
+manage_dirs_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
|
+manage_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
|
+manage_lnk_files_pattern(zabbix_t, zabbix_log_t, zabbix_log_t)
|
|
+logging_log_filetrans(zabbix_t, zabbix_log_t, { dir file })
|
|
|
|
manage_dirs_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
|
|
manage_files_pattern(zabbix_t, zabbix_tmp_t, zabbix_tmp_t)
|
|
@@ -70,13 +90,9 @@ manage_files_pattern(zabbix_t, zabbix_var_run_t, zabbix_var_run_t)
|
|
files_pid_filetrans(zabbix_t, zabbix_var_run_t, { dir file })
|
|
|
|
kernel_read_system_state(zabbix_t)
|
|
-kernel_read_kernel_sysctls(zabbix_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(zabbix_t)
|
|
corenet_all_recvfrom_netlabel(zabbix_t)
|
|
-corenet_tcp_sendrecv_generic_if(zabbix_t)
|
|
-corenet_tcp_sendrecv_generic_node(zabbix_t)
|
|
-corenet_tcp_bind_generic_node(zabbix_t)
|
|
|
|
corenet_sendrecv_ftp_client_packets(zabbix_t)
|
|
corenet_tcp_connect_ftp_port(zabbix_t)
|
|
@@ -90,17 +106,8 @@ corenet_sendrecv_zabbix_server_packets(zabbix_t)
|
|
corenet_tcp_bind_zabbix_port(zabbix_t)
|
|
corenet_tcp_sendrecv_zabbix_port(zabbix_t)
|
|
|
|
-corecmd_exec_bin(zabbix_t)
|
|
-corecmd_exec_shell(zabbix_t)
|
|
-
|
|
-dev_read_urand(zabbix_t)
|
|
-
|
|
-files_read_usr_files(zabbix_t)
|
|
-
|
|
auth_use_nsswitch(zabbix_t)
|
|
|
|
-miscfiles_read_localization(zabbix_t)
|
|
-
|
|
zabbix_agent_tcp_connect(zabbix_t)
|
|
|
|
tunable_policy(`zabbix_can_network',`
|
|
@@ -110,12 +117,11 @@ tunable_policy(`zabbix_can_network',`
|
|
')
|
|
|
|
optional_policy(`
|
|
- netutils_domtrans_ping(zabbix_t)
|
|
+ mysql_stream_connect(zabbix_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
- mysql_stream_connect(zabbix_t)
|
|
- mysql_tcp_connect(zabbix_t)
|
|
+ netutils_domtrans_ping(zabbix_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
@@ -125,6 +131,7 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
snmp_read_snmp_var_lib_files(zabbix_t)
|
|
+ snmp_read_snmp_var_lib_dirs(zabbix_t)
|
|
')
|
|
|
|
########################################
|
|
@@ -132,18 +139,7 @@ optional_policy(`
|
|
# Agent local policy
|
|
#
|
|
|
|
-allow zabbix_agent_t self:capability { setuid setgid };
|
|
-allow zabbix_agent_t self:process { setsched getsched signal };
|
|
-allow zabbix_agent_t self:fifo_file rw_fifo_file_perms;
|
|
-allow zabbix_agent_t self:sem create_sem_perms;
|
|
-allow zabbix_agent_t self:shm create_shm_perms;
|
|
-allow zabbix_agent_t self:tcp_socket { accept listen };
|
|
-allow zabbix_agent_t self:unix_stream_socket create_stream_socket_perms;
|
|
-
|
|
-append_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
|
|
-create_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
|
|
-setattr_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
|
|
-filetrans_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t, file)
|
|
+manage_files_pattern(zabbix_agent_t, zabbix_log_t, zabbix_log_t)
|
|
|
|
rw_files_pattern(zabbix_agent_t, zabbix_tmpfs_t, zabbix_tmpfs_t)
|
|
fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
|
|
@@ -151,16 +147,12 @@ fs_tmpfs_filetrans(zabbix_agent_t, zabbix_tmpfs_t, file)
|
|
manage_files_pattern(zabbix_agent_t, zabbix_var_run_t, zabbix_var_run_t)
|
|
files_pid_filetrans(zabbix_agent_t, zabbix_var_run_t, file)
|
|
|
|
-kernel_read_all_sysctls(zabbix_agent_t)
|
|
kernel_read_system_state(zabbix_agent_t)
|
|
|
|
-corecmd_read_all_executables(zabbix_agent_t)
|
|
-
|
|
corenet_all_recvfrom_unlabeled(zabbix_agent_t)
|
|
corenet_all_recvfrom_netlabel(zabbix_agent_t)
|
|
-corenet_tcp_sendrecv_generic_if(zabbix_agent_t)
|
|
-corenet_tcp_sendrecv_generic_node(zabbix_agent_t)
|
|
-corenet_tcp_bind_generic_node(zabbix_agent_t)
|
|
+
|
|
+corecmd_read_all_executables(zabbix_agent_t)
|
|
|
|
corenet_sendrecv_zabbix_agent_server_packets(zabbix_agent_t)
|
|
corenet_tcp_bind_zabbix_agent_port(zabbix_agent_t)
|
|
@@ -182,7 +174,6 @@ domain_search_all_domains_state(zabbix_agent_t)
|
|
files_getattr_all_dirs(zabbix_agent_t)
|
|
files_getattr_all_files(zabbix_agent_t)
|
|
files_read_all_symlinks(zabbix_agent_t)
|
|
-files_read_etc_files(zabbix_agent_t)
|
|
|
|
fs_getattr_all_fs(zabbix_agent_t)
|
|
|
|
@@ -190,8 +181,11 @@ init_read_utmp(zabbix_agent_t)
|
|
|
|
logging_search_logs(zabbix_agent_t)
|
|
|
|
-miscfiles_read_localization(zabbix_agent_t)
|
|
-
|
|
sysnet_dns_name_resolve(zabbix_agent_t)
|
|
|
|
zabbix_tcp_connect(zabbix_agent_t)
|
|
+
|
|
+optional_policy(`
|
|
+ hostname_exec(zabbix_agent_t)
|
|
+')
|
|
+
|
|
diff --git a/zarafa.fc b/zarafa.fc
|
|
index faf99ed..44e94fa 100644
|
|
--- a/zarafa.fc
|
|
+++ b/zarafa.fc
|
|
@@ -1,33 +1,34 @@
|
|
-/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0)
|
|
+/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0)
|
|
|
|
-/etc/rc\.d/init\.d/zarafa.* -- gen_context(system_u:object_r:zarafa_initrc_exec_t,s0)
|
|
+/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0)
|
|
+/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0)
|
|
+/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
|
|
+/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
|
|
+/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
|
|
+/usr/bin/zarafa-search -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
|
|
+/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
|
|
+/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
|
|
|
|
-/usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0)
|
|
-/usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0)
|
|
-/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
|
|
-/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
|
|
-/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
|
|
-/usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0)
|
|
-/usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0)
|
|
-
|
|
-/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
|
|
+/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
|
|
/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
|
|
-/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
|
|
+/var/lib/zarafa-webapp(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0)
|
|
|
|
-/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0)
|
|
+/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0)
|
|
/var/log/zarafa/gateway\.log.* -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
|
|
/var/log/zarafa/ical\.log.* -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
|
|
/var/log/zarafa/indexer\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
|
|
/var/log/zarafa/monitor\.log.* -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0)
|
|
/var/log/zarafa/server\.log.* -- gen_context(system_u:object_r:zarafa_server_log_t,s0)
|
|
+/var/log/zarafa/search\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
|
|
/var/log/zarafa/spooler\.log.* -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
|
|
|
|
-/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
|
|
-/var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0)
|
|
+/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
|
|
+/var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0)
|
|
/var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0)
|
|
/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
|
|
-/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
|
|
+/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
|
|
/var/run/zarafa-indexer\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
|
|
/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
|
|
/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
|
|
+/var/run/zarafa-search\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
|
|
/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
|
|
diff --git a/zarafa.if b/zarafa.if
|
|
index 36e32df..3d08962 100644
|
|
--- a/zarafa.if
|
|
+++ b/zarafa.if
|
|
@@ -1,55 +1,59 @@
|
|
## <summary>Zarafa collaboration platform.</summary>
|
|
|
|
-#######################################
|
|
+######################################
|
|
## <summary>
|
|
-## The template to define a zarafa domain.
|
|
+## Creates types and rules for a basic
|
|
+## zararfa init daemon domain.
|
|
## </summary>
|
|
-## <param name="domain_prefix">
|
|
+## <param name="prefix">
|
|
## <summary>
|
|
-## Domain prefix to be used.
|
|
+## Prefix for the domain.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
template(`zarafa_domain_template',`
|
|
gen_require(`
|
|
- attribute zarafa_domain, zarafa_logfile, zarafa_pidfile;
|
|
+ attribute zarafa_domain;
|
|
')
|
|
|
|
- ########################################
|
|
+ ##############################
|
|
#
|
|
- # Declarations
|
|
+ # $1_t declarations
|
|
#
|
|
|
|
type zarafa_$1_t, zarafa_domain;
|
|
type zarafa_$1_exec_t;
|
|
init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t)
|
|
|
|
- type zarafa_$1_log_t, zarafa_logfile;
|
|
+ type zarafa_$1_log_t;
|
|
logging_log_file(zarafa_$1_log_t)
|
|
|
|
- type zarafa_$1_var_run_t, zarafa_pidfile;
|
|
+ type zarafa_$1_var_run_t;
|
|
files_pid_file(zarafa_$1_var_run_t)
|
|
|
|
- ########################################
|
|
+ ##############################
|
|
#
|
|
- # Policy
|
|
+ # $1_t local policy
|
|
#
|
|
|
|
manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
|
|
manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t)
|
|
files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file })
|
|
|
|
- append_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
|
|
- create_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
|
|
- setattr_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
|
|
- logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, file)
|
|
+ manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t)
|
|
+ logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file })
|
|
+
|
|
+ kernel_read_system_state(zarafa_$1_t)
|
|
|
|
auth_use_nsswitch(zarafa_$1_t)
|
|
+
|
|
+ logging_send_syslog_msg(zarafa_$1_t)
|
|
')
|
|
|
|
######################################
|
|
## <summary>
|
|
-## search zarafa configuration directories.
|
|
+## Allow the specified domain to search
|
|
+## zarafa configuration dirs.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -68,7 +72,7 @@ interface(`zarafa_search_config',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a domain transition to run zarafa deliver.
|
|
+## Execute a domain transition to run zarafa_deliver.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -81,13 +85,12 @@ interface(`zarafa_domtrans_deliver',`
|
|
type zarafa_deliver_t, zarafa_deliver_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Execute a domain transition to run zarafa server.
|
|
+## Execute a domain transition to run zarafa_server.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -100,14 +103,12 @@ interface(`zarafa_domtrans_server',`
|
|
type zarafa_server_t, zarafa_server_exec_t;
|
|
')
|
|
|
|
- corecmd_search_bin($1)
|
|
domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t)
|
|
')
|
|
|
|
#######################################
|
|
## <summary>
|
|
-## Connect to zarafa server with a unix
|
|
-## domain stream socket.
|
|
+## Connect to zarafa-server unix domain stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -124,51 +125,24 @@ interface(`zarafa_stream_connect_server',`
|
|
stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
|
|
')
|
|
|
|
-########################################
|
|
+####################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an zarafa environment.
|
|
+## Allow the specified domain to manage
|
|
+## zarafa /var/lib files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
-## <summary>
|
|
-## Domain allowed access.
|
|
-## </summary>
|
|
-## </param>
|
|
-## <param name="role">
|
|
-## <summary>
|
|
-## Role allowed access.
|
|
-## </summary>
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
## </param>
|
|
-## <rolecap/>
|
|
#
|
|
-interface(`zarafa_admin',`
|
|
- gen_require(`
|
|
- attribute zarafa_domain, zarafa_logfile, zarafa_pidfile;
|
|
- type zarafa_etc_t, zarafa_initrc_exec_t, zarafa_deliver_tmp_t;
|
|
- type zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_share_t;
|
|
- type zarafa_var_lib_t;
|
|
- ')
|
|
-
|
|
- allow $1 zarafa_domain:process { ptrace signal_perms };
|
|
- ps_process_pattern($1, zarafa_domain)
|
|
-
|
|
- init_labeled_script_domtrans($1, zarafa_initrc_exec_t)
|
|
- domain_system_change_exemption($1)
|
|
- role_transition $2 zarafa_initrc_exec_t system_r;
|
|
- allow $2 system_r;
|
|
-
|
|
- files_search_etc($1)
|
|
- admin_pattern($1, zarafa_etc_t)
|
|
-
|
|
- files_search_tmp($1)
|
|
- admin_pattern($1, { zarafa_deliver_tmp_t zarafa_indexer_tmp_t zarafa_server_tmp_t })
|
|
-
|
|
- logging_search_log($1)
|
|
- admin_pattern($1, zarafa_logfile)
|
|
-
|
|
- files_search_var_lib($1)
|
|
- admin_pattern($1, { zarafa_var_lib_t zarafa_share_t })
|
|
-
|
|
- files_search_pids($1)
|
|
- admin_pattern($1, zarafa_pidfile)
|
|
+interface(`zarafa_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type zarafa_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
|
|
+ manage_lnk_files_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
|
|
+ manage_dirs_pattern($1, zarafa_var_lib_t, zarafa_var_lib_t)
|
|
')
|
|
diff --git a/zarafa.te b/zarafa.te
|
|
index 3fded1c..5729b83 100644
|
|
--- a/zarafa.te
|
|
+++ b/zarafa.te
|
|
@@ -5,9 +5,14 @@ policy_module(zarafa, 1.2.0)
|
|
# Declarations
|
|
#
|
|
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow zarafa domains to setrlimit/sys_rouserce.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(zarafa_setrlimit, false)
|
|
+
|
|
attribute zarafa_domain;
|
|
-attribute zarafa_logfile;
|
|
-attribute zarafa_pidfile;
|
|
|
|
zarafa_domain_template(deliver)
|
|
|
|
@@ -17,9 +22,6 @@ files_tmp_file(zarafa_deliver_tmp_t)
|
|
type zarafa_etc_t;
|
|
files_config_file(zarafa_etc_t)
|
|
|
|
-type zarafa_initrc_exec_t;
|
|
-init_script_file(zarafa_initrc_exec_t)
|
|
-
|
|
zarafa_domain_template(gateway)
|
|
zarafa_domain_template(ical)
|
|
zarafa_domain_template(indexer)
|
|
@@ -43,61 +45,74 @@ files_tmp_file(zarafa_var_lib_t)
|
|
|
|
########################################
|
|
#
|
|
-# Deliver local policy
|
|
+# zarafa-deliver local policy
|
|
#
|
|
|
|
manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
|
|
manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t)
|
|
files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir })
|
|
|
|
+auth_use_nsswitch(zarafa_deliver_t)
|
|
+
|
|
+corenet_tcp_bind_lmtp_port(zarafa_deliver_t)
|
|
+
|
|
########################################
|
|
#
|
|
-# Gateway local policy
|
|
+# zarafa_gateway local policy
|
|
#
|
|
-
|
|
-corenet_all_recvfrom_unlabeled(zarafa_gateway_t)
|
|
corenet_all_recvfrom_netlabel(zarafa_gateway_t)
|
|
corenet_tcp_sendrecv_generic_if(zarafa_gateway_t)
|
|
corenet_tcp_sendrecv_generic_node(zarafa_gateway_t)
|
|
+corenet_tcp_sendrecv_all_ports(zarafa_gateway_t)
|
|
corenet_tcp_bind_generic_node(zarafa_gateway_t)
|
|
-
|
|
-corenet_sendrecv_pop_server_packets(zarafa_gateway_t)
|
|
corenet_tcp_bind_pop_port(zarafa_gateway_t)
|
|
-corenet_tcp_sendrecv_pop_port(zarafa_gateway_t)
|
|
+
|
|
+######################################
|
|
+#
|
|
+# zarafa-indexer local policy
|
|
+#
|
|
+
|
|
+
|
|
+manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
|
|
+manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
|
|
+files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir })
|
|
+
|
|
+manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
|
|
+manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
|
|
+manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
|
|
+
|
|
+auth_use_nsswitch(zarafa_indexer_t)
|
|
|
|
#######################################
|
|
#
|
|
-# Ical local policy
|
|
+# zarafa-ical local policy
|
|
#
|
|
|
|
-corenet_all_recvfrom_unlabeled(zarafa_ical_t)
|
|
+
|
|
corenet_all_recvfrom_netlabel(zarafa_ical_t)
|
|
corenet_tcp_sendrecv_generic_if(zarafa_ical_t)
|
|
corenet_tcp_sendrecv_generic_node(zarafa_ical_t)
|
|
+corenet_tcp_sendrecv_all_ports(zarafa_ical_t)
|
|
corenet_tcp_bind_generic_node(zarafa_ical_t)
|
|
-
|
|
-corenet_sendrecv_http_cache_client_packets(zarafa_ical_t)
|
|
corenet_tcp_bind_http_cache_port(zarafa_ical_t)
|
|
-corenet_tcp_sendrecv_http_cache_port(zarafa_ical_t)
|
|
+
|
|
+auth_use_nsswitch(zarafa_ical_t)
|
|
|
|
######################################
|
|
#
|
|
-# Indexer local policy
|
|
+# zarafa-monitor local policy
|
|
#
|
|
|
|
-manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
|
|
-manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t)
|
|
-files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir })
|
|
|
|
-manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
|
|
-manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
|
|
-manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t)
|
|
+auth_use_nsswitch(zarafa_monitor_t)
|
|
|
|
########################################
|
|
#
|
|
-# Server local policy
|
|
+# zarafa_server local policy
|
|
#
|
|
|
|
+allow zarafa_server_t self:capability net_bind_service;
|
|
+
|
|
manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
|
|
manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t)
|
|
files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir })
|
|
@@ -109,70 +124,85 @@ files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file }
|
|
|
|
stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(zarafa_server_t)
|
|
corenet_all_recvfrom_netlabel(zarafa_server_t)
|
|
corenet_tcp_sendrecv_generic_if(zarafa_server_t)
|
|
corenet_tcp_sendrecv_generic_node(zarafa_server_t)
|
|
+corenet_tcp_sendrecv_all_ports(zarafa_server_t)
|
|
corenet_tcp_bind_generic_node(zarafa_server_t)
|
|
-
|
|
-corenet_sendrecv_zarafa_server_packets(zarafa_server_t)
|
|
corenet_tcp_bind_zarafa_port(zarafa_server_t)
|
|
-corenet_tcp_sendrecv_zarafa_port(zarafa_server_t)
|
|
|
|
-files_read_usr_files(zarafa_server_t)
|
|
|
|
+auth_use_nsswitch(zarafa_server_t)
|
|
+
|
|
+logging_send_syslog_msg(zarafa_server_t)
|
|
logging_send_audit_msgs(zarafa_server_t)
|
|
|
|
+sysnet_dns_name_resolve(zarafa_server_t)
|
|
+
|
|
optional_policy(`
|
|
kerberos_use(zarafa_server_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_stream_connect(zarafa_server_t)
|
|
- mysql_tcp_connect(zarafa_server_t)
|
|
-')
|
|
-
|
|
-optional_policy(`
|
|
- postgresql_stream_connect(zarafa_server_t)
|
|
- postgresql_tcp_connect(zarafa_server_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
-# Spooler local policy
|
|
+# zarafa_spooler local policy
|
|
#
|
|
|
|
can_exec(zarafa_spooler_t, zarafa_spooler_exec_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(zarafa_spooler_t)
|
|
corenet_all_recvfrom_netlabel(zarafa_spooler_t)
|
|
corenet_tcp_sendrecv_generic_if(zarafa_spooler_t)
|
|
corenet_tcp_sendrecv_generic_node(zarafa_spooler_t)
|
|
-
|
|
-corenet_sendrecv_smtp_client_packets(zarafa_spooler_t)
|
|
+corenet_tcp_sendrecv_all_ports(zarafa_spooler_t)
|
|
corenet_tcp_connect_smtp_port(zarafa_spooler_t)
|
|
-corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t)
|
|
+
|
|
+auth_use_nsswitch(zarafa_spooler_t)
|
|
|
|
########################################
|
|
#
|
|
-# Zarafa domain local policy
|
|
+# zarafa_gateway local policy
|
|
#
|
|
+corenet_tcp_bind_pop_port(zarafa_gateway_t)
|
|
|
|
+#######################################
|
|
+#
|
|
+# zarafa-ical local policy
|
|
+#
|
|
+
|
|
+corenet_tcp_bind_http_cache_port(zarafa_ical_t)
|
|
+
|
|
+######################################
|
|
+#
|
|
+# zarafa-monitor local policy
|
|
+#
|
|
+
|
|
+
|
|
+########################################
|
|
+#
|
|
+# zarafa domains local policy
|
|
+#
|
|
+
|
|
+# bad permission on /etc/zarafa
|
|
allow zarafa_domain self:capability { kill dac_override chown setgid setuid };
|
|
-allow zarafa_domain self:process { setrlimit signal };
|
|
+allow zarafa_domain self:process { signal_perms };
|
|
allow zarafa_domain self:fifo_file rw_fifo_file_perms;
|
|
-allow zarafa_domain self:tcp_socket { accept listen };
|
|
-allow zarafa_domain self:unix_stream_socket { accept listen };
|
|
+allow zarafa_domain self:tcp_socket create_stream_socket_perms;
|
|
+allow zarafa_domain self:unix_stream_socket create_stream_socket_perms;
|
|
+
|
|
+tunable_policy(`zarafa_setrlimit',`
|
|
+ allow zarafa_domain self:capability sys_resource;
|
|
+ allow zarafa_domain self:process setrlimit;
|
|
+')
|
|
|
|
stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t)
|
|
|
|
read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t)
|
|
|
|
-kernel_read_system_state(zarafa_domain)
|
|
-
|
|
dev_read_rand(zarafa_domain)
|
|
dev_read_urand(zarafa_domain)
|
|
|
|
-logging_send_syslog_msg(zarafa_domain)
|
|
-
|
|
-miscfiles_read_localization(zarafa_domain)
|
|
+dev_read_sysfs(zarafa_domain)
|
|
diff --git a/zebra.fc b/zebra.fc
|
|
index 28ee4ca..e1b30b2 100644
|
|
--- a/zebra.fc
|
|
+++ b/zebra.fc
|
|
@@ -1,21 +1,22 @@
|
|
-/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
|
|
-/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
|
|
-
|
|
/etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
|
|
-/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
|
|
-/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
|
|
/etc/rc\.d/init\.d/ripd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
|
|
-/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
|
|
-/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/ripngd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
|
|
+/etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
|
|
+
|
|
+/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
|
|
+/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
|
|
+
|
|
+/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
|
|
+/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
|
|
|
|
-/usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
|
|
/usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
|
|
-/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
|
|
-/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
|
|
+/usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
|
|
|
|
-/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
|
|
-/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
|
|
+/var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
|
|
+/var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
|
|
|
|
/var/run/\.zebra -s gen_context(system_u:object_r:zebra_var_run_t,s0)
|
|
/var/run/\.zserv -s gen_context(system_u:object_r:zebra_var_run_t,s0)
|
|
-/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
|
|
+/var/run/quagga(/.*)? gen_context(system_u:object_r:zebra_var_run_t,s0)
|
|
diff --git a/zebra.if b/zebra.if
|
|
index 3416401..ef64e73 100644
|
|
--- a/zebra.if
|
|
+++ b/zebra.if
|
|
@@ -1,8 +1,8 @@
|
|
-## <summary>Zebra border gateway protocol network routing service.</summary>
|
|
+## <summary>Zebra border gateway protocol network routing service</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Read zebra configuration content.
|
|
+## Read the configuration files for zebra.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -18,14 +18,13 @@ interface(`zebra_read_config',`
|
|
|
|
files_search_etc($1)
|
|
allow $1 zebra_conf_t:dir list_dir_perms;
|
|
- allow $1 zebra_conf_t:file read_file_perms;
|
|
- allow $1 zebra_conf_t:lnk_file read_lnk_file_perms;
|
|
+ read_files_pattern($1, zebra_conf_t, zebra_conf_t)
|
|
+ read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
-## Connect to zebra with a unix
|
|
-## domain stream socket.
|
|
+## Connect to zebra over an unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -44,8 +43,8 @@ interface(`zebra_stream_connect',`
|
|
|
|
########################################
|
|
## <summary>
|
|
-## All of the rules required to
|
|
-## administrate an zebra environment.
|
|
+## All of the rules required to administrate
|
|
+## an zebra environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
@@ -54,7 +53,7 @@ interface(`zebra_stream_connect',`
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
-## Role allowed access.
|
|
+## The role to be allowed to manage the zebra domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
@@ -62,12 +61,14 @@ interface(`zebra_stream_connect',`
|
|
interface(`zebra_admin',`
|
|
gen_require(`
|
|
type zebra_t, zebra_tmp_t, zebra_log_t;
|
|
- type zebra_conf_t, zebra_var_run_t;
|
|
- type zebra_initrc_exec_t;
|
|
+ type zebra_conf_t, zebra_var_run_t, zebra_initrc_exec_t;
|
|
')
|
|
|
|
- allow $1 zebra_t:process { ptrace signal_perms };
|
|
+ allow $1 zebra_t:process signal_perms;
|
|
ps_process_pattern($1, zebra_t)
|
|
+ tunable_policy(`deny_ptrace',`',`
|
|
+ allow $1 zebra_t:process ptrace;
|
|
+ ')
|
|
|
|
init_labeled_script_domtrans($1, zebra_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
diff --git a/zebra.te b/zebra.te
|
|
index 2e80d04..dd1513f 100644
|
|
--- a/zebra.te
|
|
+++ b/zebra.te
|
|
@@ -6,19 +6,19 @@ policy_module(zebra, 1.13.0)
|
|
#
|
|
|
|
## <desc>
|
|
-## <p>
|
|
-## Determine whether zebra daemon can
|
|
-## manage its configuration files.
|
|
-## </p>
|
|
+## <p>
|
|
+## Allow zebra daemon to write it configuration files
|
|
+## </p>
|
|
## </desc>
|
|
-gen_tunable(allow_zebra_write_config, false)
|
|
+#
|
|
+gen_tunable(zebra_write_config, false)
|
|
|
|
type zebra_t;
|
|
type zebra_exec_t;
|
|
init_daemon_domain(zebra_t, zebra_exec_t)
|
|
|
|
type zebra_conf_t;
|
|
-files_type(zebra_conf_t)
|
|
+files_config_file(zebra_conf_t)
|
|
|
|
type zebra_initrc_exec_t;
|
|
init_script_file(zebra_initrc_exec_t)
|
|
@@ -40,24 +40,24 @@ files_pid_file(zebra_var_run_t)
|
|
allow zebra_t self:capability { setgid setuid net_admin net_raw };
|
|
dontaudit zebra_t self:capability sys_tty_config;
|
|
allow zebra_t self:process { signal_perms getcap setcap };
|
|
-allow zebra_t self:fifo_file rw_fifo_file_perms;
|
|
-allow zebra_t self:unix_stream_socket { accept connectto listen };
|
|
+allow zebra_t self:file rw_file_perms;
|
|
+allow zebra_t self:unix_dgram_socket create_socket_perms;
|
|
+allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
|
allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
|
|
allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
|
|
allow zebra_t self:udp_socket create_socket_perms;
|
|
allow zebra_t self:rawip_socket create_socket_perms;
|
|
|
|
allow zebra_t zebra_conf_t:dir list_dir_perms;
|
|
-allow zebra_t zebra_conf_t:file read_file_perms;
|
|
-allow zebra_t zebra_conf_t:lnk_file read_lnk_file_perms;
|
|
+read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
|
|
+read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
|
|
|
|
allow zebra_t zebra_log_t:dir setattr_dir_perms;
|
|
-append_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
|
|
-create_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
|
|
-setattr_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
|
|
+manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
|
|
manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
|
|
logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
|
|
|
|
+# /tmp/.bgpd is such a bad idea!
|
|
allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
|
|
files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
|
|
|
|
@@ -71,7 +71,6 @@ kernel_read_network_state(zebra_t)
|
|
kernel_read_kernel_sysctls(zebra_t)
|
|
kernel_rw_net_sysctls(zebra_t)
|
|
|
|
-corenet_all_recvfrom_unlabeled(zebra_t)
|
|
corenet_all_recvfrom_netlabel(zebra_t)
|
|
corenet_tcp_sendrecv_generic_if(zebra_t)
|
|
corenet_udp_sendrecv_generic_if(zebra_t)
|
|
@@ -79,48 +78,44 @@ corenet_raw_sendrecv_generic_if(zebra_t)
|
|
corenet_tcp_sendrecv_generic_node(zebra_t)
|
|
corenet_udp_sendrecv_generic_node(zebra_t)
|
|
corenet_raw_sendrecv_generic_node(zebra_t)
|
|
+corenet_tcp_sendrecv_all_ports(zebra_t)
|
|
+corenet_udp_sendrecv_all_ports(zebra_t)
|
|
corenet_tcp_bind_generic_node(zebra_t)
|
|
corenet_udp_bind_generic_node(zebra_t)
|
|
-
|
|
-corenet_sendrecv_bgp_server_packets(zebra_t)
|
|
corenet_tcp_bind_bgp_port(zebra_t)
|
|
-corenet_sendrecv_bgp_client_packets(zebra_t)
|
|
+corenet_tcp_bind_zebra_port(zebra_t)
|
|
+corenet_udp_bind_router_port(zebra_t)
|
|
corenet_tcp_connect_bgp_port(zebra_t)
|
|
-corenet_tcp_sendrecv_bgp_port(zebra_t)
|
|
-
|
|
corenet_sendrecv_zebra_server_packets(zebra_t)
|
|
-corenet_tcp_bind_zebra_port(zebra_t)
|
|
-corenet_tcp_sendrecv_zebra_port(zebra_t)
|
|
-
|
|
corenet_sendrecv_router_server_packets(zebra_t)
|
|
-corenet_udp_bind_router_port(zebra_t)
|
|
-corenet_udp_sendrecv_router_port(zebra_t)
|
|
|
|
dev_associate_usbfs(zebra_var_run_t)
|
|
dev_list_all_dev_nodes(zebra_t)
|
|
+dev_read_rand(zebra_t)
|
|
+dev_read_urand(zebra_t)
|
|
dev_read_sysfs(zebra_t)
|
|
dev_rw_zero(zebra_t)
|
|
|
|
-domain_use_interactive_fds(zebra_t)
|
|
-
|
|
-files_read_etc_files(zebra_t)
|
|
-files_read_etc_runtime_files(zebra_t)
|
|
-
|
|
fs_getattr_all_fs(zebra_t)
|
|
fs_search_auto_mountpoints(zebra_t)
|
|
|
|
term_list_ptys(zebra_t)
|
|
|
|
-logging_send_syslog_msg(zebra_t)
|
|
+domain_use_interactive_fds(zebra_t)
|
|
+
|
|
+files_search_etc(zebra_t)
|
|
+files_read_etc_runtime_files(zebra_t)
|
|
|
|
-miscfiles_read_localization(zebra_t)
|
|
+auth_read_passwd(zebra_t)
|
|
+
|
|
+logging_send_syslog_msg(zebra_t)
|
|
|
|
sysnet_read_config(zebra_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(zebra_t)
|
|
userdom_dontaudit_search_user_home_dirs(zebra_t)
|
|
|
|
-tunable_policy(`allow_zebra_write_config',`
|
|
+tunable_policy(`zebra_write_config',`
|
|
manage_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
|
|
')
|
|
|
|
@@ -139,3 +134,7 @@ optional_policy(`
|
|
optional_policy(`
|
|
udev_read_db(zebra_t)
|
|
')
|
|
+
|
|
+optional_policy(`
|
|
+ unconfined_sigchld(zebra_t)
|
|
+')
|
|
diff --git a/zoneminder.fc b/zoneminder.fc
|
|
new file mode 100644
|
|
index 0000000..8c61505
|
|
--- /dev/null
|
|
+++ b/zoneminder.fc
|
|
@@ -0,0 +1,13 @@
|
|
+/etc/rc\.d/init\.d/zoneminder -- gen_context(system_u:object_r:zoneminder_initrc_exec_t,s0)
|
|
+
|
|
+/usr/bin/zmpkg.pl -- gen_context(system_u:object_r:zoneminder_exec_t,s0)
|
|
+
|
|
+/usr/lib/systemd/system/zoneminder.* -- gen_context(system_u:object_r:zoneminder_unit_file_t,s0)
|
|
+
|
|
+/usr/libexec/zoneminder/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_zoneminder_script_exec_t,s0)
|
|
+
|
|
+/var/lib/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_var_lib_t,s0)
|
|
+
|
|
+/var/log/zoneminder(/.*)? gen_context(system_u:object_r:zoneminder_log_t,s0)
|
|
+
|
|
+/var/spool/zoneminder-upload(/.*)? gen_context(system_u:object_r:zoneminder_spool_t,s0)
|
|
diff --git a/zoneminder.if b/zoneminder.if
|
|
new file mode 100644
|
|
index 0000000..d02a6f4
|
|
--- /dev/null
|
|
+++ b/zoneminder.if
|
|
@@ -0,0 +1,374 @@
|
|
+## <summary>policy for zoneminder</summary>
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Transition to zoneminder.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`zoneminder_domtrans',`
|
|
+ gen_require(`
|
|
+ type zoneminder_t, zoneminder_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, zoneminder_exec_t, zoneminder_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Allow the specified domain to execute zoneminder
|
|
+## in the caller domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`zoneminder_exec',`
|
|
+ gen_require(`
|
|
+ type zoneminder_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ can_exec($1, zoneminder_exec_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute zoneminder server in the zoneminder domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`zoneminder_initrc_domtrans',`
|
|
+ gen_require(`
|
|
+ type zoneminder_initrc_exec_t;
|
|
+ ')
|
|
+
|
|
+ init_labeled_script_domtrans($1, zoneminder_initrc_exec_t)
|
|
+')
|
|
+
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read zoneminder's log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`zoneminder_read_log',`
|
|
+ gen_require(`
|
|
+ type zoneminder_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ read_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Append to zoneminder log files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`zoneminder_append_log',`
|
|
+ gen_require(`
|
|
+ type zoneminder_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ append_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage zoneminder log files
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`zoneminder_manage_log',`
|
|
+ gen_require(`
|
|
+ type zoneminder_log_t;
|
|
+ ')
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ manage_dirs_pattern($1, zoneminder_log_t, zoneminder_log_t)
|
|
+ manage_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
|
|
+ manage_lnk_files_pattern($1, zoneminder_log_t, zoneminder_log_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search zoneminder lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`zoneminder_search_lib',`
|
|
+ gen_require(`
|
|
+ type zoneminder_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 zoneminder_var_lib_t:dir search_dir_perms;
|
|
+ files_search_var_lib($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read zoneminder lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`zoneminder_read_lib_files',`
|
|
+ gen_require(`
|
|
+ type zoneminder_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ read_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage zoneminder lib files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`zoneminder_manage_lib_files',`
|
|
+ gen_require(`
|
|
+ type zoneminder_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage zoneminder lib directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`zoneminder_manage_lib_dirs',`
|
|
+ gen_require(`
|
|
+ type zoneminder_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ manage_dirs_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage zoneminder sock_files files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`zoneminder_manage_lib_sock_files',`
|
|
+ gen_require(`
|
|
+ type sock_var_lib_t;
|
|
+ ')
|
|
+ files_search_var_lib($1)
|
|
+ manage_sock_files_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Search zoneminder spool directories.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`zoneminder_search_spool',`
|
|
+ gen_require(`
|
|
+ type zoneminder_spool_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 zoneminder_spool_t:dir search_dir_perms;
|
|
+ files_search_spool($1)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Read zoneminder spool files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`zoneminder_read_spool_files',`
|
|
+ gen_require(`
|
|
+ type zoneminder_spool_t;
|
|
+ ')
|
|
+
|
|
+ files_search_spool($1)
|
|
+ read_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage zoneminder spool files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`zoneminder_manage_spool_files',`
|
|
+ gen_require(`
|
|
+ type zoneminder_spool_t;
|
|
+ ')
|
|
+
|
|
+ files_search_spool($1)
|
|
+ manage_files_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Manage zoneminder spool dirs.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`zoneminder_manage_spool_dirs',`
|
|
+ gen_require(`
|
|
+ type zoneminder_spool_t;
|
|
+ ')
|
|
+
|
|
+ files_search_spool($1)
|
|
+ manage_dirs_pattern($1, zoneminder_spool_t, zoneminder_spool_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Connect to zoneminder over a unix stream socket.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`zoneminder_stream_connect',`
|
|
+ gen_require(`
|
|
+ type zoneminder_t, zoneminder_var_lib_t;
|
|
+ ')
|
|
+
|
|
+ files_search_pids($1)
|
|
+ stream_connect_pattern($1, zoneminder_var_lib_t, zoneminder_var_lib_t, zoneminder_t)
|
|
+')
|
|
+
|
|
+######################################
|
|
+## <summary>
|
|
+## Read/write zonerimender tmpfs files.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`zoneminder_rw_tmpfs_files',`
|
|
+ gen_require(`
|
|
+ type zoneminder_tmpfs_t;
|
|
+ ')
|
|
+
|
|
+ fs_search_tmpfs($1)
|
|
+ rw_files_pattern($1, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## All of the rules required to administrate
|
|
+## an zoneminder environment
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <param name="role">
|
|
+## <summary>
|
|
+## Role allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+## <rolecap/>
|
|
+#
|
|
+interface(`zoneminder_admin',`
|
|
+ gen_require(`
|
|
+ type zoneminder_t;
|
|
+ type zoneminder_initrc_exec_t;
|
|
+ type zoneminder_log_t;
|
|
+ type zoneminder_var_lib_t;
|
|
+ type zoneminder_spool_t;
|
|
+ ')
|
|
+
|
|
+ allow $1 zoneminder_t:process { ptrace signal_perms };
|
|
+ ps_process_pattern($1, zoneminder_t)
|
|
+
|
|
+ zoneminder_initrc_domtrans($1)
|
|
+ domain_system_change_exemption($1)
|
|
+ role_transition $2 zoneminder_initrc_exec_t system_r;
|
|
+ allow $2 system_r;
|
|
+
|
|
+ logging_search_logs($1)
|
|
+ admin_pattern($1, zoneminder_log_t)
|
|
+
|
|
+ files_search_var_lib($1)
|
|
+ admin_pattern($1, zoneminder_var_lib_t)
|
|
+
|
|
+ files_search_spool($1)
|
|
+ admin_pattern($1, zoneminder_spool_t)
|
|
+
|
|
+')
|
|
+
|
|
diff --git a/zoneminder.te b/zoneminder.te
|
|
new file mode 100644
|
|
index 0000000..add28f7
|
|
--- /dev/null
|
|
+++ b/zoneminder.te
|
|
@@ -0,0 +1,187 @@
|
|
+policy_module(zoneminder, 1.0.0)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# Declarations
|
|
+#
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow ZoneMinder to run su/sudo.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(zoneminder_run_sudo, false)
|
|
+
|
|
+
|
|
+## <desc>
|
|
+## <p>
|
|
+## Allow ZoneMinder to modify public files
|
|
+## used for public file transfer services.
|
|
+## </p>
|
|
+## </desc>
|
|
+gen_tunable(zoneminder_anon_write, false)
|
|
+
|
|
+gen_require(`
|
|
+ class passwd rootok;
|
|
+ class passwd passwd;
|
|
+ ')
|
|
+
|
|
+type zoneminder_t;
|
|
+type zoneminder_exec_t;
|
|
+init_daemon_domain(zoneminder_t, zoneminder_exec_t)
|
|
+
|
|
+type zoneminder_unit_file_t;
|
|
+systemd_unit_file(zoneminder_unit_file_t)
|
|
+
|
|
+type zoneminder_initrc_exec_t;
|
|
+init_script_file(zoneminder_initrc_exec_t)
|
|
+
|
|
+type zoneminder_log_t;
|
|
+logging_log_file(zoneminder_log_t)
|
|
+
|
|
+type zoneminder_tmpfs_t;
|
|
+files_tmpfs_file(zoneminder_tmpfs_t)
|
|
+
|
|
+type zoneminder_spool_t;
|
|
+files_type(zoneminder_spool_t)
|
|
+
|
|
+type zoneminder_var_lib_t;
|
|
+files_type(zoneminder_var_lib_t)
|
|
+
|
|
+type zoneminder_var_run_t;
|
|
+files_pid_file(zoneminder_var_run_t)
|
|
+
|
|
+########################################
|
|
+#
|
|
+# zoneminder local policy
|
|
+#
|
|
+allow zoneminder_t self:capability { chown dac_override };
|
|
+allow zoneminder_t self:process { signal_perms setpgid };
|
|
+allow zoneminder_t self:shm create_shm_perms;
|
|
+allow zoneminder_t self:fifo_file rw_fifo_file_perms;
|
|
+allow zoneminder_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
+allow zoneminder_t self:netlink_selinux_socket create_socket_perms;
|
|
+
|
|
+manage_dirs_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
|
|
+manage_files_pattern(zoneminder_t, zoneminder_log_t, zoneminder_log_t)
|
|
+logging_log_filetrans(zoneminder_t, zoneminder_log_t, { dir file })
|
|
+
|
|
+manage_dirs_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
|
|
+manage_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
|
|
+manage_lnk_files_pattern(zoneminder_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
|
|
+fs_tmpfs_filetrans(zoneminder_t, zoneminder_tmpfs_t, { dir file lnk_file })
|
|
+
|
|
+manage_dirs_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
|
|
+manage_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
|
|
+manage_sock_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
|
|
+manage_lnk_files_pattern(zoneminder_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
|
|
+files_var_lib_filetrans(zoneminder_t, zoneminder_var_lib_t, { dir file lnk_file sock_file })
|
|
+
|
|
+manage_dirs_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
|
|
+manage_files_pattern(zoneminder_t, zoneminder_var_run_t, zoneminder_var_run_t)
|
|
+files_pid_filetrans(zoneminder_t, zoneminder_var_run_t, { dir file })
|
|
+
|
|
+manage_dirs_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
|
|
+manage_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
|
|
+manage_lnk_files_pattern(zoneminder_t, zoneminder_spool_t, zoneminder_spool_t)
|
|
+files_spool_filetrans(zoneminder_t, zoneminder_spool_t, { dir file })
|
|
+
|
|
+kernel_read_system_state(zoneminder_t)
|
|
+
|
|
+domain_read_all_domains_state(zoneminder_t)
|
|
+
|
|
+corecmd_exec_bin(zoneminder_t)
|
|
+corecmd_exec_shell(zoneminder_t)
|
|
+
|
|
+corenet_tcp_bind_http_cache_port(zoneminder_t)
|
|
+corenet_tcp_bind_transproxy_port(zoneminder_t)
|
|
+corenet_tcp_connect_http_port(zoneminder_t)
|
|
+
|
|
+dev_read_sysfs(zoneminder_t)
|
|
+dev_read_rand(zoneminder_t)
|
|
+dev_read_urand(zoneminder_t)
|
|
+dev_read_video_dev(zoneminder_t)
|
|
+dev_write_video_dev(zoneminder_t)
|
|
+
|
|
+auth_use_nsswitch(zoneminder_t)
|
|
+#auth_read_shadow(zoneminder_t) need to debug zmpkg.pl to see why is needed this rule.
|
|
+
|
|
+logging_send_syslog_msg(zoneminder_t)
|
|
+logging_send_audit_msgs(zoneminder_t)
|
|
+
|
|
+mta_send_mail(zoneminder_t)
|
|
+
|
|
+tunable_policy(`zoneminder_anon_write',`
|
|
+ miscfiles_manage_public_files(zoneminder_t)
|
|
+')
|
|
+
|
|
+tunable_policy(`zoneminder_run_sudo',`
|
|
+ allow zoneminder_t self:capability { setuid setgid sys_resource };
|
|
+ allow zoneminder_t self:process { setrlimit setsched };
|
|
+ allow zoneminder_t self:key write;
|
|
+ allow zoneminder_t self:passwd { passwd rootok };
|
|
+
|
|
+ auth_rw_lastlog(zoneminder_t)
|
|
+ auth_rw_faillog(zoneminder_t)
|
|
+ auth_exec_chkpwd(zoneminder_t)
|
|
+
|
|
+ selinux_compute_access_vector(zoneminder_t)
|
|
+
|
|
+ systemd_write_inherited_logind_sessions_pipes(zoneminder_t)
|
|
+ systemd_dbus_chat_logind(zoneminder_t)
|
|
+
|
|
+ xserver_exec_xauth(zoneminder_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ tunable_policy(`zoneminder_run_sudo',`
|
|
+ dbus_system_bus_client(zoneminder_t)
|
|
+ ')
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ tunable_policy(`zoneminder_run_sudo',`
|
|
+ sudo_exec(zoneminder_t)
|
|
+ su_exec(zoneminder_t)
|
|
+ ')
|
|
+')
|
|
+optional_policy(`
|
|
+ mysql_stream_connect(zoneminder_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ fprintd_dbus_chat(zoneminder_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ motion_manage_all_files(zoneminder_t)
|
|
+')
|
|
+
|
|
+########################################
|
|
+#
|
|
+# zoneminder cgi local policy
|
|
+#
|
|
+
|
|
+optional_policy(`
|
|
+ apache_content_template(zoneminder)
|
|
+
|
|
+ # need more testing
|
|
+ #allow httpd_zoneminder_script_t self:shm create_shm_perms;
|
|
+
|
|
+ manage_sock_files_pattern(httpd_zoneminder_script_t, zoneminder_var_lib_t, zoneminder_var_lib_t)
|
|
+
|
|
+ rw_files_pattern(httpd_zoneminder_script_t, zoneminder_tmpfs_t, zoneminder_tmpfs_t)
|
|
+
|
|
+ zoneminder_stream_connect(httpd_zoneminder_script_t)
|
|
+
|
|
+ can_exec(zoneminder_t, httpd_zoneminder_script_exec_t)
|
|
+
|
|
+ files_search_var_lib(httpd_zoneminder_script_t)
|
|
+
|
|
+ logging_send_syslog_msg(httpd_zoneminder_script_t)
|
|
+
|
|
+ optional_policy(`
|
|
+ mysql_stream_connect(httpd_zoneminder_script_t)
|
|
+ ')
|
|
+
|
|
+')
|
|
diff --git a/zosremote.if b/zosremote.if
|
|
index b14698c..16e1581 100644
|
|
--- a/zosremote.if
|
|
+++ b/zosremote.if
|
|
@@ -35,6 +35,7 @@ interface(`zosremote_domtrans',`
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
+## <rolecap/>
|
|
#
|
|
interface(`zosremote_run',`
|
|
gen_require(`
|
|
diff --git a/zosremote.te b/zosremote.te
|
|
index bc6a5db..0abdceb 100644
|
|
--- a/zosremote.te
|
|
+++ b/zosremote.te
|
|
@@ -24,6 +24,4 @@ allow zos_remote_t self:unix_stream_socket { accept listen };
|
|
|
|
auth_use_nsswitch(zos_remote_t)
|
|
|
|
-miscfiles_read_localization(zos_remote_t)
|
|
-
|
|
logging_send_syslog_msg(zos_remote_t)
|