928 lines
21 KiB
Plaintext
928 lines
21 KiB
Plaintext
#
|
|
# This is the guide for converting old macros to local policy
|
|
# and new interfaces.
|
|
#
|
|
# $1, $2, etc. are replaced with and the first and second, etc.
|
|
# parameters to the old macro.
|
|
#
|
|
|
|
########################################
|
|
#
|
|
# Attributes
|
|
#
|
|
# $1 is the type this attribute is on
|
|
|
|
#
|
|
# admin_tty_type: complete
|
|
#
|
|
{ sysadm_tty_device_t sysadm_devpts_t }
|
|
|
|
#
|
|
# auth: complete
|
|
#
|
|
auth_read_shadow($1)
|
|
|
|
#
|
|
# auth_chkpwd: complete
|
|
#
|
|
auth_domtrans_chk_passwd($1)
|
|
|
|
#
|
|
# file_type: complete
|
|
#
|
|
files_file_type($1)
|
|
|
|
#
|
|
# fs_domain: complete
|
|
#
|
|
# one or both of these:
|
|
storage_raw_read_fixed_disk($1)
|
|
storage_raw_write_fixed_disk($1)
|
|
|
|
#
|
|
# privfd: complete
|
|
#
|
|
domain_wide_inherit_fd($1)
|
|
|
|
#
|
|
# privlog: complete
|
|
#
|
|
logging_send_syslog_msg($1)
|
|
|
|
#
|
|
# privmail:
|
|
#
|
|
mta_send_mail($1)
|
|
# this needs more work:
|
|
allow mta_user_agent $1:fd use;
|
|
allow mta_user_agent $1:process sigchld;
|
|
allow mta_user_agent $1:fifo_file { read write };
|
|
|
|
#
|
|
# privmodule: complete
|
|
#
|
|
modutils_domtrans_insmod($1)
|
|
|
|
#
|
|
# privowner: complete
|
|
#
|
|
domain_obj_id_change_exempt($1)
|
|
|
|
#
|
|
# privrole: complete
|
|
#
|
|
domain_role_change_exempt($1)
|
|
|
|
#
|
|
# privuser: complete
|
|
#
|
|
domain_subj_id_change_exempt($1)
|
|
|
|
########################################
|
|
#
|
|
# Access macros
|
|
#
|
|
|
|
#
|
|
# access_terminal():
|
|
#
|
|
allow $1 $2_tty_device_t:chr_file { read write getattr ioctl };
|
|
allow $1 devtty_t:chr_file { read write getattr ioctl };
|
|
allow $1 devpts_t:dir { read search getattr };
|
|
allow $1 $2_devpts_t:chr_file { read write getattr ioctl };
|
|
|
|
#
|
|
# append_log_domain():
|
|
#
|
|
type $1_log_t;
|
|
logging_log_file($1_log_t)
|
|
allow $1_t var_log_t:dir ra_dir_perms;
|
|
allow $1_t $1_log_t:file { create ra_file_perms };
|
|
type_transition $1_t var_log_t:file $1_log_t;
|
|
|
|
#
|
|
# append_logdir_domain():
|
|
#
|
|
type $1_log_t;
|
|
logging_log_file($1_log_t)
|
|
allow $1_t var_log_t:dir ra_dir_perms;
|
|
allow $1_t $1_log_t:dir { setattr ra_dir_perms };
|
|
allow $1_t $1_log_t:file { create ra_file_perms };
|
|
type_transition $1_t var_log_t:file $1_log_t;
|
|
|
|
#
|
|
# application_domain():
|
|
#
|
|
type $1_t;
|
|
type $1_exec_t;
|
|
domain_type($1_t)
|
|
domain_entry_file($1_t,$1_exec_t)
|
|
role sysadm_r types $1_t;
|
|
domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
|
|
libs_use_ld_so($1_t)
|
|
libs_use_shared_libs($1_t)
|
|
|
|
#
|
|
# base_can_network($1,$2):
|
|
#
|
|
allow $1 self:$2_socket connected_socket_perms;
|
|
corenet_$2_sendrecv_all_if($1)
|
|
corenet_raw_sendrecv_all_if($1)
|
|
corenet_$2_sendrecv_all_nodes($1)
|
|
corenet_raw_sendrecv_all_nodes($1)
|
|
corenet_$2_sendrecv_all_ports($1)
|
|
corenet_$2_bind_all_nodes($1)
|
|
sysnet_read_config($1)
|
|
|
|
#
|
|
# base_can_network($1,$2,$3):
|
|
#
|
|
allow $1 self:$2_socket connected_socket_perms;
|
|
corenet_$2_sendrecv_all_if($1)
|
|
corenet_raw_sendrecv_all_if($1)
|
|
corenet_$2_sendrecv_all_nodes($1)
|
|
corenet_raw_sendrecv_all_nodes($1)
|
|
corenet_$2_bind_all_nodes($1)
|
|
corenet_$2_sendrecv_$3_port($1)
|
|
sysnet_read_config($1)
|
|
|
|
#
|
|
# base_file_read_access():
|
|
#
|
|
files_list_home($1)
|
|
files_read_usr_files($1)
|
|
allow $1 bin_t:dir r_dir_perms;
|
|
allow $1 bin_t:notdevfile_class_set r_file_perms;
|
|
allow $1 sbin_t:dir r_dir_perms;
|
|
allow $1 sbin_t:notdevfile_class_set r_file_perms;
|
|
kernel_read_kernel_sysctl($1)
|
|
seutil_read_config($1)
|
|
if (read_default_t) {
|
|
allow $1 default_t:dir r_dir_perms;
|
|
allow $1 default_t:notdevfile_class_set r_file_perms;
|
|
}
|
|
|
|
#
|
|
# base_pty_perms():
|
|
#
|
|
allow $1_t ptmx_t:chr_file rw_file_perms;
|
|
allow $1_t devpts_t:filesystem getattr;
|
|
allow $1_t devpts_t:dir { getattr read search };
|
|
dontaudit $1_t bsdpty_device_t:chr_file { getattr read write };
|
|
|
|
#
|
|
# can_create():
|
|
#
|
|
# for each i in $3
|
|
can_create_internal($1,$2,$i)
|
|
|
|
#
|
|
# can_create_internal($1,$2,dir):
|
|
#
|
|
allow $1 $2:$3 { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
|
|
|
#
|
|
# can_create_internal($1,$2,lnk_file):
|
|
#
|
|
allow $1 $2:$3 { create read getattr setattr link unlink rename };
|
|
|
|
#
|
|
# can_create_internal($1,$2,[file,chr_file,blk_file,sock_file,fifo_file]):
|
|
#
|
|
allow $1 $2:$3 { create ioctl read getattr lock write setattr append link unlink rename };
|
|
|
|
#
|
|
# can_create_other_pty(): complete
|
|
#
|
|
term_create_pty($1_t,$2_devpts_t)
|
|
allow $1_t $2_devpts_t:chr_file { setattr ioctl read getattr lock write append };
|
|
|
|
#
|
|
# can_create_pty(): complete
|
|
#
|
|
# $2 may require more conversion
|
|
type $1_devpts_t $2;
|
|
term_pty($1_devpts_t)
|
|
allow $1_t $1_devpts_t:chr_file { setattr ioctl read getattr lock write append };
|
|
term_create_pty($1_t,$1_devpts_t)
|
|
|
|
#
|
|
# can_exec_any(): complete
|
|
#
|
|
domain_exec_all_entry_files($1)
|
|
files_exec_generic_etc_files($1)
|
|
corecmd_exec_bin($1)
|
|
corecmd_exec_sbin($1)
|
|
libs_use_ld_so($1)
|
|
libs_use_shared_libs($1)
|
|
libs_exec_ld_so($1)
|
|
libs_exec_lib_files($1)
|
|
|
|
#
|
|
# can_getcon():
|
|
#
|
|
allow $1 self:process getattr;
|
|
kernel_read_system_state($1)
|
|
|
|
#
|
|
# can_getsecurity(): complete
|
|
#
|
|
selinux_get_fs_mount($1)
|
|
selinux_validate_context($1)
|
|
selinux_compute_access_vector($1)
|
|
selinux_compute_create_context($1)
|
|
selinux_compute_relabel_context($1)
|
|
selinux_compute_user_contexts($1)
|
|
|
|
#
|
|
# can_kerberos(): complete
|
|
#
|
|
optional_policy(`kerberos.te',`
|
|
kerberos_use($1)
|
|
')
|
|
|
|
#
|
|
# can_ldap(): complete
|
|
#
|
|
optional_policy(`ldap.te',`
|
|
allow $1 self:tcp_socket create_socket_perms;
|
|
corenet_tcp_sendrecv_all_if($1)
|
|
corenet_raw_sendrecv_all_if($1)
|
|
corenet_tcp_sendrecv_all_nodes($1)
|
|
corenet_raw_sendrecv_all_nodes($1)
|
|
corenet_tcp_sendrecv_ldap_port($1)
|
|
corenet_tcp_bind_all_nodes($1)
|
|
sysnet_read_config($1)
|
|
')
|
|
|
|
#
|
|
# can_loadpol(): complete
|
|
#
|
|
selinux_get_fs_mount($1)
|
|
selinux_load_policy($1)
|
|
|
|
#
|
|
# can_network():
|
|
#
|
|
can_network_tcp($1, `$2')
|
|
can_network_udp($1, `$2')
|
|
ifdef(`mount.te', `
|
|
allow $1 mount_t:udp_socket rw_socket_perms;
|
|
')
|
|
|
|
#
|
|
# can_network_client():
|
|
#
|
|
can_network_client_tcp($1, `$2')
|
|
can_network_udp($1, `$2')
|
|
|
|
#
|
|
# can_network_client_tcp($1): complete
|
|
#
|
|
allow $1 self:tcp_socket create_socket_perms;
|
|
corenet_tcp_sendrecv_all_if($1)
|
|
corenet_raw_sendrecv_all_if($1)
|
|
corenet_tcp_sendrecv_all_nodes($1)
|
|
corenet_raw_sendrecv_all_nodes($1)
|
|
corenet_tcp_sendrecv_all_ports($1)
|
|
corenet_tcp_bind_all_nodes($1)
|
|
sysnet_read_config($1)
|
|
|
|
#
|
|
# can_network_client_tcp($1,$2):
|
|
#
|
|
# remove _port_t from $2
|
|
allow $1 self:tcp_socket create_socket_perms;
|
|
corenet_tcp_sendrecv_all_if($1)
|
|
corenet_raw_sendrecv_all_if($1)
|
|
corenet_tcp_sendrecv_all_nodes($1)
|
|
corenet_raw_sendrecv_all_nodes($1)
|
|
corenet_tcp_sendrecv_$2_port($1)
|
|
corenet_tcp_bind_all_nodes($1)
|
|
sysnet_read_config($1)
|
|
|
|
#
|
|
# can_network_server():
|
|
#
|
|
allow $1 self:tcp_socket create_stream_socket_perms;
|
|
base_can_network($1, tcp, `$2')
|
|
|
|
#
|
|
# can_network_server_tcp():
|
|
#
|
|
allow $1 self:tcp_socket create_stream_socket_perms;
|
|
base_can_network($1, tcp, `$2')
|
|
|
|
#
|
|
# can_network_tcp(): complete
|
|
#
|
|
can_network_server_tcp($1, `$2')
|
|
can_network_client_tcp($1, `$2')
|
|
|
|
#
|
|
# can_network_udp(): complete
|
|
#
|
|
base_can_network($1, udp, `$2')
|
|
allow $1 self:udp_socket { connect };
|
|
|
|
#
|
|
# can_ps():
|
|
#
|
|
allow $1 $2:dir { search getattr read };
|
|
allow $1 $2:{ file lnk_file } { read getattr };
|
|
allow $1 $2:process getattr;
|
|
# We need to suppress this denial because procps tries to access
|
|
# /proc/pid/environ and this now triggers a ptrace check in recent kernels
|
|
# (2.4 and 2.6). Might want to change procps to not do this, or only if
|
|
# running in a privileged domain.
|
|
dontaudit $1 $2:process ptrace;
|
|
|
|
#
|
|
# can_ptrace():
|
|
#
|
|
allow $1 $2:process ptrace;
|
|
allow $2 $1:process sigchld;
|
|
|
|
#
|
|
# can_resolve(): complete
|
|
#
|
|
tunable_policy(`use_dns',`
|
|
allow $1 self:udp_socket create_socket_perms;
|
|
corenet_udp_sendrecv_all_if($1)
|
|
corenet_raw_sendrecv_all_if($1)
|
|
corenet_udp_sendrecv_all_nodes($1)
|
|
corenet_raw_sendrecv_all_nodes($1)
|
|
corenet_udp_sendrecv_dns_port($1)
|
|
corenet_udp_bind_all_nodes($1)
|
|
sysnet_read_config($1)
|
|
')
|
|
|
|
#
|
|
# can_setbool(): complete
|
|
#
|
|
selinux_get_fs_mount($1)
|
|
selinux_set_boolean($1)
|
|
|
|
#
|
|
# can_setcon(): complete
|
|
#
|
|
# get mount point is due to libselinux init
|
|
#
|
|
allow $1 self:process setcurrent;
|
|
selinux_get_fs_mount($1)
|
|
|
|
#
|
|
# can_setenforce(): complete
|
|
#
|
|
# get mount point is due to libselinux init
|
|
#
|
|
selinux_get_fs_mount($1)
|
|
selinux_set_enforce_mode($1)
|
|
|
|
#
|
|
# can_setexec(): complete
|
|
#
|
|
# get mount point is due to libselinux init
|
|
#
|
|
allow $1 self:process setexec;
|
|
selinux_get_fs_mount($1)
|
|
|
|
#
|
|
# can_setfscreate(): complete
|
|
#
|
|
# get mount point is due to libselinux init
|
|
#
|
|
allow $1 self:process setfscreate;
|
|
selinux_get_fs_mount($1)
|
|
|
|
#
|
|
# can_setsecparam(): complete
|
|
#
|
|
# get mount point is due to libselinux init
|
|
#
|
|
selinux_get_fs_mount($1)
|
|
kernel_setsecparam($1)
|
|
|
|
#
|
|
# can_sysctl(): complete
|
|
#
|
|
kernel_rw_all_sysctl($1)
|
|
|
|
#
|
|
# can_tcp_connect
|
|
#
|
|
allow $1 $2:tcp_socket { connectto recvfrom };
|
|
allow $2 $1:tcp_socket { acceptfrom recvfrom };
|
|
allow $2 kernel_t:tcp_socket recvfrom;
|
|
allow $1 kernel_t:tcp_socket recvfrom;
|
|
|
|
#
|
|
# can_udp_send():
|
|
#
|
|
allow $1 $2:udp_socket sendto;
|
|
allow $2 $1:udp_socket recvfrom;
|
|
|
|
#
|
|
# can_unix_connect():
|
|
#
|
|
allow $1 $2:unix_stream_socket connectto;
|
|
|
|
#
|
|
# can_unix_send():
|
|
#
|
|
allow $1 $2:unix_dgram_socket sendto;
|
|
|
|
#
|
|
# can_ypbind(): complete
|
|
#
|
|
optional_policy(`nis.te',`
|
|
nis_use_ypbind($1)
|
|
')
|
|
|
|
#
|
|
# create_append_log_file():
|
|
#
|
|
allow $1 $2:dir { read getattr search add_name write };
|
|
allow $1 $2:file { create ioctl getattr setattr append link };
|
|
|
|
#
|
|
# create_dir_file():
|
|
#
|
|
allow $1 $2:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
|
allow $1 $2:file { create ioctl read getattr lock write setattr append link unlink rename };
|
|
allow $1 $2:lnk_file { create read getattr setattr link unlink rename };
|
|
|
|
#
|
|
# create_dir_notdevfile():
|
|
#
|
|
allow $1 $2:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
|
allow $1 $2:{ file sock_file fifo_file } { create ioctl read getattr lock write setattr append link unlink rename };
|
|
allow $1 $2:lnk_file { create read getattr setattr link unlink rename };
|
|
|
|
#
|
|
# daemon_base_domain():
|
|
#
|
|
type $1_t;
|
|
type $1_exec_t;
|
|
init_daemon_domain($1_t,$1_exec_t)
|
|
role system_r types $1_t;
|
|
dontaudit $1_t self:capability sys_tty_config;
|
|
allow $1_t self:process { sigchld sigkill sigstop signull signal };
|
|
kernel_read_kernel_sysctl($1_t)
|
|
dev_read_sysfs($1_t)
|
|
fs_search_auto_mountpoints($1_t)
|
|
term_dontaudit_use_console($1_t)
|
|
domain_use_wide_inherit_fd($1_t)
|
|
init_use_fd($1_t)
|
|
init_use_script_pty($1_t)
|
|
libs_use_ld_so($1_t)
|
|
libs_use_shared_libs($1_t)
|
|
logging_send_syslog_msg($1_t)
|
|
userdom_dontaudit_use_unpriv_user_fd($1_t)
|
|
ifdef(`targeted_policy',`
|
|
term_dontaudit_use_unallocated_tty($1_t)
|
|
term_dontaudit_use_generic_pty($1_t)
|
|
files_dontaudit_read_root_file($1_t)
|
|
')
|
|
optional_policy(`rhgb.te',`
|
|
rhgb_domain($1_t)
|
|
')
|
|
optional_policy(`selinux.te',`
|
|
seutil_newrole_sigchld($1_t)
|
|
')
|
|
optional_policy(`udev.te', `
|
|
udev_read_db($1_t)
|
|
')
|
|
allow $1_t proc_t:dir r_dir_perms;
|
|
allow $1_t proc_t:lnk_file read;
|
|
|
|
|
|
#
|
|
# daemon_domain():
|
|
#
|
|
type $1_t;
|
|
type $1_exec_t;
|
|
init_daemon_domain($1_t,$1_exec_t)
|
|
type $1_var_run_t;
|
|
files_pid_file($1_var_run_t)
|
|
dontaudit $1_t self:capability sys_tty_config;
|
|
allow $1_t $1_var_run_t:file { getattr create read write append setattr unlink };
|
|
files_create_pid($1_t,$1_var_run_t)
|
|
kernel_read_kernel_sysctl($1_t)
|
|
dev_read_sysfs($1_t)
|
|
fs_getattr_all_fs($1_t)
|
|
fs_search_auto_mountpoints($1_t)
|
|
term_dontaudit_use_console($1_t)
|
|
domain_use_wide_inherit_fd($1_t)
|
|
init_use_fd($1_t)
|
|
init_use_script_pty($1_t)
|
|
libs_use_ld_so($1_t)
|
|
libs_use_shared_libs($1_t)
|
|
logging_send_syslog_msg($1_t)
|
|
miscfiles_read_localization($1_t)
|
|
userdom_dontaudit_use_unpriv_user_fd($1_t)
|
|
ifdef(`targeted_policy', `
|
|
term_dontaudit_use_unallocated_tty($1_t)
|
|
term_dontaudit_use_generic_pty($1_t)
|
|
files_dontaudit_read_root_file($1_t)
|
|
')
|
|
optional_policy(`rhgb.te',`
|
|
rhgb_domain($1_t)
|
|
')
|
|
optional_policy(`selinux.te',`
|
|
seutil_newrole_sigchld($1_t)
|
|
')
|
|
optional_policy(`udev.te', `
|
|
udev_read_db($1_t)
|
|
')
|
|
allow $1_t proc_t:dir r_dir_perms;
|
|
allow $1_t proc_t:lnk_file read;
|
|
dontaudit $1_t sysadm_home_dir_t:dir search;
|
|
|
|
#
|
|
# daemon_sub_domain():
|
|
#
|
|
# $1 is the parent domain (or domains), $2_t is the child domain,
|
|
# and $3 is any attributes to apply to the child
|
|
type $2_t, domain, privlog, daemon $3;
|
|
type $2_exec_t, file_type, sysadmfile, exec_type;
|
|
role system_r types $2_t;
|
|
domain_auto_trans($1, $2_exec_t, $2_t)
|
|
allow $2_t $1:fd use;
|
|
allow $2_t $1:process sigchld;
|
|
allow $2_t self:process signal_perms;
|
|
libs_use_ld_so($2_t)
|
|
libs_use_shared_libs($2_t)
|
|
allow $2_t proc_t:dir r_dir_perms;
|
|
allow $2_t proc_t:lnk_file read;
|
|
allow $2_t device_t:dir getattr;
|
|
|
|
#
|
|
# etc_domain():
|
|
#
|
|
type $1_etc_t; #, usercanread;
|
|
files_file_type($1_etc_t)
|
|
allow $1_t $1_etc_t:file { getattr read };
|
|
|
|
#
|
|
# etcdir_domain():
|
|
#
|
|
type $1_etc_t; #, usercanread;
|
|
files_file_type($1_etc_t)
|
|
allow $1_t $1_etc_t:file r_file_perms;
|
|
allow $1_t $1_etc_t:dir r_dir_perms;
|
|
allow $1_t $1_etc_t:lnk_file { getattr read };
|
|
|
|
#
|
|
# file_type_auto_trans($1,$2,$3):
|
|
#
|
|
allow $1 $3:dir { read getattr lock search ioctl add_name remove_name write };
|
|
allow $1 $3:file { create ioctl read getattr lock write setattr append link unlink rename };
|
|
allow $1 $3:lnk_file { create read getattr setattr link unlink rename };
|
|
allow $1 $3:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
|
allow $1 $3:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
|
|
type_transition $1 $2:{ dir file lnk_file sock_file fifo_file } $3;
|
|
|
|
#
|
|
# file_type_auto_trans($1,$2,$3,$4):
|
|
#
|
|
allow $1 $2:dir { read getattr lock search ioctl add_name remove_name write };
|
|
# for each i in $4:
|
|
can_create_internal($1,$3,$i)
|
|
type_transition $1 $2:$i $3;
|
|
|
|
#
|
|
# general_domain_access(): complete
|
|
#
|
|
allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
|
allow $1 self:fd use;
|
|
allow $1 self:fifo_file rw_file_perms;
|
|
allow $1 self:unix_dgram_socket create_socket_perms;
|
|
allow $1 self:unix_stream_socket create_stream_socket_perms;
|
|
allow $1 self:unix_dgram_socket sendto;
|
|
allow $1 self:unix_stream_socket connectto;
|
|
allow $1 self:shm create_shm_perms;
|
|
allow $1 self:sem create_sem_perms;
|
|
allow $1 self:msgq create_msgq_perms;
|
|
allow $1 self:msg { send receive };
|
|
fs_search_auto_mountpoints($1)
|
|
userdom_use_unpriv_user_fd($1)
|
|
optional_policy(`nis.te',`
|
|
nis_use_ypbind($1)
|
|
')
|
|
|
|
#
|
|
# general_proc_read_access(): complete
|
|
#
|
|
kernel_read_system_state($1)
|
|
kernel_read_sendrecv_state($1)
|
|
kernel_read_software_raid_state($1)
|
|
kernel_getattr_core($1)
|
|
kernel_getattr_message_if($1)
|
|
kernel_read_kernel_sysctl($1)
|
|
|
|
#
|
|
# home_domain():
|
|
#
|
|
|
|
#
|
|
# home_domain_access():
|
|
#
|
|
|
|
#
|
|
# home_domain_ro():
|
|
#
|
|
|
|
#
|
|
# home_domain_ro_access():
|
|
#
|
|
|
|
#
|
|
# in_user_role():
|
|
#
|
|
role user_r types $1;
|
|
role staff_r types $1;
|
|
|
|
#
|
|
# init_service_domain():
|
|
#
|
|
type $1_t;
|
|
type $1_exec_t;
|
|
init_daemon_domain($1_t,$1_exec_t)
|
|
dontaudit $1_t self:capability sys_tty_config;
|
|
dev_read_sysfs($1_t)
|
|
term_dontaudit_use_console($1_t)
|
|
init_use_fd($1_t)
|
|
libs_use_ld_so($1_t)
|
|
libs_use_shared_libs($1_t)
|
|
logging_send_syslog_msg($1_t)
|
|
tunable_policy(`targeted_policy', `
|
|
term_dontaudit_use_unallocated_tty($1_t)
|
|
term_dontaudit_use_generic_pty($1_t)
|
|
files_dontaudit_read_root_file($1_t)
|
|
')dnl end targeted_policy tunable
|
|
allow $1_t proc_t:dir r_dir_perms;
|
|
allow $1_t proc_t:lnk_file read;
|
|
optional_policy(`udev.te', `
|
|
udev_read_db($1_t)
|
|
')
|
|
allow $1_t autofs_t:dir { search getattr };
|
|
dontaudit $1_t unpriv_userdomain:fd use;
|
|
|
|
#
|
|
# inetd_child_domain():
|
|
#
|
|
type $1_t; #, nscd_client_domain;
|
|
type $1_exec_t;
|
|
inetd_(udp_|tcp_)?service_domain($1_t,$1_exec_t)
|
|
role system_r types $1_t;
|
|
type $1_tmp_t;
|
|
files_tmp_file($1_tmp_t)
|
|
type $1_var_run_t;
|
|
files_pid_file($1_var_run_t)
|
|
allow $1_t self:process signal_perms;
|
|
allow $1_t self:fifo_file rw_file_perms;
|
|
allow $1_t self:tcp_socket { listen accept connected_socket_perms }
|
|
# for identd
|
|
# cjp: this should probably only be inetd_child rules?
|
|
allow $1_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
|
allow $1_t self:capability { setuid setgid };
|
|
allow $1_t self:dir search;
|
|
allow $1_t self:{ lnk_file file } { getattr read };
|
|
#allow $1_t home_root_t:dir search;
|
|
#can_kerberos($1_t)
|
|
#end for identd
|
|
allow $1_t $1_tmp_t:dir create_dir_perms;
|
|
allow $1_t $1_tmp_t:file create_file_perms;
|
|
files_create_tmp_files($1_t, $1_tmp_t, { file dir })
|
|
allow $1_t $1_var_run_t:file create_file_perms;
|
|
files_create_pid($1_t,$1_var_run_t)
|
|
kernel_read_kernel_sysctl($1_t)
|
|
kernel_read_system_state($1_t)
|
|
kernel_read_network_state($1_t)
|
|
corenet_sendrecv_tcp_on_all_interfaces($1_t)
|
|
corenet_sendrecv_raw_on_all_interfaces($1_t)
|
|
corenet_sendrecv_tcp_on_all_nodes($1_t)
|
|
corenet_sendrecv_raw_on_all_nodes($1_t)
|
|
corenet_bind_tcp_on_all_nodes($1_t)
|
|
corenet_sendrecv_tcp_on_all_ports($1_t)
|
|
dev_read_urand($1_t)
|
|
fs_getattr_xattr_fs($1_t)
|
|
files_read_generic_etc_files($1_t)
|
|
libs_use_ld_so($1_t)
|
|
libs_use_shared_libs($1_t)
|
|
logging_send_syslog_msg($1_t)
|
|
miscfiles_read_localization($1_t)
|
|
sysnet_read_config($1_t)
|
|
optional_policy(`nis.te',`
|
|
nis_use_ypbind($1_t)
|
|
')
|
|
|
|
#
|
|
# legacy_domain(): complete
|
|
#
|
|
allow $1_t self:process execmem;
|
|
libs_legacy_use_shared_libs($1_t)
|
|
libs_legacy_use_ld_so($1_t)
|
|
|
|
#
|
|
# lock_domain(): complete
|
|
#
|
|
type $1_lock_t;
|
|
files_lock_file($1_lock_t)
|
|
allow $1_t $1_lock_t:file create_file_perms;
|
|
files_create_lock_file($1_t,$1_lock_t)
|
|
|
|
#
|
|
# log_domain(): complete
|
|
#
|
|
type $1_log_t;
|
|
logging_log_file($1_log_t)
|
|
allow $1_t $1_log_t:file create_file_perms;
|
|
logging_create_log($1_t,$1_log_t)
|
|
|
|
#
|
|
# logdir_domain(): complete
|
|
#
|
|
type $1_log_t;
|
|
logging_log_file($1_log_t)
|
|
allow $1_t $1_log_t:file create_file_perms;
|
|
allow $1_t $1_log_t:dir rw_dir_perms;
|
|
logging_search_logs($1_t,$1_log_t,{ file dir })
|
|
|
|
#
|
|
# mini_user_domain():
|
|
#
|
|
|
|
#
|
|
# network_home_dir():
|
|
#
|
|
create_dir_file($1, $2)
|
|
can_exec($1, $2)
|
|
allow $1 $2:{ sock_file fifo_file } { create ioctl read getattr lock write setattr append link unlink rename };
|
|
|
|
#
|
|
# pty_slave_label():
|
|
#
|
|
type $1_devpts_t, file_type, sysadmfile, ptyfile $2;
|
|
allow $1_devpts_t devpts_t:filesystem associate;
|
|
type_transition $1_t devpts_t:chr_file $1_devpts_t;
|
|
allow $1_t $1_devpts_t:chr_file { setattr rw_file_perms };
|
|
|
|
#
|
|
# r_dir_file():
|
|
#
|
|
allow $1 $2:dir { getattr read search };
|
|
allow $1 $2:file { read getattr };
|
|
allow $1 $2:lnk_file { getattr read };
|
|
|
|
#
|
|
# ra_dir_create_file():
|
|
#
|
|
allow $1 $2:dir ra_dir_perms;
|
|
allow $1 $2:file { create ra_file_perms };
|
|
allow $1 $2:lnk_file { create read getattr };
|
|
|
|
#
|
|
# ra_dir_file():
|
|
#
|
|
allow $1 $2:dir ra_dir_perms;
|
|
allow $1 $2:file ra_file_perms;
|
|
allow $1 $2:lnk_file { getattr read };
|
|
|
|
#
|
|
# read_locale(): complete
|
|
#
|
|
miscfiles_read_localization($1)
|
|
|
|
#
|
|
# read_sysctl($1): complete
|
|
#
|
|
kernel_read_kernel_sysctl($1)
|
|
|
|
#
|
|
# read_sysctl($1,full): complete
|
|
#
|
|
kernel_read_all_sysctl($1)
|
|
|
|
#
|
|
# rhgb_domain():
|
|
#
|
|
ifdef(`rhgb.te', `
|
|
allow $1 rhgb_t:process sigchld;
|
|
allow $1 rhgb_t:fd use;
|
|
allow $1 rhgb_t:fifo_file { read write };
|
|
')
|
|
|
|
#
|
|
# rw_dir_create_file():
|
|
#
|
|
allow $1 $2:dir { read getattr lock search ioctl add_name remove_name write };
|
|
allow $1 $2:file { create ioctl read getattr lock write setattr append link unlink rename };
|
|
allow $1 $2:lnk_file { create read getattr setattr link unlink rename };
|
|
|
|
#
|
|
# rw_dir_file():
|
|
#
|
|
allow $1 $2:dir { read getattr lock search ioctl add_name remove_name write };
|
|
allow $1 $2:file rw_file_perms;
|
|
allow $1 $2:lnk_file { getattr read };
|
|
|
|
#
|
|
# system_domain():
|
|
#
|
|
type $1_t;
|
|
domain_type($1_t)
|
|
role system_r types $1_t;
|
|
type $1_exec_t;
|
|
domain_entry_file($1_t,$1_exec_t)
|
|
libs_use_ld_so($1_t)
|
|
libs_use_shared_libs($1_t)
|
|
logging_send_syslog_msg($1_t)
|
|
allow $1_t etc_t:dir r_dir_perms;
|
|
|
|
#
|
|
# tmp_domain(): complete
|
|
#
|
|
# $2 may need more handling
|
|
#
|
|
type $1_tmp_t $2;
|
|
files_tmp_file($1_tmp_t)
|
|
# no class specified:
|
|
allow $1_t $1_tmp_t:dir create_dir_perms;
|
|
allow $1_t $1_tmp_t:file create_file_perms;
|
|
files_create_tmp_files($1_t, $1_tmp_t, { file dir })
|
|
# class specified:
|
|
files_create_tmp_files($1_t, $1_tmp_t, $3)
|
|
# $3 manage object perms here
|
|
|
|
#
|
|
# tmp_domain($1,$2,$3): complete
|
|
#
|
|
# $2 may need more handling
|
|
#
|
|
type $1_tmp_t $2;
|
|
files_tmp_file($1_tmp_t)
|
|
files_create_tmp_files($1_t, $1_tmp_t, $3)
|
|
allow $1_t $1_tmp_t:$3 manage_obj_perms;
|
|
|
|
#
|
|
# tmpfs_domain(): complete
|
|
#
|
|
type $1_tmpfs_t;
|
|
files_tmpfs_file($1_tmpfs_t)
|
|
allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
|
|
allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
|
allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
|
|
allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
|
allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
|
|
filesystem_create_private_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
|
|
|
#
|
|
# unconfined_domain():
|
|
#
|
|
|
|
#
|
|
# user_application_domain():
|
|
#
|
|
type $1_t, domain, privlog $2;
|
|
type $1_exec_t, file_type, sysadmfile, exec_type;
|
|
role sysadm_r types $1_t;
|
|
domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
|
|
libs_use_ld_so($1_t)
|
|
libs_use_shared_libs($1_t)
|
|
in_user_role($1_t)
|
|
domain_auto_trans(userdomain, $1_exec_t, $1_t)
|
|
|
|
#
|
|
# uses_authbind():
|
|
#
|
|
domain_auto_trans($1, authbind_exec_t, authbind_t)
|
|
allow authbind_t $1:process sigchld;
|
|
allow authbind_t $1:fd use;
|
|
allow authbind_t $1:{ tcp_socket udp_socket } rw_socket_perms;
|
|
|
|
#
|
|
# var_lib_domain():
|
|
#
|
|
type $1_var_lib_t, file_type, sysadmfile;
|
|
typealias $1_var_lib_t alias var_lib_$1_t;
|
|
file_type_auto_trans($1_t, var_lib_t, $1_var_lib_t, file)
|
|
allow $1_t $1_var_lib_t:dir rw_dir_perms;
|
|
|
|
#
|
|
# var_run_domain($1):
|
|
#
|
|
type $1_var_run_t;
|
|
files_pid_file($1_var_run_t)
|
|
allow $1_t $1_var_run_t:file create_file_perms;
|
|
files_create_pid($1_t,$1_var_run_t)
|
|
|
|
#
|
|
# var_run_domain($1,$2):
|
|
#
|
|
type $1_var_run_t, file_type, sysadmfile, pidfile;
|
|
file_type_auto_trans($1_t, var_run_t, $1_var_run_t, $2)
|
|
allow $1_t var_t:dir search;
|
|
allow $1_t $1_var_run_t:dir { read getattr lock search ioctl add_name remove_name write };
|