78 lines
2.2 KiB
Plaintext
78 lines
2.2 KiB
Plaintext
#DESC LOCATE - Security Enhanced version of the GNU Locate
|
|
#
|
|
# Author: Dan Walsh <dwalsh@redhat.com>
|
|
#
|
|
|
|
#################################
|
|
#
|
|
# Rules for the locate_t domain.
|
|
#
|
|
# locate_exec_t is the type of the locate executable.
|
|
#
|
|
daemon_base_domain(locate)
|
|
role system_r types locate_t;
|
|
role sysadm_r types locate_t;
|
|
allow locate_t fs_t:filesystem getattr;
|
|
|
|
ifdef(`crond.te', `
|
|
system_crond_entry(locate_exec_t, locate_t)
|
|
allow system_crond_t locate_log_t:dir rw_dir_perms;
|
|
allow system_crond_t locate_log_t:file { create append getattr };
|
|
allow system_crond_t locate_etc_t:file { getattr read };
|
|
')
|
|
|
|
allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms;
|
|
|
|
allow locate_t { fs_type file_type }:dir r_dir_perms;
|
|
dontaudit locate_t sysctl_t:dir getattr;
|
|
allow locate_t file_type:lnk_file r_file_perms;
|
|
allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
|
|
dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read;
|
|
dontaudit locate_t security_t:dir getattr;
|
|
dontaudit locate_t shadow_t:file getattr;
|
|
|
|
allow locate_t { ttyfile device_type device_t }:{ chr_file blk_file } getattr;
|
|
allow locate_t unlabeled_t:dir_file_class_set getattr;
|
|
allow locate_t unlabeled_t:dir read;
|
|
|
|
logdir_domain(locate)
|
|
etcdir_domain(locate)
|
|
|
|
type locate_var_lib_t, file_type, sysadmfile;
|
|
typealias locate_var_lib_t alias var_lib_locate_t;
|
|
|
|
create_dir_file(locate_t, locate_var_lib_t)
|
|
dontaudit locate_t sysadmfile:file getattr;
|
|
|
|
allow locate_t proc_t:file { getattr read };
|
|
allow locate_t self:unix_stream_socket create_socket_perms;
|
|
#
|
|
# Need to be able to exec renice
|
|
#
|
|
can_exec(locate_t, bin_t)
|
|
|
|
dontaudit locate_t rpc_pipefs_t:dir r_dir_perms;
|
|
dontaudit locate_t rpc_pipefs_t:file getattr;
|
|
|
|
#
|
|
# Read Mtab file
|
|
#
|
|
allow locate_t etc_runtime_t:file { getattr read };
|
|
|
|
#
|
|
# Read nsswitch file
|
|
#
|
|
allow locate_t etc_t:file { getattr read };
|
|
dontaudit locate_t self:capability dac_override;
|
|
allow locate_t self:capability dac_read_search;
|
|
|
|
# sysadm_t runs locate in his own domain.
|
|
# We use a type alias to simplify the rest of the policy,
|
|
# which often refers to $1_locate_t for the user domains.
|
|
typealias sysadm_t alias sysadm_locate_t;
|
|
|
|
allow locate_t userdomain:fd use;
|
|
ifdef(`cardmgr.te', `
|
|
allow locate_t cardmgr_var_run_t:chr_file getattr;
|
|
')
|