Move modules to contrib submodule.

Chris PeBenito 2011-09-09 10:10:03 -04:00
parent f07bc3f973
commit 09248fa0db
889 changed files with 10 additions and 82223 deletions


@ -1,9 +0,0 @@
/etc/cron\.(daily|monthly)/acct -- gen_context(system_u:object_r:acct_exec_t,s0)
/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
/usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
/var/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
/var/log/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)


@ -1,80 +0,0 @@
## <summary>Berkeley process accounting</summary>
########################################
## <summary>
## Transition to the accounting management domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`acct_domtrans',`
gen_require(`
type acct_t, acct_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, acct_exec_t, acct_t)
')
########################################
## <summary>
## Execute accounting management tools in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`acct_exec',`
gen_require(`
type acct_exec_t;
')
corecmd_search_bin($1)
can_exec($1, acct_exec_t)
')
########################################
## <summary>
## Execute accounting management data in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
# cjp: this is added for logrotate, and does
# not make sense to me.
interface(`acct_exec_data',`
gen_require(`
type acct_data_t;
')
files_search_var($1)
can_exec($1, acct_data_t)
')
########################################
## <summary>
## Create, read, write, and delete process accounting data.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`acct_manage_data',`
gen_require(`
type acct_data_t;
')
files_search_var($1)
manage_files_pattern($1, acct_data_t, acct_data_t)
manage_lnk_files_pattern($1, acct_data_t, acct_data_t)
')


@ -1,89 +0,0 @@
policy_module(acct, 1.5.0)
########################################
#
# Declarations
#
type acct_t;
type acct_exec_t;
init_system_domain(acct_t, acct_exec_t)
type acct_data_t;
logging_log_file(acct_data_t)
########################################
#
# Local Policy
#
# gzip needs chown capability for some reason
allow acct_t self:capability { sys_pacct chown fsetid };
# not sure why we need kill, the command "last" is reported as using it
dontaudit acct_t self:capability { kill sys_tty_config };
allow acct_t self:fifo_file rw_fifo_file_perms;
allow acct_t self:process signal_perms;
manage_files_pattern(acct_t, acct_data_t, acct_data_t)
manage_lnk_files_pattern(acct_t, acct_data_t, acct_data_t)
can_exec(acct_t, acct_exec_t)
kernel_list_proc(acct_t)
kernel_read_system_state(acct_t)
kernel_read_kernel_sysctls(acct_t)
dev_read_sysfs(acct_t)
# for SSP
dev_read_urand(acct_t)
fs_search_auto_mountpoints(acct_t)
fs_getattr_xattr_fs(acct_t)
term_dontaudit_use_console(acct_t)
term_dontaudit_use_generic_ptys(acct_t)
corecmd_exec_bin(acct_t)
corecmd_exec_shell(acct_t)
domain_use_interactive_fds(acct_t)
files_read_etc_files(acct_t)
files_read_etc_runtime_files(acct_t)
files_list_usr(acct_t)
# for nscd
files_dontaudit_search_pids(acct_t)
init_use_fds(acct_t)
init_use_script_ptys(acct_t)
init_exec_script_files(acct_t)
logging_send_syslog_msg(acct_t)
miscfiles_read_localization(acct_t)
userdom_dontaudit_use_unpriv_user_fds(acct_t)
userdom_dontaudit_search_user_home_dirs(acct_t)
optional_policy(`
optional_policy(`
# for monthly cron job
auth_log_filetrans_login_records(acct_t)
auth_manage_login_records(acct_t)
')
cron_system_entry(acct_t, acct_exec_t)
')
optional_policy(`
nscd_socket_use(acct_t)
')
optional_policy(`
seutil_sigchld_newrole(acct_t)
')
optional_policy(`
udev_read_db(acct_t)
')


@ -1,20 +0,0 @@
HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)


@ -1,208 +0,0 @@
## <summary>Ainit ALSA configuration tool.</summary>
########################################
## <summary>
## Execute a domain transition to run Alsa.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`alsa_domtrans',`
gen_require(`
type alsa_t, alsa_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, alsa_exec_t, alsa_t)
')
########################################
## <summary>
## Execute a domain transition to run
## Alsa, and allow the specified role
## the Alsa domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
#
interface(`alsa_run',`
gen_require(`
type alsa_t;
')
alsa_domtrans($1)
role $2 types alsa_t;
')
########################################
## <summary>
## Read and write Alsa semaphores.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`alsa_rw_semaphores',`
gen_require(`
type alsa_t;
')
allow $1 alsa_t:sem rw_sem_perms;
')
########################################
## <summary>
## Read and write Alsa shared memory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`alsa_rw_shared_mem',`
gen_require(`
type alsa_t;
')
allow $1 alsa_t:shm rw_shm_perms;
')
########################################
## <summary>
## Read writable Alsa config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`alsa_read_rw_config',`
gen_require(`
type alsa_etc_rw_t;
')
files_search_etc($1)
allow $1 alsa_etc_rw_t:dir list_dir_perms;
read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
ifdef(`distro_debian',`
files_search_usr($1)
')
')
########################################
## <summary>
## Manage writable Alsa config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`alsa_manage_rw_config',`
gen_require(`
type alsa_etc_rw_t;
')
files_search_etc($1)
allow $1 alsa_etc_rw_t:dir list_dir_perms;
manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
ifdef(`distro_debian',`
files_search_usr($1)
')
')
########################################
## <summary>
## Manage alsa home files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`alsa_manage_home_files',`
gen_require(`
type alsa_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 alsa_home_t:file manage_file_perms;
')
########################################
## <summary>
## Read Alsa home files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`alsa_read_home_files',`
gen_require(`
type alsa_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 alsa_home_t:file read_file_perms;
')
########################################
## <summary>
## Relabel alsa home files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`alsa_relabel_home_files',`
gen_require(`
type alsa_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 alsa_home_t:file relabel_file_perms;
')
########################################
## <summary>
## Read Alsa lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`alsa_read_lib',`
gen_require(`
type alsa_var_lib_t;
')
files_search_var_lib($1)
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
')


@ -1,84 +0,0 @@
policy_module(alsa, 1.11.0)
########################################
#
# Declarations
#
type alsa_t;
type alsa_exec_t;
init_system_domain(alsa_t, alsa_exec_t)
role system_r types alsa_t;
type alsa_etc_rw_t;
files_config_file(alsa_etc_rw_t)
type alsa_tmp_t;
files_tmp_file(alsa_tmp_t)
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
type alsa_home_t;
userdom_user_home_content(alsa_home_t)
########################################
#
# Local policy
#
allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
dontaudit alsa_t self:capability sys_admin;
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket create_stream_socket_perms;
allow alsa_t self:unix_dgram_socket create_socket_perms;
allow alsa_t alsa_home_t:file read_file_perms;
manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
can_exec(alsa_t, alsa_exec_t)
manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
files_search_var_lib(alsa_t)
kernel_read_system_state(alsa_t)
dev_read_sound(alsa_t)
dev_write_sound(alsa_t)
dev_read_sysfs(alsa_t)
corecmd_exec_bin(alsa_t)
files_read_etc_files(alsa_t)
files_read_usr_files(alsa_t)
term_dontaudit_use_console(alsa_t)
term_dontaudit_use_generic_ptys(alsa_t)
term_dontaudit_use_all_ptys(alsa_t)
auth_use_nsswitch(alsa_t)
init_use_fds(alsa_t)
logging_send_syslog_msg(alsa_t)
miscfiles_read_localization(alsa_t)
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
optional_policy(`
hal_use_fds(alsa_t)
hal_write_log(alsa_t)
')


@ -1,26 +0,0 @@
/etc/amanda(/.*)? gen_context(system_u:object_r:amanda_config_t,s0)
/etc/amanda/.*/tapelist(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
/etc/amandates gen_context(system_u:object_r:amanda_amandates_t,s0)
/etc/dumpdates gen_context(system_u:object_r:amanda_dumpdates_t,s0)
# empty m4 string so the index macro is not invoked
/etc/amanda/.*/index`'(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
/root/restore -d gen_context(system_u:object_r:amanda_recover_dir_t,s0)
/usr/lib(64)?/amanda -d gen_context(system_u:object_r:amanda_usr_lib_t,s0)
/usr/lib(64)?/amanda/.+ -- gen_context(system_u:object_r:amanda_exec_t,s0)
/usr/lib(64)?/amanda/amandad -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib(64)?/amanda/amidxtaped -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/lib(64)?/amanda/amindexd -- gen_context(system_u:object_r:amanda_inetd_exec_t,s0)
/usr/sbin/amrecover -- gen_context(system_u:object_r:amanda_recover_exec_t,s0)
/var/lib/amanda -d gen_context(system_u:object_r:amanda_var_lib_t,s0)
/var/lib/amanda/[^/]+(/.*)? gen_context(system_u:object_r:amanda_data_t,s0)
/var/lib/amanda/[^/]*/log(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)
/var/lib/amanda/\.amandahosts -- gen_context(system_u:object_r:amanda_config_t,s0)
/var/lib/amanda/gnutar-lists(/.*)? gen_context(system_u:object_r:amanda_gnutarlists_t,s0)
# the null string in here because index is a m4 builtin function
/var/lib/amanda/[^/]+/index`'(/.*)? gen_context(system_u:object_r:amanda_var_lib_t,s0)
/var/log/amanda(/.*)? gen_context(system_u:object_r:amanda_log_t,s0)


@ -1,161 +0,0 @@
## <summary>Advanced Maryland Automatic Network Disk Archiver.</summary>
########################################
## <summary>
## Execute a domain transition to run
## Amanda recover.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`amanda_domtrans_recover',`
gen_require(`
type amanda_recover_t, amanda_recover_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, amanda_recover_exec_t, amanda_recover_t)
')
########################################
## <summary>
## Execute a domain transition to run
## Amanda recover, and allow the specified
## role the Amanda recover domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`amanda_run_recover',`
gen_require(`
type amanda_recover_t;
')
amanda_domtrans_recover($1)
role $2 types amanda_recover_t;
')
########################################
## <summary>
## Search Amanda library directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`amanda_search_lib',`
gen_require(`
type amanda_usr_lib_t;
')
files_search_usr($1)
allow $1 amanda_usr_lib_t:dir search_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to read /etc/dumpdates.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`amanda_dontaudit_read_dumpdates',`
gen_require(`
type amanda_dumpdates_t;
')
dontaudit $1 amanda_dumpdates_t:file { getattr read };
')
########################################
## <summary>
## Read and write /etc/dumpdates.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`amanda_rw_dumpdates_files',`
gen_require(`
type amanda_dumpdates_t;
')
files_search_etc($1)
allow $1 amanda_dumpdates_t:file rw_file_perms;
')
########################################
## <summary>
## Search Amanda library directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`amanda_manage_lib',`
gen_require(`
type amanda_usr_lib_t;
')
files_search_usr($1)
allow $1 amanda_usr_lib_t:dir manage_dir_perms;
')
########################################
## <summary>
## Read and append amanda logs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`amanda_append_log_files',`
gen_require(`
type amanda_log_t;
')
logging_search_logs($1)
allow $1 amanda_log_t:file { read_file_perms append_file_perms };
')
#######################################
## <summary>
## Search Amanda var library directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`amanda_search_var_lib',`
gen_require(`
type amanda_var_lib_t;
')
files_search_var_lib($1)
allow $1 amanda_var_lib_t:dir search_dir_perms;
')


@ -1,211 +0,0 @@
policy_module(amanda, 1.13.0)
#######################################
#
# Declarations
#
type amanda_t;
type amanda_inetd_exec_t;
inetd_service_domain(amanda_t, amanda_inetd_exec_t)
role system_r types amanda_t;
type amanda_exec_t;
domain_entry_file(amanda_t, amanda_exec_t)
type amanda_log_t;
logging_log_file(amanda_log_t)
type amanda_config_t;
files_type(amanda_config_t)
type amanda_usr_lib_t;
files_type(amanda_usr_lib_t)
type amanda_var_lib_t;
files_type(amanda_var_lib_t)
type amanda_gnutarlists_t;
files_type(amanda_gnutarlists_t)
type amanda_tmp_t;
files_tmp_file(amanda_tmp_t)
type amanda_amandates_t;
files_type(amanda_amandates_t)
type amanda_dumpdates_t;
files_type(amanda_dumpdates_t)
type amanda_data_t;
files_type(amanda_data_t)
type amanda_recover_t;
type amanda_recover_exec_t;
application_domain(amanda_recover_t, amanda_recover_exec_t)
role system_r types amanda_recover_t;
type amanda_recover_dir_t;
files_type(amanda_recover_dir_t)
optional_policy(`
prelink_object_file(amanda_usr_lib_t)
')
########################################
#
# Amanda local policy
#
allow amanda_t self:capability { chown dac_override setuid kill };
allow amanda_t self:process { setpgid signal };
allow amanda_t self:fifo_file rw_fifo_file_perms;
allow amanda_t self:unix_stream_socket create_stream_socket_perms;
allow amanda_t self:unix_dgram_socket create_socket_perms;
allow amanda_t self:tcp_socket create_stream_socket_perms;
allow amanda_t self:udp_socket create_socket_perms;
allow amanda_t amanda_amandates_t:file rw_file_perms;
allow amanda_t amanda_config_t:file read_file_perms;
manage_dirs_pattern(amanda_t, amanda_data_t, amanda_data_t)
manage_files_pattern(amanda_t, amanda_data_t, amanda_data_t)
filetrans_pattern(amanda_t, amanda_config_t, amanda_data_t, { file dir })
allow amanda_t amanda_dumpdates_t:file rw_file_perms;
can_exec(amanda_t, amanda_exec_t)
can_exec(amanda_t, amanda_inetd_exec_t)
allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
allow amanda_t amanda_gnutarlists_t:lnk_file manage_lnk_file_perms;
manage_dirs_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
manage_files_pattern(amanda_t, amanda_var_lib_t, amanda_var_lib_t)
manage_files_pattern(amanda_t, amanda_log_t, amanda_log_t)
manage_dirs_pattern(amanda_t, amanda_log_t, amanda_log_t)
logging_log_filetrans(amanda_t, amanda_log_t, { file dir })
manage_files_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
manage_dirs_pattern(amanda_t, amanda_tmp_t, amanda_tmp_t)
files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
kernel_read_system_state(amanda_t)
kernel_read_kernel_sysctls(amanda_t)
kernel_dontaudit_getattr_unlabeled_files(amanda_t)
kernel_dontaudit_read_proc_symlinks(amanda_t)
corecmd_exec_shell(amanda_t)
corecmd_exec_bin(amanda_t)
corenet_all_recvfrom_unlabeled(amanda_t)
corenet_all_recvfrom_netlabel(amanda_t)
corenet_tcp_sendrecv_generic_if(amanda_t)
corenet_udp_sendrecv_generic_if(amanda_t)
corenet_raw_sendrecv_generic_if(amanda_t)
corenet_tcp_sendrecv_generic_node(amanda_t)
corenet_udp_sendrecv_generic_node(amanda_t)
corenet_raw_sendrecv_generic_node(amanda_t)
corenet_tcp_sendrecv_all_ports(amanda_t)
corenet_udp_sendrecv_all_ports(amanda_t)
corenet_tcp_bind_generic_node(amanda_t)
corenet_udp_bind_generic_node(amanda_t)
corenet_tcp_bind_all_rpc_ports(amanda_t)
corenet_tcp_bind_generic_port(amanda_t)
corenet_dontaudit_tcp_bind_all_ports(amanda_t)
dev_getattr_all_blk_files(amanda_t)
dev_getattr_all_chr_files(amanda_t)
files_read_etc_files(amanda_t)
files_read_etc_runtime_files(amanda_t)
files_list_all(amanda_t)
files_read_all_files(amanda_t)
files_read_all_symlinks(amanda_t)
files_read_all_blk_files(amanda_t)
files_read_all_chr_files(amanda_t)
files_getattr_all_pipes(amanda_t)
files_getattr_all_sockets(amanda_t)
fs_getattr_xattr_fs(amanda_t)
fs_list_all(amanda_t)
storage_raw_read_fixed_disk(amanda_t)
storage_read_tape(amanda_t)
storage_write_tape(amanda_t)
auth_use_nsswitch(amanda_t)
auth_read_shadow(amanda_t)
logging_send_syslog_msg(amanda_t)
########################################
#
# Amanda recover local policy
#
allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
allow amanda_recover_t self:process { sigkill sigstop signal };
allow amanda_recover_t self:fifo_file rw_fifo_file_perms;
allow amanda_recover_t self:unix_stream_socket { connect create read write };
allow amanda_recover_t self:tcp_socket create_stream_socket_perms;
allow amanda_recover_t self:udp_socket create_socket_perms;
manage_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
manage_lnk_files_pattern(amanda_recover_t, amanda_log_t, amanda_log_t)
manage_dirs_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_lnk_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_fifo_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
manage_sock_files_pattern(amanda_recover_t, amanda_recover_dir_t, amanda_recover_dir_t)
userdom_user_home_dir_filetrans(amanda_recover_t, amanda_recover_dir_t, { dir file lnk_file sock_file fifo_file })
manage_dirs_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
manage_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
manage_lnk_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
manage_fifo_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
manage_sock_files_pattern(amanda_recover_t, amanda_tmp_t, amanda_tmp_t)
files_tmp_filetrans(amanda_recover_t, amanda_tmp_t, { dir file lnk_file sock_file fifo_file })
kernel_read_system_state(amanda_recover_t)
kernel_read_kernel_sysctls(amanda_recover_t)
corecmd_exec_shell(amanda_recover_t)
corecmd_exec_bin(amanda_recover_t)
corenet_all_recvfrom_unlabeled(amanda_recover_t)
corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_generic_if(amanda_recover_t)
corenet_udp_sendrecv_generic_if(amanda_recover_t)
corenet_tcp_sendrecv_generic_node(amanda_recover_t)
corenet_udp_sendrecv_generic_node(amanda_recover_t)
corenet_tcp_sendrecv_all_ports(amanda_recover_t)
corenet_udp_sendrecv_all_ports(amanda_recover_t)
corenet_tcp_bind_generic_node(amanda_recover_t)
corenet_udp_bind_generic_node(amanda_recover_t)
corenet_tcp_bind_reserved_port(amanda_recover_t)
corenet_tcp_connect_amanda_port(amanda_recover_t)
corenet_sendrecv_amanda_client_packets(amanda_recover_t)
domain_use_interactive_fds(amanda_recover_t)
files_read_etc_files(amanda_recover_t)
files_read_etc_runtime_files(amanda_recover_t)
files_search_tmp(amanda_recover_t)
files_search_pids(amanda_recover_t)
auth_use_nsswitch(amanda_recover_t)
fstools_domtrans(amanda_t)
fstools_signal(amanda_t)
logging_search_logs(amanda_recover_t)
miscfiles_read_localization(amanda_recover_t)
userdom_use_user_terminals(amanda_recover_t)
userdom_search_user_home_content(amanda_recover_t)


@ -1 +0,0 @@
/usr/bin/amtu -- gen_context(system_u:object_r:amtu_exec_t,s0)


@ -1,46 +0,0 @@
## <summary>Abstract Machine Test Utility.</summary>
########################################
## <summary>
## Execute a domain transition to run Amtu.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`amtu_domtrans',`
gen_require(`
type amtu_t, amtu_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, amtu_exec_t, amtu_t)
')
########################################
## <summary>
## Execute a domain transition to run
## Amtu, and allow the specified role
## the Amtu domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
#
interface(`amtu_run',`
gen_require(`
type amtu_t;
')
amtu_domtrans($1)
role $2 types amtu_t;
')


@ -1,34 +0,0 @@
policy_module(amtu, 1.2.0)
########################################
#
# Declarations
#
type amtu_t;
type amtu_exec_t;
domain_type(amtu_t)
domain_entry_file(amtu_t, amtu_exec_t)
########################################
#
# amtu local policy
#
kernel_read_system_state(amtu_t)
files_manage_boot_files(amtu_t)
files_read_etc_runtime_files(amtu_t)
files_read_etc_files(amtu_t)
logging_send_audit_msgs(amtu_t)
userdom_use_user_terminals(amtu_t)
optional_policy(`
nscd_dontaudit_search_pid(amtu_t)
')
optional_policy(`
seutil_use_newrole_fds(amtu_t)
')


@ -1 +0,0 @@
# No file context specifications.


@ -1 +0,0 @@
## <summary>Anaconda installer.</summary>


@ -1,59 +0,0 @@
policy_module(anaconda, 1.6.0)
########################################
#
# Declarations
#
type anaconda_t;
type anaconda_exec_t;
domain_type(anaconda_t)
domain_obj_id_change_exemption(anaconda_t)
role system_r types anaconda_t;
########################################
#
# Local policy
#
allow anaconda_t self:process execmem;
kernel_domtrans_to(anaconda_t, anaconda_exec_t)
init_domtrans_script(anaconda_t)
libs_domtrans_ldconfig(anaconda_t)
logging_send_syslog_msg(anaconda_t)
modutils_domtrans_insmod(anaconda_t)
modutils_domtrans_depmod(anaconda_t)
seutil_domtrans_semanage(anaconda_t)
userdom_user_home_dir_filetrans_user_home_content(anaconda_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
kudzu_domtrans(anaconda_t)
')
optional_policy(`
rpm_domtrans(anaconda_t)
rpm_domtrans_script(anaconda_t)
')
optional_policy(`
ssh_domtrans_keygen(anaconda_t)
')
optional_policy(`
udev_domtrans(anaconda_t)
')
optional_policy(`
unconfined_domain(anaconda_t)
')
optional_policy(`
usermanage_domtrans_admin_passwd(anaconda_t)
')


@ -1,21 +0,0 @@
/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
# apt-shell is redhat specific
/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
# other package managers
/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
# package cache repository
/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
# package list repository
/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
# aptitude lock
/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
# aptitude log
/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0)
# dpkg terminal log
/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)


@ -1,225 +0,0 @@
## <summary>APT advanced package tool.</summary>
########################################
## <summary>
## Execute apt programs in the apt domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`apt_domtrans',`
gen_require(`
type apt_t, apt_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, apt_exec_t, apt_t)
')
########################################
## <summary>
## Execute apt programs in the apt domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the apt domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`apt_run',`
gen_require(`
type apt_t;
')
apt_domtrans($1)
role $2 types apt_t;
# TODO: likely have to add dpkg_run here.
')
########################################
## <summary>
## Inherit and use file descriptors from apt.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apt_use_fds',`
gen_require(`
type apt_t;
')
allow $1 apt_t:fd use;
# TODO: enforce dpkg_use_fd?
')
########################################
## <summary>
## Do not audit attempts to use file descriptors from apt.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`apt_dontaudit_use_fds',`
gen_require(`
type apt_t;
')
dontaudit $1 apt_t:fd use;
')
########################################
## <summary>
## Read from an unnamed apt pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apt_read_pipes',`
gen_require(`
type apt_t;
')
allow $1 apt_t:fifo_file read_fifo_file_perms;
# TODO: enforce dpkg_read_pipes?
')
########################################
## <summary>
## Read and write an unnamed apt pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apt_rw_pipes',`
gen_require(`
type apt_t;
')
allow $1 apt_t:fifo_file rw_file_perms;
# TODO: enforce dpkg_rw_pipes?
')
########################################
## <summary>
## Read from and write to apt ptys.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apt_use_ptys',`
gen_require(`
type apt_devpts_t;
')
allow $1 apt_devpts_t:chr_file rw_term_perms;
')
########################################
## <summary>
## Read the apt package cache.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apt_read_cache',`
gen_require(`
type apt_var_cache_t;
')
files_search_var($1)
allow $1 apt_var_cache_t:dir list_dir_perms;
dontaudit $1 apt_var_cache_t:dir write;
allow $1 apt_var_cache_t:file read_file_perms;
')
########################################
## <summary>
## Read the apt package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apt_read_db',`
gen_require(`
type apt_var_lib_t;
')
files_search_var_lib($1)
allow $1 apt_var_lib_t:dir list_dir_perms;
read_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
')
########################################
## <summary>
## Create, read, write, and delete the apt package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`apt_manage_db',`
gen_require(`
type apt_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
# cjp: shouldnt this be manage_lnk_files?
rw_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
delete_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
')
########################################
## <summary>
## Do not audit attempts to create, read,
## write, and delete the apt package database.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`apt_dontaudit_manage_db',`
gen_require(`
type apt_var_lib_t;
')
dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
dontaudit $1 apt_var_lib_t:file manage_file_perms;
dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
')


@ -1,162 +0,0 @@
policy_module(apt, 1.6.0)
########################################
#
# Declarations
#
type apt_t;
type apt_exec_t;
init_system_domain(apt_t, apt_exec_t)
domain_system_change_exemption(apt_t)
role system_r types apt_t;
# pseudo terminal for running dpkg
type apt_devpts_t;
term_pty(apt_devpts_t)
# aptitude lock file
type apt_lock_t;
files_lock_file(apt_lock_t)
type apt_tmp_t;
files_tmp_file(apt_tmp_t)
type apt_tmpfs_t;
files_tmpfs_file(apt_tmpfs_t)
# package cache
type apt_var_cache_t alias var_cache_apt_t;
files_type(apt_var_cache_t)
# status files
type apt_var_lib_t alias var_lib_apt_t;
files_type(apt_var_lib_t)
# aptitude log file
type apt_var_log_t;
logging_log_file(apt_var_log_t)
########################################
#
# apt Local policy
#
allow apt_t self:capability { chown dac_override fowner fsetid };
allow apt_t self:process { signal setpgid fork };
allow apt_t self:fd use;
allow apt_t self:fifo_file rw_fifo_file_perms;
allow apt_t self:unix_dgram_socket create_socket_perms;
allow apt_t self:unix_stream_socket rw_stream_socket_perms;
allow apt_t self:unix_dgram_socket sendto;
allow apt_t self:unix_stream_socket connectto;
allow apt_t self:udp_socket { connect create_socket_perms };
allow apt_t self:tcp_socket create_stream_socket_perms;
allow apt_t self:shm create_shm_perms;
allow apt_t self:sem create_sem_perms;
allow apt_t self:msgq create_msgq_perms;
allow apt_t self:msg { send receive };
# Run update
allow apt_t self:netlink_route_socket r_netlink_socket_perms;
# lock files
allow apt_t apt_lock_t:dir manage_dir_perms;
allow apt_t apt_lock_t:file manage_file_perms;
files_lock_filetrans(apt_t, apt_lock_t, {dir file})
manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
manage_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
manage_lnk_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
# Access /var/cache/apt files
manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
files_var_filetrans(apt_t, apt_var_cache_t, dir)
# Access /var/lib/apt files
manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
# log files
allow apt_t apt_var_log_t:file manage_file_perms;
logging_log_filetrans(apt_t, apt_var_log_t, file)
kernel_read_system_state(apt_t)
kernel_read_kernel_sysctls(apt_t)
# to launch dpkg-preconfigure
corecmd_exec_bin(apt_t)
corecmd_exec_shell(apt_t)
corenet_all_recvfrom_unlabeled(apt_t)
corenet_all_recvfrom_netlabel(apt_t)
corenet_tcp_sendrecv_generic_if(apt_t)
corenet_udp_sendrecv_generic_if(apt_t)
corenet_tcp_sendrecv_generic_node(apt_t)
corenet_udp_sendrecv_generic_node(apt_t)
corenet_tcp_sendrecv_all_ports(apt_t)
corenet_udp_sendrecv_all_ports(apt_t)
# TODO: really allow all these?
corenet_tcp_bind_generic_node(apt_t)
corenet_udp_bind_generic_node(apt_t)
corenet_tcp_connect_all_ports(apt_t)
corenet_sendrecv_all_client_packets(apt_t)
dev_read_urand(apt_t)
domain_getattr_all_domains(apt_t)
domain_use_interactive_fds(apt_t)
files_exec_usr_files(apt_t)
files_read_etc_files(apt_t)
files_read_etc_runtime_files(apt_t)
fs_getattr_all_fs(apt_t)
term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
term_use_all_terms(apt_t)
libs_exec_ld_so(apt_t)
libs_exec_lib_files(apt_t)
logging_send_syslog_msg(apt_t)
miscfiles_read_localization(apt_t)
seutil_use_newrole_fds(apt_t)
sysnet_read_config(apt_t)
userdom_use_user_terminals(apt_t)
# with boolean, for cron-apt and such?
#optional_policy(`
# cron_system_entry(apt_t,apt_exec_t)
#')
optional_policy(`
# dpkg interaction
dpkg_read_db(apt_t)
dpkg_domtrans(apt_t)
dpkg_lock_db(apt_t)
')
optional_policy(`
nis_use_ypbind(apt_t)
')
optional_policy(`
rpm_read_db(apt_t)
rpm_domtrans(apt_t)
')
optional_policy(`
unconfined_domain(apt_t)
')


@ -1,13 +0,0 @@
# backup
# label programs that do backups to other files on disk (IE a cron job that
# calls tar) in backup_exec_t and label the directory for storing them as
# backup_store_t, Debian uses /var/backups
#/usr/local/bin/backup-script -- gen_context(system_u:object_r:backup_exec_t,s0)
ifdef(`distro_debian',`
/etc/cron.daily/aptitude -- gen_context(system_u:object_r:backup_exec_t,s0)
/etc/cron.daily/standard -- gen_context(system_u:object_r:backup_exec_t,s0)
')
/var/backups(/.*)? gen_context(system_u:object_r:backup_store_t,s0)


@ -1,45 +0,0 @@
## <summary>System backup scripts</summary>
########################################
## <summary>
## Execute backup in the backup domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`backup_domtrans',`
gen_require(`
type backup_t, backup_exec_t;
')
domtrans_pattern($1, backup_exec_t, backup_t)
')
########################################
## <summary>
## Execute backup in the backup domain, and
## allow the specified role the backup domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`backup_run',`
gen_require(`
type backup_t;
')
backup_domtrans($1)
role $2 types backup_t;
')


@ -1,85 +0,0 @@
policy_module(backup, 1.5.0)
########################################
#
# Declarations
#
type backup_t;
type backup_exec_t;
domain_type(backup_t)
domain_entry_file(backup_t, backup_exec_t)
role system_r types backup_t;
type backup_store_t;
files_type(backup_store_t)
########################################
#
# Local policy
#
allow backup_t self:capability dac_override;
allow backup_t self:process signal;
allow backup_t self:fifo_file rw_fifo_file_perms;
allow backup_t self:tcp_socket create_socket_perms;
allow backup_t self:udp_socket create_socket_perms;
allow backup_t backup_store_t:file setattr;
manage_files_pattern(backup_t, backup_store_t, backup_store_t)
rw_files_pattern(backup_t, backup_store_t, backup_store_t)
read_lnk_files_pattern(backup_t, backup_store_t, backup_store_t)
kernel_read_system_state(backup_t)
kernel_read_kernel_sysctls(backup_t)
corecmd_exec_bin(backup_t)
corecmd_exec_shell(backup_t)
corenet_all_recvfrom_unlabeled(backup_t)
corenet_all_recvfrom_netlabel(backup_t)
corenet_tcp_sendrecv_generic_if(backup_t)
corenet_udp_sendrecv_generic_if(backup_t)
corenet_raw_sendrecv_generic_if(backup_t)
corenet_tcp_sendrecv_generic_node(backup_t)
corenet_udp_sendrecv_generic_node(backup_t)
corenet_raw_sendrecv_generic_node(backup_t)
corenet_tcp_sendrecv_all_ports(backup_t)
corenet_udp_sendrecv_all_ports(backup_t)
corenet_tcp_connect_all_ports(backup_t)
corenet_sendrecv_all_client_packets(backup_t)
dev_getattr_all_blk_files(backup_t)
dev_getattr_all_chr_files(backup_t)
# for SSP
dev_read_urand(backup_t)
domain_use_interactive_fds(backup_t)
files_read_all_files(backup_t)
files_read_all_symlinks(backup_t)
files_getattr_all_pipes(backup_t)
files_getattr_all_sockets(backup_t)
fs_getattr_xattr_fs(backup_t)
fs_list_all(backup_t)
auth_read_shadow(backup_t)
logging_send_syslog_msg(backup_t)
sysnet_read_config(backup_t)
userdom_use_user_terminals(backup_t)
optional_policy(`
cron_system_entry(backup_t, backup_exec_t)
')
optional_policy(`
hostname_exec(backup_t)
')
optional_policy(`
nis_use_ypbind(backup_t)
')


@ -1 +0,0 @@
/usr/sbin/brctl -- gen_context(system_u:object_r:brctl_exec_t,s0)


@ -1,20 +0,0 @@
## <summary>Utilities for configuring the linux ethernet bridge</summary>
########################################
## <summary>
## Execute a domain transition to run brctl.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`brctl_domtrans',`
gen_require(`
type brctl_t, brctl_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, brctl_exec_t, brctl_t)
')


@ -1,44 +0,0 @@
policy_module(brctl, 1.6.0)
########################################
#
# Declarations
#
type brctl_t;
type brctl_exec_t;
init_system_domain(brctl_t, brctl_exec_t)
########################################
#
# brctl local policy
#
allow brctl_t self:capability net_admin;
allow brctl_t self:fifo_file rw_fifo_file_perms;
allow brctl_t self:unix_stream_socket create_stream_socket_perms;
allow brctl_t self:unix_dgram_socket create_socket_perms;
allow brctl_t self:tcp_socket create_socket_perms;
kernel_request_load_module(brctl_t)
kernel_read_network_state(brctl_t)
kernel_read_sysctl(brctl_t)
corenet_rw_tun_tap_dev(brctl_t)
dev_rw_sysfs(brctl_t)
dev_write_sysfs_dirs(brctl_t)
# Init script handling
domain_use_interactive_fds(brctl_t)
files_read_etc_files(brctl_t)
term_dontaudit_use_console(brctl_t)
miscfiles_read_localization(brctl_t)
optional_policy(`
xen_append_log(brctl_t)
xen_dontaudit_rw_unix_stream_sockets(brctl_t)
')


@ -1 +0,0 @@
/usr/bin/certwatch -- gen_context(system_u:object_r:certwatch_exec_t,s0)


@ -1,78 +0,0 @@
## <summary>Digital Certificate Tracking</summary>
########################################
## <summary>
## Domain transition to certwatch.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`certwatch_domtrans',`
gen_require(`
type certwatch_exec_t, certwatch_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, certwatch_exec_t, certwatch_t)
')
########################################
## <summary>
## Execute certwatch in the certwatch domain, and
## allow the specified role the certwatch domain,
## and use the caller's terminal. Has a sigchld
## backchannel.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`certwatch_run',`
gen_require(`
type certwatch_t;
')
certwatch_domtrans($1)
role $2 types certwatch_t;
')
########################################
## <summary>
## Execute certwatch in the certwatch domain, and
## allow the specified role the certwatch domain,
## and use the caller's terminal. Has a sigchld
## backchannel. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <param name="terminal">
## <summary>
## The type of the terminal allow the certwatch domain to use.
## </summary>
## </param>
## <rolecap/>
#
interface(`certwatach_run',`
refpolicywarn(`$0($*) has been deprecated, please use certwatch_run() instead.')
certwatch_run($*)
')


@ -1,53 +0,0 @@
policy_module(certwatch, 1.7.0)
########################################
#
# Declarations
#
type certwatch_t;
type certwatch_exec_t;
application_domain(certwatch_t, certwatch_exec_t)
role system_r types certwatch_t;
########################################
#
# Local policy
#
allow certwatch_t self:capability sys_nice;
allow certwatch_t self:process { setsched getsched };
dev_read_urand(certwatch_t)
files_read_etc_files(certwatch_t)
files_read_usr_files(certwatch_t)
files_read_usr_symlinks(certwatch_t)
files_list_tmp(certwatch_t)
fs_list_inotifyfs(certwatch_t)
auth_manage_cache(certwatch_t)
auth_var_filetrans_cache(certwatch_t)
logging_send_syslog_msg(certwatch_t)
miscfiles_read_all_certs(certwatch_t)
miscfiles_read_localization(certwatch_t)
userdom_use_user_terminals(certwatch_t)
userdom_dontaudit_list_user_home_dirs(certwatch_t)
optional_policy(`
apache_exec_modules(certwatch_t)
apache_read_config(certwatch_t)
')
optional_policy(`
cron_system_entry(certwatch_t, certwatch_exec_t)
')
optional_policy(`
pcscd_domtrans(certwatch_t)
pcscd_stream_connect(certwatch_t)
pcscd_read_pub_files(certwatch_t)
')


@ -1,4 +0,0 @@
#
# /usr
#
/usr/sbin/ddcprobe -- gen_context(system_u:object_r:ddcprobe_exec_t,s0)


@ -1,45 +0,0 @@
## <summary>ddcprobe retrieves monitor and graphics card information</summary>
########################################
## <summary>
## Execute ddcprobe in the ddcprobe domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`ddcprobe_domtrans',`
gen_require(`
type ddcprobe_t, ddcprobe_exec_t;
')
domtrans_pattern($1, ddcprobe_exec_t, ddcprobe_t)
')
########################################
## <summary>
## Execute ddcprobe in the ddcprobe domain, and
## allow the specified role the ddcprobe domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role to be authenticated for ddcprobe domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`ddcprobe_run',`
gen_require(`
type ddcprobe_t;
')
ddcprobe_domtrans($1)
role $2 types ddcprobe_t;
')


@ -1,51 +0,0 @@
policy_module(ddcprobe, 1.2.0)
########################################
#
# Declarations
#
type ddcprobe_t;
type ddcprobe_exec_t;
application_domain(ddcprobe_t, ddcprobe_exec_t)
role system_r types ddcprobe_t;
########################################
#
# Local policy
#
allow ddcprobe_t self:capability { sys_rawio sys_admin };
allow ddcprobe_t self:process execmem;
kernel_read_system_state(ddcprobe_t)
kernel_read_kernel_sysctls(ddcprobe_t)
kernel_change_ring_buffer_level(ddcprobe_t)
files_search_kernel_modules(ddcprobe_t)
corecmd_list_bin(ddcprobe_t)
corecmd_exec_bin(ddcprobe_t)
dev_read_urand(ddcprobe_t)
dev_read_raw_memory(ddcprobe_t)
dev_wx_raw_memory(ddcprobe_t)
files_read_etc_files(ddcprobe_t)
files_read_etc_runtime_files(ddcprobe_t)
files_read_usr_files(ddcprobe_t)
term_use_all_ttys(ddcprobe_t)
term_use_all_ptys(ddcprobe_t)
libs_read_lib_files(ddcprobe_t)
miscfiles_read_localization(ddcprobe_t)
modutils_read_module_deps(ddcprobe_t)
userdom_use_user_terminals(ddcprobe_t)
userdom_use_all_users_fds(ddcprobe_t)
#reh why? this does not seem even necessary to function properly
kudzu_getattr_exec_files(ddcprobe_t)


@ -1,4 +0,0 @@
/usr/sbin/dmidecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
/usr/sbin/ownership -- gen_context(system_u:object_r:dmidecode_exec_t,s0)
/usr/sbin/vpddecode -- gen_context(system_u:object_r:dmidecode_exec_t,s0)


@ -1,50 +0,0 @@
## <summary>Decode DMI data for x86/ia64 bioses.</summary>
########################################
## <summary>
## Execute dmidecode in the dmidecode domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`dmidecode_domtrans',`
gen_require(`
type dmidecode_t, dmidecode_exec_t;
')
domain_auto_trans($1, dmidecode_exec_t, dmidecode_t)
allow $1 dmidecode_t:fd use;
allow dmidecode_t $1:fd use;
allow dmidecode_t $1:fifo_file rw_file_perms;
allow dmidecode_t $1:process sigchld;
')
########################################
## <summary>
## Execute dmidecode in the dmidecode domain, and
## allow the specified role the dmidecode domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dmidecode_run',`
gen_require(`
type dmidecode_t;
')
dmidecode_domtrans($1)
role $2 types dmidecode_t;
')


@ -1,30 +0,0 @@
policy_module(dmidecode, 1.4.0)
########################################
#
# Declarations
#
type dmidecode_t;
type dmidecode_exec_t;
application_domain(dmidecode_t, dmidecode_exec_t)
role system_r types dmidecode_t;
########################################
#
# Local policy
#
allow dmidecode_t self:capability sys_rawio;
dev_read_sysfs(dmidecode_t)
# Allow dmidecode to read /dev/mem
dev_read_raw_memory(dmidecode_t)
mls_file_read_all_levels(dmidecode_t)
files_list_usr(dmidecode_t)
locallogin_use_fds(dmidecode_t)
userdom_use_user_terminals(dmidecode_t)


@ -1,12 +0,0 @@
# Debian package manager
/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0)
/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
# not sure if dselect should be in apt instead?
/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0)
/var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
# lockfile is treated specially, since used by apt, too
/var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0)
/usr/sbin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
/usr/sbin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)


@ -1,226 +0,0 @@
## <summary>Policy for the Debian package manager.</summary>
# TODO: need debconf policy
# TODO: need install-menu policy
########################################
## <summary>
## Execute dpkg programs in the dpkg domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`dpkg_domtrans',`
gen_require(`
type dpkg_t, dpkg_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, dpkg_exec_t, dpkg_t)
')
########################################
## <summary>
## Execute dpkg_script programs in the dpkg_script domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`dpkg_domtrans_script',`
gen_require(`
type dpkg_script_t;
')
# transition to dpkg script:
corecmd_shell_domtrans($1, dpkg_script_t)
allow dpkg_script_t $1:fd use;
allow dpkg_script_t $1:fifo_file rw_file_perms;
allow dpkg_script_t $1:process sigchld;
')
########################################
## <summary>
## Execute dpkg programs in the dpkg domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the dpkg domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`dpkg_run',`
gen_require(`
type dpkg_t, dpkg_script_t;
')
dpkg_domtrans($1)
role $2 types dpkg_t;
role $2 types dpkg_script_t;
seutil_run_loadpolicy(dpkg_script_t, $2)
')
########################################
## <summary>
## Inherit and use file descriptors from dpkg.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_use_fds',`
gen_require(`
type dpkg_t;
')
allow $1 dpkg_t:fd use;
')
########################################
## <summary>
## Read from an unnamed dpkg pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_read_pipes',`
gen_require(`
type dpkg_t;
')
allow $1 dpkg_t:fifo_file read_fifo_file_perms;
')
########################################
## <summary>
## Read and write an unnamed dpkg pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_rw_pipes',`
gen_require(`
type dpkg_t;
')
allow $1 dpkg_t:fifo_file rw_fifo_file_perms;
')
########################################
## <summary>
## Inherit and use file descriptors from dpkg scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_use_script_fds',`
gen_require(`
type dpkg_script_t;
')
allow $1 dpkg_script_t:fd use;
')
########################################
## <summary>
## Read the dpkg package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_read_db',`
gen_require(`
type dpkg_var_lib_t;
')
files_search_var_lib($1)
allow $1 dpkg_var_lib_t:dir list_dir_perms;
read_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
read_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
')
########################################
## <summary>
## Create, read, write, and delete the dpkg package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_manage_db',`
gen_require(`
type dpkg_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
manage_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
')
########################################
## <summary>
## Do not audit attempts to create, read,
## write, and delete the dpkg package database.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dpkg_dontaudit_manage_db',`
gen_require(`
type dpkg_var_lib_t;
')
dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms;
dontaudit $1 dpkg_var_lib_t:file manage_file_perms;
dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms;
')
########################################
## <summary>
## Lock the dpkg package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_lock_db',`
gen_require(`
type dpkg_lock_t, dpkg_var_lib_t;
')
files_search_var_lib($1)
allow $1 dpkg_var_lib_t:dir list_dir_perms;
allow $1 dpkg_lock_t:file manage_file_perms;
')


@ -1,338 +0,0 @@
policy_module(dpkg, 1.8.0)
########################################
#
# Declarations
#
type dpkg_t;
type dpkg_exec_t;
# dpkg can start/stop services
init_system_domain(dpkg_t, dpkg_exec_t)
# dpkg can change file labels, roles, IO
domain_obj_id_change_exemption(dpkg_t)
domain_role_change_exemption(dpkg_t)
domain_system_change_exemption(dpkg_t)
domain_interactive_fd(dpkg_t)
role system_r types dpkg_t;
# lockfile
type dpkg_lock_t;
files_type(dpkg_lock_t)
type dpkg_tmp_t;
files_tmp_file(dpkg_tmp_t)
type dpkg_tmpfs_t;
files_tmpfs_file(dpkg_tmpfs_t)
# status files
type dpkg_var_lib_t alias var_lib_dpkg_t;
files_type(dpkg_var_lib_t)
# package scripts
type dpkg_script_t;
domain_type(dpkg_script_t)
domain_entry_file(dpkg_t, dpkg_var_lib_t)
corecmd_shell_entry_type(dpkg_script_t)
domain_obj_id_change_exemption(dpkg_script_t)
domain_system_change_exemption(dpkg_script_t)
domain_interactive_fd(dpkg_script_t)
role system_r types dpkg_script_t;
type dpkg_script_tmp_t;
files_tmp_file(dpkg_script_tmp_t)
type dpkg_script_tmpfs_t;
files_tmpfs_file(dpkg_script_tmpfs_t)
########################################
#
# dpkg Local policy
#
allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
allow dpkg_t self:process { setpgid fork getsched setfscreate };
allow dpkg_t self:fd use;
allow dpkg_t self:fifo_file rw_fifo_file_perms;
allow dpkg_t self:unix_dgram_socket create_socket_perms;
allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
allow dpkg_t self:unix_dgram_socket sendto;
allow dpkg_t self:unix_stream_socket connectto;
allow dpkg_t self:udp_socket { connect create_socket_perms };
allow dpkg_t self:tcp_socket create_stream_socket_perms;
allow dpkg_t self:shm create_shm_perms;
allow dpkg_t self:sem create_sem_perms;
allow dpkg_t self:msgq create_msgq_perms;
allow dpkg_t self:msg { send receive };
allow dpkg_t dpkg_lock_t:file manage_file_perms;
manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file })
# Access /var/lib/dpkg files
manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t)
files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)
kernel_read_system_state(dpkg_t)
kernel_read_kernel_sysctls(dpkg_t)
corecmd_exec_all_executables(dpkg_t)
# TODO: do we really need all networking?
corenet_all_recvfrom_unlabeled(dpkg_t)
corenet_all_recvfrom_netlabel(dpkg_t)
corenet_tcp_sendrecv_generic_if(dpkg_t)
corenet_raw_sendrecv_generic_if(dpkg_t)
corenet_udp_sendrecv_generic_if(dpkg_t)
corenet_tcp_sendrecv_generic_node(dpkg_t)
corenet_raw_sendrecv_generic_node(dpkg_t)
corenet_udp_sendrecv_generic_node(dpkg_t)
corenet_tcp_sendrecv_all_ports(dpkg_t)
corenet_udp_sendrecv_all_ports(dpkg_t)
corenet_tcp_connect_all_ports(dpkg_t)
corenet_sendrecv_all_client_packets(dpkg_t)
dev_list_sysfs(dpkg_t)
dev_list_usbfs(dpkg_t)
dev_read_urand(dpkg_t)
#devices_manage_all_device_types(dpkg_t)
domain_read_all_domains_state(dpkg_t)
domain_getattr_all_domains(dpkg_t)
domain_dontaudit_ptrace_all_domains(dpkg_t)
domain_use_interactive_fds(dpkg_t)
domain_dontaudit_getattr_all_pipes(dpkg_t)
domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)
fs_manage_nfs_dirs(dpkg_t)
fs_manage_nfs_files(dpkg_t)
fs_manage_nfs_symlinks(dpkg_t)
fs_getattr_all_fs(dpkg_t)
fs_search_auto_mountpoints(dpkg_t)
mls_file_read_all_levels(dpkg_t)
mls_file_write_all_levels(dpkg_t)
mls_file_upgrade(dpkg_t)
selinux_get_fs_mount(dpkg_t)
selinux_validate_context(dpkg_t)
selinux_compute_access_vector(dpkg_t)
selinux_compute_create_context(dpkg_t)
selinux_compute_relabel_context(dpkg_t)
selinux_compute_user_contexts(dpkg_t)
storage_raw_write_fixed_disk(dpkg_t)
# for installing kernel packages
storage_raw_read_fixed_disk(dpkg_t)
auth_relabel_all_files_except_auth_files(dpkg_t)
auth_manage_all_files_except_auth_files(dpkg_t)
auth_dontaudit_read_shadow(dpkg_t)
files_exec_etc_files(dpkg_t)
init_domtrans_script(dpkg_t)
init_use_script_ptys(dpkg_t)
libs_exec_ld_so(dpkg_t)
libs_exec_lib_files(dpkg_t)
libs_domtrans_ldconfig(dpkg_t)
logging_send_syslog_msg(dpkg_t)
# allow compiling and loading new policy
seutil_manage_src_policy(dpkg_t)
seutil_manage_bin_policy(dpkg_t)
sysnet_read_config(dpkg_t)
userdom_use_user_terminals(dpkg_t)
userdom_use_unpriv_users_fds(dpkg_t)
# transition to dpkg script:
dpkg_domtrans_script(dpkg_t)
# since the scripts aren't labeled correctly yet...
allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
optional_policy(`
apt_use_ptys(dpkg_t)
')
# TODO: allow?
#optional_policy(`
# cron_system_entry(dpkg_t,dpkg_exec_t)
#')
optional_policy(`
nis_use_ypbind(dpkg_t)
')
optional_policy(`
unconfined_domain(dpkg_t)
')
# TODO: the following was copied from dpkg_script_t, and could probably
# be removed again when dpkg_script_t is actually used...
domain_signal_all_domains(dpkg_t)
domain_signull_all_domains(dpkg_t)
files_read_etc_runtime_files(dpkg_t)
files_exec_usr_files(dpkg_t)
miscfiles_read_localization(dpkg_t)
modutils_domtrans_depmod(dpkg_t)
modutils_domtrans_insmod(dpkg_t)
seutil_domtrans_loadpolicy(dpkg_t)
seutil_domtrans_setfiles(dpkg_t)
userdom_use_all_users_fds(dpkg_t)
optional_policy(`
mta_send_mail(dpkg_t)
')
optional_policy(`
usermanage_domtrans_groupadd(dpkg_t)
usermanage_domtrans_useradd(dpkg_t)
')
########################################
#
# dpkg-script Local policy
#
# TODO: actually use dpkg_script_t
allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow dpkg_script_t self:fd use;
allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
allow dpkg_script_t self:unix_dgram_socket sendto;
allow dpkg_script_t self:unix_stream_socket connectto;
allow dpkg_script_t self:shm create_shm_perms;
allow dpkg_script_t self:sem create_sem_perms;
allow dpkg_script_t self:msgq create_msgq_perms;
allow dpkg_script_t self:msg { send receive };
allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })
allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms;
fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
kernel_read_kernel_sysctls(dpkg_script_t)
kernel_read_system_state(dpkg_script_t)
corecmd_exec_all_executables(dpkg_script_t)
dev_list_sysfs(dpkg_script_t)
# ideally we would not need this
dev_manage_generic_blk_files(dpkg_script_t)
dev_manage_generic_chr_files(dpkg_script_t)
dev_manage_all_blk_files(dpkg_script_t)
dev_manage_all_chr_files(dpkg_script_t)
domain_read_all_domains_state(dpkg_script_t)
domain_getattr_all_domains(dpkg_script_t)
domain_dontaudit_ptrace_all_domains(dpkg_script_t)
domain_use_interactive_fds(dpkg_script_t)
domain_signal_all_domains(dpkg_script_t)
domain_signull_all_domains(dpkg_script_t)
files_exec_etc_files(dpkg_script_t)
files_read_etc_runtime_files(dpkg_script_t)
files_exec_usr_files(dpkg_script_t)
fs_manage_nfs_files(dpkg_script_t)
fs_getattr_nfs(dpkg_script_t)
# why is this not using mount?
fs_getattr_xattr_fs(dpkg_script_t)
fs_mount_xattr_fs(dpkg_script_t)
fs_unmount_xattr_fs(dpkg_script_t)
fs_search_auto_mountpoints(dpkg_script_t)
mls_file_read_all_levels(dpkg_script_t)
mls_file_write_all_levels(dpkg_script_t)
selinux_get_fs_mount(dpkg_script_t)
selinux_validate_context(dpkg_script_t)
selinux_compute_access_vector(dpkg_script_t)
selinux_compute_create_context(dpkg_script_t)
selinux_compute_relabel_context(dpkg_script_t)
selinux_compute_user_contexts(dpkg_script_t)
storage_raw_read_fixed_disk(dpkg_script_t)
storage_raw_write_fixed_disk(dpkg_script_t)
term_use_all_terms(dpkg_script_t)
auth_dontaudit_getattr_shadow(dpkg_script_t)
# ideally we would not need this
auth_manage_all_files_except_auth_files(dpkg_script_t)
init_domtrans_script(dpkg_script_t)
init_use_script_fds(dpkg_script_t)
libs_exec_ld_so(dpkg_script_t)
libs_exec_lib_files(dpkg_script_t)
libs_domtrans_ldconfig(dpkg_script_t)
logging_send_syslog_msg(dpkg_script_t)
miscfiles_read_localization(dpkg_script_t)
modutils_domtrans_depmod(dpkg_script_t)
modutils_domtrans_insmod(dpkg_script_t)
seutil_domtrans_loadpolicy(dpkg_script_t)
seutil_domtrans_setfiles(dpkg_script_t)
userdom_use_all_users_fds(dpkg_script_t)
tunable_policy(`allow_execmem',`
allow dpkg_script_t self:process execmem;
')
optional_policy(`
apt_rw_pipes(dpkg_script_t)
apt_use_fds(dpkg_script_t)
')
optional_policy(`
bootloader_domtrans(dpkg_script_t)
')
optional_policy(`
mta_send_mail(dpkg_script_t)
')
optional_policy(`
nis_use_ypbind(dpkg_script_t)
')
optional_policy(`
unconfined_domain(dpkg_script_t)
')
optional_policy(`
usermanage_domtrans_groupadd(dpkg_script_t)
usermanage_domtrans_useradd(dpkg_script_t)
')


@ -1,3 +0,0 @@
/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)


@ -1,157 +0,0 @@
## <summary>
## Final system configuration run during the first boot
## after installation of Red Hat/Fedora systems.
## </summary>
########################################
## <summary>
## Execute firstboot in the firstboot domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`firstboot_domtrans',`
gen_require(`
type firstboot_t, firstboot_exec_t;
')
domtrans_pattern($1, firstboot_exec_t, firstboot_t)
')
########################################
## <summary>
## Execute firstboot in the firstboot domain, and
## allow the specified role the firstboot domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
#
interface(`firstboot_run',`
gen_require(`
type firstboot_t;
')
firstboot_domtrans($1)
role $2 types firstboot_t;
')
########################################
## <summary>
## Inherit and use a file descriptor from firstboot.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`firstboot_use_fds',`
gen_require(`
type firstboot_t;
')
allow $1 firstboot_t:fd use;
')
########################################
## <summary>
## Do not audit attempts to inherit a
## file descriptor from firstboot.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`firstboot_dontaudit_use_fds',`
gen_require(`
type firstboot_t;
')
dontaudit $1 firstboot_t:fd use;
')
########################################
## <summary>
## Write to a firstboot unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`firstboot_write_pipes',`
gen_require(`
type firstboot_t;
')
allow $1 firstboot_t:fifo_file write;
')
########################################
## <summary>
## Read and Write to a firstboot unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`firstboot_rw_pipes',`
gen_require(`
type firstboot_t;
')
allow $1 firstboot_t:fifo_file { read write };
')
########################################
## <summary>
## Do not audit attemps to read and write to a firstboot unnamed pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`firstboot_dontaudit_rw_pipes',`
gen_require(`
type firstboot_t;
')
dontaudit $1 firstboot_t:fifo_file { read write };
')
########################################
## <summary>
## Do not audit attemps to read and write to a firstboot
## unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`firstboot_dontaudit_rw_stream_sockets',`
gen_require(`
type firstboot_t;
')
dontaudit $1 firstboot_t:unix_stream_socket { read write };
')


@ -1,135 +0,0 @@
policy_module(firstboot, 1.12.0)
gen_require(`
class passwd rootok;
')
########################################
#
# Declarations
#
type firstboot_t;
type firstboot_exec_t;
init_system_domain(firstboot_t, firstboot_exec_t)
domain_obj_id_change_exemption(firstboot_t)
domain_subj_id_change_exemption(firstboot_t)
role system_r types firstboot_t;
type firstboot_etc_t;
files_config_file(firstboot_etc_t)
########################################
#
# Local policy
#
allow firstboot_t self:capability { dac_override setgid };
allow firstboot_t self:process setfscreate;
allow firstboot_t self:fifo_file rw_fifo_file_perms;
allow firstboot_t self:tcp_socket create_stream_socket_perms;
allow firstboot_t self:unix_stream_socket { connect create };
allow firstboot_t self:passwd rootok;
allow firstboot_t firstboot_etc_t:file read_file_perms;
kernel_read_system_state(firstboot_t)
kernel_read_kernel_sysctls(firstboot_t)
corenet_all_recvfrom_unlabeled(firstboot_t)
corenet_all_recvfrom_netlabel(firstboot_t)
corenet_tcp_sendrecv_generic_if(firstboot_t)
corenet_tcp_sendrecv_generic_node(firstboot_t)
corenet_tcp_sendrecv_all_ports(firstboot_t)
dev_read_urand(firstboot_t)
selinux_get_fs_mount(firstboot_t)
selinux_validate_context(firstboot_t)
selinux_compute_access_vector(firstboot_t)
selinux_compute_create_context(firstboot_t)
selinux_compute_relabel_context(firstboot_t)
selinux_compute_user_contexts(firstboot_t)
auth_dontaudit_getattr_shadow(firstboot_t)
corecmd_exec_all_executables(firstboot_t)
files_exec_etc_files(firstboot_t)
files_manage_etc_files(firstboot_t)
files_manage_etc_runtime_files(firstboot_t)
files_read_usr_files(firstboot_t)
files_manage_var_dirs(firstboot_t)
files_manage_var_files(firstboot_t)
files_manage_var_symlinks(firstboot_t)
init_domtrans_script(firstboot_t)
init_rw_utmp(firstboot_t)
libs_exec_ld_so(firstboot_t)
libs_exec_lib_files(firstboot_t)
locallogin_use_fds(firstboot_t)
logging_send_syslog_msg(firstboot_t)
miscfiles_read_localization(firstboot_t)
modutils_domtrans_insmod(firstboot_t)
modutils_domtrans_depmod(firstboot_t)
modutils_read_module_config(firstboot_t)
modutils_read_module_deps(firstboot_t)
userdom_use_user_terminals(firstboot_t)
# Add/remove user home directories
userdom_manage_user_home_content_dirs(firstboot_t)
userdom_manage_user_home_content_files(firstboot_t)
userdom_manage_user_home_content_symlinks(firstboot_t)
userdom_manage_user_home_content_pipes(firstboot_t)
userdom_manage_user_home_content_sockets(firstboot_t)
userdom_home_filetrans_user_home_dir(firstboot_t)
userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
optional_policy(`
consoletype_domtrans(firstboot_t)
')
optional_policy(`
dbus_system_bus_client(firstboot_t)
optional_policy(`
hal_dbus_chat(firstboot_t)
')
')
optional_policy(`
nis_use_ypbind(firstboot_t)
')
optional_policy(`
samba_rw_config(firstboot_t)
')
optional_policy(`
unconfined_domtrans(firstboot_t)
# The big hammer
unconfined_domain(firstboot_t)
')
optional_policy(`
usermanage_domtrans_chfn(firstboot_t)
usermanage_domtrans_groupadd(firstboot_t)
usermanage_domtrans_passwd(firstboot_t)
usermanage_domtrans_useradd(firstboot_t)
usermanage_domtrans_admin_passwd(firstboot_t)
')
optional_policy(`
gnome_manage_config(firstboot_t)
')
optional_policy(`
xserver_domtrans(firstboot_t)
xserver_rw_shm(firstboot_t)
xserver_unconfined(firstboot_t)
')


@ -1,5 +0,0 @@
/etc/kdump\.conf -- gen_context(system_u:object_r:kdump_etc_t,s0)
/etc/rc\.d/init\.d/kdump -- gen_context(system_u:object_r:kdump_initrc_exec_t,s0)
/sbin/kdump -- gen_context(system_u:object_r:kdump_exec_t,s0)
/sbin/kexec -- gen_context(system_u:object_r:kdump_exec_t,s0)


@ -1,111 +0,0 @@
## <summary>Kernel crash dumping mechanism</summary>
######################################
## <summary>
## Execute kdump in the kdump domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`kdump_domtrans',`
gen_require(`
type kdump_t, kdump_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, kdump_exec_t, kdump_t)
')
#######################################
## <summary>
## Execute kdump in the kdump domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`kdump_initrc_domtrans',`
gen_require(`
type kdump_initrc_exec_t;
')
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
')
#####################################
## <summary>
## Read kdump configuration file.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kdump_read_config',`
gen_require(`
type kdump_etc_t;
')
files_search_etc($1)
allow $1 kdump_etc_t:file read_file_perms;
')
####################################
## <summary>
## Manage kdump configuration file.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kdump_manage_config',`
gen_require(`
type kdump_etc_t;
')
files_search_etc($1)
allow $1 kdump_etc_t:file manage_file_perms;
')
######################################
## <summary>
## All of the rules required to administrate
## an kdump environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the kdump domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`kdump_admin',`
gen_require(`
type kdump_t, kdump_etc_t;
type kdump_initrc_exec_t;
')
allow $1 kdump_t:process { ptrace signal_perms };
ps_process_pattern($1, kdump_t)
init_labeled_script_domtrans($1, kdump_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 kdump_initrc_exec_t system_r;
allow $2 system_r;
files_search_etc($1)
admin_pattern($1, kdump_etc_t)
')


@ -1,38 +0,0 @@
policy_module(kdump, 1.2.0)
#######################################
#
# Declarations
#
type kdump_t;
type kdump_exec_t;
init_system_domain(kdump_t, kdump_exec_t)
type kdump_etc_t;
files_config_file(kdump_etc_t)
type kdump_initrc_exec_t;
init_script_file(kdump_initrc_exec_t)
#####################################
#
# kdump local policy
#
allow kdump_t self:capability { sys_boot dac_override };
read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t)
files_read_etc_runtime_files(kdump_t)
files_read_kernel_img(kdump_t)
kernel_read_system_state(kdump_t)
kernel_read_core_if(kdump_t)
kernel_read_debugfs(kdump_t)
kernel_request_load_module(kdump_t)
dev_read_framebuffer(kdump_t)
dev_read_sysfs(kdump_t)
term_use_console(kdump_t)


@ -1,6 +0,0 @@
HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0)
/usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
/var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0)
/var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
/var/run/kismet_server.pid -- gen_context(system_u:object_r:kismet_var_run_t,s0)


@ -1,247 +0,0 @@
## <summary>Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system.</summary>
########################################
## <summary>
## Execute a domain transition to run kismet.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`kismet_domtrans',`
gen_require(`
type kismet_t, kismet_exec_t;
')
domtrans_pattern($1, kismet_exec_t, kismet_t)
allow kismet_t $1:process signull;
')
########################################
## <summary>
## Execute kismet in the kismet domain, and
## allow the specified role the kismet domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
#
interface(`kismet_run',`
gen_require(`
type kismet_t;
')
kismet_domtrans($1)
role $2 types kismet_t;
')
########################################
## <summary>
## Read kismet PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kismet_read_pid_files',`
gen_require(`
type kismet_var_run_t;
')
allow $1 kismet_var_run_t:file read_file_perms;
files_search_pids($1)
')
########################################
## <summary>
## Manage kismet var_run files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kismet_manage_pid_files',`
gen_require(`
type kismet_var_run_t;
')
allow $1 kismet_var_run_t:file manage_file_perms;
files_search_pids($1)
')
########################################
## <summary>
## Search kismet lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kismet_search_lib',`
gen_require(`
type kismet_var_lib_t;
')
allow $1 kismet_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
')
########################################
## <summary>
## Read kismet lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kismet_read_lib_files',`
gen_require(`
type kismet_var_lib_t;
')
allow $1 kismet_var_lib_t:file read_file_perms;
allow $1 kismet_var_lib_t:dir list_dir_perms;
files_search_var_lib($1)
')
########################################
## <summary>
## Create, read, write, and delete
## kismet lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kismet_manage_lib_files',`
gen_require(`
type kismet_var_lib_t;
')
manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
files_search_var_lib($1)
')
########################################
## <summary>
## Manage kismet var_lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kismet_manage_lib',`
gen_require(`
type kismet_var_lib_t;
')
manage_dirs_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
manage_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
manage_lnk_files_pattern($1, kismet_var_lib_t, kismet_var_lib_t)
')
########################################
## <summary>
## Allow the specified domain to read kismet's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kismet_read_log',`
gen_require(`
type kismet_log_t;
')
logging_search_logs($1)
read_files_pattern($1, kismet_log_t, kismet_log_t)
')
########################################
## <summary>
## Allow the specified domain to append
## kismet log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kismet_append_log',`
gen_require(`
type kismet_log_t;
')
logging_search_logs($1)
append_files_pattern($1, kismet_log_t, kismet_log_t)
')
########################################
## <summary>
## Allow domain to manage kismet log files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kismet_manage_log',`
gen_require(`
type kismet_log_t;
')
manage_dirs_pattern($1, kismet_log_t, kismet_log_t)
manage_files_pattern($1, kismet_log_t, kismet_log_t)
manage_lnk_files_pattern($1, kismet_log_t, kismet_log_t)
logging_search_logs($1)
')
########################################
## <summary>
## All of the rules required to administrate an kismet environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kismet_admin',`
gen_require(`
type kismet_t;
')
ps_process_pattern($1, kismet_t)
allow $1 kismet_t:process { ptrace signal_perms };
kismet_manage_pid_files($1)
kismet_manage_lib($1)
kismet_manage_log($1)
')


@ -1,101 +0,0 @@
policy_module(kismet, 1.6.0)
########################################
#
# Declarations
#
type kismet_t;
type kismet_exec_t;
application_domain(kismet_t, kismet_exec_t)
role system_r types kismet_t;
type kismet_home_t;
userdom_user_home_content(kismet_home_t)
type kismet_log_t;
logging_log_file(kismet_log_t)
type kismet_tmp_t;
files_tmp_file(kismet_tmp_t)
type kismet_tmpfs_t;
files_tmp_file(kismet_tmpfs_t)
type kismet_var_lib_t;
files_type(kismet_var_lib_t)
type kismet_var_run_t;
files_pid_file(kismet_var_run_t)
########################################
#
# kismet local policy
#
allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
allow kismet_t self:process signal_perms;
allow kismet_t self:fifo_file rw_file_perms;
allow kismet_t self:packet_socket create_socket_perms;
allow kismet_t self:unix_dgram_socket { create_socket_perms sendto };
allow kismet_t self:unix_stream_socket create_stream_socket_perms;
allow kismet_t self:tcp_socket create_stream_socket_perms;
manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
userdom_search_user_home_dirs(kismet_t)
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
allow kismet_t kismet_log_t:dir setattr;
logging_log_filetrans(kismet_t, kismet_log_t, { file dir })
manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
manage_sock_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir sock_file })
manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file })
allow kismet_t kismet_var_lib_t:file manage_file_perms;
allow kismet_t kismet_var_lib_t:dir manage_dir_perms;
files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir })
allow kismet_t kismet_var_run_t:file manage_file_perms;
allow kismet_t kismet_var_run_t:dir manage_dir_perms;
files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
kernel_search_debugfs(kismet_t)
kernel_read_system_state(kismet_t)
kernel_read_network_state(kismet_t)
corecmd_exec_bin(kismet_t)
corenet_all_recvfrom_unlabeled(kismet_t)
corenet_all_recvfrom_netlabel(kismet_t)
corenet_tcp_sendrecv_generic_if(kismet_t)
corenet_tcp_sendrecv_generic_node(kismet_t)
corenet_tcp_sendrecv_all_ports(kismet_t)
corenet_tcp_bind_generic_node(kismet_t)
corenet_tcp_bind_kismet_port(kismet_t)
corenet_tcp_connect_kismet_port(kismet_t)
corenet_tcp_connect_pulseaudio_port(kismet_t)
auth_use_nsswitch(kismet_t)
files_read_etc_files(kismet_t)
files_read_usr_files(kismet_t)
miscfiles_read_localization(kismet_t)
userdom_use_user_terminals(kismet_t)
userdom_read_user_tmpfs_files(kismet_t)
optional_policy(`
dbus_system_bus_client(kismet_t)
networkmanager_dbus_chat(kismet_t)
')


@ -1,5 +0,0 @@
/sbin/kmodule -- gen_context(system_u:object_r:kudzu_exec_t,s0)
/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)
/usr/sbin/kudzu -- gen_context(system_u:object_r:kudzu_exec_t,s0)


@ -1,64 +0,0 @@
## <summary>Hardware detection and configuration tools</summary>
########################################
## <summary>
## Execute kudzu in the kudzu domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`kudzu_domtrans',`
gen_require(`
type kudzu_t, kudzu_exec_t;
')
domtrans_pattern($1, kudzu_exec_t, kudzu_t)
')
########################################
## <summary>
## Execute kudzu in the kudzu domain, and
## allow the specified role the kudzu domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kudzu_run',`
gen_require(`
type kudzu_t;
')
kudzu_domtrans($1)
role $2 types kudzu_t;
')
########################################
## <summary>
## Get attributes of kudzu executable.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
# cjp: added for ddcprobe
interface(`kudzu_getattr_exec_files',`
gen_require(`
type kudzu_exec_t;
')
allow $1 kudzu_exec_t:file getattr;
')


@ -1,145 +0,0 @@
policy_module(kudzu, 1.8.0)
########################################
#
# Declarations
#
type kudzu_t;
type kudzu_exec_t;
init_system_domain(kudzu_t, kudzu_exec_t)
type kudzu_tmp_t;
files_tmp_file(kudzu_tmp_t)
type kudzu_var_run_t;
files_pid_file(kudzu_var_run_t)
########################################
#
# Local policy
#
allow kudzu_t self:capability { dac_override sys_admin sys_ptrace sys_rawio net_admin sys_tty_config mknod };
dontaudit kudzu_t self:capability sys_tty_config;
allow kudzu_t self:process { signal_perms execmem };
allow kudzu_t self:fifo_file rw_fifo_file_perms;
allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow kudzu_t self:unix_dgram_socket create_socket_perms;
allow kudzu_t self:udp_socket { create ioctl };
manage_dirs_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
manage_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
manage_chr_files_pattern(kudzu_t, kudzu_tmp_t, kudzu_tmp_t)
files_tmp_filetrans(kudzu_t, kudzu_tmp_t, { file dir chr_file })
manage_dirs_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t)
manage_files_pattern(kudzu_t, kudzu_var_run_t, kudzu_var_run_t)
files_pid_filetrans(kudzu_t, kudzu_var_run_t, file)
kernel_change_ring_buffer_level(kudzu_t)
kernel_list_proc(kudzu_t)
kernel_read_device_sysctls(kudzu_t)
kernel_read_kernel_sysctls(kudzu_t)
kernel_read_proc_symlinks(kudzu_t)
kernel_read_network_state(kudzu_t)
kernel_read_system_state(kudzu_t)
kernel_rw_hotplug_sysctls(kudzu_t)
kernel_rw_kernel_sysctl(kudzu_t)
files_read_kernel_modules(kudzu_t)
dev_list_sysfs(kudzu_t)
dev_read_usbfs(kudzu_t)
dev_read_sysfs(kudzu_t)
dev_rx_raw_memory(kudzu_t)
dev_wx_raw_memory(kudzu_t)
dev_rw_mouse(kudzu_t)
dev_rwx_zero(kudzu_t)
fs_search_auto_mountpoints(kudzu_t)
fs_search_ramfs(kudzu_t)
fs_write_ramfs_sockets(kudzu_t)
mls_file_read_all_levels(kudzu_t)
mls_file_write_all_levels(kudzu_t)
storage_read_scsi_generic(kudzu_t)
storage_read_tape(kudzu_t)
storage_raw_write_fixed_disk(kudzu_t)
storage_raw_write_removable_device(kudzu_t)
storage_raw_read_fixed_disk(kudzu_t)
storage_raw_read_removable_device(kudzu_t)
term_dontaudit_use_console(kudzu_t)
# so it can write messages to the console
term_use_unallocated_ttys(kudzu_t)
corecmd_exec_all_executables(kudzu_t)
domain_use_interactive_fds(kudzu_t)
files_search_var(kudzu_t)
files_search_locks(kudzu_t)
files_manage_etc_files(kudzu_t)
files_manage_etc_runtime_files(kudzu_t)
files_etc_filetrans_etc_runtime(kudzu_t, file)
files_manage_mnt_files(kudzu_t)
files_manage_mnt_symlinks(kudzu_t)
files_dontaudit_search_src(kudzu_t)
# Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
files_read_usr_files(kudzu_t)
# for /etc/sysconfig/hwconf - probably need a new type
files_rw_etc_runtime_files(kudzu_t)
# for file systems that are not yet mounted
files_dontaudit_search_isid_type_dirs(kudzu_t)
init_use_fds(kudzu_t)
init_use_script_ptys(kudzu_t)
init_stream_connect_script(kudzu_t)
init_read_state(kudzu_t)
init_ptrace(kudzu_t)
# kudzu will telinit to make init re-read
# the inittab after configuring serial consoles
init_telinit(kudzu_t)
# Read /usr/lib/gconv/gconv-modules.*
libs_read_lib_files(kudzu_t)
logging_send_syslog_msg(kudzu_t)
miscfiles_read_hwdata(kudzu_t)
miscfiles_read_localization(kudzu_t)
modutils_read_module_config(kudzu_t)
modutils_read_module_deps(kudzu_t)
modutils_rename_module_config(kudzu_t)
modutils_delete_module_config(kudzu_t)
modutils_domtrans_insmod(kudzu_t)
sysnet_read_config(kudzu_t)
userdom_use_user_terminals(kudzu_t)
userdom_dontaudit_use_unpriv_user_fds(kudzu_t)
userdom_search_user_home_dirs(kudzu_t)
optional_policy(`
gpm_getattr_gpmctl(kudzu_t)
')
optional_policy(`
nscd_socket_use(kudzu_t)
')
optional_policy(`
seutil_sigchld_newrole(kudzu_t)
')
optional_policy(`
udev_read_db(kudzu_t)
')
optional_policy(`
unconfined_domtrans(kudzu_t)
unconfined_domain(kudzu_t)
')


@ -1,9 +0,0 @@
/etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
/usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
ifdef(`distro_debian', `
/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
', `
/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
')


@ -1,120 +0,0 @@
## <summary>Rotate and archive system logs</summary>
########################################
## <summary>
## Execute logrotate in the logrotate domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`logrotate_domtrans',`
gen_require(`
type logrotate_t, logrotate_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, logrotate_exec_t, logrotate_t)
')
########################################
## <summary>
## Execute logrotate in the logrotate domain, and
## allow the specified role the logrotate domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`logrotate_run',`
gen_require(`
type logrotate_t;
')
logrotate_domtrans($1)
role $2 types logrotate_t;
')
########################################
## <summary>
## Execute logrotate in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logrotate_exec',`
gen_require(`
type logrotate_exec_t;
')
corecmd_search_bin($1)
can_exec($1, logrotate_exec_t)
')
########################################
## <summary>
## Inherit and use logrotate file descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logrotate_use_fds',`
gen_require(`
type logrotate_t;
')
allow $1 logrotate_t:fd use;
')
########################################
## <summary>
## Do not audit attempts to inherit logrotate file descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`logrotate_dontaudit_use_fds',`
gen_require(`
type logrotate_t;
')
dontaudit $1 logrotate_t:fd use;
')
########################################
## <summary>
## Read a logrotate temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logrotate_read_tmp_files',`
gen_require(`
type logrotate_tmp_t;
')
files_search_tmp($1)
allow $1 logrotate_tmp_t:file read_file_perms;
')


@ -1,230 +0,0 @@
policy_module(logrotate, 1.14.0)
########################################
#
# Declarations
#
type logrotate_t;
domain_type(logrotate_t)
domain_obj_id_change_exemption(logrotate_t)
domain_system_change_exemption(logrotate_t)
role system_r types logrotate_t;
type logrotate_exec_t;
domain_entry_file(logrotate_t, logrotate_exec_t)
type logrotate_lock_t;
files_lock_file(logrotate_lock_t)
type logrotate_tmp_t;
files_tmp_file(logrotate_tmp_t)
type logrotate_var_lib_t;
files_type(logrotate_var_lib_t)
########################################
#
# Local policy
#
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
# for mailx
dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
# Set a context other than the default one for newly created files.
allow logrotate_t self:process setfscreate;
allow logrotate_t self:fd use;
allow logrotate_t self:fifo_file rw_fifo_file_perms;
allow logrotate_t self:unix_dgram_socket create_socket_perms;
allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
allow logrotate_t self:unix_dgram_socket sendto;
allow logrotate_t self:unix_stream_socket connectto;
allow logrotate_t self:shm create_shm_perms;
allow logrotate_t self:sem create_sem_perms;
allow logrotate_t self:msgq create_msgq_perms;
allow logrotate_t self:msg { send receive };
allow logrotate_t logrotate_lock_t:file manage_file_perms;
files_lock_filetrans(logrotate_t, logrotate_lock_t, file)
can_exec(logrotate_t, logrotate_tmp_t)
manage_dirs_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
manage_files_pattern(logrotate_t, logrotate_tmp_t, logrotate_tmp_t)
files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
# for /var/lib/logrotate.status and /var/lib/logcheck
create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
kernel_read_system_state(logrotate_t)
kernel_read_kernel_sysctls(logrotate_t)
dev_read_urand(logrotate_t)
fs_search_auto_mountpoints(logrotate_t)
fs_getattr_xattr_fs(logrotate_t)
fs_list_inotifyfs(logrotate_t)
mls_file_read_all_levels(logrotate_t)
mls_file_write_all_levels(logrotate_t)
mls_file_upgrade(logrotate_t)
selinux_get_fs_mount(logrotate_t)
selinux_get_enforce_mode(logrotate_t)
auth_manage_login_records(logrotate_t)
auth_use_nsswitch(logrotate_t)
# Run helper programs.
corecmd_exec_bin(logrotate_t)
corecmd_exec_shell(logrotate_t)
domain_signal_all_domains(logrotate_t)
domain_use_interactive_fds(logrotate_t)
domain_getattr_all_entry_files(logrotate_t)
# Read /proc/PID directories for all domains.
domain_read_all_domains_state(logrotate_t)
files_read_usr_files(logrotate_t)
files_read_etc_files(logrotate_t)
files_read_etc_runtime_files(logrotate_t)
files_read_all_pids(logrotate_t)
files_search_all(logrotate_t)
files_read_var_lib_files(logrotate_t)
# Write to /var/spool/slrnpull - should be moved into its own type.
files_manage_generic_spool(logrotate_t)
files_manage_generic_spool_dirs(logrotate_t)
files_getattr_generic_locks(logrotate_t)
# cjp: why is this needed?
init_domtrans_script(logrotate_t)
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
logging_send_audit_msgs(logrotate_t)
# cjp: why is this needed?
logging_exec_all_logs(logrotate_t)
miscfiles_read_localization(logrotate_t)
seutil_dontaudit_read_config(logrotate_t)
userdom_use_user_terminals(logrotate_t)
userdom_list_user_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t)
cron_system_entry(logrotate_t, logrotate_exec_t)
cron_search_spool(logrotate_t)
mta_send_mail(logrotate_t)
ifdef(`distro_debian', `
allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
# for savelog
can_exec(logrotate_t, logrotate_exec_t)
# for syslogd-listfiles
logging_read_syslog_config(logrotate_t)
# for "test -x /sbin/syslogd"
logging_check_exec_syslog(logrotate_t)
')
optional_policy(`
abrt_cache_manage(logrotate_t)
')
optional_policy(`
acct_domtrans(logrotate_t)
acct_manage_data(logrotate_t)
acct_exec_data(logrotate_t)
')
optional_policy(`
apache_read_config(logrotate_t)
apache_domtrans(logrotate_t)
apache_signull(logrotate_t)
')
optional_policy(`
asterisk_domtrans(logrotate_t)
')
optional_policy(`
bind_manage_cache(logrotate_t)
')
optional_policy(`
consoletype_exec(logrotate_t)
')
optional_policy(`
cups_domtrans(logrotate_t)
')
optional_policy(`
fail2ban_stream_connect(logrotate_t)
')
optional_policy(`
hostname_exec(logrotate_t)
')
optional_policy(`
icecast_signal(logrotate_t)
')
optional_policy(`
mailman_domtrans(logrotate_t)
mailman_search_data(logrotate_t)
mailman_manage_log(logrotate_t)
')
optional_policy(`
munin_read_config(logrotate_t)
munin_stream_connect(logrotate_t)
munin_search_lib(logrotate_t)
')
optional_policy(`
mysql_read_config(logrotate_t)
mysql_search_db(logrotate_t)
mysql_stream_connect(logrotate_t)
')
optional_policy(`
psad_domtrans(logrotate_t)
')
optional_policy(`
samba_exec_log(logrotate_t)
')
optional_policy(`
sssd_domtrans(logrotate_t)
')
optional_policy(`
slrnpull_manage_spool(logrotate_t)
')
optional_policy(`
squid_domtrans(logrotate_t)
')
optional_policy(`
#Red Hat bug 564565
su_exec(logrotate_t)
')
optional_policy(`
varnishd_manage_log(logrotate_t)
')


@ -1,7 +0,0 @@
/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
/var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0)


@ -1,38 +0,0 @@
## <summary>System log analyzer and reporter</summary>
########################################
## <summary>
## Read logwatch temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logwatch_read_tmp_files',`
gen_require(`
type logwatch_tmp_t;
')
files_search_tmp($1)
allow $1 logwatch_tmp_t:file read_file_perms;
')
########################################
## <summary>
## Search logwatch cache directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logwatch_search_cache_dir',`
gen_require(`
type logwatch_cache_t;
')
allow $1 logwatch_cache_t:dir search_dir_perms;
')


@ -1,147 +0,0 @@
policy_module(logwatch, 1.11.0)
#################################
#
# Declarations
#
type logwatch_t;
type logwatch_exec_t;
application_domain(logwatch_t, logwatch_exec_t)
role system_r types logwatch_t;
type logwatch_cache_t;
files_type(logwatch_cache_t)
type logwatch_lock_t;
files_lock_file(logwatch_lock_t)
type logwatch_tmp_t;
files_tmp_file(logwatch_tmp_t)
########################################
#
# Local policy
#
allow logwatch_t self:capability { dac_override dac_read_search setgid };
allow logwatch_t self:process signal;
allow logwatch_t self:fifo_file rw_file_perms;
allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t)
allow logwatch_t logwatch_lock_t:file manage_file_perms;
files_lock_filetrans(logwatch_t, logwatch_lock_t, file)
manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t)
files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
kernel_read_fs_sysctls(logwatch_t)
kernel_read_kernel_sysctls(logwatch_t)
kernel_read_system_state(logwatch_t)
kernel_read_net_sysctls(logwatch_t)
kernel_read_network_state(logwatch_t)
corecmd_exec_bin(logwatch_t)
corecmd_exec_shell(logwatch_t)
dev_read_urand(logwatch_t)
dev_read_sysfs(logwatch_t)
# Read /proc/PID directories for all domains.
domain_read_all_domains_state(logwatch_t)
files_list_var(logwatch_t)
files_read_var_symlinks(logwatch_t)
files_read_etc_files(logwatch_t)
files_read_etc_runtime_files(logwatch_t)
files_read_usr_files(logwatch_t)
files_search_spool(logwatch_t)
files_search_mnt(logwatch_t)
files_dontaudit_search_home(logwatch_t)
files_dontaudit_search_boot(logwatch_t)
# Execs df and if file system mounted with a context avc raised
files_dontaudit_search_all_dirs(logwatch_t)
fs_getattr_all_fs(logwatch_t)
fs_dontaudit_list_auto_mountpoints(logwatch_t)
fs_list_inotifyfs(logwatch_t)
term_dontaudit_getattr_pty_dirs(logwatch_t)
term_dontaudit_list_ptys(logwatch_t)
auth_use_nsswitch(logwatch_t)
auth_dontaudit_read_shadow(logwatch_t)
init_read_utmp(logwatch_t)
init_dontaudit_write_utmp(logwatch_t)
libs_read_lib_files(logwatch_t)
logging_read_all_logs(logwatch_t)
logging_send_syslog_msg(logwatch_t)
miscfiles_read_localization(logwatch_t)
selinux_dontaudit_getattr_dir(logwatch_t)
sysnet_dns_name_resolve(logwatch_t)
sysnet_exec_ifconfig(logwatch_t)
userdom_dontaudit_search_user_home_dirs(logwatch_t)
mta_send_mail(logwatch_t)
ifdef(`distro_redhat',`
files_search_all(logwatch_t)
files_getattr_all_file_type_fs(logwatch_t)
')
tunable_policy(`use_nfs_home_dirs',`
fs_list_nfs(logwatch_t)
')
tunable_policy(`use_samba_home_dirs',`
fs_list_cifs(logwatch_t)
')
optional_policy(`
apache_read_log(logwatch_t)
')
optional_policy(`
avahi_dontaudit_search_pid(logwatch_t)
')
optional_policy(`
bind_read_config(logwatch_t)
bind_read_zone(logwatch_t)
')
optional_policy(`
cron_system_entry(logwatch_t, logwatch_exec_t)
')
optional_policy(`
hostname_exec(logwatch_t)
')
optional_policy(`
mta_getattr_spool(logwatch_t)
')
optional_policy(`
ntp_domtrans(logwatch_t)
')
optional_policy(`
rpc_search_nfs_state_data(logwatch_t)
')
optional_policy(`
samba_read_log(logwatch_t)
samba_read_share_files(logwatch_t)
')


@ -1 +0,0 @@
/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)


@ -1,20 +0,0 @@
## <summary>policy for mcelog</summary>
########################################
## <summary>
## Execute a domain transition to run mcelog.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`mcelog_domtrans',`
gen_require(`
type mcelog_t, mcelog_exec_t;
')
domtrans_pattern($1, mcelog_exec_t, mcelog_t)
')


@ -1,32 +0,0 @@
policy_module(mcelog, 1.1.0)
########################################
#
# Declarations
#
type mcelog_t;
type mcelog_exec_t;
application_domain(mcelog_t, mcelog_exec_t)
cron_system_entry(mcelog_t, mcelog_exec_t)
########################################
#
# mcelog local policy
#
allow mcelog_t self:capability sys_admin;
kernel_read_system_state(mcelog_t)
dev_read_raw_memory(mcelog_t)
dev_read_kmsg(mcelog_t)
files_read_etc_files(mcelog_t)
# for /dev/mem access
mls_file_read_all_levels(mcelog_t)
logging_send_syslog_msg(mcelog_t)
miscfiles_read_localization(mcelog_t)


@ -1,18 +0,0 @@
#
# /etc
#
/etc/mrtg.* gen_context(system_u:object_r:mrtg_etc_t,s0)
#
# /usr
#
/usr/bin/mrtg -- gen_context(system_u:object_r:mrtg_exec_t,s0)
/etc/mrtg/mrtg\.ok -- gen_context(system_u:object_r:mrtg_lock_t,s0)
#
# /var
#
/var/lib/mrtg(/.*)? gen_context(system_u:object_r:mrtg_var_lib_t,s0)
/var/lock/mrtg(/.*)? gen_context(system_u:object_r:mrtg_lock_t,s0)
/var/log/mrtg(/.*)? gen_context(system_u:object_r:mrtg_log_t,s0)
/var/run/mrtg\.pid gen_context(system_u:object_r:mrtg_var_run_t,s0)


@ -1,20 +0,0 @@
## <summary>Network traffic graphing</summary>
########################################
## <summary>
## Create and append mrtg logs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`mrtg_append_create_logs',`
gen_require(`
type mrtg_log_t;
')
append_files_pattern($1, mrtg_log_t, mrtg_log_t)
create_files_pattern($1, mrtg_log_t, mrtg_log_t)
')


@ -1,160 +0,0 @@
policy_module(mrtg, 1.8.0)
########################################
#
# Declarations
#
type mrtg_t;
type mrtg_exec_t;
init_system_domain(mrtg_t, mrtg_exec_t)
type mrtg_etc_t;
files_config_file(mrtg_etc_t)
type mrtg_lock_t;
files_lock_file(mrtg_lock_t)
type mrtg_log_t;
logging_log_file(mrtg_log_t)
type mrtg_var_lib_t;
files_type(mrtg_var_lib_t)
type mrtg_var_run_t;
files_pid_file(mrtg_var_run_t)
########################################
#
# Local policy
#
allow mrtg_t self:capability { setgid setuid chown };
dontaudit mrtg_t self:capability sys_tty_config;
allow mrtg_t self:process signal_perms;
allow mrtg_t self:fifo_file rw_fifo_file_perms;
allow mrtg_t self:unix_stream_socket create_socket_perms;
allow mrtg_t self:tcp_socket create_socket_perms;
allow mrtg_t self:udp_socket create_socket_perms;
allow mrtg_t mrtg_etc_t:dir list_dir_perms;
read_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
read_lnk_files_pattern(mrtg_t, mrtg_etc_t, mrtg_etc_t)
dontaudit mrtg_t mrtg_etc_t:dir write;
dontaudit mrtg_t mrtg_etc_t:file { write ioctl };
manage_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
manage_lnk_files_pattern(mrtg_t, mrtg_lock_t, mrtg_lock_t)
manage_files_pattern(mrtg_t, mrtg_log_t, mrtg_log_t)
logging_log_filetrans(mrtg_t, mrtg_log_t, { file dir })
manage_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
manage_lnk_files_pattern(mrtg_t, mrtg_var_lib_t, mrtg_var_lib_t)
allow mrtg_t mrtg_var_run_t:file manage_file_perms;
files_pid_filetrans(mrtg_t, mrtg_var_run_t, file)
kernel_read_system_state(mrtg_t)
kernel_read_network_state(mrtg_t)
kernel_read_kernel_sysctls(mrtg_t)
corecmd_exec_bin(mrtg_t)
corecmd_exec_shell(mrtg_t)
corenet_all_recvfrom_unlabeled(mrtg_t)
corenet_all_recvfrom_netlabel(mrtg_t)
corenet_tcp_sendrecv_generic_if(mrtg_t)
corenet_udp_sendrecv_generic_if(mrtg_t)
corenet_tcp_sendrecv_generic_node(mrtg_t)
corenet_udp_sendrecv_generic_node(mrtg_t)
corenet_tcp_sendrecv_all_ports(mrtg_t)
corenet_udp_sendrecv_all_ports(mrtg_t)
corenet_tcp_connect_all_ports(mrtg_t)
corenet_sendrecv_all_client_packets(mrtg_t)
dev_read_sysfs(mrtg_t)
dev_read_urand(mrtg_t)
domain_use_interactive_fds(mrtg_t)
domain_dontaudit_search_all_domains_state(mrtg_t)
files_read_usr_files(mrtg_t)
files_search_var(mrtg_t)
files_search_locks(mrtg_t)
files_search_var_lib(mrtg_t)
files_search_spool(mrtg_t)
files_getattr_tmp_dirs(mrtg_t)
# for uptime
files_read_etc_runtime_files(mrtg_t)
# read config files
files_read_etc_files(mrtg_t)
fs_search_auto_mountpoints(mrtg_t)
fs_getattr_xattr_fs(mrtg_t)
fs_list_inotifyfs(mrtg_t)
term_dontaudit_use_console(mrtg_t)
init_use_fds(mrtg_t)
init_use_script_ptys(mrtg_t)
# for uptime
init_read_utmp(mrtg_t)
init_dontaudit_write_utmp(mrtg_t)
auth_use_nsswitch(mrtg_t)
libs_read_lib_files(mrtg_t)
logging_send_syslog_msg(mrtg_t)
miscfiles_read_localization(mrtg_t)
selinux_dontaudit_getattr_dir(mrtg_t)
userdom_use_user_terminals(mrtg_t)
userdom_dontaudit_read_user_home_content_files(mrtg_t)
userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
netutils_domtrans_ping(mrtg_t)
ifdef(`enable_mls',`
corenet_udp_sendrecv_lo_if(mrtg_t)
')
ifdef(`distro_redhat',`
allow mrtg_t mrtg_lock_t:file manage_file_perms;
filetrans_pattern(mrtg_t, mrtg_etc_t, mrtg_lock_t, file)
')
optional_policy(`
apache_manage_sys_content(mrtg_t)
')
optional_policy(`
cron_system_entry(mrtg_t, mrtg_exec_t)
')
optional_policy(`
hostname_exec(mrtg_t)
')
optional_policy(`
hddtemp_domtrans(mrtg_t)
')
optional_policy(`
seutil_sigchld_newrole(mrtg_t)
')
optional_policy(`
quota_dontaudit_getattr_db(mrtg_t)
')
optional_policy(`
snmp_read_snmp_var_lib_files(mrtg_t)
')
optional_policy(`
udev_read_db(mrtg_t)
')


@ -1 +0,0 @@
/usr/bin/ncftool -- gen_context(system_u:object_r:ncftool_exec_t,s0)


@ -1,48 +0,0 @@
## <summary>Netcf network configuration tool (ncftool).</summary>
########################################
## <summary>
## Execute a domain transition to run ncftool.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`ncftool_domtrans',`
gen_require(`
type ncftool_t, ncftool_exec_t;
')
domtrans_pattern($1, ncftool_exec_t, ncftool_t)
')
########################################
## <summary>
## Execute ncftool in the ncftool domain, and
## allow the specified role the ncftool domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the ncftool domain.
## </summary>
## </param>
#
interface(`ncftool_run',`
gen_require(`
type ncftool_t;
')
ncftool_domtrans($1)
role $2 types ncftool_t;
optional_policy(`
brctl_run(ncftool_t, $2)
')
')


@ -1,78 +0,0 @@
policy_module(ncftool, 1.0.0)
########################################
#
# Declarations
#
type ncftool_t;
type ncftool_exec_t;
application_domain(ncftool_t, ncftool_exec_t)
domain_obj_id_change_exemption(ncftool_t)
domain_system_change_exemption(ncftool_t)
role system_r types ncftool_t;
########################################
#
# ncftool local policy
#
allow ncftool_t self:capability { net_admin sys_ptrace };
allow ncftool_t self:process signal;
allow ncftool_t self:fifo_file manage_fifo_file_perms;
allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
allow ncftool_t self:tcp_socket create_stream_socket_perms;
allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
kernel_read_kernel_sysctls(ncftool_t)
kernel_read_modprobe_sysctls(ncftool_t)
kernel_read_network_state(ncftool_t)
kernel_read_system_state(ncftool_t)
kernel_request_load_module(ncftool_t)
kernel_rw_net_sysctls(ncftool_t)
corecmd_exec_bin(ncftool_t)
corecmd_exec_shell(ncftool_t)
domain_read_all_domains_state(ncftool_t)
dev_read_sysfs(ncftool_t)
files_read_etc_files(ncftool_t)
files_read_etc_runtime_files(ncftool_t)
files_read_usr_files(ncftool_t)
miscfiles_read_localization(ncftool_t)
sysnet_delete_dhcpc_pid(ncftool_t)
sysnet_domtrans_dhcpc(ncftool_t)
sysnet_domtrans_ifconfig(ncftool_t)
sysnet_etc_filetrans_config(ncftool_t)
sysnet_manage_config(ncftool_t)
sysnet_read_dhcpc_state(ncftool_t)
sysnet_read_dhcpc_pid(ncftool_t)
sysnet_signal_dhcpc(ncftool_t)
userdom_use_user_terminals(ncftool_t)
userdom_read_user_tmp_files(ncftool_t)
optional_policy(`
consoletype_exec(ncftool_t)
')
optional_policy(`
dbus_system_bus_client(ncftool_t)
')
optional_policy(`
iptables_initrc_domtrans(ncftool_t)
')
optional_policy(`
modutils_read_module_config(ncftool_t)
modutils_domtrans_insmod(ncftool_t)
')
optional_policy(`
netutils_domtrans(ncftool_t)
')


@ -1,11 +0,0 @@
/usr/lib/ruby/gems/.*/passenger-.*/ext/apache2/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:passenger_exec_t,s0)
/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerWatchdog -- gen_context(system_u:object_r:passenger_exec_t,s0)
/usr/lib/ruby/gems/.*/passenger-.*/agents/PassengerLoggingAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
/usr/lib/ruby/gems/.*/passenger-.*/agents/apache2/PassengerHelperAgent -- gen_context(system_u:object_r:passenger_exec_t,s0)
/var/lib/passenger(/.*)? gen_context(system_u:object_r:passenger_var_lib_t,s0)
/var/log/passenger(/.*)? gen_context(system_u:object_r:passenger_log_t,s0)
/var/log/passenger.* -- gen_context(system_u:object_r:passenger_log_t,s0)
/var/run/passenger(/.*)? gen_context(system_u:object_r:passenger_var_run_t,s0)


@ -1,39 +0,0 @@
## <summary>Ruby on rails deployment for Apache and Nginx servers.</summary>
######################################
## <summary>
## Execute passenger in the passenger domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`passenger_domtrans',`
gen_require(`
type passenger_t, passenger_exec_t;
')
domtrans_pattern($1, passenger_exec_t, passenger_t)
')
########################################
## <summary>
## Read passenger lib files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`passenger_read_lib_files',`
gen_require(`
type passenger_var_lib_t;
')
read_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
read_lnk_files_pattern($1, passenger_var_lib_t, passenger_var_lib_t)
files_search_var_lib($1)
')


@ -1,77 +0,0 @@
policy_module(passanger, 1.0.0)
########################################
#
# Declarations
#
type passenger_t;
type passenger_exec_t;
domain_type(passenger_t)
domain_entry_file(passenger_t, passenger_exec_t)
role system_r types passenger_t;
type passenger_log_t;
logging_log_file(passenger_log_t)
type passenger_tmp_t;
files_tmp_file(passenger_tmp_t)
type passenger_var_lib_t;
files_type(passenger_var_lib_t)
type passenger_var_run_t;
files_pid_file(passenger_var_run_t)
########################################
#
# passanger local policy
#
allow passenger_t self:capability { chown dac_override fsetid fowner kill setuid setgid sys_nice };
allow passenger_t self:process { setpgid setsched sigkill signal };
allow passenger_t self:fifo_file rw_fifo_file_perms;
allow passenger_t self:unix_stream_socket { create_stream_socket_perms connectto };
can_exec(passenger_t, passenger_exec_t)
manage_dirs_pattern(passenger_t, passenger_log_t, passenger_log_t)
manage_files_pattern(passenger_t, passenger_log_t, passenger_log_t)
logging_log_filetrans(passenger_t, passenger_log_t, file)
manage_dirs_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
manage_files_pattern(passenger_t, passenger_var_lib_t, passenger_var_lib_t)
files_search_var_lib(passenger_t)
manage_dirs_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_fifo_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
manage_sock_files_pattern(passenger_t, passenger_var_run_t, passenger_var_run_t)
files_pid_filetrans(passenger_t, passenger_var_run_t, { file dir sock_file })
kernel_read_system_state(passenger_t)
kernel_read_kernel_sysctls(passenger_t)
corenet_all_recvfrom_netlabel(passenger_t)
corenet_all_recvfrom_unlabeled(passenger_t)
corenet_tcp_sendrecv_generic_if(passenger_t)
corenet_tcp_sendrecv_generic_node(passenger_t)
corenet_tcp_connect_http_port(passenger_t)
corecmd_exec_bin(passenger_t)
corecmd_exec_shell(passenger_t)
dev_read_urand(passenger_t)
files_read_etc_files(passenger_t)
auth_use_nsswitch(passenger_t)
miscfiles_read_localization(passenger_t)
userdom_dontaudit_use_user_terminals(passenger_t)
optional_policy(`
apache_append_log(passenger_t)
apache_read_sys_content(passenger_t)
')


@ -1,33 +0,0 @@
/etc/make\.conf -- gen_context(system_u:object_r:portage_conf_t,s0)
/etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
/etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0)
/usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0)
/usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
/usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage/distfiles/git-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
/var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
/var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
/var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0)
/var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
/var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
/var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
/var/tmp/binpkgs(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
/var/tmp/emerge-webrsync(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
/var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
/var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)


@ -1,316 +0,0 @@
## <summary>
## Portage Package Management System. The primary package management and
## distribution system for Gentoo.
## </summary>
########################################
## <summary>
## Execute emerge in the portage domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`portage_domtrans',`
gen_require(`
type portage_t, portage_exec_t;
type portage_fetch_t, portage_fetch_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
# transition to portage
domtrans_pattern($1, portage_exec_t, portage_t)
domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)
')
########################################
## <summary>
## Execute emerge in the portage domain, and
## allow the specified role the portage domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the portage domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`portage_run',`
gen_require(`
type portage_t, portage_fetch_t, portage_sandbox_t;
')
portage_domtrans($1)
role $2 types { portage_t portage_fetch_t portage_sandbox_t };
')
########################################
## <summary>
## Template for portage sandbox.
## </summary>
## <desc>
## <p>
## Template for portage sandbox. Portage
## does all compiling in the sandbox.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain Allowed Access
## </summary>
## </param>
#
interface(`portage_compile_domain',`
gen_require(`
class dbus send_msg;
type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
type portage_tmpfs_t;
')
allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
dontaudit $1 self:capability sys_chroot;
allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };
allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
allow $1 self:fd use;
allow $1 self:fifo_file rw_fifo_file_perms;
allow $1 self:shm create_shm_perms;
allow $1 self:sem create_sem_perms;
allow $1 self:msgq create_msgq_perms;
allow $1 self:msg { send receive };
allow $1 self:unix_dgram_socket create_socket_perms;
allow $1 self:unix_stream_socket create_stream_socket_perms;
allow $1 self:unix_dgram_socket sendto;
allow $1 self:unix_stream_socket connectto;
# really shouldnt need this
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 self:udp_socket create_socket_perms;
# misc networking stuff (esp needed for compiling perl):
allow $1 self:rawip_socket { create ioctl };
# needed for merging dbus:
allow $1 self:netlink_selinux_socket { bind create read };
allow $1 self:dbus send_msg;
allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr };
term_create_pty($1, portage_devpts_t)
# write compile logs
allow $1 portage_log_t:dir setattr;
allow $1 portage_log_t:file { write_file_perms setattr };
# Support live ebuilds (-9999)
manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
# run scripts out of the build directory
can_exec(portage_sandbox_t, portage_tmp_t)
manage_dirs_pattern($1, portage_tmp_t, portage_tmp_t)
manage_files_pattern($1, portage_tmp_t, portage_tmp_t)
manage_lnk_files_pattern($1, portage_tmp_t, portage_tmp_t)
manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t)
manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t)
files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })
# SELinux-enabled programs running in the sandbox
allow $1 portage_tmp_t:file relabel_file_perms;
manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
manage_fifo_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })
kernel_read_system_state($1)
kernel_read_network_state($1)
kernel_read_software_raid_state($1)
kernel_getattr_core_if($1)
kernel_getattr_message_if($1)
kernel_read_kernel_sysctls($1)
corecmd_exec_all_executables($1)
# really shouldnt need this but some packages test
# network access, such as during configure
# also distcc--need to reinvestigate confining distcc client
corenet_all_recvfrom_unlabeled($1)
corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_raw_sendrecv_generic_if($1)
corenet_tcp_sendrecv_generic_node($1)
corenet_udp_sendrecv_generic_node($1)
corenet_raw_sendrecv_generic_node($1)
corenet_tcp_sendrecv_all_ports($1)
corenet_udp_sendrecv_all_ports($1)
corenet_tcp_connect_all_reserved_ports($1)
corenet_tcp_connect_distccd_port($1)
dev_read_sysfs($1)
dev_read_rand($1)
dev_read_urand($1)
domain_use_interactive_fds($1)
domain_dontaudit_read_all_domains_state($1)
# SELinux-aware installs doing relabels in the sandbox
domain_obj_id_change_exemption($1)
files_exec_etc_files($1)
files_exec_usr_src_files($1)
fs_getattr_xattr_fs($1)
fs_list_noxattr_fs($1)
fs_read_noxattr_fs_files($1)
fs_read_noxattr_fs_symlinks($1)
fs_search_auto_mountpoints($1)
selinux_validate_context($1)
# needed for merging dbus:
selinux_compute_access_vector($1)
auth_read_all_dirs_except_auth_files($1)
auth_read_all_files_except_auth_files($1)
auth_read_all_symlinks_except_auth_files($1)
libs_exec_lib_files($1)
# some config scripts use ldd
libs_exec_ld_so($1)
# this violates the idea of sandbox, but
# regular sandbox allows it
libs_domtrans_ldconfig($1)
logging_send_syslog_msg($1)
userdom_use_user_terminals($1)
# SELinux-enabled programs running in the sandbox
seutil_libselinux_linked($1)
tunable_policy(`portage_use_nfs',`
fs_getattr_nfs($1)
fs_manage_nfs_dirs($1)
fs_manage_nfs_files($1)
fs_manage_nfs_symlinks($1)
')
ifdef(`TODO',`
# some gui ebuilds want to interact with X server, like xawtv
optional_policy(`
allow $1 xdm_xserver_tmp_t:dir { add_name remove_name write };
allow $1 xdm_xserver_tmp_t:sock_file { create getattr unlink write };
')
') dnl end TODO
')
########################################
## <summary>
## Execute gcc-config in the gcc_config domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`portage_domtrans_gcc_config',`
gen_require(`
type gcc_config_t, gcc_config_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, gcc_config_exec_t, gcc_config_t)
')
########################################
## <summary>
## Execute gcc-config in the gcc_config domain, and
## allow the specified role the gcc_config domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the gcc_config domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`portage_run_gcc_config',`
gen_require(`
type gcc_config_t;
')
portage_domtrans_gcc_config($1)
role $2 types gcc_config_t;
')
########################################
## <summary>
## Do not audit attempts to use
## portage file descriptors.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`portage_dontaudit_use_fds',`
gen_require(`
type portage_t;
')
dontaudit $1 portage_t:fd use;
')
########################################
## <summary>
## Do not audit attempts to search the
## portage temporary directories.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`portage_dontaudit_search_tmp',`
gen_require(`
type portage_tmp_t;
')
dontaudit $1 portage_tmp_t:dir search_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to read and write
## the portage temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`portage_dontaudit_rw_tmp_files',`
gen_require(`
type portage_tmp_t;
')
dontaudit $1 portage_tmp_t:file rw_file_perms;
')


@ -1,326 +0,0 @@
policy_module(portage, 1.11.2)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow the portage domains to use NFS mounts (regular nfs_t)
## </p>
## </desc>
gen_tunable(portage_use_nfs, false)
type gcc_config_t;
type gcc_config_exec_t;
application_domain(gcc_config_t, gcc_config_exec_t)
# constraining type
type portage_t;
type portage_exec_t;
application_domain(portage_t, portage_exec_t)
domain_obj_id_change_exemption(portage_t)
rsync_entry_type(portage_t)
corecmd_shell_entry_type(portage_t)
# portage compile sandbox domain
type portage_sandbox_t;
application_domain(portage_sandbox_t, portage_exec_t)
# the shell is the entrypoint if regular sandbox is disabled
# portage_exec_t is the entrypoint if regular sandbox is enabled
corecmd_shell_entry_type(portage_sandbox_t)
# portage package fetching domain
type portage_fetch_t;
type portage_fetch_exec_t;
application_domain(portage_fetch_t, portage_fetch_exec_t)
corecmd_shell_entry_type(portage_fetch_t)
rsync_entry_type(portage_fetch_t)
type portage_devpts_t;
term_pty(portage_devpts_t)
type portage_ebuild_t;
files_type(portage_ebuild_t)
type portage_fetch_tmp_t;
files_tmp_file(portage_fetch_tmp_t)
type portage_db_t;
files_type(portage_db_t)
type portage_conf_t;
files_type(portage_conf_t)
type portage_cache_t;
files_type(portage_cache_t)
type portage_gpg_t;
files_type(portage_gpg_t)
type portage_log_t;
logging_log_file(portage_log_t)
type portage_srcrepo_t;
files_type(portage_srcrepo_t)
type portage_tmp_t;
files_tmp_file(portage_tmp_t)
type portage_tmpfs_t;
files_tmpfs_file(portage_tmpfs_t)
########################################
#
# gcc-config policy
#
allow gcc_config_t self:capability { chown fsetid };
allow gcc_config_t self:fifo_file rw_file_perms;
manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t)
read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)
allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t)
allow gcc_config_t portage_exec_t:file mmap_file_perms;
kernel_read_system_state(gcc_config_t)
kernel_read_kernel_sysctls(gcc_config_t)
corecmd_exec_shell(gcc_config_t)
corecmd_exec_bin(gcc_config_t)
corecmd_manage_bin_files(gcc_config_t)
domain_use_interactive_fds(gcc_config_t)
files_manage_etc_files(gcc_config_t)
files_rw_etc_runtime_files(gcc_config_t)
files_read_usr_files(gcc_config_t)
files_search_var_lib(gcc_config_t)
files_search_pids(gcc_config_t)
# complains loudly about not being able to list
# the directory it is being run from
files_list_all(gcc_config_t)
# seems to be ok without this
init_dontaudit_read_script_status_files(gcc_config_t)
libs_read_lib_files(gcc_config_t)
libs_domtrans_ldconfig(gcc_config_t)
libs_manage_shared_libs(gcc_config_t)
# gcc-config creates a temp dir for the libs
libs_manage_lib_dirs(gcc_config_t)
logging_send_syslog_msg(gcc_config_t)
miscfiles_read_localization(gcc_config_t)
userdom_use_user_terminals(gcc_config_t)
consoletype_exec(gcc_config_t)
ifdef(`distro_gentoo',`
init_exec_rc(gcc_config_t)
')
optional_policy(`
seutil_use_newrole_fds(gcc_config_t)
')
########################################
#
# Portage Merging Rules
#
# - setfscreate for merging to live fs
# - setexec to run portage fetch
allow portage_t self:process { setfscreate setexec };
# - kill for mysql merging, at least
allow portage_t self:capability { sys_nice kill setfcap };
# user post-sync scripts
can_exec(portage_t, portage_conf_t)
allow portage_t portage_log_t:file manage_file_perms;
logging_log_filetrans(portage_t, portage_log_t, file)
allow portage_t { portage_fetch_t portage_sandbox_t }:process signal;
# transition for rsync and wget
corecmd_shell_spec_domtrans(portage_t, portage_fetch_t)
rsync_entry_domtrans(portage_t, portage_fetch_t)
allow portage_fetch_t portage_t:fd use;
allow portage_fetch_t portage_t:fifo_file rw_file_perms;
allow portage_fetch_t portage_t:process sigchld;
# transition to sandbox for compiling
domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
allow portage_sandbox_t portage_t:fd use;
allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
allow portage_sandbox_t portage_t:process sigchld;
allow portage_sandbox_t self:process ptrace;
# run scripts out of the build directory
can_exec(portage_t, portage_tmp_t)
# merging baselayout will need this:
kernel_write_proc_files(portage_t)
domain_dontaudit_read_all_domains_state(portage_t)
# modify any files in the system
files_manage_all_files(portage_t)
selinux_get_fs_mount(portage_t)
auth_manage_shadow(portage_t)
# merging baselayout will need this:
init_exec(portage_t)
# run setfiles -r
seutil_domtrans_setfiles(portage_t)
# run semodule
seutil_domtrans_semanage(portage_t)
portage_domtrans_gcc_config(portage_t)
# if sesandbox is disabled, compiling is performed in this domain
portage_compile_domain(portage_t)
optional_policy(`
bootloader_domtrans(portage_t)
')
optional_policy(`
cron_system_entry(portage_t, portage_exec_t)
cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
')
optional_policy(`
modutils_domtrans_depmod(portage_t)
modutils_domtrans_update_mods(portage_t)
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
')
optional_policy(`
usermanage_domtrans_groupadd(portage_t)
usermanage_domtrans_useradd(portage_t)
')
ifdef(`TODO',`
# seems to work ok without these
dontaudit portage_t device_t:{ blk_file chr_file } getattr;
dontaudit portage_t proc_t:dir setattr;
dontaudit portage_t device_type:chr_file read_chr_file_perms;
dontaudit portage_t device_type:blk_file read_blk_file_perms;
')
##########################################
#
# Portage fetch domain
# - for rsync and distfile fetching
#
allow portage_fetch_t self:process signal;
allow portage_fetch_t self:capability { dac_override fowner fsetid chown };
allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
allow portage_fetch_t portage_conf_t:dir list_dir_perms;
allow portage_fetch_t portage_gpg_t:dir rw_dir_perms;
allow portage_fetch_t portage_gpg_t:file manage_file_perms;
allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;
allow portage_fetch_t portage_tmp_t:file manage_file_perms;
read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
kernel_read_system_state(portage_fetch_t)
kernel_read_kernel_sysctls(portage_fetch_t)
corecmd_exec_bin(portage_fetch_t)
corecmd_exec_shell(portage_fetch_t)
corenet_all_recvfrom_unlabeled(portage_fetch_t)
corenet_all_recvfrom_netlabel(portage_fetch_t)
corenet_tcp_sendrecv_generic_if(portage_fetch_t)
corenet_tcp_sendrecv_generic_node(portage_fetch_t)
corenet_tcp_sendrecv_all_ports(portage_fetch_t)
corenet_tcp_connect_http_cache_port(portage_fetch_t)
corenet_tcp_connect_git_port(portage_fetch_t)
corenet_tcp_connect_rsync_port(portage_fetch_t)
corenet_sendrecv_http_client_packets(portage_fetch_t)
corenet_sendrecv_http_cache_client_packets(portage_fetch_t)
corenet_sendrecv_git_client_packets(portage_fetch_t)
corenet_sendrecv_rsync_client_packets(portage_fetch_t)
# would rather not connect to unspecified ports, but
# it occasionally comes up
corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
corenet_tcp_connect_generic_port(portage_fetch_t)
dev_dontaudit_read_rand(portage_fetch_t)
domain_use_interactive_fds(portage_fetch_t)
files_read_etc_files(portage_fetch_t)
files_read_etc_runtime_files(portage_fetch_t)
files_read_usr_files(portage_fetch_t)
files_search_var_lib(portage_fetch_t)
files_dontaudit_search_pids(portage_fetch_t)
logging_list_logs(portage_fetch_t)
term_search_ptys(portage_fetch_t)
miscfiles_read_localization(portage_fetch_t)
sysnet_read_config(portage_fetch_t)
sysnet_dns_name_resolve(portage_fetch_t)
userdom_use_user_terminals(portage_fetch_t)
userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
rsync_exec(portage_fetch_t)
ifdef(`hide_broken_symptoms',`
dontaudit portage_fetch_t portage_cache_t:file read;
')
tunable_policy(`portage_use_nfs',`
fs_getattr_nfs(portage_fetch_t)
fs_manage_nfs_dirs(portage_fetch_t)
fs_manage_nfs_files(portage_fetch_t)
fs_manage_nfs_symlinks(portage_fetch_t)
')
optional_policy(`
gpg_exec(portage_fetch_t)
')
##########################################
#
# Portage sandbox domain
# - SELinux-enforced sandbox
#
portage_compile_domain(portage_sandbox_t)
ifdef(`hide_broken_symptoms',`
# leaked descriptors
dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
')


@ -1,11 +0,0 @@
/etc/cron\.daily/prelink -- gen_context(system_u:object_r:prelink_cron_system_exec_t,s0)
/etc/prelink\.cache -- gen_context(system_u:object_r:prelink_cache_t,s0)
/usr/sbin/prelink(\.bin)? -- gen_context(system_u:object_r:prelink_exec_t,s0)
/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
/var/lib/prelink(/.*)? gen_context(system_u:object_r:prelink_var_lib_t,s0)


@ -1,204 +0,0 @@
## <summary>Prelink ELF shared library mappings.</summary>
########################################
## <summary>
## Execute the prelink program in the prelink domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`prelink_domtrans',`
gen_require(`
type prelink_t, prelink_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, prelink_exec_t, prelink_t)
ifdef(`hide_broken_symptoms', `
dontaudit prelink_t $1:socket_class_set { read write };
dontaudit prelink_t $1:fifo_file setattr;
')
')
########################################
## <summary>
## Execute the prelink program in the current domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`prelink_exec',`
gen_require(`
type prelink_exec_t;
')
corecmd_search_bin($1)
can_exec($1, prelink_exec_t)
')
########################################
## <summary>
## Execute the prelink program in the prelink domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the prelink domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`prelink_run',`
gen_require(`
type prelink_t;
')
prelink_domtrans($1)
role $2 types prelink_t;
')
########################################
## <summary>
## Make the specified file type prelinkable.
## </summary>
## <param name="file_type">
## <summary>
## File type to be prelinked.
## </summary>
## </param>
#
# cjp: added for misc non-entrypoint objects
interface(`prelink_object_file',`
gen_require(`
attribute prelink_object;
')
typeattribute $1 prelink_object;
')
########################################
## <summary>
## Read the prelink cache.
## </summary>
## <param name="file_type">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`prelink_read_cache',`
gen_require(`
type prelink_cache_t;
')
files_search_etc($1)
allow $1 prelink_cache_t:file read_file_perms;
')
########################################
## <summary>
## Delete the prelink cache.
## </summary>
## <param name="file_type">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`prelink_delete_cache',`
gen_require(`
type prelink_cache_t;
')
allow $1 prelink_cache_t:file unlink;
files_rw_etc_dirs($1)
')
########################################
## <summary>
## Create, read, write, and delete
## prelink log files.
## </summary>
## <param name="file_type">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`prelink_manage_log',`
gen_require(`
type prelink_log_t;
')
logging_search_logs($1)
manage_files_pattern($1, prelink_log_t, prelink_log_t)
')
########################################
## <summary>
## Create, read, write, and delete
## prelink var_lib files.
## </summary>
## <param name="file_type">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`prelink_manage_lib',`
gen_require(`
type prelink_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
')
########################################
## <summary>
## Relabel from files in the /boot directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`prelink_relabelfrom_lib',`
gen_require(`
type prelink_var_lib_t;
')
files_search_var_lib($1)
relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
')
########################################
## <summary>
## Relabel from files in the /boot directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`prelink_relabel_lib',`
gen_require(`
type prelink_var_lib_t;
')
files_search_var_lib($1)
relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
')


@ -1,164 +0,0 @@
policy_module(prelink, 1.10.0)
########################################
#
# Declarations
attribute prelink_object;
type prelink_t;
type prelink_exec_t;
init_system_domain(prelink_t, prelink_exec_t)
domain_obj_id_change_exemption(prelink_t)
type prelink_cache_t;
files_type(prelink_cache_t)
type prelink_cron_system_t;
type prelink_cron_system_exec_t;
domain_type(prelink_cron_system_t)
domain_entry_file(prelink_cron_system_t, prelink_cron_system_exec_t)
type prelink_log_t;
logging_log_file(prelink_log_t)
type prelink_tmp_t;
files_tmp_file(prelink_tmp_t)
type prelink_tmpfs_t;
files_tmpfs_file(prelink_tmpfs_t)
type prelink_var_lib_t;
files_type(prelink_var_lib_t)
########################################
#
# Local policy
#
allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource };
allow prelink_t self:process { execheap execmem execstack signal };
allow prelink_t self:fifo_file rw_fifo_file_perms;
allow prelink_t prelink_cache_t:file manage_file_perms;
files_etc_filetrans(prelink_t, prelink_cache_t, file)
allow prelink_t prelink_log_t:dir setattr;
create_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
logging_log_filetrans(prelink_t, prelink_log_t, file)
allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
allow prelink_t prelink_tmpfs_t:file { manage_file_perms execute relabelfrom execmod };
fs_tmpfs_filetrans(prelink_t, prelink_tmpfs_t, file)
manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
relabel_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_t, prelink_var_lib_t, { dir file })
# prelink misc objects that are not system
# libraries or entrypoints
allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
kernel_read_system_state(prelink_t)
kernel_read_kernel_sysctls(prelink_t)
corecmd_manage_all_executables(prelink_t)
corecmd_relabel_all_executables(prelink_t)
corecmd_mmap_all_executables(prelink_t)
corecmd_read_bin_symlinks(prelink_t)
dev_read_urand(prelink_t)
files_list_all(prelink_t)
files_getattr_all_files(prelink_t)
files_write_non_security_dirs(prelink_t)
files_read_etc_files(prelink_t)
files_read_etc_runtime_files(prelink_t)
files_dontaudit_read_all_symlinks(prelink_t)
files_manage_usr_files(prelink_t)
files_manage_var_files(prelink_t)
files_relabelfrom_usr_files(prelink_t)
fs_getattr_xattr_fs(prelink_t)
selinux_get_enforce_mode(prelink_t)
libs_exec_ld_so(prelink_t)
libs_legacy_use_shared_libs(prelink_t)
libs_manage_ld_so(prelink_t)
libs_relabel_ld_so(prelink_t)
libs_manage_shared_libs(prelink_t)
libs_relabel_shared_libs(prelink_t)
libs_delete_lib_symlinks(prelink_t)
miscfiles_read_localization(prelink_t)
userdom_use_user_terminals(prelink_t)
optional_policy(`
amanda_manage_lib(prelink_t)
')
optional_policy(`
cron_system_entry(prelink_t, prelink_exec_t)
')
optional_policy(`
rpm_manage_tmp_files(prelink_t)
')
optional_policy(`
unconfined_domain(prelink_t)
')
########################################
#
# Prelink Cron system Policy
#
optional_policy(`
allow prelink_cron_system_t self:capability setuid;
allow prelink_cron_system_t self:process { setsched setfscreate signal };
allow prelink_cron_system_t self:fifo_file rw_fifo_file_perms;
allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt };
read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t)
allow prelink_cron_system_t prelink_cache_t:file unlink;
domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t)
allow prelink_cron_system_t prelink_t:process noatsecure;
manage_files_pattern(prelink_cron_system_t, prelink_log_t, prelink_log_t)
manage_files_pattern(prelink_cron_system_t, prelink_var_lib_t, prelink_var_lib_t)
files_var_lib_filetrans(prelink_cron_system_t, prelink_var_lib_t, file)
allow prelink_cron_system_t prelink_var_lib_t:file { relabelfrom relabelto };
kernel_read_system_state(prelink_cron_system_t)
corecmd_exec_bin(prelink_cron_system_t)
corecmd_exec_shell(prelink_cron_system_t)
files_dontaudit_search_all_mountpoints(prelink_cron_system_t)
files_read_etc_files(prelink_cron_system_t)
files_search_var_lib(prelink_cron_system_t)
init_exec(prelink_cron_system_t)
libs_exec_ld_so(prelink_cron_system_t)
logging_search_logs(prelink_cron_system_t)
miscfiles_read_localization(prelink_cron_system_t)
cron_system_entry(prelink_cron_system_t, prelink_cron_system_exec_t)
optional_policy(`
rpm_read_db(prelink_cron_system_t)
')
')


@ -1,19 +0,0 @@
HOME_ROOT/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/boot/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/etc/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/sbin/quota(check|on) -- gen_context(system_u:object_r:quota_exec_t,s0)
/var/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
/var/lib/quota(/.*)? gen_context(system_u:object_r:quota_flag_t,s0)
/var/spool/a?quota\.(user|group) -- gen_context(system_u:object_r:quota_db_t,s0)
ifdef(`distro_redhat',`
/usr/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
',`
/sbin/convertquota -- gen_context(system_u:object_r:quota_exec_t,s0)
')


@ -1,85 +0,0 @@
## <summary>File system quota management</summary>
########################################
## <summary>
## Execute quota management tools in the quota domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`quota_domtrans',`
gen_require(`
type quota_t, quota_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, quota_exec_t, quota_t)
')
########################################
## <summary>
## Execute quota management tools in the quota domain, and
## allow the specified role the quota domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`quota_run',`
gen_require(`
type quota_t;
')
quota_domtrans($1)
role $2 types quota_t;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of filesystem quota data files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`quota_dontaudit_getattr_db',`
gen_require(`
type quota_db_t;
')
dontaudit $1 quota_db_t:file getattr_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete quota
## flag files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`quota_manage_flags',`
gen_require(`
type quota_flag_t;
')
files_search_var_lib($1)
manage_files_pattern($1, quota_flag_t, quota_flag_t)
')


@ -1,84 +0,0 @@
policy_module(quota, 1.5.0)
########################################
#
# Declarations
#
type quota_t;
type quota_exec_t;
init_system_domain(quota_t, quota_exec_t)
type quota_db_t;
files_type(quota_db_t)
type quota_flag_t;
files_type(quota_flag_t)
########################################
#
# Local policy
#
allow quota_t self:capability { sys_admin dac_override };
dontaudit quota_t self:capability sys_tty_config;
allow quota_t self:process signal_perms;
# for /quota.*
allow quota_t quota_db_t:file { manage_file_perms quotaon };
files_root_filetrans(quota_t, quota_db_t, file)
files_boot_filetrans(quota_t, quota_db_t, file)
files_etc_filetrans(quota_t, quota_db_t, file)
files_tmp_filetrans(quota_t, quota_db_t, file)
files_home_filetrans(quota_t, quota_db_t, file)
files_usr_filetrans(quota_t, quota_db_t, file)
files_var_filetrans(quota_t, quota_db_t, file)
files_spool_filetrans(quota_t, quota_db_t, file)
kernel_list_proc(quota_t)
kernel_read_proc_symlinks(quota_t)
kernel_read_kernel_sysctls(quota_t)
kernel_setsched(quota_t)
dev_read_sysfs(quota_t)
dev_getattr_all_blk_files(quota_t)
dev_getattr_all_chr_files(quota_t)
fs_get_xattr_fs_quotas(quota_t)
fs_set_xattr_fs_quotas(quota_t)
fs_getattr_xattr_fs(quota_t)
fs_remount_xattr_fs(quota_t)
fs_search_auto_mountpoints(quota_t)
mls_file_read_all_levels(quota_t)
storage_raw_read_fixed_disk(quota_t)
term_dontaudit_use_console(quota_t)
domain_use_interactive_fds(quota_t)
files_list_all(quota_t)
files_read_all_files(quota_t)
files_read_all_symlinks(quota_t)
files_getattr_all_pipes(quota_t)
files_getattr_all_sockets(quota_t)
files_getattr_all_file_type_fs(quota_t)
# Read /etc/mtab.
files_read_etc_runtime_files(quota_t)
init_use_fds(quota_t)
init_use_script_ptys(quota_t)
logging_send_syslog_msg(quota_t)
userdom_use_user_terminals(quota_t)
userdom_dontaudit_use_unpriv_user_fds(quota_t)
optional_policy(`
seutil_sigchld_newrole(quota_t)
')
optional_policy(`
udev_read_db(quota_t)
')


@ -1,3 +0,0 @@
/usr/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
/sbin/readahead.* -- gen_context(system_u:object_r:readahead_exec_t,s0)
/var/lib/readahead(/.*)? gen_context(system_u:object_r:readahead_var_lib_t,s0)


@ -1 +0,0 @@
## <summary>Readahead, read files into page cache for improved performance</summary>


@ -1,101 +0,0 @@
policy_module(readahead, 1.12.0)
########################################
#
# Declarations
#
type readahead_t;
type readahead_exec_t;
init_daemon_domain(readahead_t, readahead_exec_t)
application_domain(readahead_t, readahead_exec_t)
type readahead_var_lib_t;
files_type(readahead_var_lib_t)
typealias readahead_var_lib_t alias readahead_etc_rw_t;
type readahead_var_run_t;
files_pid_file(readahead_var_run_t)
########################################
#
# Local policy
#
allow readahead_t self:capability { fowner dac_override dac_read_search };
dontaudit readahead_t self:capability { net_admin sys_tty_config };
allow readahead_t self:process { setsched signal_perms };
manage_dirs_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
manage_files_pattern(readahead_t, readahead_var_lib_t, readahead_var_lib_t)
files_search_var_lib(readahead_t)
manage_files_pattern(readahead_t, readahead_var_run_t, readahead_var_run_t)
files_pid_filetrans(readahead_t, readahead_var_run_t, file)
kernel_read_all_sysctls(readahead_t)
kernel_read_system_state(readahead_t)
kernel_dontaudit_getattr_core_if(readahead_t)
dev_read_sysfs(readahead_t)
dev_getattr_generic_chr_files(readahead_t)
dev_getattr_generic_blk_files(readahead_t)
dev_getattr_all_chr_files(readahead_t)
dev_getattr_all_blk_files(readahead_t)
dev_dontaudit_read_all_blk_files(readahead_t)
dev_dontaudit_getattr_memory_dev(readahead_t)
dev_dontaudit_getattr_nvram_dev(readahead_t)
# Early devtmpfs, before udev relabel
dev_dontaudit_rw_generic_chr_files(readahead_t)
domain_use_interactive_fds(readahead_t)
domain_read_all_domains_state(readahead_t)
files_list_non_security(readahead_t)
files_read_non_security_files(readahead_t)
files_create_boot_flag(readahead_t)
files_getattr_all_pipes(readahead_t)
files_dontaudit_getattr_all_sockets(readahead_t)
files_dontaudit_getattr_non_security_blk_files(readahead_t)
fs_getattr_all_fs(readahead_t)
fs_search_auto_mountpoints(readahead_t)
fs_getattr_all_pipes(readahead_t)
fs_getattr_all_files(readahead_t)
fs_read_cgroup_files(readahead_t)
fs_read_tmpfs_files(readahead_t)
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
fs_dontaudit_search_ramfs(readahead_t)
fs_dontaudit_read_ramfs_pipes(readahead_t)
fs_dontaudit_read_ramfs_files(readahead_t)
fs_dontaudit_use_tmpfs_chr_dev(readahead_t)
mls_file_read_all_levels(readahead_t)
storage_raw_read_fixed_disk(readahead_t)
term_dontaudit_use_console(readahead_t)
auth_dontaudit_read_shadow(readahead_t)
init_use_fds(readahead_t)
init_use_script_ptys(readahead_t)
init_getattr_initctl(readahead_t)
logging_send_syslog_msg(readahead_t)
logging_set_audit_parameters(readahead_t)
logging_dontaudit_search_audit_config(readahead_t)
miscfiles_read_localization(readahead_t)
userdom_dontaudit_use_unpriv_user_fds(readahead_t)
userdom_dontaudit_search_user_home_dirs(readahead_t)
optional_policy(`
cron_system_entry(readahead_t, readahead_exec_t)
')
optional_policy(`
seutil_sigchld_newrole(readahead_t)
')


@ -1,52 +0,0 @@
/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/debuginfo-install -- gen_context(system_u:object_r:debuginfo_exec_t,s0)
/usr/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0)
ifdef(`distro_redhat', `
/usr/bin/fedora-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/rpmdev-rmdevelrpms -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/pirut -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
/var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
# SuSE
ifdef(`distro_suse', `
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
/sbin/yast2 -- gen_context(system_u:object_r:rpm_exec_t,s0)
/var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/log/YaST2(/.*)? gen_context(system_u:object_r:rpm_log_t,s0)
')
ifdef(`enable_mls',`
/sbin/cpio -- gen_context(system_u:object_r:rpm_exec_t,s0)
')


@ -1,578 +0,0 @@
## <summary>Policy for the RPM package manager.</summary>
########################################
## <summary>
## Execute rpm programs in the rpm domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpm_domtrans',`
gen_require(`
type rpm_t, rpm_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rpm_exec_t, rpm_t)
')
########################################
## <summary>
## Execute debuginfo_install programs in the rpm domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpm_debuginfo_domtrans',`
gen_require(`
type rpm_t, debuginfo_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, debuginfo_exec_t, rpm_t)
')
########################################
## <summary>
## Execute rpm_script programs in the rpm_script domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpm_domtrans_script',`
gen_require(`
type rpm_script_t;
')
# transition to rpm script:
corecmd_shell_domtrans($1, rpm_script_t)
allow rpm_script_t $1:fd use;
allow rpm_script_t $1:fifo_file rw_file_perms;
allow rpm_script_t $1:process sigchld;
')
########################################
## <summary>
## Execute RPM programs in the RPM domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the RPM domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`rpm_run',`
gen_require(`
type rpm_t, rpm_script_t;
')
rpm_domtrans($1)
role $2 types { rpm_t rpm_script_t };
seutil_run_loadpolicy(rpm_script_t, $2)
seutil_run_semanage(rpm_script_t, $2)
seutil_run_setfiles(rpm_script_t, $2)
')
########################################
## <summary>
## Execute the rpm client in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_exec',`
gen_require(`
type rpm_exec_t;
')
corecmd_search_bin($1)
can_exec($1, rpm_exec_t)
')
########################################
## <summary>
## Send a null signal to rpm.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_signull',`
gen_require(`
type rpm_t;
')
allow $1 rpm_t:process signull;
')
########################################
## <summary>
## Inherit and use file descriptors from RPM.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_use_fds',`
gen_require(`
type rpm_t;
')
allow $1 rpm_t:fd use;
')
########################################
## <summary>
## Read from an unnamed RPM pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_pipes',`
gen_require(`
type rpm_t;
')
allow $1 rpm_t:fifo_file read_fifo_file_perms;
')
########################################
## <summary>
## Read and write an unnamed RPM pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_rw_pipes',`
gen_require(`
type rpm_t;
')
allow $1 rpm_t:fifo_file rw_fifo_file_perms;
')
########################################
## <summary>
## Send and receive messages from
## rpm over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_dbus_chat',`
gen_require(`
type rpm_t;
class dbus send_msg;
')
allow $1 rpm_t:dbus send_msg;
allow rpm_t $1:dbus send_msg;
')
########################################
## <summary>
## Do not audit attempts to send and
## receive messages from rpm over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`rpm_dontaudit_dbus_chat',`
gen_require(`
type rpm_t;
class dbus send_msg;
')
dontaudit $1 rpm_t:dbus send_msg;
dontaudit rpm_t $1:dbus send_msg;
')
########################################
## <summary>
## Send and receive messages from
## rpm_script over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_script_dbus_chat',`
gen_require(`
type rpm_script_t;
class dbus send_msg;
')
allow $1 rpm_script_t:dbus send_msg;
allow rpm_script_t $1:dbus send_msg;
')
########################################
## <summary>
## Search RPM log directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_search_log',`
gen_require(`
type rpm_log_t;
')
logging_search_logs($1)
allow $1 rpm_log_t:dir search_dir_perms;
')
#####################################
## <summary>
## Allow the specified domain to append
## to rpm log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_append_log',`
gen_require(`
type rpm_log_t;
')
logging_search_logs($1)
append_files_pattern($1, rpm_log_t, rpm_log_t)
')
########################################
## <summary>
## Create, read, write, and delete the RPM log.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_log',`
gen_require(`
type rpm_log_t;
')
logging_rw_generic_log_dirs($1)
allow $1 rpm_log_t:file manage_file_perms;
')
########################################
## <summary>
## Inherit and use file descriptors from RPM scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_use_script_fds',`
gen_require(`
type rpm_script_t;
')
allow $1 rpm_script_t:fd use;
')
########################################
## <summary>
## Create, read, write, and delete RPM
## script temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_script_tmp_files',`
gen_require(`
type rpm_script_tmp_t;
')
files_search_tmp($1)
manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
')
#####################################
## <summary>
## Allow the specified domain to append
## to rpm tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_append_tmp_files',`
gen_require(`
type rpm_tmp_t;
')
files_search_tmp($1)
append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
')
########################################
## <summary>
## Create, read, write, and delete RPM
## temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_tmp_files',`
gen_require(`
type rpm_tmp_t;
')
files_search_tmp($1)
manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
')
########################################
## <summary>
## Read RPM script temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_script_tmp_files',`
gen_require(`
type rpm_script_tmp_t;
')
files_search_tmp($1)
read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
')
########################################
## <summary>
## Read the RPM cache.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_cache',`
gen_require(`
type rpm_var_cache_t;
')
files_search_var($1)
allow $1 rpm_var_cache_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
')
########################################
## <summary>
## Create, read, write, and delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_cache',`
gen_require(`
type rpm_var_cache_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
')
########################################
## <summary>
## Read the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_db',`
gen_require(`
type rpm_var_lib_t;
')
files_search_var_lib($1)
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
')
########################################
## <summary>
## Delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_delete_db',`
gen_require(`
type rpm_var_lib_t;
')
files_search_var_lib($1)
delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
')
########################################
## <summary>
## Create, read, write, and delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_db',`
gen_require(`
type rpm_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
')
########################################
## <summary>
## Do not audit attempts to create, read,
## write, and delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`rpm_dontaudit_manage_db',`
gen_require(`
type rpm_var_lib_t;
')
dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
#####################################
## <summary>
## Read rpm pid files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_pid_files',`
gen_require(`
type rpm_var_run_t;
')
read_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
files_search_pids($1)
')
#####################################
## <summary>
## Create, read, write, and delete rpm pid files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_pid_files',`
gen_require(`
type rpm_var_run_t;
')
manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
files_search_pids($1)
')
######################################
## <summary>
## Create files in /var/run with the rpm pid file type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_pid_filetrans',`
gen_require(`
type rpm_var_run_t;
')
files_pid_filetrans($1, rpm_var_run_t, file)
')


@ -1,395 +0,0 @@
policy_module(rpm, 1.13.0)
########################################
#
# Declarations
#
type debuginfo_exec_t;
domain_entry_file(rpm_t, debuginfo_exec_t)
type rpm_t;
type rpm_exec_t;
init_system_domain(rpm_t, rpm_exec_t)
domain_obj_id_change_exemption(rpm_t)
domain_role_change_exemption(rpm_t)
domain_system_change_exemption(rpm_t)
domain_interactive_fd(rpm_t)
type rpm_file_t;
files_type(rpm_file_t)
type rpm_tmp_t;
files_tmp_file(rpm_tmp_t)
type rpm_tmpfs_t;
files_tmpfs_file(rpm_tmpfs_t)
type rpm_log_t;
logging_log_file(rpm_log_t)
type rpm_var_lib_t;
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
type rpm_var_cache_t;
files_type(rpm_var_cache_t)
type rpm_var_run_t;
files_pid_file(rpm_var_run_t)
type rpm_script_t;
type rpm_script_exec_t;
domain_obj_id_change_exemption(rpm_script_t)
domain_system_change_exemption(rpm_script_t)
corecmd_shell_entry_type(rpm_script_t)
corecmd_bin_entry_type(rpm_script_t)
domain_type(rpm_script_t)
domain_entry_file(rpm_t, rpm_script_exec_t)
domain_interactive_fd(rpm_script_t)
role system_r types rpm_script_t;
type rpm_script_tmp_t;
files_tmp_file(rpm_script_tmp_t)
type rpm_script_tmpfs_t;
files_tmpfs_file(rpm_script_tmpfs_t)
########################################
#
# rpm Local policy
#
allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
allow rpm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execstack execheap };
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_fifo_file_perms;
allow rpm_t self:unix_dgram_socket create_socket_perms;
allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
allow rpm_t self:unix_dgram_socket sendto;
allow rpm_t self:unix_stream_socket connectto;
allow rpm_t self:udp_socket { connect };
allow rpm_t self:udp_socket create_socket_perms;
allow rpm_t self:tcp_socket create_stream_socket_perms;
allow rpm_t self:shm create_shm_perms;
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t, rpm_log_t, file)
manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
can_exec(rpm_t, rpm_tmp_t)
manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
can_exec(rpm_t, rpm_tmpfs_t)
manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
# Access /var/lib/rpm files
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
files_pid_filetrans(rpm_t, rpm_var_run_t, file)
kernel_read_crypto_sysctls(rpm_t)
kernel_read_network_state(rpm_t)
kernel_read_system_state(rpm_t)
kernel_read_kernel_sysctls(rpm_t)
corecmd_exec_all_executables(rpm_t)
corenet_all_recvfrom_unlabeled(rpm_t)
corenet_all_recvfrom_netlabel(rpm_t)
corenet_tcp_sendrecv_generic_if(rpm_t)
corenet_raw_sendrecv_generic_if(rpm_t)
corenet_udp_sendrecv_generic_if(rpm_t)
corenet_tcp_sendrecv_generic_node(rpm_t)
corenet_raw_sendrecv_generic_node(rpm_t)
corenet_udp_sendrecv_generic_node(rpm_t)
corenet_tcp_sendrecv_all_ports(rpm_t)
corenet_udp_sendrecv_all_ports(rpm_t)
corenet_tcp_connect_all_ports(rpm_t)
corenet_sendrecv_all_client_packets(rpm_t)
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
fs_getattr_all_dirs(rpm_t)
fs_list_inotifyfs(rpm_t)
fs_manage_nfs_dirs(rpm_t)
fs_manage_nfs_files(rpm_t)
fs_manage_nfs_symlinks(rpm_t)
fs_getattr_all_fs(rpm_t)
fs_search_auto_mountpoints(rpm_t)
mls_file_read_all_levels(rpm_t)
mls_file_write_all_levels(rpm_t)
mls_file_upgrade(rpm_t)
mls_file_downgrade(rpm_t)
selinux_get_fs_mount(rpm_t)
selinux_validate_context(rpm_t)
selinux_compute_access_vector(rpm_t)
selinux_compute_create_context(rpm_t)
selinux_compute_relabel_context(rpm_t)
selinux_compute_user_contexts(rpm_t)
storage_raw_write_fixed_disk(rpm_t)
# for installing kernel packages
storage_raw_read_fixed_disk(rpm_t)
term_list_ptys(rpm_t)
auth_relabel_all_files_except_auth_files(rpm_t)
auth_manage_all_files_except_auth_files(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
auth_use_nsswitch(rpm_t)
# transition to rpm script:
rpm_domtrans_script(rpm_t)
domain_read_all_domains_state(rpm_t)
domain_getattr_all_domains(rpm_t)
domain_dontaudit_ptrace_all_domains(rpm_t)
domain_use_interactive_fds(rpm_t)
domain_dontaudit_getattr_all_pipes(rpm_t)
domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
domain_dontaudit_getattr_all_udp_sockets(rpm_t)
domain_dontaudit_getattr_all_packet_sockets(rpm_t)
domain_dontaudit_getattr_all_raw_sockets(rpm_t)
domain_dontaudit_getattr_all_stream_sockets(rpm_t)
domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
files_exec_etc_files(rpm_t)
init_domtrans_script(rpm_t)
init_use_script_ptys(rpm_t)
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
libs_domtrans_ldconfig(rpm_t)
logging_send_syslog_msg(rpm_t)
# allow compiling and loading new policy
seutil_manage_src_policy(rpm_t)
seutil_manage_bin_policy(rpm_t)
userdom_use_user_terminals(rpm_t)
userdom_use_unpriv_users_fds(rpm_t)
optional_policy(`
cron_system_entry(rpm_t, rpm_exec_t)
')
optional_policy(`
dbus_system_domain(rpm_t, rpm_exec_t)
dbus_system_domain(rpm_t, debuginfo_exec_t)
optional_policy(`
hal_dbus_chat(rpm_t)
')
optional_policy(`
networkmanager_dbus_chat(rpm_t)
')
')
optional_policy(`
prelink_domtrans(rpm_t)
')
optional_policy(`
unconfined_domain(rpm_t)
# yum-updatesd requires this
unconfined_dbus_chat(rpm_t)
unconfined_dbus_chat(rpm_script_t)
')
########################################
#
# rpm-script Local policy
#
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_ptrace sys_rawio sys_nice mknod kill net_admin };
allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
allow rpm_script_t self:unix_dgram_socket sendto;
allow rpm_script_t self:unix_stream_socket connectto;
allow rpm_script_t self:shm create_shm_perms;
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;
allow rpm_script_t rpm_tmp_t:file read_file_perms;
allow rpm_script_t rpm_script_tmp_t:dir mounton;
manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
can_exec(rpm_script_t, rpm_script_tmp_t)
manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
can_exec(rpm_script_t, rpm_script_tmpfs_t)
kernel_read_crypto_sysctls(rpm_script_t)
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
kernel_read_network_state(rpm_script_t)
kernel_read_software_raid_state(rpm_script_t)
dev_list_sysfs(rpm_script_t)
# ideally we would not need this
dev_manage_generic_blk_files(rpm_script_t)
dev_manage_generic_chr_files(rpm_script_t)
dev_manage_all_blk_files(rpm_script_t)
dev_manage_all_chr_files(rpm_script_t)
fs_manage_nfs_files(rpm_script_t)
fs_getattr_nfs(rpm_script_t)
fs_search_all(rpm_script_t)
fs_getattr_all_fs(rpm_script_t)
# why is this not using mount?
fs_getattr_xattr_fs(rpm_script_t)
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
fs_search_auto_mountpoints(rpm_script_t)
mcs_killall(rpm_script_t)
mcs_ptrace_all(rpm_script_t)
mls_file_read_all_levels(rpm_script_t)
mls_file_write_all_levels(rpm_script_t)
selinux_get_fs_mount(rpm_script_t)
selinux_validate_context(rpm_script_t)
selinux_compute_access_vector(rpm_script_t)
selinux_compute_create_context(rpm_script_t)
selinux_compute_relabel_context(rpm_script_t)
selinux_compute_user_contexts(rpm_script_t)
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
term_use_all_terms(rpm_script_t)
auth_dontaudit_getattr_shadow(rpm_script_t)
auth_use_nsswitch(rpm_script_t)
# ideally we would not need this
auth_manage_all_files_except_auth_files(rpm_script_t)
auth_relabel_shadow(rpm_script_t)
corecmd_exec_all_executables(rpm_script_t)
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
domain_dontaudit_ptrace_all_domains(rpm_script_t)
domain_use_interactive_fds(rpm_script_t)
domain_signal_all_domains(rpm_script_t)
domain_signull_all_domains(rpm_script_t)
files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
files_exec_usr_files(rpm_script_t)
files_relabel_all_files(rpm_script_t)
init_domtrans_script(rpm_script_t)
init_telinit(rpm_script_t)
libs_exec_ld_so(rpm_script_t)
libs_exec_lib_files(rpm_script_t)
libs_domtrans_ldconfig(rpm_script_t)
logging_send_syslog_msg(rpm_script_t)
miscfiles_read_localization(rpm_script_t)
modutils_domtrans_depmod(rpm_script_t)
modutils_domtrans_insmod(rpm_script_t)
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
userdom_use_all_users_fds(rpm_script_t)
ifdef(`distro_redhat',`
optional_policy(`
mta_send_mail(rpm_script_t)
')
')
tunable_policy(`allow_execmem',`
allow rpm_script_t self:process execmem;
')
optional_policy(`
bootloader_domtrans(rpm_script_t)
')
optional_policy(`
dbus_system_bus_client(rpm_script_t)
')
optional_policy(`
lvm_domtrans(rpm_script_t)
')
optional_policy(`
ntp_domtrans(rpm_script_t)
')
optional_policy(`
tzdata_domtrans(rpm_t)
tzdata_domtrans(rpm_script_t)
')
optional_policy(`
udev_domtrans(rpm_script_t)
')
optional_policy(`
unconfined_domain(rpm_script_t)
unconfined_domtrans(rpm_script_t)
optional_policy(`
java_domtrans_unconfined(rpm_script_t)
')
optional_policy(`
mono_domtrans(rpm_script_t)
')
')
optional_policy(`
usermanage_domtrans_groupadd(rpm_script_t)
usermanage_domtrans_useradd(rpm_script_t)
')


@ -1,4 +0,0 @@
/usr/libexec/sectool-mechanism\.py -- gen_context(system_u:object_r:sectoolm_exec_t,s0)
/var/lib/sectool(/.*)? gen_context(system_u:object_r:sectool_var_lib_t,s0)
/var/log/sectool\.log -- gen_context(system_u:object_r:sectool_var_log_t,s0)


@ -1,2 +0,0 @@
## <summary>Sectool security audit tool</summary>


@ -1,106 +0,0 @@
policy_module(sectoolm, 1.0.0)
########################################
#
# Declarations
#
type sectoolm_t;
type sectoolm_exec_t;
dbus_system_domain(sectoolm_t, sectoolm_exec_t)
type sectool_var_lib_t;
files_type(sectool_var_lib_t)
type sectool_var_log_t;
logging_log_file(sectool_var_log_t)
type sectool_tmp_t;
files_tmp_file(sectool_tmp_t)
########################################
#
# sectool local policy
#
allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
allow sectoolm_t self:process { getcap getsched signull setsched };
dontaudit sectoolm_t self:process { execstack execmem };
allow sectoolm_t self:fifo_file rw_fifo_file_perms;
allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto };
manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
files_tmp_filetrans(sectoolm_t, sectool_tmp_t, { file dir })
manage_files_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
manage_dirs_pattern(sectoolm_t, sectool_var_lib_t, sectool_var_lib_t)
files_var_lib_filetrans(sectoolm_t, sectool_var_lib_t, { file dir })
manage_files_pattern(sectoolm_t, sectool_var_log_t, sectool_var_log_t)
logging_log_filetrans(sectoolm_t, sectool_var_log_t, file)
kernel_read_net_sysctls(sectoolm_t)
kernel_read_network_state(sectoolm_t)
kernel_read_kernel_sysctls(sectoolm_t)
corecmd_exec_bin(sectoolm_t)
corecmd_exec_shell(sectoolm_t)
dev_read_sysfs(sectoolm_t)
dev_read_urand(sectoolm_t)
dev_getattr_all_blk_files(sectoolm_t)
dev_getattr_all_chr_files(sectoolm_t)
domain_getattr_all_domains(sectoolm_t)
domain_read_all_domains_state(sectoolm_t)
files_getattr_all_pipes(sectoolm_t)
files_getattr_all_sockets(sectoolm_t)
files_read_all_files(sectoolm_t)
files_read_all_symlinks(sectoolm_t)
fs_getattr_all_fs(sectoolm_t)
fs_list_noxattr_fs(sectoolm_t)
selinux_validate_context(sectoolm_t)
# tcp_wrappers test
application_exec_all(sectoolm_t)
auth_use_nsswitch(sectoolm_t)
# tests related to network
hostname_exec(sectoolm_t)
# tests related to network
iptables_domtrans(sectoolm_t)
libs_exec_ld_so(sectoolm_t)
logging_send_syslog_msg(sectoolm_t)
# tests related to network
sysnet_domtrans_ifconfig(sectoolm_t)
userdom_manage_user_tmp_sockets(sectoolm_t)
optional_policy(`
mount_exec(sectoolm_t)
')
optional_policy(`
policykit_dbus_chat(sectoolm_t)
')
# suid test using
# rpm -Vf option
optional_policy(`
prelink_domtrans(sectoolm_t)
')
optional_policy(`
rpm_exec(sectoolm_t)
rpm_dontaudit_manage_db(sectoolm_t)
')


@ -1,16 +0,0 @@
/etc/rc\.d/init\.d/shorewall -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
/etc/rc\.d/init\.d/shorewall-lite -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
/sbin/shorewall6? -- gen_context(system_u:object_r:shorewall_exec_t,s0)
/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
/var/lib/shorewall6(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
/var/lock/subsys/shorewall -- gen_context(system_u:object_r:shorewall_lock_t,s0)
/var/log/shorewall.* gen_context(system_u:object_r:shorewall_log_t,s0)


@ -1,202 +0,0 @@
## <summary>Shoreline Firewall high-level tool for configuring netfilter</summary>
########################################
## <summary>
## Execute a domain transition to run shorewall.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`shorewall_domtrans',`
gen_require(`
type shorewall_t, shorewall_exec_t;
')
domtrans_pattern($1, shorewall_exec_t, shorewall_t)
')
######################################
## <summary>
## Execute a domain transition to run shorewall.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`shorewall_lib_domtrans',`
gen_require(`
type shorewall_t, shorewall_var_lib_t;
')
domtrans_pattern($1, shorewall_var_lib_t, shorewall_t)
')
#######################################
## <summary>
## Read shorewall etc configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`shorewall_read_config',`
gen_require(`
type shorewall_etc_t;
')
files_search_etc($1)
read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
')
#######################################
## <summary>
## Read shorewall PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`shorewall_read_pid_files',`
gen_require(`
type shorewall_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
')
#######################################
## <summary>
## Read and write shorewall PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`shorewall_rw_pid_files',`
gen_require(`
type shorewall_var_run_t;
')
files_search_pids($1)
rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
')
######################################
## <summary>
## Read shorewall /var/lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`shorewall_read_lib_files',`
gen_require(`
type shorewall_t;
')
files_search_var_lib($1)
search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
')
#######################################
## <summary>
## Read and write shorewall /var/lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`shorewall_rw_lib_files',`
gen_require(`
type shorewall_var_lib_t;
')
files_search_var_lib($1)
search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
')
#######################################
## <summary>
## Read shorewall tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`shorewall_read_tmp_files',`
gen_require(`
type shorewall_tmp_t;
')
files_search_tmp($1)
read_files_pattern($1, shorewall_tmp_t, shorewall_tmp_t)
')
#######################################
## <summary>
## All of the rules required to administrate
## an shorewall environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the syslog domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`shorewall_admin',`
gen_require(`
type shorewall_t, shorewall_lock_t;
type shorewall_log_t;
type shorewall_initrc_exec_t, shorewall_var_lib_t;
type shorewall_tmp_t, shorewall_etc_t;
')
allow $1 shorewall_t:process { ptrace signal_perms };
ps_process_pattern($1, shorewall_t)
init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 shorewall_initrc_exec_t system_r;
allow $2 system_r;
files_list_etc($1)
admin_pattern($1, shorewall_etc_t)
files_list_locks($1)
admin_pattern($1, shorewall_lock_t)
logging_list_logs($1)
admin_pattern($1, shorewall_log_t)
files_list_var_lib($1)
admin_pattern($1, shorewall_var_lib_t)
files_list_tmp($1)
admin_pattern($1, shorewall_tmp_t)
')


@ -1,108 +0,0 @@
policy_module(shorewall, 1.3.0)
########################################
#
# Declarations
#
type shorewall_t;
type shorewall_exec_t;
init_daemon_domain(shorewall_t, shorewall_exec_t)
type shorewall_initrc_exec_t;
init_script_file(shorewall_initrc_exec_t)
# etc files
type shorewall_etc_t;
files_config_file(shorewall_etc_t)
# lock files
type shorewall_lock_t;
files_lock_file(shorewall_lock_t)
# tmp files
type shorewall_tmp_t;
files_tmp_file(shorewall_tmp_t)
# var/lib files
type shorewall_var_lib_t;
files_type(shorewall_var_lib_t)
domain_entry_file(shorewall_t, shorewall_var_lib_t)
type shorewall_log_t;
logging_log_file(shorewall_log_t)
########################################
#
# shorewall local policy
#
allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace };
dontaudit shorewall_t self:capability sys_tty_config;
allow shorewall_t self:fifo_file rw_fifo_file_perms;
read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
manage_files_pattern(shorewall_t, shorewall_lock_t, shorewall_lock_t)
files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
manage_files_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
manage_dirs_pattern(shorewall_t, shorewall_log_t, shorewall_log_t)
logging_log_filetrans(shorewall_t, shorewall_log_t, { file dir })
manage_dirs_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
manage_files_pattern(shorewall_t, shorewall_tmp_t, shorewall_tmp_t)
files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
exec_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_dirs_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
manage_files_pattern(shorewall_t, shorewall_var_lib_t, shorewall_var_lib_t)
files_var_lib_filetrans(shorewall_t, shorewall_var_lib_t, { dir file })
allow shorewall_t shorewall_initrc_exec_t:file read_file_perms;
kernel_read_kernel_sysctls(shorewall_t)
kernel_read_network_state(shorewall_t)
kernel_read_system_state(shorewall_t)
kernel_rw_net_sysctls(shorewall_t)
corecmd_exec_bin(shorewall_t)
corecmd_exec_shell(shorewall_t)
dev_read_urand(shorewall_t)
domain_read_all_domains_state(shorewall_t)
files_getattr_kernel_modules(shorewall_t)
files_read_etc_files(shorewall_t)
files_read_usr_files(shorewall_t)
files_search_kernel_modules(shorewall_t)
fs_getattr_all_fs(shorewall_t)
init_rw_utmp(shorewall_t)
logging_send_syslog_msg(shorewall_t)
miscfiles_read_localization(shorewall_t)
sysnet_domtrans_ifconfig(shorewall_t)
userdom_dontaudit_list_user_home_dirs(shorewall_t)
optional_policy(`
hostname_exec(shorewall_t)
')
optional_policy(`
iptables_domtrans(shorewall_t)
')
optional_policy(`
modutils_domtrans_insmod(shorewall_t)
')
optional_policy(`
ulogd_search_log(shorewall_t)
')


@ -1,7 +0,0 @@
/etc/nologin -- gen_context(system_u:object_r:shutdown_etc_t,s0)
/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)


@ -1,69 +0,0 @@
## <summary>System shutdown command</summary>
########################################
## <summary>
## Execute a domain transition to run shutdown.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`shutdown_domtrans',`
gen_require(`
type shutdown_t, shutdown_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, shutdown_exec_t, shutdown_t)
ifdef(`hide_broken_symptoms', `
dontaudit shutdown_t $1:socket_class_set { read write };
dontaudit shutdown_t $1:fifo_file { read write };
')
')
########################################
## <summary>
## Execute shutdown in the shutdown domain, and
## allow the specified role the shutdown domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
#
interface(`shutdown_run',`
gen_require(`
type shutdown_t;
')
shutdown_domtrans($1)
role $2 types shutdown_t;
')
########################################
## <summary>
## Get attributes of shutdown executable.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`shutdown_getattr_exec_files',`
gen_require(`
type shutdown_exec_t;
')
corecmd_search_bin($1)
allow $1 shutdown_exec_t:file getattr_file_perms;
')


@ -1,63 +0,0 @@
policy_module(shutdown, 1.1.0)
########################################
#
# Declarations
#
type shutdown_t;
type shutdown_exec_t;
application_domain(shutdown_t, shutdown_exec_t)
role system_r types shutdown_t;
type shutdown_etc_t;
files_config_file(shutdown_etc_t)
type shutdown_var_run_t;
files_pid_file(shutdown_var_run_t)
########################################
#
# shutdown local policy
#
allow shutdown_t self:capability { dac_override kill setuid sys_tty_config };
allow shutdown_t self:process { fork signal signull };
allow shutdown_t self:fifo_file manage_fifo_file_perms;
allow shutdown_t self:unix_stream_socket create_stream_socket_perms;
manage_files_pattern(shutdown_t, shutdown_etc_t, shutdown_etc_t)
files_etc_filetrans(shutdown_t, shutdown_etc_t, file)
manage_files_pattern(shutdown_t, shutdown_var_run_t, shutdown_var_run_t)
files_pid_filetrans(shutdown_t, shutdown_var_run_t, file)
domain_use_interactive_fds(shutdown_t)
files_read_etc_files(shutdown_t)
files_read_generic_pids(shutdown_t)
term_use_all_terms(shutdown_t)
auth_use_nsswitch(shutdown_t)
auth_write_login_records(shutdown_t)
init_dontaudit_write_utmp(shutdown_t)
init_read_utmp(shutdown_t)
init_stream_connect(shutdown_t)
init_telinit(shutdown_t)
logging_search_logs(shutdown_t)
logging_send_audit_msgs(shutdown_t)
miscfiles_read_localization(shutdown_t)
optional_policy(`
dbus_system_bus_client(shutdown_t)
dbus_connect_system_bus(shutdown_t)
')
optional_policy(`
xserver_dontaudit_write_log(shutdown_t)
')


@ -1,2 +0,0 @@
/usr/share/smolt/client/sendProfile.py -- gen_context(system_u:object_r:smoltclient_exec_t,s0)


@ -1 +0,0 @@
## <summary>The Fedora hardware profiler client</summary>


@ -1,68 +0,0 @@
policy_module(smoltclient, 1.1.0)
########################################
#
# Declarations
#
type smoltclient_t;
type smoltclient_exec_t;
application_domain(smoltclient_t, smoltclient_exec_t)
cron_system_entry(smoltclient_t, smoltclient_exec_t)
type smoltclient_tmp_t;
files_tmp_file(smoltclient_tmp_t)
########################################
#
# Local policy
#
allow smoltclient_t self:process { setsched getsched };
allow smoltclient_t self:fifo_file rw_fifo_file_perms;
allow smoltclient_t self:tcp_socket create_socket_perms;
allow smoltclient_t self:udp_socket create_socket_perms;
can_exec(smoltclient_t, smoltclient_tmp_t)
manage_dirs_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
manage_files_pattern(smoltclient_t, smoltclient_tmp_t, smoltclient_tmp_t)
files_tmp_filetrans(smoltclient_t, smoltclient_tmp_t, { dir file })
kernel_read_system_state(smoltclient_t)
kernel_read_network_state(smoltclient_t)
kernel_read_kernel_sysctls(smoltclient_t)
corecmd_exec_bin(smoltclient_t)
corecmd_exec_shell(smoltclient_t)
corenet_tcp_connect_http_port(smoltclient_t)
dev_read_sysfs(smoltclient_t)
fs_getattr_all_fs(smoltclient_t)
fs_getattr_all_dirs(smoltclient_t)
fs_list_auto_mountpoints(smoltclient_t)
files_getattr_generic_locks(smoltclient_t)
files_read_etc_files(smoltclient_t)
files_read_usr_files(smoltclient_t)
auth_use_nsswitch(smoltclient_t)
logging_send_syslog_msg(smoltclient_t)
miscfiles_read_localization(smoltclient_t)
optional_policy(`
dbus_system_bus_client(smoltclient_t)
')
optional_policy(`
hal_dbus_chat(smoltclient_t)
')
optional_policy(`
rpm_exec(smoltclient_t)
rpm_read_db(smoltclient_t)
')


@ -1 +0,0 @@
/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)


@ -1,129 +0,0 @@
## <summary>sosreport - Generate debugging information for system</summary>
########################################
## <summary>
## Execute a domain transition to run sosreport.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`sosreport_domtrans',`
gen_require(`
type sosreport_t, sosreport_exec_t;
')
domtrans_pattern($1, sosreport_exec_t, sosreport_t)
')
########################################
## <summary>
## Execute sosreport in the sosreport domain, and
## allow the specified role the sosreport domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
#
interface(`sosreport_run',`
gen_require(`
type sosreport_t;
')
sosreport_domtrans($1)
role $2 types sosreport_t;
')
########################################
## <summary>
## Role access for sosreport
## </summary>
## <param name="role">
## <summary>
## Role allowed access
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role
## </summary>
## </param>
#
interface(`sosreport_role',`
gen_require(`
type sosreport_t;
')
role $1 types sosreport_t;
sosreport_domtrans($2)
ps_process_pattern($2, sosreport_t)
allow $2 sosreport_t:process signal;
')
########################################
## <summary>
## Allow the specified domain to read
## sosreport tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sosreport_read_tmp_files',`
gen_require(`
type sosreport_tmp_t;
')
files_search_tmp($1)
read_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
')
########################################
## <summary>
## Append sosreport tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sosreport_append_tmp_files',`
gen_require(`
type sosreport_tmp_t;
')
append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
')
########################################
## <summary>
## Delete sosreport tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sosreport_delete_tmp_files',`
gen_require(`
type sosreport_tmp_t;
')
files_delete_tmp_dir_entry($1)
delete_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
')


@ -1,148 +0,0 @@
policy_module(sosreport, 1.1.0)
########################################
#
# Declarations
#
type sosreport_t;
type sosreport_exec_t;
application_domain(sosreport_t, sosreport_exec_t)
role system_r types sosreport_t;
type sosreport_tmp_t;
files_tmp_file(sosreport_tmp_t)
type sosreport_tmpfs_t;
files_tmpfs_file(sosreport_tmpfs_t)
########################################
#
# sosreport local policy
#
allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override };
allow sosreport_t self:process { setsched signull };
allow sosreport_t self:fifo_file rw_fifo_file_perms;
allow sosreport_t self:tcp_socket create_stream_socket_perms;
allow sosreport_t self:udp_socket create_socket_perms;
allow sosreport_t self:unix_dgram_socket create_socket_perms;
allow sosreport_t self:netlink_route_socket r_netlink_socket_perms;
allow sosreport_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
fs_tmpfs_filetrans(sosreport_t, sosreport_tmpfs_t, file)
kernel_read_network_state(sosreport_t)
kernel_read_all_sysctls(sosreport_t)
kernel_read_software_raid_state(sosreport_t)
kernel_search_debugfs(sosreport_t)
kernel_read_messages(sosreport_t)
corecmd_exec_all_executables(sosreport_t)
dev_getattr_all_chr_files(sosreport_t)
dev_getattr_all_blk_files(sosreport_t)
dev_getattr_mtrr_dev(sosreport_t)
dev_read_rand(sosreport_t)
dev_read_urand(sosreport_t)
dev_read_raw_memory(sosreport_t)
dev_read_sysfs(sosreport_t)
domain_getattr_all_domains(sosreport_t)
domain_read_all_domains_state(sosreport_t)
domain_getattr_all_sockets(sosreport_t)
domain_getattr_all_pipes(sosreport_t)
domain_signull_all_domains(sosreport_t)
files_getattr_all_sockets(sosreport_t)
files_exec_etc_files(sosreport_t)
files_list_all(sosreport_t)
files_read_config_files(sosreport_t)
files_read_etc_files(sosreport_t)
files_read_generic_tmp_files(sosreport_t)
files_read_usr_files(sosreport_t)
files_read_var_lib_files(sosreport_t)
files_read_var_symlinks(sosreport_t)
files_read_kernel_modules(sosreport_t)
files_read_all_symlinks(sosreport_t)
# for blkid.tab
files_manage_etc_runtime_files(sosreport_t)
files_etc_filetrans_etc_runtime(sosreport_t, file)
fs_getattr_all_fs(sosreport_t)
fs_list_inotifyfs(sosreport_t)
# some config files do not have configfile attribute
# sosreport needs to read various files on system
auth_read_all_files_except_auth_files(sosreport_t)
auth_use_nsswitch(sosreport_t)
init_domtrans_script(sosreport_t)
libs_domtrans_ldconfig(sosreport_t)
logging_read_all_logs(sosreport_t)
logging_send_syslog_msg(sosreport_t)
miscfiles_read_localization(sosreport_t)
# needed by modinfo
modutils_read_module_deps(sosreport_t)
sysnet_read_config(sosreport_t)
optional_policy(`
abrt_manage_pid_files(sosreport_t)
')
optional_policy(`
cups_stream_connect(sosreport_t)
')
optional_policy(`
dmesg_domtrans(sosreport_t)
')
optional_policy(`
fstools_domtrans(sosreport_t)
')
optional_policy(`
dbus_system_bus_client(sosreport_t)
optional_policy(`
hal_dbus_chat(sosreport_t)
')
')
optional_policy(`
lvm_domtrans(sosreport_t)
')
optional_policy(`
mount_domtrans(sosreport_t)
')
optional_policy(`
pulseaudio_stream_connect(sosreport_t)
')
optional_policy(`
rpm_exec(sosreport_t)
rpm_dontaudit_manage_db(sosreport_t)
rpm_read_db(sosreport_t)
')
optional_policy(`
xserver_stream_connect(sosreport_t)
')
optional_policy(`
unconfined_domain(sosreport_t)
')


@ -1,6 +0,0 @@
/usr/bin/sxid -- gen_context(system_u:object_r:sxid_exec_t,s0)
/usr/sbin/checksecurity\.se -- gen_context(system_u:object_r:sxid_exec_t,s0)
/var/log/setuid.* -- gen_context(system_u:object_r:sxid_log_t,s0)
/var/log/setuid\.today.* -- gen_context(system_u:object_r:sxid_log_t,s0)
/var/log/sxid\.log.* -- gen_context(system_u:object_r:sxid_log_t,s0)


@ -1,22 +0,0 @@
## <summary>SUID/SGID program monitoring</summary>
########################################
## <summary>
## Allow the specified domain to read
## sxid log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`sxid_read_log',`
gen_require(`
type sxid_log_t;
')
logging_search_logs($1)
allow $1 sxid_log_t:file read_file_perms;
')


@ -1,97 +0,0 @@
policy_module(sxid, 1.6.0)
########################################
#
# Declarations
#
type sxid_t;
type sxid_exec_t;
application_domain(sxid_t, sxid_exec_t)
type sxid_log_t;
logging_log_file(sxid_log_t)
type sxid_tmp_t;
files_tmp_file(sxid_tmp_t)
########################################
#
# Local policy
#
allow sxid_t self:capability { dac_override dac_read_search fsetid };
dontaudit sxid_t self:capability { setuid setgid sys_tty_config };
allow sxid_t self:process signal_perms;
allow sxid_t self:fifo_file rw_fifo_file_perms;
allow sxid_t self:tcp_socket create_stream_socket_perms;
allow sxid_t self:udp_socket create_socket_perms;
allow sxid_t sxid_log_t:file manage_file_perms;
logging_log_filetrans(sxid_t, sxid_log_t, file)
manage_dirs_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t)
manage_files_pattern(sxid_t, sxid_tmp_t, sxid_tmp_t)
files_tmp_filetrans(sxid_t, sxid_tmp_t, { file dir })
kernel_read_system_state(sxid_t)
kernel_read_kernel_sysctls(sxid_t)
corecmd_exec_bin(sxid_t)
corecmd_exec_shell(sxid_t)
corenet_all_recvfrom_unlabeled(sxid_t)
corenet_all_recvfrom_netlabel(sxid_t)
corenet_tcp_sendrecv_generic_if(sxid_t)
corenet_udp_sendrecv_generic_if(sxid_t)
corenet_tcp_sendrecv_generic_node(sxid_t)
corenet_udp_sendrecv_generic_node(sxid_t)
corenet_tcp_sendrecv_all_ports(sxid_t)
corenet_udp_sendrecv_all_ports(sxid_t)
dev_read_sysfs(sxid_t)
dev_getattr_all_blk_files(sxid_t)
dev_getattr_all_chr_files(sxid_t)
domain_use_interactive_fds(sxid_t)
files_list_all(sxid_t)
files_getattr_all_symlinks(sxid_t)
files_getattr_all_pipes(sxid_t)
files_getattr_all_sockets(sxid_t)
fs_getattr_xattr_fs(sxid_t)
fs_search_auto_mountpoints(sxid_t)
fs_list_all(sxid_t)
term_dontaudit_use_console(sxid_t)
auth_read_all_files_except_auth_files(sxid_t)
auth_dontaudit_getattr_shadow(sxid_t)
init_use_fds(sxid_t)
init_use_script_ptys(sxid_t)
logging_send_syslog_msg(sxid_t)
miscfiles_read_localization(sxid_t)
mount_exec(sxid_t)
sysnet_read_config(sxid_t)
userdom_dontaudit_use_unpriv_user_fds(sxid_t)
cron_system_entry(sxid_t, sxid_exec_t)
optional_policy(`
mta_send_mail(sxid_t)
')
optional_policy(`
seutil_sigchld_newrole(sxid_t)
')
optional_policy(`
udev_read_db(sxid_t)
')


@ -1,2 +0,0 @@
/usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
/usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
