Pull in some changes from Fedora policy system layer.
This commit is contained in:
parent
5e8cdeab27
commit
127d617b31
@ -11,18 +11,36 @@
|
||||
|
||||
#####################################
|
||||
## <summary>
|
||||
## Allow read and write access to tgtd semaphores.
|
||||
## Allow read and write access to tgtd semaphores.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`tgtd_rw_semaphores',`
|
||||
gen_require(`
|
||||
type tgtd_t;
|
||||
')
|
||||
gen_require(`
|
||||
type tgtd_t;
|
||||
')
|
||||
|
||||
allow $1 tgtd_t:sem rw_sem_perms;
|
||||
allow $1 tgtd_t:sem rw_sem_perms;
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Manage tgtd sempaphores.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`tgtd_manage_semaphores',`
|
||||
gen_require(`
|
||||
type tgtd_t;
|
||||
')
|
||||
|
||||
allow $1 tgtd_t:sem create_sem_perms;
|
||||
')
|
||||
|
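Review bot: The summary of the new interface reads `## Manage tgtd sempaphores.` (misspelled); it should be `## Manage tgtd semaphores.`, and the same misspelling appears in the iscsi.if hunk's `iscsi_manage_semaphores` summary. The banner above it is also two characters shorter than the `########################################` used for `tgtd_rw_semaphores`. With both interfaces now side by side, a short doc note on `tgtd_manage_semaphores` saying that `create_sem_perms` adds create, destroy and setattr on top of `rw_sem_perms` would help callers pick the narrower one.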
@ -1,4 +1,4 @@
|
||||
policy_module(tgtd, 1.1.0)
|
||||
policy_module(tgtd, 1.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,4 +1,4 @@
|
||||
policy_module(fstools, 1.14.0)
|
||||
policy_module(fstools, 1.14.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
|
||||
|
||||
kernel_read_system_state(fsadm_t)
|
||||
kernel_read_kernel_sysctls(fsadm_t)
|
||||
kernel_request_load_module(fsadm_t)
|
||||
# Allow console log change (updfstab)
|
||||
kernel_change_ring_buffer_level(fsadm_t)
|
||||
# mkreiserfs needs this
|
||||
@ -78,6 +79,7 @@ dev_dontaudit_getattr_generic_files(fsadm_t)
|
||||
# mkreiserfs and other programs need this for UUID
|
||||
dev_read_rand(fsadm_t)
|
||||
dev_read_urand(fsadm_t)
|
||||
dev_write_kmsg(fsadm_t)
|
||||
# Recreate /dev/cdrom.
|
||||
dev_manage_generic_symlinks(fsadm_t)
|
||||
# fdisk needs this for early boot
|
||||
@ -85,7 +87,7 @@ dev_manage_generic_blk_files(fsadm_t)
|
||||
# Access to /initrd devices
|
||||
dev_search_usbfs(fsadm_t)
|
||||
# for swapon
|
||||
dev_read_sysfs(fsadm_t)
|
||||
dev_rw_sysfs(fsadm_t)
|
||||
# Access to /initrd devices
|
||||
dev_getattr_usbfs_dirs(fsadm_t)
|
||||
# Access to /dev/mapper/control
|
||||
@ -114,6 +116,7 @@ fs_rw_tmpfs_files(fsadm_t)
|
||||
# remount file system to apply changes
|
||||
fs_remount_xattr_fs(fsadm_t)
|
||||
# for /dev/shm
|
||||
fs_list_auto_mountpoints(fsadm_t)
|
||||
fs_search_tmpfs(fsadm_t)
|
||||
fs_getattr_tmpfs_dirs(fsadm_t)
|
||||
fs_read_tmpfs_symlinks(fsadm_t)
|
||||
@ -142,9 +145,6 @@ logging_send_syslog_msg(fsadm_t)
|
||||
|
||||
miscfiles_read_localization(fsadm_t)
|
||||
|
||||
modutils_read_module_config(fsadm_t)
|
||||
modutils_read_module_deps(fsadm_t)
|
||||
|
||||
seutil_read_config(fsadm_t)
|
||||
|
||||
userdom_use_user_terminals(fsadm_t)
|
||||
@ -165,6 +165,19 @@ optional_policy(`
|
||||
cron_system_entry(fsadm_t, fsadm_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hal_dontaudit_write_log(fsadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
livecd_rw_tmp_files(fsadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
modutils_read_module_config(fsadm_t)
|
||||
modutils_read_module_deps(fsadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(fsadm_t)
|
||||
')
|
||||
@ -174,6 +187,10 @@ optional_policy(`
|
||||
rhgb_stub(fsadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(fsadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
xen_append_log(fsadm_t)
|
||||
xen_rw_image_files(fsadm_t)
|
||||
|
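Review bot: `dev_rw_sysfs(fsadm_t)` replaces `dev_read_sysfs(fsadm_t)` in the hunk at `@ -85,7 +87,7 @@` with no comment saying which tool writes to sysfs, and the `# for swapon` comment directly above now appears to justify a write rule it may not cover. Writes to sysfs let the domain change device and driver settings, so name the tool, e.g. `# for swapon (read); <TOOL> writes sysfs`, or keep the read rule and put the write rule under its own comment. The same applies to `kernel_request_load_module(fsadm_t)` and `dev_write_kmsg(fsadm_t)` in the `-55` and `-78` hunks, which also arrive without a why-comment.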
@ -1,4 +1,4 @@
|
||||
policy_module(hotplug, 1.14.0)
|
||||
policy_module(hotplug, 1.14.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -105,9 +105,6 @@ libs_read_lib_files(hotplug_t)
|
||||
miscfiles_read_hwdata(hotplug_t)
|
||||
miscfiles_read_localization(hotplug_t)
|
||||
|
||||
modutils_domtrans_insmod(hotplug_t)
|
||||
modutils_read_module_deps(hotplug_t)
|
||||
|
||||
seutil_dontaudit_search_config(hotplug_t)
|
||||
|
||||
sysnet_read_config(hotplug_t)
|
||||
@ -153,6 +150,11 @@ optional_policy(`
|
||||
iptables_domtrans(hotplug_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
modutils_domtrans_insmod(hotplug_t)
|
||||
modutils_read_module_deps(hotplug_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mount_domtrans(hotplug_t)
|
||||
')
|
||||
|
@ -25,6 +25,7 @@
|
||||
/usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
|
||||
/usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0)
|
||||
/usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0)
|
||||
/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
|
||||
|
||||
/usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0)
|
||||
/usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0)
|
||||
@ -35,6 +36,8 @@
|
||||
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
|
||||
/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
|
||||
|
||||
/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
|
||||
|
||||
/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
|
||||
|
||||
/var/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
|
||||
|
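Review bot: The new entries label `/var/lock/subsys/ipsec` as `ipsec_mgmt_lock_t` and `/var/log/pluto\.log` as `ipsec_log_t`, but none of the ipsec.te hunks in this commit declares either type; if they are not already declared outside the shown hunks, the file-context build will fail on an unknown type. Worth confirming against ipsec.te before merging, and if the declarations are new they belong in this commit together with the `files_lock_file`/`logging_log_file` calls that give them their attributes.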
@ -37,6 +37,24 @@ interface(`ipsec_stream_connect',`
|
||||
stream_connect_pattern($1, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute ipsec in the ipsec mgmt domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ipsec_domtrans_mgmt',`
|
||||
gen_require(`
|
||||
type ipsec_mgmt_t, ipsec_mgmt_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to racoon using a unix domain stream socket.
|
||||
@ -92,6 +110,84 @@ interface(`ipsec_exec_mgmt',`
|
||||
can_exec($1, ipsec_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send ipsec mgmt a general signal.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
#
|
||||
interface(`ipsec_signal_mgmt',`
|
||||
gen_require(`
|
||||
type ipsec_mgmt_t;
|
||||
')
|
||||
|
||||
allow $1 ipsec_mgmt_t:process signal;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send ipsec mgmt a null signal.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
#
|
||||
interface(`ipsec_signull_mgmt',`
|
||||
gen_require(`
|
||||
type ipsec_mgmt_t;
|
||||
')
|
||||
|
||||
allow $1 ipsec_mgmt_t:process signull;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send ipsec mgmt a kill signal.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
#
|
||||
interface(`ipsec_kill_mgmt',`
|
||||
gen_require(`
|
||||
type ipsec_mgmt_t;
|
||||
')
|
||||
|
||||
allow $1 ipsec_mgmt_t:process sigkill;
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
## ipsec-mgmt over dbus.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ipsec_mgmt_dbus_chat',`
|
||||
gen_require(`
|
||||
type ipsec_mgmt_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $1 ipsec_mgmt_t:dbus send_msg;
|
||||
allow ipsec_mgmt_t $1:dbus send_msg;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the IPSEC configuration
|
||||
|
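Review bot: `ipsec_domtrans_mgmt` in the hunk at `@ -37,6 +37,24 @@` calls `domtrans_pattern` without a preceding `corecmd_search_bin($1)`, unlike `iptables_domtrans` in this same commit; since the ipsec.fc hunk puts an `ipsec_mgmt_exec_t` entry point under `/usr/libexec`, which refpolicy labels bin_t, callers will likely need that search permission to reach the binary. The three signal interfaces in the `-92` hunk (`ipsec_signal_mgmt`, `ipsec_signull_mgmt`, `ipsec_kill_mgmt`) close their doc comment with two `#` lines where `ipsec_domtrans_mgmt` and `ipsec_mgmt_dbus_chat` use one; drop the duplicate. The `ipsec_mgmt_dbus_chat` banner is also shorter than the others in the file.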
@ -1,4 +1,4 @@
|
||||
policy_module(ipsec, 1.11.1)
|
||||
policy_module(ipsec, 1.11.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -73,7 +73,7 @@ role system_r types setkey_t;
|
||||
#
|
||||
|
||||
allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
|
||||
dontaudit ipsec_t self:capability sys_tty_config;
|
||||
dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
|
||||
allow ipsec_t self:process { getcap setcap getsched signal setsched };
|
||||
allow ipsec_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ipsec_t self:udp_socket create_socket_perms;
|
||||
@ -95,9 +95,10 @@ manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
|
||||
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
|
||||
files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
|
||||
|
||||
manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
|
||||
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
|
||||
manage_sock_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
|
||||
files_pid_filetrans(ipsec_t, ipsec_var_run_t, { file sock_file })
|
||||
files_pid_filetrans(ipsec_t, ipsec_var_run_t, { dir file sock_file })
|
||||
|
||||
can_exec(ipsec_t, ipsec_mgmt_exec_t)
|
||||
|
||||
@ -108,8 +109,8 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
|
||||
corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
|
||||
allow ipsec_mgmt_t ipsec_t:fd use;
|
||||
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
|
||||
dontaudit ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
|
||||
allow ipsec_mgmt_t ipsec_t:process sigchld;
|
||||
allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
|
||||
allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
|
||||
|
||||
kernel_read_kernel_sysctls(ipsec_t)
|
||||
kernel_list_proc(ipsec_t)
|
||||
@ -150,6 +151,7 @@ domain_use_interactive_fds(ipsec_t)
|
||||
files_list_tmp(ipsec_t)
|
||||
files_read_etc_files(ipsec_t)
|
||||
files_read_usr_files(ipsec_t)
|
||||
files_dontaudit_search_home(ipsec_t)
|
||||
|
||||
fs_getattr_all_fs(ipsec_t)
|
||||
fs_search_auto_mountpoints(ipsec_t)
|
||||
@ -185,8 +187,8 @@ optional_policy(`
|
||||
#
|
||||
|
||||
allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
|
||||
dontaudit ipsec_mgmt_t self:capability sys_tty_config;
|
||||
allow ipsec_mgmt_t self:process { getsched ptrace setrlimit signal };
|
||||
dontaudit ipsec_mgmt_t self:capability { sys_ptrace sys_tty_config };
|
||||
allow ipsec_mgmt_t self:process { getsched ptrace setrlimit setsched signal };
|
||||
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
|
||||
@ -225,7 +227,6 @@ allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
|
||||
|
||||
manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
|
||||
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
|
||||
files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file)
|
||||
|
||||
# whack needs to connect to pluto
|
||||
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
|
||||
@ -258,7 +259,7 @@ dev_read_urand(ipsec_mgmt_t)
|
||||
|
||||
domain_use_interactive_fds(ipsec_mgmt_t)
|
||||
# denials when ps tries to search /proc. Do not audit these denials.
|
||||
domain_dontaudit_list_all_domains_state(ipsec_mgmt_t)
|
||||
domain_dontaudit_read_all_domains_state(ipsec_mgmt_t)
|
||||
# suppress audit messages about unnecessary socket access
|
||||
# cjp: this seems excessive
|
||||
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
|
||||
@ -278,6 +279,9 @@ fs_list_tmpfs(ipsec_mgmt_t)
|
||||
term_use_console(ipsec_mgmt_t)
|
||||
term_dontaudit_getattr_unallocated_ttys(ipsec_mgmt_t)
|
||||
|
||||
auth_dontaudit_read_login_records(ipsec_mgmt_t)
|
||||
|
||||
init_read_utmp(ipsec_mgmt_t)
|
||||
init_use_script_ptys(ipsec_mgmt_t)
|
||||
init_exec_script_files(ipsec_mgmt_t)
|
||||
init_use_fds(ipsec_mgmt_t)
|
||||
@ -287,11 +291,11 @@ logging_send_syslog_msg(ipsec_mgmt_t)
|
||||
|
||||
miscfiles_read_localization(ipsec_mgmt_t)
|
||||
|
||||
modutils_domtrans_insmod(ipsec_mgmt_t)
|
||||
|
||||
seutil_dontaudit_search_config(ipsec_mgmt_t)
|
||||
|
||||
sysnet_manage_config(ipsec_mgmt_t)
|
||||
sysnet_domtrans_ifconfig(ipsec_mgmt_t)
|
||||
sysnet_etc_filetrans_config(ipsec_mgmt_t)
|
||||
|
||||
userdom_use_user_terminals(ipsec_mgmt_t)
|
||||
|
||||
@ -299,6 +303,27 @@ optional_policy(`
|
||||
consoletype_exec(ipsec_mgmt_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hostname_exec(ipsec_mgmt_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(ipsec_mgmt_t)
|
||||
dbus_connect_system_bus(ipsec_mgmt_t)
|
||||
|
||||
optional_policy(`
|
||||
networkmanager_dbus_chat(ipsec_mgmt_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
iptables_domtrans(ipsec_mgmt_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
modutils_domtrans_insmod(ipsec_mgmt_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(ipsec_mgmt_t)
|
||||
')
|
||||
@ -412,6 +437,7 @@ domain_ipsec_setcontext_all_domains(setkey_t)
|
||||
files_read_etc_files(setkey_t)
|
||||
|
||||
init_dontaudit_use_fds(setkey_t)
|
||||
init_read_script_tmp_files(setkey_t)
|
||||
|
||||
# allow setkey to set the context for ipsec SAs and policy.
|
||||
corenet_setcontext_all_spds(setkey_t)
|
||||
|
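Review bot: The hunk at `@ -225,7 +227,6 @@` drops one of the three `ipsec_key_file_t` lines (`manage_files_pattern`, `manage_lnk_files_pattern`, `files_etc_filetrans`) without a word in the commit message, and the rendering no longer shows which. If it is `files_etc_filetrans(ipsec_mgmt_t, ipsec_key_file_t, file)`, key files created by ipsec_mgmt_t in /etc would no longer get `ipsec_key_file_t` and would fall back to the directory's type, readable by every domain with `files_read_etc_files`; please confirm which line goes and say why. Separately, the new `dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };` and its ipsec_mgmt_t twin in the `-185` hunk silence a capability denial with no comment on what triggers it; a line such as `# sys_ptrace: <WHAT-PROBES-OTHER-PROCESSES>; revisit` keeps that decision reviewable.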
@ -1,11 +1,17 @@
|
||||
/etc/rc\.d/init\.d/ip6?tables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/ebtables -- gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
|
||||
/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
|
||||
/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
|
||||
|
||||
/sbin/ebtables -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/sbin/ebtables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/sbin/ip6?tables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/sbin/ipvsadm -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/sbin/ipvsadm-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
|
||||
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
|
||||
|
@ -17,6 +17,10 @@ interface(`iptables_domtrans',`
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, iptables_exec_t, iptables_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
dontaudit iptables_t $1:socket_class_set { read write };
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
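Review bot: The new `ifdef(`hide_broken_symptoms', ...)` block in `iptables_domtrans` dontaudits iptables_t reading and writing every socket class of the caller, with no comment saying which symptom is being hidden; this pattern usually stands for socket descriptors the caller leaks across the transition, but that is an inference. Add a one-line comment naming the caller and the leaked descriptor so the rule can be dropped once the caller closes its fds. Minor: `ifdef(`hide_broken_symptoms', `` has a space before the quote, while the iptables.te hunk writes `ifdef(`hide_broken_symptoms',`` without one.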
@ -1,4 +1,4 @@
|
||||
policy_module(iptables, 1.11.1)
|
||||
policy_module(iptables, 1.11.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -31,6 +31,7 @@ allow iptables_t self:capability { dac_read_search dac_override net_admin net_ra
|
||||
dontaudit iptables_t self:capability sys_tty_config;
|
||||
allow iptables_t self:fifo_file rw_fifo_file_perms;
|
||||
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
|
||||
allow iptables_t self:netlink_socket create_socket_perms;
|
||||
allow iptables_t self:rawip_socket create_socket_perms;
|
||||
|
||||
manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
|
||||
@ -52,6 +53,10 @@ kernel_read_kernel_sysctls(iptables_t)
|
||||
kernel_read_modprobe_sysctls(iptables_t)
|
||||
kernel_use_fds(iptables_t)
|
||||
|
||||
# needed by ipvsadm
|
||||
corecmd_exec_bin(iptables_t)
|
||||
corecmd_exec_shell(iptables_t)
|
||||
|
||||
corenet_relabelto_all_packets(iptables_t)
|
||||
corenet_dontaudit_rw_tun_tap_dev(iptables_t)
|
||||
|
||||
@ -88,6 +93,10 @@ sysnet_dns_name_resolve(iptables_t)
|
||||
userdom_use_user_terminals(iptables_t)
|
||||
userdom_use_all_users_fds(iptables_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dev_dontaudit_write_mtrr(iptables_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
fail2ban_append_log(iptables_t)
|
||||
')
|
||||
@ -125,6 +134,7 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
shorewall_read_tmp_files(iptables_t)
|
||||
shorewall_rw_lib_files(iptables_t)
|
||||
shorewall_read_config(iptables_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
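Review bot: `corecmd_exec_bin(iptables_t)` and `corecmd_exec_shell(iptables_t)` in the hunk at `@ -52,6 +53,10 @@`, justified only by `# needed by ipvsadm`, give shell execution to a domain that already holds `net_admin`, because the iptables.fc hunk labels `/sbin/ipvsadm*` as `iptables_exec_t`. The comment should name what ipvsadm executes (presumably the save/restore helpers) so the rule can be narrowed, or a separate domain for ipvsadm considered. The added `allow iptables_t self:process { sigchld sigkill sigstop signull signal };` in the `-31` hunk and the `dev_dontaudit_write_mtrr(iptables_t)` in the `-88` hunk also lack a why-comment.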
@ -18,6 +18,24 @@ interface(`iscsid_domtrans',`
|
||||
domtrans_pattern($1, iscsid_exec_t, iscsid_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage iscsid sempaphores.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`iscsi_manage_semaphores',`
|
||||
gen_require(`
|
||||
type iscsid_t;
|
||||
')
|
||||
|
||||
allow $1 iscsid_t:sem create_sem_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to ISCSI using a unix domain stream socket.
|
||||
|
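Review bot: The new interface is named `iscsi_manage_semaphores` while the interface it sits next to is `iscsid_domtrans`, so the file now mixes `iscsi_` and `iscsid_` prefixes; pick one for the module. Its summary reads `## Manage iscsid sempaphores.`, which should be `## Manage iscsid semaphores.`.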
@ -1,4 +1,4 @@
|
||||
policy_module(iscsi, 1.7.0)
|
||||
policy_module(iscsi, 1.7.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -31,6 +31,7 @@ files_pid_file(iscsi_var_run_t)
|
||||
#
|
||||
|
||||
allow iscsid_t self:capability { dac_override ipc_lock net_admin net_raw sys_admin sys_nice sys_resource };
|
||||
dontaudit iscsid_t self:capability sys_ptrace;
|
||||
allow iscsid_t self:process { setrlimit setsched signal };
|
||||
allow iscsid_t self:fifo_file rw_fifo_file_perms;
|
||||
allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
@ -38,14 +39,15 @@ allow iscsid_t self:unix_dgram_socket create_socket_perms;
|
||||
allow iscsid_t self:sem create_sem_perms;
|
||||
allow iscsid_t self:shm create_shm_perms;
|
||||
allow iscsid_t self:netlink_socket create_socket_perms;
|
||||
allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||
allow iscsid_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
can_exec(iscsid_t, iscsid_exec_t)
|
||||
|
||||
manage_dirs_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
|
||||
manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t)
|
||||
files_lock_filetrans(iscsid_t, iscsi_lock_t, file)
|
||||
files_lock_filetrans(iscsid_t, iscsi_lock_t, { dir file })
|
||||
|
||||
manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t)
|
||||
logging_log_filetrans(iscsid_t, iscsi_log_t, file)
|
||||
@ -91,5 +93,5 @@ logging_send_syslog_msg(iscsid_t)
|
||||
miscfiles_read_localization(iscsid_t)
|
||||
|
||||
optional_policy(`
|
||||
tgtd_rw_semaphores(iscsid_t)
|
||||
tgtd_manage_semaphores(iscsid_t)
|
||||
')
|
||||
|
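Review bot: The hunk at `@ -91,5 +93,5 @@` switches `tgtd_rw_semaphores(iscsid_t)` to `tgtd_manage_semaphores(iscsid_t)`, i.e. from `rw_sem_perms` to `create_sem_perms`, which adds create, destroy and setattr on tgtd's semaphores; nothing in the commit says why iscsid must create or destroy another daemon's semaphores rather than use them. A comment above the call naming the denial that motivated it would let a later reviewer narrow it back. The new `dontaudit iscsid_t self:capability sys_ptrace;` in the `-31` hunk also lacks a note on what triggers it.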
@ -90,6 +90,7 @@ ifdef(`distro_gentoo',`
|
||||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
/opt/Adobe.*/libcurl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/opt/Adobe/Reader.?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/opt/Adobe/Reader.?/Reader/intellinux/SPPlugins/.*\.ap[il] -- gen_context(system_u:object_r:lib_t,s0)
|
||||
@ -198,8 +199,6 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
|
||||
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/libfglrx_gamma\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/mozilla/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib64/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/nx/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -208,6 +207,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
|
||||
|
||||
/usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libgpac\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
@ -247,6 +247,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
|
||||
/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/sane/libsane-epkowa\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
||||
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
|
||||
@ -304,11 +305,6 @@ HOME_DIR/.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:te
|
||||
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0)
|
||||
/usr/lib64/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0)
|
||||
/usr/lib(64)?/pgsql/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
|
||||
/usr/lib(64)?/pgsql/test/regress/.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
|
||||
|
||||
/usr/share/hplip/prnt/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
|
||||
/usr/share/squeezeboxserver/CPAN/arch/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
') dnl end distro_redhat
|
||||
|
||||
#
|
||||
|
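Review bot: `/opt/Adobe.*/libcurl\.so` in the hunk at `@ -90,6 +90,7 @@` is looser than the `/opt/Adobe(/.*?)/nppdf\.so` entry right below it: `Adobe.*` also matches sibling directories such as `/opt/AdobeSomething/...`, and since the label is `textrel_shlib_t`, which permits execmod, a too-wide pattern hands that relaxation to unintended files. Use the same shape as its neighbour, `/opt/Adobe(/.*)?/libcurl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. The `maxima` entries in the `-198` hunk label an executable path as `textrel_shlib_t`; if that is intentional, a comment like the `# Livna.org packages:` one would help.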
@ -44,6 +44,26 @@ interface(`libs_run_ldconfig',`
|
||||
role $2 types ldconfig_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute ldconfig in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`libs_exec_ldconfig',`
|
||||
gen_require(`
|
||||
type ldconfig_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, ldconfig_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Use the dynamic link/loader for automatic loading
|
||||
@ -231,6 +251,24 @@ interface(`libs_manage_lib_dirs',`
|
||||
allow $1 lib_t:dir manage_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## dontaudit attempts to setattr on library files
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`libs_dontaudit_setattr_lib_files',`
|
||||
gen_require(`
|
||||
type lib_t;
|
||||
')
|
||||
|
||||
dontaudit $1 lib_t:file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read files in the library directories, such
|
||||
|
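Review bot: The summary of `libs_dontaudit_setattr_lib_files` in the hunk at `@ -231,6 +251,24 @@`, `## dontaudit attempts to setattr on library files`, breaks the file's convention of a capitalised sentence ending in a full stop; write `## Do not audit attempts to set attributes on library files.`. In the `-44` hunk, `libs_exec_ldconfig` carries `## <rolecap/>` although it only takes a domain and adds no role; if the tag is meant to pull the interface into role capability sets, say so, otherwise drop it.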
@ -1,4 +1,4 @@
|
||||
policy_module(libraries, 2.7.0)
|
||||
policy_module(libraries, 2.7.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,2 +1,3 @@
|
||||
|
||||
/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
|
||||
/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
|
||||
|
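Review bot: The new `/sbin/sushell` entry makes a second entry point for `sulogin_t`, but no locallogin.te hunk in this commit adds a rule letting `sulogin_t` execute `sulogin_exec_t` or transition out of it once sushell execs a shell; if sushell is run by sulogin rather than directly by init, that path needs checking. A comment on the fc line saying what sushell is and who invokes it would make the intent reviewable.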
@ -1,4 +1,4 @@
|
||||
policy_module(locallogin, 1.10.1)
|
||||
policy_module(locallogin, 1.10.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -185,7 +185,7 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_domain(local_login_t)
|
||||
unconfined_shell_domtrans(local_login_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -198,13 +198,14 @@ optional_policy(`
|
||||
')
|
||||
|
||||
#################################
|
||||
#
|
||||
#
|
||||
# Sulogin local policy
|
||||
#
|
||||
|
||||
allow sulogin_t self:capability dac_override;
|
||||
allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow sulogin_t self:fd use;
|
||||
allow sulogin_t self:fifo_file rw_file_perms;
|
||||
allow sulogin_t self:fifo_file rw_fifo_file_perms;
|
||||
allow sulogin_t self:unix_dgram_socket create_socket_perms;
|
||||
allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow sulogin_t self:unix_dgram_socket sendto;
|
||||
|
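Review bot: The sulogin block touched by the hunk at `@ -198,13 +198,14 @@` still carries `allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };`, which grants every process permission not on the list, including any added to the class in future. Whether that line is new here or pre-existing context, an explicit positive set is the safer form; at minimum a comment should say why the negated form is used for sulogin.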
@ -25,6 +25,7 @@
|
||||
/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
|
||||
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
|
||||
/var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
|
||||
/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
|
||||
|
||||
ifdef(`distro_suse', `
|
||||
@ -37,13 +38,14 @@ ifdef(`distro_suse', `
|
||||
|
||||
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
|
||||
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
|
||||
/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||
/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||
/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||
/var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||
/var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||
/var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
|
||||
/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
|
||||
/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
|
||||
|
||||
ifndef(`distro_gentoo',`
|
||||
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
|
||||
@ -54,18 +56,21 @@ ifdef(`distro_redhat',`
|
||||
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
|
||||
')
|
||||
|
||||
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
|
||||
/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0)
|
||||
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
|
||||
/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
|
||||
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
|
||||
/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh)
|
||||
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
|
||||
/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
|
||||
/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
|
||||
/var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
|
||||
/var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
|
||||
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
|
||||
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
|
||||
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
|
||||
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
|
||||
|
||||
/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
|
||||
/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
|
||||
/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0)
|
||||
/var/spool/plymouth/boot\.log gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||
/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
|
||||
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
|
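Review bot: `/var/spool/rsyslog(/.*)?` in the hunk at `@ -54,18 +56,21 @@` is labelled `var_log_t` at `s0`, while the same hunk raises `/var/spool/plymouth/boot\.log` and the `/var/run/audit*` entries to `mls_systemhigh` and the `-37` hunk raises `/var/log/syslog-ng(/.*)?`; an rsyslog disk queue holds the same messages as `/var/log/messages`, which this file already marks `mls_systemhigh`, so `s0` looks inconsistent for an MLS build. Consider `/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,mls_systemhigh)`. Also `/var/lib/syslog-ng.persist` and `/var/run/syslog-ng.ctl` keep an unescaped `.` next to the `boot.log` to `boot\.log` fix; if those are context lines here, they are worth a follow-up.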
@ -679,6 +679,25 @@ interface(`logging_rw_generic_log_dirs',`
|
||||
allow $1 var_log_t:dir rw_dir_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Set attributes on all log dirs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_setattr_all_log_dirs',`
|
||||
gen_require(`
|
||||
attribute logfile;
|
||||
')
|
||||
|
||||
allow $1 logfile:dir setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the atttributes
|
||||
|
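Review bot: The summary of `logging_setattr_all_log_dirs` says `## Set attributes on all log dirs.` while the rule is on the `logfile` attribute, so a caller reading the summary cannot tell it covers every type carrying that attribute rather than only `var_log_t`; `## Set attributes on all log directories (every type with the logfile attribute).` says what is granted. The banner line above it is one `#` short of the width used elsewhere in the file.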
@ -1,4 +1,4 @@
|
||||
policy_module(logging, 1.17.1)
|
||||
policy_module(logging, 1.17.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -19,6 +19,10 @@ type auditd_log_t;
|
||||
files_security_file(auditd_log_t)
|
||||
files_security_mountpoint(auditd_log_t)
|
||||
|
||||
type audit_spool_t;
|
||||
files_security_file(audit_spool_t)
|
||||
files_security_mountpoint(audit_spool_t)
|
||||
|
||||
type auditd_t;
|
||||
type auditd_exec_t;
|
||||
init_daemon_domain(auditd_t, auditd_exec_t)
|
||||
@ -55,7 +59,7 @@ type klogd_var_run_t;
|
||||
files_pid_file(klogd_var_run_t)
|
||||
|
||||
type syslog_conf_t;
|
||||
files_type(syslog_conf_t)
|
||||
files_config_file(syslog_conf_t)
|
||||
|
||||
type syslogd_t;
|
||||
type syslogd_exec_t;
|
||||
@ -253,7 +257,16 @@ optional_policy(`
|
||||
# Audit remote logger local policy
|
||||
#
|
||||
|
||||
allow audisp_remote_t self:capability { setuid setpcap };
|
||||
allow audisp_remote_t self:process { getcap setcap };
|
||||
allow audisp_remote_t self:tcp_socket create_socket_perms;
|
||||
allow audisp_remote_t var_log_t:dir search_dir_perms;
|
||||
|
||||
manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
|
||||
manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
|
||||
files_spool_filetrans(audisp_remote_t, audit_spool_t, { dir file })
|
||||
|
||||
corecmd_exec_bin(audisp_remote_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(audisp_remote_t)
|
||||
corenet_all_recvfrom_netlabel(audisp_remote_t)
|
||||
@ -268,6 +281,7 @@ corenet_sendrecv_audit_client_packets(audisp_remote_t)
|
||||
files_read_etc_files(audisp_remote_t)
|
||||
|
||||
logging_send_syslog_msg(audisp_remote_t)
|
||||
logging_send_audit_msgs(audisp_remote_t)
|
||||
|
||||
miscfiles_read_localization(audisp_remote_t)
|
||||
|
||||
|
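Review bot: The hunk at `@ -253,7 +257,16 @@` gives `audisp_remote_t` the `setuid setpcap` capabilities, `getcap setcap`, and `corecmd_exec_bin`, none of which carry a comment; together they let the remote audit dispatcher change identity and run any bin_t program, which is a lot for a log forwarder. If this is for an external action program the daemon runs on failure, say so above the rules, e.g. `# runs the configured failure action program`, and confirm `setuid` cannot be replaced by a narrower permission.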