more conversion
This commit is contained in:
parent
bd202fe157
commit
1e5c2a416a
@ -302,3 +302,17 @@ define(`terminal_ignore_use_general_pseudoterminal_depend',`
|
||||
type devpts_t;
|
||||
class chr_file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# terminal_ignore_use_pseudoterminal_multiplexer(domain)
|
||||
#
|
||||
define(`terminal_ignore_use_pseudoterminal_multiplexer',`
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 ptmx_t:chr_file { getattr read write };
|
||||
')
|
||||
|
||||
define(`terminal_ignore_use_pseudoterminal_multiplexer_depend',`
|
||||
type ptmx_t;
|
||||
class chr_file { getattr read write };
|
||||
')
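Review bot: The new `terminal_ignore_use_pseudoterminal_multiplexer` interface and its `_depend` block carry only the `name(domain)` header comment and no description of what is suppressed or why a caller would choose it over the broader terminal dontaudit interfaces. A one-line description under the signature, for example `# Do not audit attempts to read and write the pseudoterminal multiplexer (/dev/ptmx).`, would let a policy author pick the right interface without reading the body. The same header-only style is used for every interface added in the authlogin.if, hotplug.if and sysnetwork.if hunks on this page, so the description convention should be settled once and applied to all of them.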
|
||||
|
@ -116,8 +116,7 @@ class process transition;
|
||||
#
|
||||
define(`authlogin_modify_login_records',`
|
||||
requires_block_template(`$0'_depend)
|
||||
files_search_system_state_data_directory($1)
|
||||
# FIXME: search var_log_t
|
||||
logging_search_system_log_directory($1)
|
||||
allow $1 wtmp_t:file { getattr read write setattr };
|
||||
')
|
||||
|
||||
@ -190,6 +189,38 @@ type lastlog_t;
|
||||
class file { getattr read write setattr };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# authlogin_pam_transition(domain)
|
||||
#
|
||||
define(`authlogin_pam_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 pam_exec_t:file { getattr read execute };
|
||||
allow $1 pam_t:process transition;
|
||||
type_transition $1 pam_exec_t:file pam_t;
|
||||
dontaudit $1 pam_t:process { noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
define(`authlogin_pam_transition_depend',`
|
||||
type pam_t, pam_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# authlogin_pam_execute(domain)
|
||||
#
|
||||
define(`authlogin_pam_execute',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 pam_exec_t:file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
define(`authlogin_pam_execute_depend',`
|
||||
type pam_exec_t;
|
||||
class file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# authlogin_pam_read_runtime_data(domain)
|
||||
@ -225,3 +256,59 @@ type pam_var_run_t;
|
||||
class dir { getattr search read write remove_name };
|
||||
class file { getattr unlink };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# authlogin_pam_console_transition(domain)
|
||||
#
|
||||
define(`authlogin_pam_console_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 pam_console_exec_t:file { getattr read execute };
|
||||
allow $1 pam_console_t:process transition;
|
||||
type_transition $1 pam_console_exec_t:file pam_console_t;
|
||||
dontaudit $1 pam_console_t:process { noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
define(`authlogin_pam_console_transition_depend',`
|
||||
type pam_console_t, pam_console_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# authlogin_pam_console_read_runtime_data(domain)
|
||||
#
|
||||
define(`authlogin_pam_console_read_runtime_data',`
|
||||
requires_block_template(`$0'_depend)
|
||||
files_search_system_state_data_directory($1)
|
||||
files_search_runtime_data_directory($1)
|
||||
allow $1 pam_var_console_t:dir { getattr search read };
|
||||
allow $1 pam_var_console_t:file { getattr read };
|
||||
')
|
||||
|
||||
define(`authlogin_pam_console_read_runtime_data_depend',`
|
||||
type pam_var_console_t;
|
||||
class dir { getattr search read };
|
||||
class file { getattr read };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# authlogin_pam_console_manage_runtime_data(domain)
|
||||
#
|
||||
define(`authlogin_pam_console_manage_runtime_data',`
|
||||
requires_block_template(`$0'_depend)
|
||||
files_search_system_state_data_directory($1)
|
||||
files_search_runtime_data_directory($1)
|
||||
allow $1 pam_var_console_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||
allow $1 pam_var_console_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow $1 pam_var_console_t:lnk_file { create read getattr setattr link unlink rename };
|
||||
')
|
||||
|
||||
define(`authlogin_pam_console_manage_runtime_data_depend',`
|
||||
type pam_var_console_t;
|
||||
class dir { read getattr lock search ioctl add_name remove_name write };
|
||||
class file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
class lnk_file { create read getattr setattr link unlink rename };
|
||||
')
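Review bot: `authlogin_pam_console_manage_runtime_data` grants `create`, `unlink`, `rename` and `link` on pam_var_console_t files and symlinks, but its dir rule stops at `{ read getattr lock search ioctl add_name remove_name write }`, so a caller can delete and rename entries yet cannot create or remove subdirectories. If the interface is meant to be a full "manage" interface, the dir permission set and the matching `class dir` line in the `_depend` block should also list `create` and `rmdir`; if it is not, a name without "manage" would describe it more honestly. This is the widest interface in the hunk and the one local_login_t is given on this page, so a short comment stating what a caller is expected to do with the pam_console runtime data would help reviewers judge whether the delete and rename rights are needed.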
|
||||
|
@ -172,6 +172,11 @@ terminal_ignore_use_general_pseudoterminal(pam_console_t)
|
||||
files_ignore_read_rootfs_file(pam_console_t)
|
||||
')
|
||||
|
||||
optional_policy(`hotplug.te', `
|
||||
hotplug_use_file_descriptors(pam_console_t)
|
||||
hotplug_ignore_search_config_directory(pam_console_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_newrole_sigchld(pam_console_t)
|
||||
')
|
||||
@ -210,11 +215,6 @@ ifdef(`gpm.te', `
|
||||
allow pam_console_t gpmctl_t:sock_file { getattr setattr };
|
||||
')
|
||||
|
||||
optional_policy(`hotplug.te', `
|
||||
dontaudit pam_console_t hotplug_etc_t:dir search;
|
||||
hotplug_use_file_descriptors(pam_console_t)
|
||||
')
|
||||
|
||||
ifdef(`xdm.te', `
|
||||
allow pam_console_t xdm_var_run_t:file { getattr read };
|
||||
')
|
||||
@ -236,6 +236,7 @@ terminal_get_all_users_physical_terminal_attributes(utempter_t)
|
||||
terminal_get_all_users_pseudoterminal_attributes(utempter_t)
|
||||
terminal_ignore_use_all_users_physical_terminals(utempter_t)
|
||||
terminal_ignore_use_all_users_pseudoterminals(utempter_t)
|
||||
terminal_ignore_use_pseudoterminal_multiplexer(utempter_t)
|
||||
|
||||
init_script_modify_runtime_data(utempter_t)
|
||||
|
||||
@ -253,9 +254,6 @@ in_user_role(utempter_t)
|
||||
role sysadm_r types utempter_t;
|
||||
domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
|
||||
|
||||
# dontaudit access to /dev/ptmx.
|
||||
dontaudit utempter_t ptmx_t:chr_file rw_file_perms;
|
||||
|
||||
# Allow utemper to write to /tmp/.xses-*
|
||||
allow utempter_t user_tmpfile:file { getattr write append };
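Review bot: Replacing `dontaudit utempter_t ptmx_t:chr_file rw_file_perms;` with `terminal_ignore_use_pseudoterminal_multiplexer(utempter_t)` narrows the suppressed set to `{ getattr read write }`, which is all the new interface body in the terminal.if hunk covers. If `rw_file_perms` expands to more than those three permissions, as its name suggests, denials such as ioctl or lock on /dev/ptmx that were silent before will now reach the audit log; that may well be the intent, but it is a behavioural change rather than a mechanical conversion and deserves a mention in the commit message. Keeping the removed `# dontaudit access to /dev/ptmx.` comment above the new call would also preserve the reason the rule exists.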
|
||||
|
||||
|
@ -45,3 +45,36 @@ define(`hotplug_use_file_descriptors_depend',`
|
||||
type hotplug_t;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# hotplug_ignore_search_config_directory(domain)
|
||||
#
|
||||
define(`hotplug_ignore_search_config_directory',`
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 hotplug_etc_t:dir search;
|
||||
')
|
||||
|
||||
define(`hotplug_ignore_search_config_directory_depend',`
|
||||
type hotplug_etc_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# hotplug_read_config(domain)
|
||||
#
|
||||
define(`hotplug_read_config',`
|
||||
requires_block_template(`$0'_depend)
|
||||
# FIXME: search etc_t
|
||||
allow $1 hotplug_etc_t:file { read getattr lock ioctl };
|
||||
allow $1 hotplug_etc_t:dir { read getattr lock search ioctl };
|
||||
allow $1 hotplug_etc_t:lnk_file { getattr read };
|
||||
')
|
||||
|
||||
define(`hotplug_read_config_depend',`
|
||||
type hotplug_etc_t;
|
||||
class file { read getattr lock ioctl };
|
||||
class dir { read getattr lock search ioctl };
|
||||
class lnk_file { getattr read };
|
||||
')
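Review bot: `hotplug_read_config` still carries `# FIXME: search etc_t`, so a caller that does not already hold search on the /etc directory type is denied before it reaches hotplug_etc_t and the interface does not deliver what its name promises. The other interfaces converted on this page resolve the parent-directory search inside the interface itself (`authlogin_modify_login_records` calls `files_search_system_state_data_directory($1)` and `logging_search_system_log_directory($1)`), and the same pattern, a call to whatever files-module interface grants search on the general system configuration directory, should replace the FIXME here. If the files module does not offer that interface yet, the FIXME should at least state that callers must supply the search permission themselves.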
|
||||
|
@ -289,6 +289,10 @@ modutils_depmod_transition(initrc_t)
|
||||
modutils_update_modules_transition(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
mount_transition(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`sysnetwork.te',`
|
||||
sysnetwork_ifconfig_transition(initrc_t)
|
||||
')
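Review bot: `mount_transition(initrc_t)` appears to enable a transition that was deliberately disabled before: the mount.te hunk on this page removes the commented-out `#domain_auto_trans(initrc_t, mount_exec_t, mount_t)`, and if `mount_transition` is the converted form of that rule, init scripts now get an automatic domain change into mount_t that the previous policy did not grant. That may be the right call, but it is a policy change rather than a mechanical conversion and the commit message ("more conversion") does not mention it. A short comment above the call stating why initrc_t now needs to transition to mount_t, or a sentence in the commit message, would make the intent reviewable.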
|
||||
|
@ -10,6 +10,7 @@ policy_module(iptables, 1.0)
|
||||
type iptables_t;
|
||||
type iptables_exec_t;
|
||||
domain_make_daemon_domain(iptables_t,iptables_exec_t)
|
||||
role system_r types iptables_t;
|
||||
|
||||
type iptables_tmp_t;
|
||||
files_make_file(iptables_tmp_t)
|
||||
@ -23,9 +24,11 @@ files_make_file(iptables_t)
|
||||
#
|
||||
|
||||
allow iptables_t self:capability { net_admin net_raw };
|
||||
allow iptables_t self:process { sigkill sigstop signull signal };
|
||||
dontaudit iptables_t self:capability sys_tty_config;
|
||||
allow iptables_t self:process { sigchld sigkill sigstop signull signal };
|
||||
|
||||
allow iptables_t iptables_var_run_t:dir { ioctl read getattr lock write append };
|
||||
files_create_daemon_runtime_data(iptables_t,iptables_var_run_t)
|
||||
|
||||
allow iptables_t iptables_exec_t:file { getattr read execute execute_no_trans };
|
||||
|
||||
@ -35,27 +38,68 @@ files_create_private_tmp_data(iptables_t, iptables_tmp_t, { file dir })
|
||||
|
||||
allow iptables_t self:rawip_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
|
||||
kernel_read_modprobe_sysctl(iptables_t)
|
||||
kernel_use_file_descriptors(iptables_t)
|
||||
kernel_read_system_state(iptables_t)
|
||||
kernel_read_network_state(iptables_t)
|
||||
kernel_read_hardware_state(iptables_t)
|
||||
kernel_read_kernel_sysctl(iptables_t)
|
||||
kernel_read_modprobe_sysctl(iptables_t)
|
||||
kernel_use_file_descriptors(iptables_t)
|
||||
|
||||
filesystem_get_persistent_filesystem_attributes(iptables_t)
|
||||
|
||||
devices_discard_data_stream(iptables_t)
|
||||
|
||||
terminal_ignore_use_console(iptables_t)
|
||||
|
||||
init_use_file_descriptors(iptables_t)
|
||||
init_script_use_pseudoterminal(iptables_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(iptables_t)
|
||||
|
||||
files_read_general_system_config(iptables_t)
|
||||
|
||||
libraries_use_dynamic_loader(iptables_t)
|
||||
libraries_read_shared_libraries(iptables_t)
|
||||
|
||||
logging_send_system_log_message(iptables_t)
|
||||
# system-config-network appends to /var/log
|
||||
#logging_append_system_logs(iptables_t)
|
||||
|
||||
miscfiles_read_localization(iptables_t)
|
||||
|
||||
sysnetwork_ifconfig_transition(iptables_t)
|
||||
|
||||
optional_policy(`modutils.te', `
|
||||
modutils_insmod_transition(iptables_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_newrole_sigchld(iptables_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_database(iptables_t)
|
||||
')
|
||||
|
||||
tunable_policy(`targeted_policy', `
|
||||
terminal_ignore_use_general_physical_terminal(iptables_t)
|
||||
terminal_ignore_use_general_pseudoterminal(iptables_t)
|
||||
files_ignore_read_rootfs_file(iptables_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
daemon_base_domain(iptables, `, privmodule')
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
allow iptables_t rhgb_t:process sigchld;
|
||||
allow iptables_t rhgb_t:fd use;
|
||||
allow iptables_t rhgb_t:fifo_file { read write };
|
||||
')
|
||||
allow iptables_t null_device_t:chr_file r_file_perms;
|
||||
dontaudit iptables_t unpriv_userdomain:fd use;
|
||||
allow iptables_t autofs_t:dir { search getattr };
|
||||
tunable_policy(`direct_sysadm_daemon', `
|
||||
dontaudit iptables_t admin_tty_type:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
domain_auto_trans(sysadm_t, iptables_exec_t, iptables_t)
|
||||
role sysadm_r types iptables_t;
|
||||
@ -63,11 +107,6 @@ role sysadm_r types iptables_t;
|
||||
# to allow rules to be saved on reboot
|
||||
allow iptables_t initrc_tmp_t:file rw_file_perms;
|
||||
|
||||
domain_auto_trans(iptables_t, ifconfig_exec_t, ifconfig_t)
|
||||
|
||||
file_type_auto_trans(iptables_t, var_run_t, iptables_var_run_t, $2)
|
||||
allow iptables_t var_t:dir search;
|
||||
|
||||
# for iptables -L
|
||||
can_resolve(iptables_t)
|
||||
can_ypbind(iptables_t)
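Review bot: `sysnetwork_ifconfig_transition(iptables_t)` is called unconditionally in this file, while the init.te hunk on the same page wraps the identical call in an `optional_policy` block for sysnetwork.te; the two files should agree, either by wrapping the iptables call the same way or by documenting that sysnetwork is a required module. In the large hunk at -35, `kernel_read_modprobe_sysctl(iptables_t)` and `kernel_use_file_descriptors(iptables_t)` each appear twice; without the +/- markers I cannot tell whether one pair is the removed side, so please check that only one copy survives on the new side. The enclosing TODO block that follows continues past the end of the last hunk.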
|
||||
|
@ -3,9 +3,10 @@
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type local_login_t; #, privuser, privrole, auth_chkpwd, privowner, privfd, nscd_client_domain;
|
||||
type local_login_t; #, privuser, privrole, auth_chkpwd, privowner, nscd_client_domain;
|
||||
domain_make_domain(local_login_t)
|
||||
authlogin_make_login_program_entrypoint(local_login_t)
|
||||
domain_make_file_descriptors_widely_inheritable(local_login_t)
|
||||
role system_r types local_login_t;
|
||||
|
||||
type local_login_tmp_t;
|
||||
@ -34,6 +35,10 @@ kernel_compute_reachable_user_contexts(local_login_t)
|
||||
# for SSP/ProPolice
|
||||
devices_get_pseudorandom_data(local_login_t)
|
||||
|
||||
terminal_use_all_users_physical_terminals(local_login_t)
|
||||
terminal_use_general_physical_terminal(local_login_t)
|
||||
|
||||
init_script_modify_runtime_data(local_login_t)
|
||||
init_ignore_use_file_descriptors(local_login_t)
|
||||
|
||||
files_read_general_system_config(local_login_t)
|
||||
@ -50,6 +55,8 @@ selinux_read_default_contexts(local_login_t)
|
||||
authlogin_ignore_read_shadow_passwords(local_login_t)
|
||||
authlogin_modify_login_records(local_login_t)
|
||||
authlogin_modify_last_login_log(local_login_t)
|
||||
authlogin_pam_execute(local_login_t)
|
||||
authlogin_pam_console_manage_runtime_data(local_login_t)
|
||||
|
||||
miscfiles_read_localization(local_login_t)
|
||||
|
||||
@ -75,11 +82,6 @@ allow local_login_t exec_type:{ file lnk_file } r_file_perms;
|
||||
# Read /dev directories and any symbolic links.
|
||||
allow local_login_t device_t:lnk_file r_file_perms;
|
||||
|
||||
optional_policy(`authlogin.te',`
|
||||
can_exec(local_login_t, pam_exec_t)
|
||||
rw_dir_create_file(local_login_t, pam_var_console_t)
|
||||
')
|
||||
|
||||
dontaudit local_login_t sysfs_t:dir search;
|
||||
|
||||
allow local_login_t autofs_t:dir { search read getattr };
|
||||
@ -98,13 +100,6 @@ allow local_login_t crack_db_t:file r_file_perms;
|
||||
allow local_login_t home_root_t:dir search;
|
||||
allow local_login_t home_dir_type:dir search;
|
||||
|
||||
# Write to /var/run/utmp.
|
||||
allow local_login_t var_run_t:dir search;
|
||||
allow local_login_t initrc_var_run_t:file rw_file_perms;
|
||||
|
||||
# Write to /var/log/wtmp.
|
||||
allow local_login_t var_log_t:dir search;
|
||||
|
||||
# Write to /var/log/btmp
|
||||
allow local_login_t faillog_t:file { append read write };
|
||||
|
||||
@ -143,12 +138,12 @@ allow local_login_t var_lock_t:dir rw_dir_perms;
|
||||
allow local_login_t var_lock_t:file create_file_perms;
|
||||
|
||||
# Read and write ttys.
|
||||
allow local_login_t tty_device_t:chr_file { setattr rw_file_perms };
|
||||
allow local_login_t ttyfile:chr_file { setattr rw_file_perms };
|
||||
allow local_login_t tty_device_t:chr_file setattr;
|
||||
allow local_login_t ttyfile:chr_file setattr;
|
||||
|
||||
# Relabel ttys.
|
||||
allow local_login_t tty_device_t:chr_file { getattr relabelfrom relabelto };
|
||||
allow local_login_t ttyfile:chr_file { getattr relabelfrom relabelto };
|
||||
allow local_login_t tty_device_t:chr_file { relabelfrom relabelto };
|
||||
allow local_login_t ttyfile:chr_file { relabelfrom relabelto };
|
||||
|
||||
optional_policy(`gpm.te',`
|
||||
allow local_login_t gpmctl_t:sock_file { getattr setattr };
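Review bot: `authlogin_pam_console_manage_runtime_data(local_login_t)` replaces the old `rw_dir_create_file(local_login_t, pam_var_console_t)` from the removed optional block, and by the body of the new interface in the authlogin.if hunk it grants unlink, rename, link and setattr on files plus create, unlink and rename on symlinks, which the old macro's name does not suggest it covered. A login program that only has to add and update entries in the pam_console runtime directory could be given a narrower interface, so please confirm the extra delete, rename and symlink rights are required for local_login_t rather than a side effect of picking the widest interface available. If they are required, a comment above the call stating which of those operations login performs would record the reason.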
|
||||
|
@ -126,10 +126,6 @@ files_read_general_system_config(syslogd_t)
|
||||
files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
|
||||
files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
|
||||
files_create_private_tmp_data(syslogd_t,syslogd_tmp_t)
|
||||
tunable_policy(`distro_suse', `
|
||||
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
|
||||
file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
|
||||
')
|
||||
|
||||
libraries_use_dynamic_loader(syslogd_t)
|
||||
libraries_read_shared_libraries(syslogd_t)
|
||||
@ -170,6 +166,7 @@ files_ignore_read_rootfs_file(syslogd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow syslogd_t proc_t:dir r_dir_perms;
|
||||
allow syslogd_t proc_t:lnk_file read;
|
||||
allow syslogd_t null_device_t:chr_file r_file_perms;
|
||||
@ -185,6 +182,11 @@ tunable_policy(`direct_sysadm_daemon',`
|
||||
dontaudit syslogd_t admin_tty_type:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
tunable_policy(`distro_suse', `
|
||||
# suse creates a /dev/log under /var/lib/stunnel for chrooted stunnel
|
||||
file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)
|
||||
')
|
||||
|
||||
# can_network is for the UDP socket
|
||||
can_ypbind(syslogd_t)
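Review bot: The `tunable_policy` block for distro_suse with `file_type_auto_trans(syslogd_t, var_lib_t, devlog_t, sock_file)` is removed from the live section (hunk at -126) and re-added inside the TODO `ifdef` region (hunk at -185), so on a SUSE build the chrooted-stunnel /dev/log transition no longer applies after this commit. If the intent is to park it until a files-module interface for that transition exists, a note on the moved block such as `# TODO: convert once the files module offers a var_lib_t transition interface` would make the pending work explicit; if it was dropped on purpose, the commit message should say so.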
|
||||
|
||||
|
@ -5,7 +5,7 @@ policy_module(miscfiles,1.0)
|
||||
#
|
||||
# catman_t is the type for /var/catman.
|
||||
#
|
||||
type catman_t; # , file_type, sysadmfile, tmpfile;
|
||||
type catman_t; # , tmpfile;
|
||||
files_make_file(catman_t)
|
||||
|
||||
#
|
||||
@ -42,5 +42,5 @@ files_make_file(test_file_t)
|
||||
#
|
||||
# for /var/{spool,lib}/texmf index files
|
||||
#
|
||||
type tetex_data_t; # , file_type, sysadmfile, tmpfile;
|
||||
type tetex_data_t; # , tmpfile;
|
||||
files_make_file(tetex_data_t)
|
||||
|
@ -69,8 +69,6 @@ ifdef(`TODO',`
|
||||
# nfsv4 has a filesystem to mount for its userspace daemons
|
||||
allow mount_t var_lib_nfs_t:dir mounton;
|
||||
|
||||
#domain_auto_trans(initrc_t, mount_exec_t, mount_t)
|
||||
|
||||
# for localization
|
||||
allow mount_t lib_t:file { getattr read };
|
||||
|
||||
@ -125,15 +123,24 @@ allow mount_t autofs_t:dir read;
|
||||
|
||||
optional_policy(`portmap.te', `
|
||||
# for nfs
|
||||
can_network(mount_t)
|
||||
can_ypbind(mount_t)
|
||||
can_udp_send(mount_t, portmap_t)
|
||||
can_udp_send(portmap_t, mount_t)
|
||||
allow mount_t rpc_pipefs_t:dir search;
|
||||
corenetwork_network_tcp_on_all_interfaces(mount_t)
|
||||
corenetwork_network_raw_on_all_interfaces(mount_t)
|
||||
corenetwork_network_udp_on_all_interfaces(mount_t)
|
||||
corenetwork_network_tcp_on_all_nodes(mount_t)
|
||||
corenetwork_network_raw_on_all_nodes(mount_t)
|
||||
corenetwork_network_udp_on_all_nodes(mount_t)
|
||||
corenetwork_network_tcp_on_all_ports(mount_t)
|
||||
corenetwork_network_udp_on_all_ports(mount_t)
|
||||
corenetwork_bind_tcp_on_all_nodes(mount_t)
|
||||
corenetwork_bind_udp_on_all_nodes(mount_t)
|
||||
corenetwork_bind_tcp_on_general_port(mount_t)
|
||||
corenetwork_bind_udp_on_general_port(mount_t)
|
||||
corenetwork_bind_tcp_on_reserved_port(mount_t)
|
||||
corenetwork_bind_udp_on_reserved_port(mount_t)
|
||||
can_udp_send(mount_t, portmap_t)
|
||||
can_udp_send(portmap_t, mount_t)
|
||||
allow mount_t rpc_pipefs_t:dir search;
|
||||
')
|
||||
|
||||
') dnl endif TODO
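Review bot: The expanded network grant in the portmap block (`corenetwork_network_tcp_on_all_interfaces(mount_t)` through `corenetwork_bind_udp_on_reserved_port(mount_t)`) sits inside the TODO `ifdef` region that closes at `') dnl endif TODO`, so it is not compiled yet; when it is moved out it should be trimmed rather than copied, because it includes raw sockets on all interfaces and nodes and binding to every TCP and UDP port, which is likely far more than mounting NFS through portmap needs. Keeping the list as a literal expansion of the old `can_network(mount_t)` is fine as a placeholder, but a comment saying so, `# TODO: literal expansion of can_network; narrow to what NFS/portmap needs before enabling`, would stop it being enabled as-is. Whether `can_network` really expanded to exactly these calls is not visible on this page.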
|
||||
|
@ -106,6 +106,8 @@ terminal_use_controlling_terminal(checkpolicy_t)
|
||||
init_use_file_descriptors(checkpolicy_t)
|
||||
init_script_use_pseudoterminal(checkpolicy_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
|
||||
|
||||
libraries_use_dynamic_loader(checkpolicy_t)
|
||||
libraries_read_shared_libraries(checkpolicy_t)
|
||||
|
||||
@ -117,11 +119,9 @@ domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
|
||||
file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
|
||||
|
||||
# directory search permissions for path to source and binary policy files
|
||||
allow checkpolicy_t root_t:dir search;
|
||||
allow checkpolicy_t etc_t:dir search;
|
||||
|
||||
# Read the devpts root directory.
|
||||
allow checkpolicy_t devpts_t:dir r_dir_perms;
|
||||
ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
|
||||
|
||||
# Other access
|
||||
@ -133,7 +133,8 @@ allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
|
||||
# so it can be used without privilege to write real binary policy file
|
||||
can_exec(unpriv_userdomain, checkpolicy_exec_t)
|
||||
|
||||
allow checkpolicy_t { userdomain privfd }:fd use;
|
||||
allow checkpolicy_t userdomain:fd use;
|
||||
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
@ -165,6 +166,8 @@ terminal_list_pseudoterminals(load_policy_t)
|
||||
init_script_use_file_descriptors(load_policy_t)
|
||||
init_script_use_pseudoterminal(load_policy_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(load_policy_t)
|
||||
|
||||
libraries_use_dynamic_loader(load_policy_t)
|
||||
libraries_read_shared_libraries(load_policy_t)
|
||||
|
||||
@ -178,9 +181,9 @@ domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
|
||||
allow load_policy_t etc_t:dir search;
|
||||
|
||||
# Other access
|
||||
allow load_policy_t { admin_tty_type }:chr_file { read write ioctl getattr };
|
||||
allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
|
||||
|
||||
allow load_policy_t { userdomain privfd }:fd use;
|
||||
allow load_policy_t userdomain:fd use;
|
||||
|
||||
allow load_policy_t sysadm_tmp_t:file { getattr write } ;
|
||||
') dnl endif TODO
|
||||
@ -223,6 +226,11 @@ filesystem_get_persistent_filesystem_attributes(newrole_t)
|
||||
terminal_list_pseudoterminals(newrole_t)
|
||||
terminal_use_controlling_terminal(newrole_t)
|
||||
|
||||
# Write to utmp.
|
||||
init_script_modify_runtime_data(newrole_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(newrole_t)
|
||||
|
||||
files_read_general_system_config(newrole_t)
|
||||
|
||||
libraries_use_dynamic_loader(newrole_t)
|
||||
@ -243,9 +251,6 @@ allow newrole_t autofs_t:dir { search getattr };
|
||||
# for when the user types "exec newrole" at the command line
|
||||
allow newrole_t privfd:process sigchld;
|
||||
|
||||
# Inherit descriptors from the current session.
|
||||
allow newrole_t privfd:fd use;
|
||||
|
||||
# Execute /sbin/pwdb_chkpwd to check the password.
|
||||
allow newrole_t sbin_t:dir r_dir_perms;
|
||||
|
||||
@ -283,9 +288,6 @@ dontaudit newrole_t { home_root_t home_type }:dir search;
|
||||
# for when the network connection is killed
|
||||
dontaudit unpriv_userdomain newrole_t:process signal;
|
||||
|
||||
# Write to utmp.
|
||||
allow newrole_t var_run_t:dir r_dir_perms;
|
||||
allow newrole_t initrc_var_run_t:file rw_file_perms;
|
||||
') dnl ifdef TODO
|
||||
|
||||
########################################
|
||||
@ -310,9 +312,13 @@ kernel_compute_reachable_user_contexts(restorecon_t)
|
||||
|
||||
filesystem_get_persistent_filesystem_attributes(restorecon_t)
|
||||
|
||||
terminal_use_general_physical_terminal(restorecon_t)
|
||||
|
||||
init_use_file_descriptors(restorecon_t)
|
||||
init_script_use_pseudoterminal(restorecon_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(restorecon_t)
|
||||
|
||||
files_read_runtime_system_config(restorecon_t)
|
||||
files_read_general_system_config(restorecon_t)
|
||||
|
||||
@ -332,12 +338,12 @@ devices_manage_all_devices_labels(restorecon_t)
|
||||
files_manage_all_files_labels(restorecon_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
|
||||
allow restorecon_t admin_tty_type:chr_file { read write ioctl };
|
||||
|
||||
domain_auto_trans(initrc_t, restorecon_exec_t, restorecon_t)
|
||||
domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
|
||||
role sysadm_r types restorecon_t;
|
||||
allow restorecon_t { userdomain privfd }:fd use;
|
||||
allow restorecon_t userdomain:fd use;
|
||||
|
||||
# for upgrading glibc and other shared objects - without this the upgrade
|
||||
# scripts will put things in a state such that restorecon can not be run!
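Review bot: The context line `domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)` in the restorecon TODO block is a typo for `domain_auto_trans`; it is harmless while it sits inside the TODO `ifdef`, but m4 will pass the misspelled name through untouched the moment the block is converted and the policy build should then fail on it, so correcting it while the block is being edited is cheap. The same hunk is rendered a second time further down this page (the restorecon hunk after the second `-332,12 +338,12` header) with the same line. The `{ userdomain privfd }` to `userdomain` narrowing in the checkpolicy, load_policy, restorecon and setfiles hunks is consistent with the new `domain_use_widely_inheritable_file_descriptors` calls and raises nothing.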
|
||||
@ -375,11 +381,16 @@ kernel_compute_reachable_user_contexts(setfiles_t)
|
||||
filesystem_get_persistent_filesystem_attributes(setfiles_t)
|
||||
|
||||
terminal_use_controlling_terminal(setfiles_t)
|
||||
terminal_use_all_users_physical_terminals(setfiles_t)
|
||||
terminal_use_all_users_pseudoterminals(setfiles_t)
|
||||
terminal_use_general_physical_terminal(setfiles_t)
|
||||
|
||||
init_use_file_descriptors(setfiles_t)
|
||||
init_script_use_file_descriptors(setfiles_t)
|
||||
init_script_use_pseudoterminal(setfiles_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(setfiles_t)
|
||||
|
||||
libraries_use_dynamic_loader(setfiles_t)
|
||||
libraries_read_shared_libraries(setfiles_t)
|
||||
|
||||
@ -398,12 +409,10 @@ files_manage_all_files_labels(setfiles_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow setfiles_t { ttyfile ptyfile tty_device_t }:chr_file { read write ioctl };
|
||||
|
||||
domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
|
||||
role sysadm_r types setfiles_t;
|
||||
|
||||
allow setfiles_t { userdomain privfd }:fd use;
|
||||
allow setfiles_t userdomain:fd use;
|
||||
|
||||
# for upgrading glibc and other shared objects - without this the upgrade
|
||||
# scripts will put things in a state such that setfiles can not be run!
|
||||
|
@ -106,6 +106,8 @@ terminal_use_controlling_terminal(checkpolicy_t)
|
||||
init_use_file_descriptors(checkpolicy_t)
|
||||
init_script_use_pseudoterminal(checkpolicy_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(checkpolicy_t)
|
||||
|
||||
libraries_use_dynamic_loader(checkpolicy_t)
|
||||
libraries_read_shared_libraries(checkpolicy_t)
|
||||
|
||||
@ -117,11 +119,9 @@ domain_auto_trans(sysadm_t, checkpolicy_exec_t, checkpolicy_t)
|
||||
file_type_auto_trans(checkpolicy_t, policy_src_t, policy_config_t, file)
|
||||
|
||||
# directory search permissions for path to source and binary policy files
|
||||
allow checkpolicy_t root_t:dir search;
|
||||
allow checkpolicy_t etc_t:dir search;
|
||||
|
||||
# Read the devpts root directory.
|
||||
allow checkpolicy_t devpts_t:dir r_dir_perms;
|
||||
ifdef(`sshd.te',`allow checkpolicy_t sshd_devpts_t:dir r_dir_perms;')
|
||||
|
||||
# Other access
|
||||
@ -133,7 +133,8 @@ allow checkpolicy_t sysadm_tmp_t:file { getattr write } ;
|
||||
# so it can be used without privilege to write real binary policy file
|
||||
can_exec(unpriv_userdomain, checkpolicy_exec_t)
|
||||
|
||||
allow checkpolicy_t { userdomain privfd }:fd use;
|
||||
allow checkpolicy_t userdomain:fd use;
|
||||
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
@ -165,6 +166,8 @@ terminal_list_pseudoterminals(load_policy_t)
|
||||
init_script_use_file_descriptors(load_policy_t)
|
||||
init_script_use_pseudoterminal(load_policy_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(load_policy_t)
|
||||
|
||||
libraries_use_dynamic_loader(load_policy_t)
|
||||
libraries_read_shared_libraries(load_policy_t)
|
||||
|
||||
@ -178,9 +181,9 @@ domain_auto_trans(sysadm_t, load_policy_exec_t, load_policy_t)
|
||||
allow load_policy_t etc_t:dir search;
|
||||
|
||||
# Other access
|
||||
allow load_policy_t { admin_tty_type }:chr_file { read write ioctl getattr };
|
||||
allow load_policy_t admin_tty_type:chr_file { read write ioctl getattr };
|
||||
|
||||
allow load_policy_t { userdomain privfd }:fd use;
|
||||
allow load_policy_t userdomain:fd use;
|
||||
|
||||
allow load_policy_t sysadm_tmp_t:file { getattr write } ;
|
||||
') dnl endif TODO
|
||||
@ -223,6 +226,11 @@ filesystem_get_persistent_filesystem_attributes(newrole_t)
|
||||
terminal_list_pseudoterminals(newrole_t)
|
||||
terminal_use_controlling_terminal(newrole_t)
|
||||
|
||||
# Write to utmp.
|
||||
init_script_modify_runtime_data(newrole_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(newrole_t)
|
||||
|
||||
files_read_general_system_config(newrole_t)
|
||||
|
||||
libraries_use_dynamic_loader(newrole_t)
|
||||
@ -243,9 +251,6 @@ allow newrole_t autofs_t:dir { search getattr };
|
||||
# for when the user types "exec newrole" at the command line
|
||||
allow newrole_t privfd:process sigchld;
|
||||
|
||||
# Inherit descriptors from the current session.
|
||||
allow newrole_t privfd:fd use;
|
||||
|
||||
# Execute /sbin/pwdb_chkpwd to check the password.
|
||||
allow newrole_t sbin_t:dir r_dir_perms;
|
||||
|
||||
@ -283,9 +288,6 @@ dontaudit newrole_t { home_root_t home_type }:dir search;
|
||||
# for when the network connection is killed
|
||||
dontaudit unpriv_userdomain newrole_t:process signal;
|
||||
|
||||
# Write to utmp.
|
||||
allow newrole_t var_run_t:dir r_dir_perms;
|
||||
allow newrole_t initrc_var_run_t:file rw_file_perms;
|
||||
') dnl ifdef TODO
|
||||
|
||||
########################################
|
||||
@ -310,9 +312,13 @@ kernel_compute_reachable_user_contexts(restorecon_t)
|
||||
|
||||
filesystem_get_persistent_filesystem_attributes(restorecon_t)
|
||||
|
||||
terminal_use_general_physical_terminal(restorecon_t)
|
||||
|
||||
init_use_file_descriptors(restorecon_t)
|
||||
init_script_use_pseudoterminal(restorecon_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(restorecon_t)
|
||||
|
||||
files_read_runtime_system_config(restorecon_t)
|
||||
files_read_general_system_config(restorecon_t)
|
||||
|
||||
@ -332,12 +338,12 @@ devices_manage_all_devices_labels(restorecon_t)
|
||||
files_manage_all_files_labels(restorecon_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
|
||||
allow restorecon_t admin_tty_type:chr_file { read write ioctl };
|
||||
|
||||
domain_auto_trans(initrc_t, restorecon_exec_t, restorecon_t)
|
||||
domain_audo_trans(sysadm_t, restorecon_exec_t, restorecon_t)
|
||||
role sysadm_r types restorecon_t;
|
||||
allow restorecon_t { userdomain privfd }:fd use;
|
||||
allow restorecon_t userdomain:fd use;
|
||||
|
||||
# for upgrading glibc and other shared objects - without this the upgrade
|
||||
# scripts will put things in a state such that restorecon can not be run!
|
||||
@ -375,11 +381,16 @@ kernel_compute_reachable_user_contexts(setfiles_t)
|
||||
filesystem_get_persistent_filesystem_attributes(setfiles_t)
|
||||
|
||||
terminal_use_controlling_terminal(setfiles_t)
|
||||
terminal_use_all_users_physical_terminals(setfiles_t)
|
||||
terminal_use_all_users_pseudoterminals(setfiles_t)
|
||||
terminal_use_general_physical_terminal(setfiles_t)
|
||||
|
||||
init_use_file_descriptors(setfiles_t)
|
||||
init_script_use_file_descriptors(setfiles_t)
|
||||
init_script_use_pseudoterminal(setfiles_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(setfiles_t)
|
||||
|
||||
libraries_use_dynamic_loader(setfiles_t)
|
||||
libraries_read_shared_libraries(setfiles_t)
|
||||
|
||||
@ -398,12 +409,10 @@ files_manage_all_files_labels(setfiles_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
allow setfiles_t { ttyfile ptyfile tty_device_t }:chr_file { read write ioctl };
|
||||
|
||||
domain_auto_trans(sysadm_t, setfiles_exec_t, setfiles_t)
|
||||
role sysadm_r types setfiles_t;
|
||||
|
||||
allow setfiles_t { userdomain privfd }:fd use;
|
||||
allow setfiles_t userdomain:fd use;
|
||||
|
||||
# for upgrading glibc and other shared objects - without this the upgrade
|
||||
# scripts will put things in a state such that setfiles can not be run!
|
||||
|
@ -1,5 +1,23 @@
|
||||
# Copyright (C) 2005 Tresys Technology, LLC
|
||||
|
||||
########################################
|
||||
#
|
||||
# sysnetwork_dhcpc_transition(domain)
|
||||
#
|
||||
define(`sysnetwork_dhcpc_transition',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 dhcpc_exec_t:file { getattr read execute };
|
||||
allow $1 dhcpc_t:process transition;
|
||||
type_transition $1 dhcpc_exec_t:file dhcpc_t;
|
||||
dontaudit $1 dhcpc_t:process { noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
define(`sysnetwork_dhcpc_transition_depend',`
|
||||
type dhcpc_t, dhcpc_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# sysnetwork_ifconfig_transition(domain)
|
||||
|
@ -133,6 +133,10 @@ optional_policy(`hostname.te',`
|
||||
hostname_transition(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_transition(dhcpc_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_newrole_sigchld(dhcpc_t)
|
||||
')
|
||||
@ -142,7 +146,7 @@ udev_read_database(dhcpc_t)
|
||||
')
|
||||
|
||||
#
|
||||
# dhclient sometimes starts ypbind and ntdp
|
||||
# dhclient sometimes starts ypbind and ntpd
|
||||
#
|
||||
init_script_execute(dhcpc_t)
|
||||
optional_policy(`ypbind.te',`
|
||||
@ -156,6 +160,7 @@ ifdef(`TODO',`
|
||||
allow dhcpc_t null_device_t:chr_file r_file_perms;
|
||||
allow dhcpc_t autofs_t:dir { search getattr };
|
||||
dontaudit dhcpc_t sysadm_home_dir_t:dir search;
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
allow dhcpc_t rhgb_t:process sigchld;
|
||||
allow dhcpc_t rhgb_t:fd use;
|
||||
@ -164,14 +169,9 @@ allow dhcpc_t rhgb_t:fifo_file { read write };
|
||||
|
||||
can_ypbind(dhcpc_t)
|
||||
|
||||
allow dhcpc_t devpts_t:dir search;
|
||||
|
||||
# for localization
|
||||
allow dhcpc_t lib_t:file { getattr read };
|
||||
|
||||
ifdef(`nscd.te', `
|
||||
domain_auto_trans(dhcpc_t, nscd_exec_t, nscd_t)
|
||||
')
|
||||
ifdef(`cardmgr.te', `
|
||||
domain_auto_trans(cardmgr_t, dhcpc_exec_t, dhcpc_t)
|
||||
allow cardmgr_t dhcpc_var_run_t:file { getattr read };
|
||||
@ -261,6 +261,9 @@ kernel_read_network_state(ifconfig_t)
|
||||
|
||||
filesystem_get_persistent_filesystem_attributes(ifconfig_t)
|
||||
|
||||
terminal_ignore_use_all_users_physical_terminals(ifconfig_t)
|
||||
terminal_ignore_use_all_users_pseudoterminals(ifconfig_t)
|
||||
|
||||
init_use_file_descriptors(ifconfig_t)
|
||||
init_script_use_pseudoterminal(ifconfig_t)
|
||||
init_run_init_use_file_descriptors(ifconfig_t)
|
||||
@ -288,7 +291,6 @@ role sysadm_r types ifconfig_t;
|
||||
allow ifconfig_t userdomain:fd use;
|
||||
|
||||
# Access terminals.
|
||||
allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
|
||||
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
|
||||
|
||||
allow ifconfig_t tun_tap_device_t:chr_file { read write };
|
||||
|
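Review bot: The terminal access for ifconfig_t appears to go from an allow to a dontaudit: the removed `allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;` in the TODO block is replaced by `terminal_ignore_use_all_users_physical_terminals(ifconfig_t)` and `terminal_ignore_use_all_users_pseudoterminals(ifconfig_t)`, which only silence denials. If that is intended, with the calling domain expected to grant its own terminal type, a comment above those two lines would keep the next reader from reading it as a regression, e.g. `# terminal access is expected to come from the calling domain; only suppress the noise here`. If it is not intended, ifconfig run from an interactive sysadm shell may lose its terminal output with no audit record, which makes the breakage hard to diagnose. The TODO block that still carries `role sysadm_r types ifconfig_t;` starts outside the visible hunk, so I cannot tell whether a run interface is already planned there.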
@ -97,16 +97,30 @@ modutils_insmod_transition(udev_t)
|
||||
|
||||
logging_send_system_log_message(udev_t)
|
||||
|
||||
sysnetwork_ifconfig_transition(udev_t)
|
||||
|
||||
optional_policy(`authlogin.te',`
|
||||
authlogin_pam_console_read_runtime_data(udev_t)
|
||||
authlogin_pam_console_transition(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`consoletype.te',`
|
||||
consoletype_execute(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`hotplug.te',`
|
||||
hotplug_read_config(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`sysnetwork.te',`
|
||||
sysnetwork_dhcpc_transition(udev_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow udev_t var_log_t:dir search;
|
||||
allow udev_t var_lock_t:dir search;
|
||||
allow udev_t var_lock_t:file getattr;
|
||||
|
||||
# Mount
|
||||
allow udev_t mnt_t:dir search;
|
||||
|
||||
allow udev_t devpts_t:dir { getattr search };
|
||||
@ -119,8 +133,6 @@ dontaudit udev_t file_t:dir search;
|
||||
dontaudit udev_t domain:dir r_dir_perms;
|
||||
dontaudit udev_t ttyfile:chr_file unlink;
|
||||
|
||||
domain_auto_trans(udev_t, ifconfig_exec_t, ifconfig_t)
|
||||
|
||||
allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
|
||||
|
||||
dbusd_client(system, udev)
|
||||
@ -134,7 +146,7 @@ allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_p
|
||||
allow udev_t tmpfs_t:dir search;
|
||||
|
||||
# for arping used for static IP addresses on PCMCIA ethernet
|
||||
domain_auto_trans(udev_t, netutils_exec_t, netutils_t)
|
||||
netutils_transition(udev_t)
|
||||
') dnl end ifdef distro_redhat
|
||||
|
||||
tunable_policy(`hide_broken_symptoms',`
|
||||
@ -146,17 +158,4 @@ optional_policy(`xdm.te',`
|
||||
allow udev_t xdm_var_run_t:file { getattr read };
|
||||
')
|
||||
|
||||
optional_policy(`hotplug.te',`
|
||||
r_dir_file(udev_t, hotplug_etc_t)
|
||||
')
|
||||
|
||||
optional_policy(`authlogin.te',`
|
||||
allow udev_t pam_var_console_t:dir search;
|
||||
allow udev_t pam_var_console_t:file { getattr read };
|
||||
authlogin_pam_console_transition(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`sysnetwork.te',`
|
||||
domain_auto_trans(udev_t, dhcpc_exec_t, dhcpc_t)
|
||||
')
|
||||
') dnl endif TODO
|
||||
|
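Review bot: `netutils_transition(udev_t)` near the end of the distro_redhat block is the one conversion in this section that is not wrapped in an `optional_policy()` block, unlike the authlogin, consoletype, hotplug and sysnetwork calls added at the top of the section. If netutils.te is not part of the build, the interface name stays unexpanded and Red Hat builds will fail at policy compilation; wrapping it as `optional_policy(`netutils.te',` / `netutils_transition(udev_t)` / `')` keeps it consistent with the rest of the hunk. The enclosing `ifdef(`distro_redhat'` block starts outside the visible context, so such a wrapper may already exist above the lines shown.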