a few conditional cleanups
This commit is contained in:
parent
8f6cbfebd1
commit
1f91e1bfe5
|
@ -25,6 +25,9 @@ gen_tunable(allow_kerberos,false)
|
|||
## allow host key based authentication
|
||||
gen_tunable(allow_ssh_keysign,false)
|
||||
|
||||
## Allow sysadm to ptrace all processes
|
||||
gen_tunable(allow_ptrace,false)
|
||||
|
||||
## Allow users to connect to mysql
|
||||
gen_tunable(allow_user_mysql_connect,false)
|
||||
|
||||
|
|
|
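Review bot: The description of the new `allow_ptrace` tunable (`## Allow sysadm to ptrace all processes`) understates what it grants: elsewhere in this commit it switches on `domain_ptrace_all_domains(sysadm_t)`, i.e. `process ptrace` over every domain, which lets sysadm_t attach to and read or modify the memory of any process, privileged ones included. Suggest `## Allow sysadm to ptrace all processes (grants sysadm_t process:ptrace over every domain; keep off unless live debugging is needed)`. The default of `false` is right and should stay as it is.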
@ -108,7 +108,6 @@ interface(`netutils_domtrans_ping',`
|
|||
interface(`netutils_run_ping',`
|
||||
gen_require(`
|
||||
type ping_t;
|
||||
class chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
netutils_domtrans_ping($1)
|
||||
|
@ -116,6 +115,35 @@ interface(`netutils_run_ping',`
|
|||
allow ping_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Conditionally execute ping in the ping domain, and
|
||||
## allow the specified role the ping domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the ping domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the ping domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`netutils_run_ping_cond',`
|
||||
gen_require(`
|
||||
type ping_t;
|
||||
bool user_ping;
|
||||
')
|
||||
|
||||
role $2 types ping_t;
|
||||
|
||||
if ( user_ping ) {
|
||||
netutils_domtrans_ping($1)
|
||||
allow ping_t $3:chr_file rw_term_perms;
|
||||
}
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute ping in the caller domain.
|
||||
|
@ -182,6 +210,35 @@ interface(`netutils_run_traceroute',`
|
|||
allow traceroute_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Conditionally execute traceroute in the traceroute domain, and
|
||||
## allow the specified role the traceroute domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the traceroute domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the traceroute domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`netutils_run_traceroute_cond',`
|
||||
gen_require(`
|
||||
type traceroute_t;
|
||||
bool user_ping;
|
||||
')
|
||||
|
||||
role $2 types traceroute_t;
|
||||
|
||||
if( user_ping ) {
|
||||
netutils_domtrans_traceroute($1)
|
||||
allow traceroute_t $3:chr_file rw_term_perms;
|
||||
}
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute traceroute in the caller domain.
|
||||
|
|
|
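Review bot: `netutils_run_ping_cond` and `netutils_run_traceroute_cond` open a raw `if ( user_ping ) {` block and pull `bool user_ping;` in through gen_require, while the other conditional rules in this same commit are written as `tunable_policy(`allow_ptrace',` … `')`; wrapping the two bodies in `tunable_policy(`user_ping',` … `')` would be consistent and drop the explicit bool require. The traceroute interface also spells it `if( user_ping )`, so even the spacing differs between the two. Neither summary names the boolean, and the traceroute one is gated on `user_ping` rather than anything traceroute-specific, which a caller cannot tell from the interface name; suggest adding `## Controlled by the user_ping boolean.` to both summaries. The `role $2 types …` line sits outside the conditional, which is required because role statements are not allowed inside an if block; a one-line comment saying so would stop the next reader from "fixing" it.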
@ -152,11 +152,9 @@ optional_policy(`hotplug.te',`
|
|||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
in_user_role(ping_t)
|
||||
tunable_policy(`user_ping',`
|
||||
domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)
|
||||
if(user_ping) {
|
||||
ifdef(`gnome-pty-helper.te', `allow ping_t gphdomain:fd use;')
|
||||
')
|
||||
}
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
|
@ -217,10 +215,6 @@ optional_policy(`nscd.te',`
|
|||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
in_user_role(traceroute_t)
|
||||
tunable_policy(`user_ping',`
|
||||
domain_auto_trans(unpriv_userdomain, traceroute_exec_t, traceroute_t)
|
||||
')
|
||||
ifdef(`gnome-pty-helper.te', `allow traceroute_t sysadm_gph_t:fd use;')
|
||||
#rules needed for nmap
|
||||
dontaudit traceroute_t userdomain:dir search;
|
||||
|
|
|
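Review bot: The `ifdef(`TODO',` block in the first hunk still carries the old inline user_ping rules (`tunable_policy(`user_ping',` and `domain_auto_trans(unpriv_userdomain, ping_exec_t, ping_t)`), which the new `netutils_run_ping_cond` interface now provides from `unpriv_user_template`; since `TODO` is never defined the block is dead and could be removed instead of kept in sync. As printed, the `')` that closes the tunable_policy comes before the `}` that closes `if(user_ping) {`, so if both of those lines are on the new side the nesting is wrong and would break as soon as the ifdef guard is lifted. I cannot tell from this rendering which of those lines the commit deleted, so treat that as a follow-up check rather than a confirmed defect.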
@ -148,14 +148,11 @@ interface(`rpm_use_script_fd',`
|
|||
#
|
||||
interface(`rpm_read_db',`
|
||||
gen_require(`
|
||||
type rpm_var_lib_t_t;
|
||||
class dir r_dir_perms;
|
||||
class lnk_file r_file_perms;
|
||||
class file r_file_perms;
|
||||
type rpm_var_lib_t;
|
||||
')
|
||||
|
||||
allow $1 rpm_var_lib_t:dir r_dir_perms;
|
||||
allow $1 rpm_var_lib_t:file r_file_perms;
|
||||
allow $1 rpm_var_lib_t:file { getattr read };
|
||||
allow $1 rpm_var_lib_t:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
|
@ -170,9 +167,6 @@ interface(`rpm_read_db',`
|
|||
interface(`rpm_manage_db',`
|
||||
gen_require(`
|
||||
type rpm_var_lib_t;
|
||||
class dir rw_dir_perms;
|
||||
class lnk_file { getattr read write unlink };
|
||||
class file { getattr create read write append unlink };
|
||||
')
|
||||
|
||||
allow $1 rpm_var_lib_t:dir rw_dir_perms;
|
||||
|
|
|
@ -20,7 +20,7 @@ interface(`nis_use_ypbind',`
|
|||
allow $1 self:udp_socket create_socket_perms;
|
||||
|
||||
allow $1 var_yp_t:dir r_dir_perms;
|
||||
allow $1 var_yp_t:lnk_file r_file_perms;
|
||||
allow $1 var_yp_t:lnk_file { getattr read };
|
||||
allow $1 var_yp_t:file r_file_perms;
|
||||
|
||||
corenet_tcp_sendrecv_all_if($1)
|
||||
|
|
|
@ -71,6 +71,10 @@ interface(`domain_type',`
|
|||
unconfined_sigchld($1)
|
||||
')
|
||||
|
||||
tunable_policy(`allow_ptrace',`
|
||||
userdom_sigchld_sysadm($1)
|
||||
')
|
||||
|
||||
# allow any domain to connect to the LDAP server
|
||||
optional_policy(`ldap.te',`
|
||||
ldap_use($1)
|
||||
|
@ -545,6 +549,22 @@ interface(`domain_getattr_confined_domains',`
|
|||
allow $1 { domain -unconfined_domain }:process getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Ptrace all domains.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`domain_ptrace_all_domains',`
|
||||
gen_require(`
|
||||
attribute domain;
|
||||
')
|
||||
|
||||
allow $1 domain:process ptrace;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to ptrace all domains.
|
||||
|
@ -566,7 +586,6 @@ interface(`domain_getattr_confined_domains',`
|
|||
interface(`domain_dontaudit_ptrace_all_domains',`
|
||||
gen_require(`
|
||||
attribute domain;
|
||||
class process ptrace;
|
||||
')
|
||||
|
||||
dontaudit $1 domain:process ptrace;
|
||||
|
|
|
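Review bot: The summary of the new `domain_ptrace_all_domains` (`## Ptrace all domains.`) does not say that the `domain` attribute covers every process type on the system, the caller and any unconfined or privileged domains included, so a reader will not see that this is memory read/write over everything; suggest `## Ptrace all domains. The caller can attach to, read and modify any process on the system; only call this under a tunable such as allow_ptrace.` The `tunable_policy(`allow_ptrace',` block added to `domain_type` calls `userdom_sigchld_sysadm($1)` with no comment; presumably it exists because a traced process must be allowed to deliver SIGCHLD to its tracer, so `# a ptraced process signals its tracer (sysadm_t) with SIGCHLD` would explain why every domain gets this rule alongside the sysadm-side ptrace grant.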
@ -380,7 +380,6 @@ ifdef(`targeted_policy',`',`
|
|||
|
||||
term_dontaudit_list_ptys(run_init_t)
|
||||
|
||||
auth_domtrans_chk_passwd(run_init_t)
|
||||
auth_dontaudit_read_shadow(run_init_t)
|
||||
|
||||
corecmd_exec_bin(run_init_t)
|
||||
|
|
|
@ -609,6 +609,11 @@ template(`unpriv_user_template', `
|
|||
modutils_read_module_conf($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`netutils.te',`
|
||||
netutils_run_ping_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
# for when the network connection is killed
|
||||
seutil_dontaudit_signal_newrole($1_t)
|
||||
|
@ -1513,6 +1518,22 @@ interface(`userdom_read_staff_home_files',`
|
|||
allow $1 staff_home_t:{ file lnk_file } r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send a SIGCHLD signal to sysadm users.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_sigchld_sysadm',`
|
||||
gen_require(`
|
||||
type sysadm_t;
|
||||
')
|
||||
|
||||
allow $1 sysadm_t:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write sysadm ttys.
|
||||
|
|
|
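Review bot: The new `optional_policy(`netutils.te',` block in `unpriv_user_template` hands both the ping and the traceroute transition to every unprivileged user domain, and from `netutils_run_traceroute_cond`'s gen_require both are switched by the single `user_ping` boolean; that coupling is invisible at this call site. Suggest a comment above the two calls: `# both transitions are enabled by the user_ping boolean`. The template continues outside the hunk, so I could not check for an earlier ping rule it may now duplicate.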
@ -116,6 +116,10 @@ ifdef(`targeted_policy',`
|
|||
')
|
||||
')
|
||||
|
||||
tunable_policy(`allow_ptrace',`
|
||||
domain_ptrace_all_domains(sysadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`bootloader.te',`
|
||||
bootloader_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
|