add some file_t interfaces, and console write
This commit is contained in:
parent
b8fca44d3f
commit
3b857eae09
|
@ -37,7 +37,7 @@ kernel_ignore_read_system_state(consoletype_t)
|
|||
|
||||
filesystem_get_all_filesystems_attributes(consoletype_t)
|
||||
|
||||
terminal_ignore_use_console(consoletype_t)
|
||||
terminal_use_console(consoletype_t)
|
||||
terminal_use_general_physical_terminal(consoletype_t)
|
||||
|
||||
init_use_file_descriptors(consoletype_t)
|
||||
|
@ -69,7 +69,6 @@ allow consoletype_t sysadm_t:fd use;
|
|||
allow consoletype_t { sysadm_tty_device_t sysadm_devpts_t }:chr_file rw_file_perms;
|
||||
allow consoletype_t sysadm_t:fifo_file rw_file_perms;
|
||||
|
||||
allow consoletype_t initrc_t:fifo_file write;
|
||||
allow consoletype_t nfs_t:file write;
|
||||
|
||||
allow consoletype_t crond_t:fifo_file { read getattr ioctl };
|
||||
|
|
|
@ -33,6 +33,8 @@ terminal_ignore_use_console(dmesg_t)
|
|||
domain_use_widely_inheritable_file_descriptors(dmesg_t)
|
||||
|
||||
files_read_general_system_config_directory(dmesg_t)
|
||||
# for when /usr is not mounted:
|
||||
files_ignore_search_isid_type_dir(dmesg_t)
|
||||
|
||||
init_use_file_descriptors(dmesg_t)
|
||||
init_script_use_pseudoterminal(dmesg_t)
|
||||
|
@ -73,7 +75,4 @@ allow dmesg_t rhgb_t:fifo_file { read write };
|
|||
')
|
||||
|
||||
allow dmesg_t autofs_t:dir { search getattr };
|
||||
|
||||
# for when /usr is not mounted
|
||||
dontaudit dmesg_t file_t:dir search;
|
||||
') dnl endif TODO
|
||||
|
|
|
@ -1,4 +1,8 @@
|
|||
# Copyright (C) 2005 Tresys Technology, LLC
|
||||
## <module name="devices" layer="kernel">
|
||||
## <summary>
|
||||
## Policy for all devices except mass storage and terminal devices.
|
||||
## </summary>
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1015,3 +1019,5 @@ type device_t, power_device_t;
|
|||
class dir r_dir_perms;
|
||||
class chr_file { getattr read write ioctl };
|
||||
')
|
||||
|
||||
## </module>
|
||||
|
|
|
@ -14,7 +14,7 @@ dontaudit kernel_t $1:process { noatsecure siginh rlimitinh };
|
|||
allow $1 kernel_t:fd use;
|
||||
allow kernel_t $1:fd use;
|
||||
allow kernel_t $1:fifo_file rw_file_perms;
|
||||
allow kernel_t $1:process sigchld;
|
||||
allow $1 kernel_t:process sigchld;
|
||||
')
|
||||
|
||||
define(`kernel_make_userland_entrypoint_depend',`
|
||||
|
@ -406,7 +406,7 @@ class system ipc_info;
|
|||
define(`kernel_get_selinuxfs_mount_point',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 proc_t:dir search;
|
||||
allow $1 proc_t:lnk_file read;
|
||||
allow $1 proc_t:{ file lnk_file } read;
|
||||
allow $1 self:dir search;
|
||||
allow $1 self:file { getattr read };
|
||||
')
|
||||
|
@ -561,6 +561,20 @@ class dir { search getattr read };
|
|||
class file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# kernel_ignore_search_sysctl_dir(domain)
|
||||
#
|
||||
define(`kernel_ignore_search_sysctl_dir',`
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 sysctl_t:dir search;
|
||||
')
|
||||
|
||||
define(`kernel_ignore_search_sysctl_dir_depend',`
|
||||
type sysctl_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_device_sysctl(domain)
|
||||
|
@ -630,6 +644,20 @@ class dir { search getattr read };
|
|||
class file { getattr read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# kernel_ignore_search_network_sysctl_dir(domain)
|
||||
#
|
||||
define(`kernel_ignore_search_network_sysctl_dir',`
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 sysctl_net_t:dir search;
|
||||
')
|
||||
|
||||
define(`kernel_ignore_search_network_sysctl_dir_depend',`
|
||||
type sysctl_net_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# kernel_read_network_sysctl(domain)
|
||||
|
|
|
@ -97,15 +97,38 @@ class chr_file { getattr read write };
|
|||
define(`terminal_use_all_terminals',`
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 devpts_t:dir { getattr search read };
|
||||
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file { getattr read write ioctl };
|
||||
allow $1 devpts_t:dir r_dir_perms;
|
||||
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
define(`terminal_use_all_terminals_depend',`
|
||||
attribute ttynode, ptynode;
|
||||
type console_device_t, devpts_t, tty_device_t;
|
||||
class dir { getattr search read };
|
||||
class chr_file { getattr read write };
|
||||
class dir r_dir_perms;
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="terminal_write_console">
|
||||
## <description>
|
||||
## Write to the console.
|
||||
## </description>
|
||||
## <parameter name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </parameter>
|
||||
## <infoflow type="write" weight="10"/>
|
||||
## </interface>
|
||||
#
|
||||
define(`terminal_write_console',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 console_device_t:chr_file write;
|
||||
')
|
||||
|
||||
define(`terminal_use_console_depend',`
|
||||
type console_device_t;
|
||||
class chr_file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -122,12 +145,12 @@ class chr_file { getattr read write };
|
|||
define(`terminal_use_console',`
|
||||
requires_block_template(`$0'_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 console_device_t:chr_file { getattr read write ioctl };
|
||||
allow $1 console_device_t:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
define(`terminal_use_console_depend',`
|
||||
type console_device_t;
|
||||
class chr_file { read write };
|
||||
class chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
@ -234,3 +234,17 @@ kernel_compute_selinux_create_context($1_crontab_t)
|
|||
kernel_compute_selinux_relabel_context($1_crontab_t)
|
||||
kernel_compute_selinux_reachable_user_contexts($1_crontab_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# cron_modify_log(domain)
|
||||
#
|
||||
define(`cron_modify_log',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 crond_log_t:file { getattr read write ioctl lock append };
|
||||
')
|
||||
|
||||
define(`cron_modify_log_depend',`
|
||||
type crond_log_t;
|
||||
class file rw_file_perms;
|
||||
')
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Copyright (C) 2005 Tresys Technology, LLC
|
||||
|
||||
policy_module(consoletype, 1.0)
|
||||
policy_module(cron, 1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -67,7 +67,7 @@ allow crond_t self:msg { send receive };
|
|||
|
||||
allow crond_t crond_log_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
|
||||
allow crond_t crond_var_run_t:file { getattr create read write append setattr unlink };
|
||||
allow crond_t crond_var_run_t:file create_file_perms;
|
||||
files_create_daemon_runtime_data(crond_t,crond_var_run_t)
|
||||
|
||||
allow crond_t crond_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
||||
|
|
|
@ -48,6 +48,8 @@ init_script_use_pseudoterminal(hwclock_t)
|
|||
domain_use_widely_inheritable_file_descriptors(hwclock_t)
|
||||
|
||||
files_read_general_system_config_directory(hwclock_t)
|
||||
# for when /usr is not mounted:
|
||||
files_ignore_search_isid_type_dir(hwclock_t)
|
||||
|
||||
libraries_use_dynamic_loader(hwclock_t)
|
||||
libraries_use_shared_libraries(hwclock_t)
|
||||
|
@ -93,7 +95,4 @@ optional_policy(`apmd.te', `
|
|||
domain_auto_trans(apmd_t, hwclock_exec_t, hwclock_t)
|
||||
')
|
||||
|
||||
# for when /usr is not mounted
|
||||
dontaudit hwclock_t file_t:dir search;
|
||||
|
||||
') dnl end TODO
|
||||
|
|
|
@ -621,6 +621,34 @@ type etc_t;
|
|||
class dir { getattr search read write add_name remove_name };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_ignore_get_isid_type_dir_attrib(domain)
|
||||
#
|
||||
define(`files_ignore_get_isid_type_dir_attrib',`
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 file_t:dir search;
|
||||
')
|
||||
|
||||
define(`files_ignore_get_isid_type_dir_attrib_depend',`
|
||||
type file_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_ignore_search_isid_type_dir(domain)
|
||||
#
|
||||
define(`files_ignore_search_isid_type_dir',`
|
||||
requires_block_template(`$0'_depend)
|
||||
dontaudit $1 file_t:dir search;
|
||||
')
|
||||
|
||||
define(`files_ignore_search_isid_type_dir_depend',`
|
||||
type file_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <interface name="files_list_home_directories">
|
||||
## <description>
|
||||
|
|
|
@ -43,6 +43,9 @@ init_script_use_pseudoterminal(hostname_t)
|
|||
|
||||
domain_use_widely_inheritable_file_descriptors(hostname_t)
|
||||
|
||||
# for when /usr is not mounted:
|
||||
files_ignore_search_isid_type_dir(hostname_t)
|
||||
|
||||
libraries_use_dynamic_loader(hostname_t)
|
||||
libraries_use_shared_libraries(hostname_t)
|
||||
|
||||
|
@ -100,8 +103,4 @@ allow hostname_t rhgb_t:fifo_file { read write };
|
|||
|
||||
allow hostname_t autofs_t:dir { search getattr };
|
||||
##end daemon_base_domain
|
||||
|
||||
# for when /usr is not mounted
|
||||
dontaudit hostname_t file_t:dir search;
|
||||
|
||||
') dnl end TODO
|
||||
|
|
|
@ -78,6 +78,8 @@ domain_use_widely_inheritable_file_descriptors(hotplug_t)
|
|||
files_read_general_system_config(hotplug_t)
|
||||
files_manage_runtime_system_config(hotplug_t)
|
||||
files_execute_system_config_script(hotplug_t)
|
||||
# for when filesystems are not mounted early in the boot:
|
||||
files_ignore_search_isid_type_dir(hotplug_t)
|
||||
|
||||
init_use_file_descriptors(hotplug_t)
|
||||
init_script_use_pseudoterminal(hotplug_t)
|
||||
|
@ -173,8 +175,6 @@ dbusd_client(system, hotplug)
|
|||
|
||||
allow hotplug_t kernel_t:process sigchld;
|
||||
|
||||
# for when filesystems are not mounted early in the boot
|
||||
dontaudit hotplug_t file_t:dir { search getattr };
|
||||
|
||||
# for ps
|
||||
dontaudit hotplug_t domain:dir { getattr search };
|
||||
|
|
|
@ -5,27 +5,38 @@
|
|||
# init_make_init_domain(domain,entrypointfile)
|
||||
#
|
||||
define(`init_make_init_domain',`
|
||||
requires_block_template(`$0'_depend)
|
||||
domain_make_domain($1)
|
||||
domain_make_entrypoint_file($1,$2)
|
||||
role system_r types $1;
|
||||
allow init_t $1:process transition;
|
||||
allow init_t $2:file { getattr read execute };
|
||||
dontaudit init_t $1:process { noatsecure siginh rlimitinh };
|
||||
type_transition init_t $2:process $1;
|
||||
allow $1 init_t:fd use;
|
||||
allow init_t $1:fd use;
|
||||
allow $1 init_t:fifo_file rw_file_perms;
|
||||
allow $1 init_t:process sigchld;
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
domain_make_domain($1)
|
||||
domain_make_entrypoint_file($1,$2)
|
||||
|
||||
role system_r types $1;
|
||||
|
||||
allow init_t $1:process transition;
|
||||
allow init_t $2:file { getattr read execute };
|
||||
dontaudit init_t $1:process { noatsecure siginh rlimitinh };
|
||||
type_transition init_t $2:process $1;
|
||||
|
||||
allow $1 init_t:fd use;
|
||||
allow init_t $1:fd use;
|
||||
allow $1 init_t:fifo_file rw_file_perms;
|
||||
allow $1 init_t:process sigchld;
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
optional_policy(`distro_redhat',`
|
||||
kernel_ignore_use_file_descriptors($1)
|
||||
files_ignore_read_rootfs_file($1)
|
||||
')
|
||||
')
|
||||
|
||||
define(`init_make_init_domain_depend',`
|
||||
type init_t;
|
||||
class file { getattr read execute };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
role system_r;
|
||||
type init_t;
|
||||
class file { getattr read execute };
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
class process { transition noatsecure siginh rlimitinh sigchld };
|
||||
role system_r;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -33,18 +44,29 @@ role system_r;
|
|||
# init_make_daemon_domain(domain,entrypointfile)
|
||||
#
|
||||
define(`init_make_daemon_domain',`
|
||||
requires_block_template(`$0'_depend)
|
||||
domain_make_domain($1)
|
||||
domain_make_entrypoint_file($1,$2)
|
||||
role system_r types $1;
|
||||
allow initrc_t $1:process transition;
|
||||
allow initrc_t $2:file { getattr read execute };
|
||||
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
|
||||
type_transition initrc_t $2:process $1;
|
||||
allow initrc_t $1:fd use;
|
||||
allow $1 initrc_t:fd use;
|
||||
allow $1 initrc_t:fifo_file rw_file_perms;
|
||||
allow $1 initrc_t:process sigchld;
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
domain_make_domain($1)
|
||||
domain_make_entrypoint_file($1,$2)
|
||||
|
||||
role system_r types $1;
|
||||
|
||||
allow initrc_t $1:process transition;
|
||||
allow initrc_t $2:file { getattr read execute };
|
||||
dontaudit initrc_t $1:process { noatsecure siginh rlimitinh };
|
||||
type_transition initrc_t $2:process $1;
|
||||
|
||||
allow initrc_t $1:fd use;
|
||||
allow $1 initrc_t:fd use;
|
||||
allow $1 initrc_t:fifo_file rw_file_perms;
|
||||
allow $1 initrc_t:process sigchld;
|
||||
|
||||
# Red Hat systems seem to have a stray
|
||||
# fd open from the initrd
|
||||
optional_policy(`distro_redhat',`
|
||||
kernel_ignore_use_file_descriptors($1)
|
||||
files_ignore_read_rootfs_file($1)
|
||||
')
|
||||
')
|
||||
|
||||
define(`init_make_daemon_domain_depend',`
|
||||
|
|
|
@ -61,6 +61,15 @@ files_make_temporary_file(initrc_tmp_t)
|
|||
# Init local policy
|
||||
#
|
||||
|
||||
# Use capabilities. old rule:
|
||||
allow init_t self:capability ~sys_module;
|
||||
# is ~sys_module really needed? observed:
|
||||
# sys_boot
|
||||
# sys_tty_config
|
||||
# kill: now provided by domain_kill_all_domains()
|
||||
# setuid (from /sbin/shutdown)
|
||||
# sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot()
|
||||
|
||||
allow init_t self:fifo_file { read write ioctl };
|
||||
|
||||
# Re-exec itself
|
||||
|
@ -74,6 +83,9 @@ allow init_t initctl_t:fifo_file { create getattr read append write setattr unli
|
|||
filesystem_tmpfs_associate(initctl_t)
|
||||
devices_create_dev_entry(init_t,initctl_t,fifo_file)
|
||||
|
||||
# Modify utmp.
|
||||
allow init_t initrc_var_run_t:file { getattr read write setattr lock };
|
||||
|
||||
# Run init scripts. this is ok since initrc
|
||||
# is also in this module
|
||||
allow init_t initrc_t:process transition;
|
||||
|
@ -109,6 +121,8 @@ domain_sigchld_all_domains(init_t)
|
|||
|
||||
files_read_general_system_config(init_t)
|
||||
files_modify_system_runtime_data(init_t)
|
||||
files_ignore_search_isid_type_dir(init_t)
|
||||
files_manage_runtime_system_config(init_t)
|
||||
# Run /etc/X11/prefdm:
|
||||
files_execute_system_config_script(init_t)
|
||||
# file descriptors inherited from the rootfs:
|
||||
|
@ -117,8 +131,10 @@ files_ignore_modify_rootfs_device(init_t)
|
|||
|
||||
libraries_use_dynamic_loader(init_t)
|
||||
libraries_use_shared_libraries(init_t)
|
||||
libraries_modify_dynamic_loader_cache(init_t)
|
||||
|
||||
logging_send_system_log_message(init_t)
|
||||
logging_modify_system_logs(init_t)
|
||||
|
||||
selinux_read_config(init_t)
|
||||
|
||||
|
@ -129,39 +145,15 @@ filesystem_use_tmpfs_character_devices(init_t)
|
|||
filesystem_create_private_tmpfs_data(init_t,initctl_t,fifo_file)
|
||||
')
|
||||
|
||||
optional_policy(`authlogin.te',`
|
||||
authlogin_modify_login_records(init_t)
|
||||
')
|
||||
|
||||
# Run the shell in the sysadm_t domain for single-user mode.
|
||||
optional_policy(`userdomain.te',`
|
||||
userdomain_sysadm_shell_transition(init_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# the following seem questionable
|
||||
#
|
||||
|
||||
libraries_modify_dynamic_loader_cache(init_t)
|
||||
files_manage_runtime_system_config(init_t)
|
||||
authlogin_modify_login_records(init_t)
|
||||
logging_modify_system_logs(init_t)
|
||||
|
||||
# Use capabilities. old rule:
|
||||
allow init_t self:capability ~sys_module;
|
||||
# is ~sys_module really needed? observed:
|
||||
# sys_boot
|
||||
# sys_tty_config
|
||||
# kill: now provided by domain_kill_all_domains()
|
||||
# setuid (from /sbin/shutdown)
|
||||
# sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot()
|
||||
|
||||
# Modify utmp.
|
||||
allow init_t initrc_var_run_t:file { getattr read write setattr lock };
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
# for mount points
|
||||
allow init_t file_t:dir search;
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Init script local policy
|
||||
|
|
|
@ -207,6 +207,8 @@ kernel_read_system_state(sulogin_t)
|
|||
init_script_get_process_group(sulogin_t)
|
||||
|
||||
files_read_general_system_config(sulogin_t)
|
||||
# because file systems are not mounted:
|
||||
files_ignore_search_isid_type_dir(sulogin_t)
|
||||
|
||||
libraries_use_dynamic_loader(sulogin_t)
|
||||
libraries_use_shared_libraries(sulogin_t)
|
||||
|
@ -250,7 +252,4 @@ allow sulogin_t autofs_t:dir { search getattr };
|
|||
')
|
||||
|
||||
allow sulogin_t { staff_home_dir_t sysadm_home_dir_t }:dir search;
|
||||
|
||||
# because file systems are not mounted
|
||||
dontaudit sulogin_t file_t:dir search;
|
||||
') dnl endif TODO
|
||||
|
|
|
@ -35,10 +35,10 @@ files_make_file(var_log_t)
|
|||
# klogd local policy
|
||||
#
|
||||
|
||||
allow klogd_t klogd_tmp_t:file { getattr create read write append setattr unlink };
|
||||
allow klogd_t klogd_tmp_t:file create_file_perms;
|
||||
files_create_private_tmp_data(klogd_t,klogd_tmp_t)
|
||||
|
||||
allow klogd_t klogd_var_run_t:file { getattr create read write append setattr unlink };
|
||||
allow klogd_t klogd_var_run_t:file create_file_perms;
|
||||
|
||||
allow klogd_t self:capability sys_admin;
|
||||
dontaudit klogd_t self:capability sys_resource;
|
||||
|
@ -60,6 +60,8 @@ files_read_runtime_system_config(klogd_t)
|
|||
# read /etc/nsswitch.conf
|
||||
files_read_general_system_config(klogd_t)
|
||||
|
||||
init_use_file_descriptors(klogd_t)
|
||||
|
||||
libraries_use_dynamic_loader(klogd_t)
|
||||
libraries_use_shared_libraries(klogd_t)
|
||||
|
||||
|
@ -77,12 +79,15 @@ allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys
|
|||
dontaudit syslogd_t self:capability sys_tty_config;
|
||||
|
||||
# create/append log files.
|
||||
allow syslogd_t var_log_t:dir { read getattr search add_name write };
|
||||
allow syslogd_t var_log_t:file { create ioctl getattr setattr append link };
|
||||
allow syslogd_t var_log_t:dir rw_dir_perms;
|
||||
allow syslogd_t var_log_t:file create_file_perms;
|
||||
|
||||
# manage temporary files
|
||||
allow syslogd_t syslogd_tmp_t:file { getattr create read write append setattr unlink };
|
||||
allow syslogd_t syslogd_var_run_t:file { getattr create read write append setattr unlink };
|
||||
allow syslogd_t syslogd_tmp_t:file create_file_perms;
|
||||
files_create_private_tmp_data(syslogd_t,syslogd_tmp_t)
|
||||
|
||||
allow syslogd_t syslogd_var_run_t:file create_file_perms;
|
||||
files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
|
||||
|
||||
# receive messages to be logged
|
||||
allow syslogd_t devlog_t:unix_stream_socket name_bind;
|
||||
|
@ -94,6 +99,7 @@ allow syslogd_t self:fifo_file { getattr read write ioctl lock };
|
|||
|
||||
# Create and bind to /dev/log or /var/run/log.
|
||||
allow syslogd_t devlog_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
|
||||
|
||||
# manage pid file
|
||||
allow syslogd_t syslogd_var_run_t:file { getattr create read write append setattr unlink };
|
||||
|
@ -129,9 +135,6 @@ init_script_use_pseudoterminal(syslogd_t)
|
|||
domain_use_widely_inheritable_file_descriptors(syslogd_t)
|
||||
|
||||
files_read_general_system_config(syslogd_t)
|
||||
files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t,file)
|
||||
files_create_daemon_runtime_data(syslogd_t,devlog_t,sock_file)
|
||||
files_create_private_tmp_data(syslogd_t,syslogd_tmp_t)
|
||||
|
||||
libraries_use_dynamic_loader(syslogd_t)
|
||||
libraries_use_shared_libraries(syslogd_t)
|
||||
|
@ -145,7 +148,7 @@ userdomain_ignore_use_all_unprivileged_users_file_descriptors(syslogd_t)
|
|||
#
|
||||
# /initrd is not umounted before minilog starts
|
||||
#
|
||||
#dontaudit syslogd_t file_t:dir search;
|
||||
files_ignore_search_isid_type_dir(syslogd_t)
|
||||
#allow syslogd_t tmpfs_t:dir search;
|
||||
#dontaudit syslogd_t unlabeled_t:file read;
|
||||
#dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
|
||||
|
@ -159,6 +162,12 @@ kernel_clear_ring_buffer(syslogd_t)
|
|||
kernel_change_ring_buffer_level(syslogd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`targeted_policy', `
|
||||
terminal_ignore_use_general_physical_terminal(syslogd_t)
|
||||
terminal_ignore_use_general_pseudoterminal(syslogd_t)
|
||||
files_ignore_read_rootfs_file(syslogd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinux.te',`
|
||||
selinux_newrole_sigchld(syslogd_t)
|
||||
')
|
||||
|
@ -167,10 +176,8 @@ optional_policy(`udev.te', `
|
|||
udev_read_database(syslogd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`targeted_policy', `
|
||||
terminal_ignore_use_general_physical_terminal(syslogd_t)
|
||||
terminal_ignore_use_general_pseudoterminal(syslogd_t)
|
||||
files_ignore_read_rootfs_file(syslogd_t)
|
||||
optional_policy(`cron.te',`
|
||||
cron_modify_log(syslogd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
@ -198,8 +205,6 @@ can_ypbind(syslogd_t)
|
|||
allow syslogd_t xconsole_device_t:fifo_file { ioctl read write };
|
||||
|
||||
ifdef(`crond.te', `
|
||||
# Write to the cron log.
|
||||
allow syslogd_t crond_log_t:file rw_file_perms;
|
||||
# for daemon re-start
|
||||
allow system_crond_t syslogd_t:lnk_file read;
|
||||
')
|
||||
|
|
|
@ -117,6 +117,8 @@ domain_use_widely_inheritable_file_descriptors(lvm_t)
|
|||
files_search_system_state_data_directory(lvm_t)
|
||||
files_read_general_system_config(lvm_t)
|
||||
files_read_runtime_system_config(lvm_t)
|
||||
# for when /usr is not mounted:
|
||||
files_ignore_search_isid_type_dir(lvm_t)
|
||||
|
||||
init_use_file_descriptors(lvm_t)
|
||||
init_ignore_get_control_channel_attributes(lvm_t)
|
||||
|
@ -159,9 +161,6 @@ allow lvm_t device_t:lnk_file { relabelfrom relabelto };
|
|||
|
||||
dontaudit lvm_t var_run_t:dir getattr;
|
||||
|
||||
# for when /usr is not mounted
|
||||
dontaudit lvm_t file_t:dir search;
|
||||
|
||||
optional_policy(`gnome-pty-helper.te', `
|
||||
allow lvm_t sysadm_gph_t:fd use;
|
||||
')
|
||||
|
|
|
@ -80,8 +80,10 @@ files_read_runtime_system_config(insmod_t)
|
|||
files_read_general_system_config(insmod_t)
|
||||
files_read_general_application_resources(insmod_t)
|
||||
files_execute_system_config_script(insmod_t)
|
||||
# for nscd
|
||||
# for nscd:
|
||||
files_ignore_search_runtime_data_directory(insmod_t)
|
||||
# for when /var is not mounted early in the boot:
|
||||
files_ignore_search_isid_type_dir(insmod_t)
|
||||
|
||||
init_use_control_channel(insmod_t)
|
||||
init_use_file_descriptors(insmod_t)
|
||||
|
@ -113,10 +115,6 @@ allow insmod_t xserver_log_t:file getattr;
|
|||
# why is this needed? insmod cannot mounton any dir
|
||||
# and it also transitions to mount
|
||||
allow insmod_t usbfs_t:filesystem mount;
|
||||
|
||||
# for when /var is not mounted early in the boot
|
||||
dontaudit insmod_t file_t:dir search;
|
||||
|
||||
') dnl if TODO
|
||||
|
||||
########################################
|
||||
|
|
|
@ -45,7 +45,12 @@ files_create_daemon_runtime_data(dhcpc_t,dhcpc_var_run_t)
|
|||
# transition to ifconfig
|
||||
allow dhcpc_t ifconfig_exec_t:file { getattr read execute };
|
||||
allow dhcpc_t ifconfig_t:process transition;
|
||||
type_transition dhcpc_t ifconfig_exec_t:process ifconfig_t;
|
||||
dontaudit dhcpc_t ifconfig_t:process { noatsecure siginh rlimitinh };
|
||||
allow dhcpc_t ifconfig_t:fd use;
|
||||
allow ifconfig_t dhcpc_t:fd use;
|
||||
allow ifconfig_t dhcpc_t:fifo_file rw_file_perms;
|
||||
allow ifconfig_t dhcpc_t:process sigchld;
|
||||
|
||||
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
|
||||
# in /etc created by dhcpcd will be labelled net_conf_t.
|
||||
|
@ -253,6 +258,8 @@ files_read_general_system_config(ifconfig_t);
|
|||
kernel_use_file_descriptors(ifconfig_t)
|
||||
kernel_read_system_state(ifconfig_t)
|
||||
kernel_read_network_state(ifconfig_t)
|
||||
kernel_ignore_search_sysctl_dir(ifconfig_t)
|
||||
kernel_ignore_search_network_sysctl_dir(ifconfig_t)
|
||||
|
||||
filesystem_get_persistent_filesystem_attributes(ifconfig_t)
|
||||
|
||||
|
@ -290,11 +297,6 @@ ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
|
|||
|
||||
allow ifconfig_t tun_tap_device_t:chr_file { read write };
|
||||
|
||||
# ifconfig attempts to search some sysctl entries.
|
||||
# Do not audit those attempts; comment out these rules if it is desired to
|
||||
# see the denials.
|
||||
dontaudit ifconfig_t { sysctl_t sysctl_net_t }:dir search;
|
||||
|
||||
optional_policy(`rhgb.te', `
|
||||
allow ifconfig_t rhgb_t:process sigchld;
|
||||
allow ifconfig_t rhgb_t:fd use;
|
||||
|
|
|
@ -92,6 +92,7 @@ domain_ignore_read_all_domains_process_dirs(udev_t)
|
|||
files_read_runtime_system_config(udev_t)
|
||||
files_read_general_system_config(udev_t)
|
||||
files_execute_system_config_script(udev_t)
|
||||
files_ignore_search_isid_type_dir(udev_t)
|
||||
|
||||
init_use_file_descriptors(udev_t)
|
||||
init_script_read_runtime_data(udev_t)
|
||||
|
@ -150,7 +151,6 @@ allow udev_t sysadm_tty_device_t:chr_file { read write };
|
|||
|
||||
# Dontaudits
|
||||
dontaudit udev_t staff_home_dir_t:dir search;
|
||||
dontaudit udev_t file_t:dir search;
|
||||
dontaudit udev_t ttyfile:chr_file unlink;
|
||||
|
||||
allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
|
||||
|
|
Loading…
Reference in New Issue