fill pam and utempter authlogin policy and fix up interfaces
parent
4541a9d9a5
commit
3ce6cb4a45
|
@ -53,7 +53,7 @@ libraries_use_dynamic_loader(consoletype_t)
|
|||
libraries_read_shared_libraries(consoletype_t)
|
||||
|
||||
optional_policy(`authlogin.te', `
|
||||
authlogin_read_pam_runtime_data(consoletype_t)
|
||||
authlogin_pam_read_runtime_data(consoletype_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
|
|
@ -26,6 +26,7 @@ files_make_file(boot_runtime_t)
|
|||
|
||||
type bootloader_t;
|
||||
domain_make_domain(bootloader_t)
|
||||
role system_r types bootloader_t;
|
||||
|
||||
type bootloader_exec_t;
|
||||
domain_make_entrypoint_file(bootloader_t,bootloader_exec_t)
|
||||
|
@ -79,7 +80,7 @@ storage_raw_write_removable_device(bootloader_t)
|
|||
devices_get_all_character_device_attributes(bootloader_t)
|
||||
devices_set_all_block_device_attributes(bootloader_t)
|
||||
devices_ignore_modify_generic_devices(bootloader_t)
|
||||
# for reading BIOS data (cjp: ?)
|
||||
# for reading BIOS data
|
||||
devices_raw_read_memory(bootloader_t)
|
||||
|
||||
init_get_control_channel_attributes(bootloader_t)
|
||||
|
@ -104,11 +105,11 @@ logging_send_system_log_message(bootloader_t)
|
|||
filesystem_get_persistent_filesystem_attributes(bootloader_t)
|
||||
|
||||
terminal_use_controlling_terminal(bootloader_t)
|
||||
terminal_get_user_terminal_attributes(bootloader_t)
|
||||
terminal_get_all_users_physical_terminal_attributes(bootloader_t)
|
||||
|
||||
allow bootloader_t bootloader_etc_t:file { getattr read };
|
||||
|
||||
optional_policy(modutils.te,`
|
||||
optional_policy(`modutils.te',`
|
||||
modutils_insmod_execute(insmod_t)
|
||||
')
|
||||
|
||||
|
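Review bot: `modutils_insmod_execute(insmod_t)` inside the newly quoted `optional_policy(`modutils.te',` block passes `insmod_t` as the calling domain, while every other interface call in this file names `bootloader_t`; presumably the intent is for the bootloader to execute insmod, which would be `modutils_insmod_execute(bootloader_t)`. As written the rule appears to grant insmod's own domain whatever the interface allows rather than the bootloader. The commit fixes the quoting of the module name but leaves this argument as it was.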
@ -122,7 +123,7 @@ miscfiles_read_localization(bootloader_t)
|
|||
allow bootloader_t modules_object_t:dir { getattr search read };
|
||||
allow bootloader_t modules_object_t:file { getattr read };
|
||||
|
||||
files_read_general_system_resources(bootloader_t)
|
||||
files_read_general_application_resources(bootloader_t)
|
||||
bootloader_install_initrd(bootloader_t)
|
||||
|
||||
devices_get_random_data(bootloader_t)
|
||||
|
@ -160,7 +161,7 @@ tunable_policy(`distro_debian', `
|
|||
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
|
||||
allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
|
||||
allow bootloader_t boot_t:file relabelfrom;
|
||||
')
|
||||
') dnl end distro_debian
|
||||
|
||||
tunable_policy(`distro_redhat', `
|
||||
files_make_mountpoint(bootloader_tmp_t)
|
||||
|
@ -176,7 +177,7 @@ allow bootloader_t boot_runtime_t:file { read getattr unlink };
|
|||
# for memlock
|
||||
devices_get_zeros(bootloader_t)
|
||||
allow bootloader_t self:capability ipc_lock;
|
||||
')
|
||||
') dnl end distro_redhat
|
||||
|
||||
ifdef(`TODO',`
|
||||
|
||||
|
@ -184,7 +185,6 @@ ifdef(`TODO',`
|
|||
domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
|
||||
allow bootloader_t admin_tty_type:chr_file rw_file_perms;
|
||||
|
||||
role system_r types bootloader_t;
|
||||
allow bootloader_t initrc_t:fifo_file { read write };
|
||||
|
||||
allow bootloader_t lib_t:file { getattr read };
|
||||
|
|
|
@ -160,7 +160,7 @@ allow kernel_t sysctl_kernel_t:file { getattr read };
|
|||
|
||||
# old base_file_read_access():
|
||||
files_list_home_directories(kernel_t)
|
||||
files_read_general_shared_resources(kernel_t)
|
||||
files_read_general_application_resources(kernel_t)
|
||||
selinux_read_config(kernel_t)
|
||||
|
||||
selinux_read_binary_policy(kernel_t)
|
||||
|
|
|
@ -27,20 +27,112 @@ devices_list_device_nodes_depend
|
|||
|
||||
########################################
|
||||
#
|
||||
# terminal_use_all_terminals(domain,[`optional'])
|
||||
# terminal_use_all_terminals(domain)
|
||||
#
|
||||
define(`terminal_use_all_terminals',`
|
||||
requires_block_template(terminal_use_all_terminals_depend,$2)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 devpts_t:dir { getattr read search };
|
||||
requires_block_template(terminal_use_all_terminals_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 devpts_t:dir { getattr search read };
|
||||
allow $1 { console_device_t devtty_t ttynode ptynode }:chr_file { read write };
|
||||
')
|
||||
|
||||
define(`terminal_use_all_terminals_depend',`
|
||||
attribute ttynode, ptynode;
|
||||
type console_device_t, devtty_t, devpts_t;
|
||||
class dir { getattr search read };
|
||||
class chr_file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# terminal_get_all_users_physical_terminal_attributes(domain)
|
||||
#
|
||||
define(`terminal_get_all_users_physical_terminal_attributes',`
|
||||
requires_block_template(terminal_get_all_users_physical_terminal_attributes_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 ttynode:chr_file getattr;
|
||||
')
|
||||
|
||||
define(`terminal_get_all_users_physical_terminal_attributes_depend',`
|
||||
attribute ttynode;
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# terminal_use_all_users_physical_terminals(domain)
|
||||
#
|
||||
define(`terminal_use_all_users_physical_terminals',`
|
||||
requires_block_template(terminal_use_all_users_physical_terminals_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 ttynode:chr_file { read write };
|
||||
')
|
||||
|
||||
define(`terminal_use_all_users_physical_terminals_depend',`
|
||||
attribute ttynode;
|
||||
class chr_file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# terminal_ignore_use_all_users_physical_terminals(domain)
|
||||
#
|
||||
define(`terminal_ignore_use_all_users_physical_terminals',`
|
||||
requires_block_template(terminal_ignore_use_all_users_physical_terminals_depend)
|
||||
dontaudit $1 ttynode:chr_file { read write };
|
||||
')
|
||||
|
||||
define(`terminal_ignore_use_all_users_physical_terminals_depend',`
|
||||
attribute ttynode;
|
||||
class chr_file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# terminal_get_all_users_pseudoterminal_attributes(domain)
|
||||
#
|
||||
define(`terminal_get_all_users_pseudoterminal_attributes',`
|
||||
requires_block_template(terminal_get_all_users_pseudoterminal_attributes_depend,$2)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 devpts_t:dir { getattr search read };
|
||||
allow $1 ptynode:chr_file getattr;
|
||||
')
|
||||
|
||||
define(`terminal_get_all_users_pseudoterminal_attributes_depend',`
|
||||
attribute ptynode;
|
||||
class dir { getattr search read };
|
||||
class chr_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# terminal_use_all_users_pseudoterminals(domain)
|
||||
#
|
||||
define(`terminal_use_all_users_pseudoterminals',`
|
||||
requires_block_template(terminal_use_all_users_pseudoterminals_depend)
|
||||
devices_list_device_nodes($1)
|
||||
allow $1 devpts_t:dir { getattr read search };
|
||||
allow $1 ptynode:chr_file { read write };
|
||||
')
|
||||
|
||||
define(`terminal_use_all_users_pseudoterminals_depend',`
|
||||
attribute ptynode;
|
||||
class dir { getattr search read };
|
||||
class chr_file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# terminal_ignore_use_all_users_pseudoterminals(domain)
|
||||
#
|
||||
define(`terminal_ignore_use_all_users_pseudoterminals',`
|
||||
requires_block_template(terminal_ignore_use_all_users_pseudoterminals_depend)
|
||||
dontaudit $1 ptynode:chr_file { read write };
|
||||
')
|
||||
|
||||
define(`terminal_ignore_use_all_users_pseudoterminals_depend',`
|
||||
attribute ptynode;
|
||||
class chr_file { read write };
|
||||
devices_list_device_nodes_depend
|
||||
')
|
||||
|
||||
########################################
|
||||
|
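Review bot: `terminal_get_all_users_pseudoterminal_attributes` still passes `$2` to `requires_block_template` although its header, like the other new interfaces in this hunk, documents a single `domain` argument; it should read `requires_block_template(terminal_get_all_users_pseudoterminal_attributes_depend)`. The `_depend` blocks of the new interfaces that call `devices_list_device_nodes($1)` (the physical/pseudoterminal attribute and use interfaces) do not include `devices_list_device_nodes_depend`, whereas `terminal_ignore_use_all_users_pseudoterminals_depend` includes it for an interface that only emits a `dontaudit` and never calls it — this looks like the line landed in the wrong block. The `terminal_get_user_terminal_attributes_depend` being removed in the next hunk shows the expected pattern, with `devices_list_device_nodes_depend` alongside the class declarations.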
@ -152,22 +244,6 @@ type tty_device_t;
|
|||
class chr_file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# terminal_get_user_terminal_attributes(domain,[`optional'])
|
||||
#
|
||||
define(`terminal_get_user_terminal_attributes',`
|
||||
requires_block_template(terminal_get_user_terminal_attributes_depend,$2)
|
||||
devices_list_device_nodes($1,optional)
|
||||
allow $1 ttynode:chr_file getattr;
|
||||
')
|
||||
|
||||
define(`terminal_get_user_terminal_attributes_depend',`
|
||||
attribute ttynode;
|
||||
class chr_file getattr;
|
||||
devices_list_device_nodes_depend
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# terminal_list_pseudoterminals(domain,[`optional'])
|
||||
|
|
|
@ -37,7 +37,10 @@ kernel_read_system_state($1_chkpwd_t)
|
|||
#can_resolve($1_chkpwd_t)
|
||||
|
||||
# Transition from the user domain to this domain.
|
||||
ifelse($1, system, `', `
|
||||
ifelse($1, system, `
|
||||
#dontaudit $1_chkpwd_t user_tty_type:chr_file rw_file_perms;
|
||||
terminal_use_general_physical_terminal($1_chkpwd_t)
|
||||
', `
|
||||
# Transition from the user domain to this domain.
|
||||
allow $1_t chkpwd_exec_t:file { getattr read execute };
|
||||
allow $1_t $1_chkpwd_t:process transition;
|
||||
|
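Review bot: In the new `system` branch of the `ifelse`, `terminal_use_general_physical_terminal($1_chkpwd_t)` sits directly under the commented-out `#dontaudit $1_chkpwd_t user_tty_type:chr_file rw_file_perms;`, which reads as a silenced denial being converted into a granted permission for the system password checker. If the intent is only to keep tty denials out of the audit log, the `terminal_ignore_*` style of interface this commit adds to terminal.if is the equivalent; if system_chkpwd genuinely needs the tty, a one-line comment such as `# system_chkpwd needs the user's tty for <reason>` would stop the next reader from reverting it. The enclosing `$1_chkpwd` template starts before this hunk.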
@ -113,6 +116,8 @@ class process transition;
|
|||
#
|
||||
define(`authlogin_modify_login_records',`
|
||||
requires_block_template(authlogin_modify_login_records_depend)
|
||||
files_search_system_state_data_directory($1)
|
||||
# FIXME: search var_log_t
|
||||
allow $1 wtmp_t:file { getattr read write setattr };
|
||||
')
|
||||
|
||||
|
@ -127,6 +132,7 @@ class file { getattr read write setattr };
|
|||
#
|
||||
define(`authlogin_read_shadow_passwords',`
|
||||
requires_block_template(authlogin_read_shadow_passwords_depend)
|
||||
# FIXME: read etc_t dir
|
||||
allow $1 shadow_t:file { getattr read };
|
||||
typeattribute $1 can_read_shadow_passwords;
|
||||
')
|
||||
|
@ -157,6 +163,7 @@ class file { getattr read };
|
|||
#
|
||||
define(`authlogin_modify_shadow_passwords',`
|
||||
requires_block_template(authlogin_modify_shadow_passwords_depend)
|
||||
# FIXME: read etc_t dir
|
||||
allow $1 shadow_t:file { getattr read write };
|
||||
typeattribute $1 can_read_shadow_passwords;
|
||||
typeattribute $1 can_write_shadow_passwords;
|
||||
|
@ -185,16 +192,36 @@ class file { getattr read write setattr };
|
|||
|
||||
#######################################
|
||||
#
|
||||
# authlogin_read_pam_runtime_data(domain)
|
||||
# authlogin_pam_read_runtime_data(domain)
|
||||
#
|
||||
define(`authlogin_read_pam_runtime_data',`
|
||||
requires_block_template(authlogin_read_pam_runtime_data_depend)
|
||||
# FIXME: search var_t
|
||||
# FIXME: search var_run_t
|
||||
define(`authlogin_pam_read_runtime_data',`
|
||||
requires_block_template(authlogin_pam_read_runtime_data_depend)
|
||||
files_search_system_state_data_directory($1)
|
||||
files_search_runtime_data_directory($1)
|
||||
allow $1 pam_var_run_t:dir { getattr search read };
|
||||
allow $1 pam_var_run_t:file { getattr read };
|
||||
')
|
||||
|
||||
define(`authlogin_read_pam_runtime_data_depend',`
|
||||
type lastlog_t;
|
||||
define(`authlogin_pam_read_runtime_data_depend',`
|
||||
type pam_var_run_t;
|
||||
class dir { getattr search read };
|
||||
class file { getattr read };
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# authlogin_pam_remove_runtime_data(domain)
|
||||
#
|
||||
define(`authlogin_pam_remove_runtime_data',`
|
||||
requires_block_template(authlogin_pam_remove_runtime_data_depend)
|
||||
files_search_system_state_data_directory($1)
|
||||
files_search_runtime_data_directory($1)
|
||||
allow $1 pam_var_run_t:dir { getattr search read write remove_name };
|
||||
allow $1 pam_var_run_t:file { getattr unlink };
|
||||
')
|
||||
|
||||
define(`authlogin_pam_remove_runtime_data_depend',`
|
||||
type pam_var_run_t;
|
||||
class dir { getattr search read write remove_name };
|
||||
class file { getattr unlink };
|
||||
')
|
||||
|
|
|
@ -25,8 +25,9 @@ domain_make_domain(pam_console_t)
|
|||
type pam_console_exec_t;
|
||||
domain_make_entrypoint_file(pam_console_t,pam_console_exec_t)
|
||||
|
||||
type pam_t;
|
||||
type pam_t; #, nscd_client_domain;
|
||||
domain_make_domain(pam_t)
|
||||
role system_r types pam_t;
|
||||
|
||||
type pam_exec_t;
|
||||
domain_make_entrypoint_file(pam_t,pam_exec_t)
|
||||
|
@ -47,7 +48,7 @@ attribute can_write_shadow_passwords;
|
|||
neverallow ~can_read_shadow_passwords shadow_t:file read;
|
||||
neverallow ~can_write_shadow_passwords shadow_t:file write;
|
||||
|
||||
type utempter_t;
|
||||
type utempter_t; #, nscd_client_domain;
|
||||
domain_make_domain(utempter_t)
|
||||
|
||||
type utempter_exec_t;
|
||||
|
@ -58,7 +59,102 @@ logging_make_log_file(wtmp_t)
|
|||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
# PAM local policy
|
||||
#
|
||||
#dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
|
||||
#dontaudit system_chkpwd_t privfd:fd use;
|
||||
|
||||
allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
dontaudit pam_t self:capability sys_tty_config;
|
||||
|
||||
allow pam_t self:fd use;
|
||||
allow pam_t self:fifo_file { read getattr lock ioctl write append };
|
||||
allow pam_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow pam_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
||||
allow pam_t self:unix_dgram_socket sendto;
|
||||
allow pam_t self:unix_stream_socket connectto;
|
||||
allow pam_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
|
||||
allow pam_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
|
||||
allow pam_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
|
||||
allow pam_t self:msg { send receive };
|
||||
|
||||
allow pam_t pam_var_run_t:dir { search getattr read write remove_name };
|
||||
allow pam_t pam_var_run_t:file { getattr read unlink };
|
||||
|
||||
allow pam_t pam_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
||||
allow pam_t pam_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(pam_t)
|
||||
|
||||
terminal_use_controlling_terminal(pam_t)
|
||||
terminal_use_all_users_physical_terminals(pam_t)
|
||||
terminal_use_all_users_pseudoterminals(pam_t)
|
||||
|
||||
init_script_ignore_modify_runtime_data(pam_t)
|
||||
|
||||
files_read_general_system_config(pam_t)
|
||||
files_read_runtime_data_directory(pam_t)
|
||||
|
||||
libraries_use_dynamic_loader(pam_t)
|
||||
libraries_read_shared_libraries(pam_t)
|
||||
|
||||
logging_send_system_log_message(pam_t)
|
||||
|
||||
optional_policy(`locallogin.te',`
|
||||
locallogin_use_file_descriptors(pam_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow pam_t unpriv_userdomain:fd use;
|
||||
can_ypbind(pam_t)
|
||||
ifdef(`automount.te', `
|
||||
allow pam_t autofs_t:dir { search getattr };
|
||||
')
|
||||
|
||||
in_user_role(pam_t)
|
||||
domain_auto_trans(userdomain, pam_exec_t, pam_t)
|
||||
ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
|
||||
') dnl endif TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Utempter local policy
|
||||
#
|
||||
|
||||
allow utempter_t self:capability setgid;
|
||||
allow utempter_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
||||
|
||||
allow utempter_t wtmp_t:file { ioctl read getattr lock write append };
|
||||
|
||||
terminal_get_all_users_physical_terminal_attributes(utempter_t)
|
||||
terminal_get_all_users_pseudoterminal_attributes(utempter_t)
|
||||
terminal_ignore_use_all_users_physical_terminals(utempter_t)
|
||||
terminal_ignore_use_all_users_pseudoterminals(utempter_t)
|
||||
|
||||
init_script_modify_runtime_data(utempter_t)
|
||||
|
||||
files_read_general_system_config(utempter_t)
|
||||
|
||||
domain_use_widely_inheritable_file_descriptors(utempter_t)
|
||||
|
||||
libraries_use_dynamic_loader(utempter_t)
|
||||
libraries_read_shared_libraries(utempter_t)
|
||||
|
||||
logging_search_system_log_directory(utempter_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
in_user_role(utempter_t)
|
||||
role sysadm_r types utempter_t;
|
||||
domain_auto_trans(userdomain, utempter_exec_t, utempter_t)
|
||||
|
||||
# dontaudit access to /dev/ptmx.
|
||||
dontaudit utempter_t ptmx_t:chr_file rw_file_perms;
|
||||
|
||||
# Allow utemper to write to /tmp/.xses-*
|
||||
allow utempter_t user_tmpfile:file { getattr write append };
|
||||
|
||||
ifdef(`xdm.te', `
|
||||
allow utempter_t xdm_t:fd use;
|
||||
allow utempter_t xdm_t:fifo_file { write getattr };
|
||||
')
|
||||
|
||||
') dnl endif TODO
|
||||
|
|
|
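Review bot: `allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };` grants every process permission except the listed ones, including any permission added to the `process` class by a later access-vector update, so the rule's real scope is not visible in the policy text. The rest of this block enumerates its permissions explicitly (`allow pam_t self:fd use;`, the socket, shm/sem/msgq rules), and this line should do the same by listing only the process permissions pam_t is observed to need. If the complement form is kept deliberately, a comment above it stating that (`# complement rule: review when the process class gains permissions`) would at least flag it for audits.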
@ -127,6 +127,20 @@ attribute privfd;
|
|||
class fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# domain_ignore_use_widely_inheritable_file_descriptors(domain,[`optional'])
|
||||
#
|
||||
define(`domain_ignore_use_widely_inheritable_file_descriptors',`
|
||||
requires_block_template(domain_ignore_use_widely_inheritable_file_descriptors_depend,$2)
|
||||
dontaudit $1 privfd:fd use;
|
||||
')
|
||||
|
||||
define(`domain_ignore_use_widely_inheritable_file_descriptors_depend',`
|
||||
attribute privfd;
|
||||
class fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# domain_all_init_domains_transition(domain,[`optional'])
|
||||
|
|
|
@ -362,15 +362,72 @@ class dir { getattr search read write add_name remove_name };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_read_general_shared_resources(domain,[`optional'])
|
||||
# files_list_home_directories(type,[`optional'])
|
||||
#
|
||||
define(`files_read_general_shared_resources',`
|
||||
requires_block_template(files_read_general_shared_resources_depend,$2)
|
||||
define(`files_list_home_directories',`
|
||||
requires_block_template(files_list_home_directories_depend,$2)
|
||||
allow $1 home_root_t:dir { getattr search read };
|
||||
')
|
||||
|
||||
define(`files_list_home_directories_depend',`
|
||||
type home_root_t;
|
||||
class dir { getattr search read };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_create_private_tmp_data(domain,private_type,[object class(es)],[`optional'])
|
||||
#
|
||||
define(`files_create_private_tmp_data',`
|
||||
requires_block_template(files_create_private_tmp_data_depend,$2)
|
||||
allow $1 tmp_t:dir { getattr search read write add_name remove_name };
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 tmp_t:file $2;
|
||||
',`
|
||||
type_transition $1 tmp_t:$3 $2;
|
||||
')
|
||||
typeattribute $1 tmpfile;
|
||||
')
|
||||
|
||||
define(`files_create_private_tmp_data_depend',`
|
||||
attribute tmpfile;
|
||||
type tmp_t;
|
||||
class dir { getattr search read write add_name };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_remove_all_tmp_data(domain,[`optional'])
|
||||
#
|
||||
define(`files_remove_all_tmp_data',`
|
||||
requires_block_template(files_remove_all_tmp_data_depend,$2)
|
||||
allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir };
|
||||
allow $1 tmpfile:file { getattr unlink };
|
||||
allow $1 tmpfile:lnk_file { getattr unlink };
|
||||
allow $1 tmpfile:fifo_file { getattr unlink };
|
||||
allow $1 tmpfile:sock_file { getattr unlink };
|
||||
')
|
||||
|
||||
define(`files_remove_all_tmp_data_depend',`
|
||||
attribute tmpfile;
|
||||
class dir { getattr search read write add_name remove_name rmdir };
|
||||
class file { getattr unlink };
|
||||
class lnk_file { getattr unlink };
|
||||
class fifo_file { getattr unlink };
|
||||
class sock_file { getattr unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_read_general_application_resources(domain,[`optional'])
|
||||
#
|
||||
define(`files_read_general_application_resources',`
|
||||
requires_block_template(files_read_general_application_resources_depend,$2)
|
||||
allow $1 usr_t:dir { getattr search read };
|
||||
allow $1 usr_t:{ file lnk_file } { getattr read };
|
||||
')
|
||||
|
||||
define(`files_read_general_shared_resources_depend',`
|
||||
define(`files_read_general_application_resources_depend',`
|
||||
type usr_t;
|
||||
class dir { getattr search read };
|
||||
class file { getattr read };
|
||||
|
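Review bot: `files_create_private_tmp_data` passes `$2` — its `private_type` argument — as the optional flag in `requires_block_template(files_create_private_tmp_data_depend,$2)`; per its own header the optional flag is the fourth argument, so this should be `requires_block_template(files_create_private_tmp_data_depend,$4)`. What `requires_block_template` does with a non-empty second argument is not visible here, but the pam.te call in this commit, `files_create_private_tmp_data(pam_t, pam_tmp_t, { file dir })`, would pass `pam_tmp_t` there. Separately, `files_create_private_tmp_data_depend` declares `class dir { getattr search read write add_name }` while the body's `allow $1 tmp_t:dir { ... remove_name }` also uses `remove_name`; the `type etc_t` to `type tmp_t` correction in the same block is right, and `remove_name` is the remaining mismatch.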
@ -379,27 +436,121 @@ class lnk_file { getattr read };
|
|||
|
||||
########################################
|
||||
#
|
||||
# files_manage_pseudorandom_saved_seed(domain,[`optional'])
|
||||
# files_read_system_source_code(domain)
|
||||
#
|
||||
define(`files_read_system_source_code',`
|
||||
requires_block_template(files_read_system_source_code_depend)
|
||||
allow $1 usr_t:dir search;
|
||||
allow $1 src_t:dir { getattr search read };
|
||||
allow $1 src_t:{ file lnk_file } { getattr read };
|
||||
')
|
||||
|
||||
define(`files_read_system_source_code_depend',`
|
||||
type usr_t, src_t;
|
||||
class dir { getattr search read };
|
||||
class file { getattr read };
|
||||
class lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_search_system_state_data_directory(domain)
|
||||
#
|
||||
define(`files_search_system_state_data_directory',`
|
||||
requires_block_template(files_search_system_state_data_directory_depend)
|
||||
allow $1 var_t:dir search;
|
||||
')
|
||||
|
||||
define(`files_search_system_state_data_directory_depend',`
|
||||
type var_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_manage_pseudorandom_saved_seed(domain)
|
||||
#
|
||||
define(`files_manage_pseudorandom_saved_seed',`
|
||||
requires_block_template(files_manage_pseudorandom_saved_seed_depend,$2)
|
||||
requires_block_template(files_manage_pseudorandom_saved_seed_depend)
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_lib_t:dir { getattr search read write add_name remove_name };
|
||||
allow $1 var_lib_t:file { getattr create read write setattr unlink };
|
||||
')
|
||||
|
||||
define(`files_manage_pseudorandom_saved_seed_depend',`
|
||||
type usr_t;
|
||||
type var_t, var_lib_t;
|
||||
class dir { getattr search read write add_name remove_name };
|
||||
class file { getattr create read write setattr unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_create_daemon_runtime_data(domain,pidfile,[object class(es)],[`optional'])
|
||||
# files_manage_system_lock_files(domain,[`optional'])
|
||||
#
|
||||
define(`files_manage_system_lock_files',`
|
||||
requires_block_template(files_manage_system_lock_files_depend,$2)
|
||||
allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
|
||||
allow $1 var_lock_t:file { getattr create read write setattr unlink };
|
||||
')
|
||||
|
||||
define(`files_manage_system_lock_files_depend',`
|
||||
type var_lock_t;
|
||||
class dir { getattr search create read write setattr add_name remove_name rmdir };
|
||||
class file { getattr create read write setattr unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_remove_all_lock_files(domain,[`optional'])
|
||||
#
|
||||
define(`files_remove_all_lock_files',`
|
||||
requires_block_template(files_remove_all_lock_files_depend,$2)
|
||||
allow $1 lockfile:dir { getattr search read write add_name remove_name };
|
||||
allow $1 lockfile:file { getattr unlink };
|
||||
')
|
||||
|
||||
define(`files_remove_all_lock_files_depend',`
|
||||
attribute lockfile;
|
||||
class dir { getattr search read write add_name remove_name };
|
||||
class file { getattr unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_search_runtime_data_directory(domain)
|
||||
#
|
||||
define(`files_search_runtime_data_directory',`
|
||||
requires_block_template(files_search_runtime_data_directory_depend)
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_run_t:dir search;
|
||||
')
|
||||
|
||||
define(`files_search_runtime_data_directory_depend',`
|
||||
type var_t, var_run_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_read_runtime_data_directory(domain)
|
||||
#
|
||||
define(`files_read_runtime_data_directory',`
|
||||
requires_block_template(files_read_runtime_data_directory_depend)
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_run_t:dir { getattr search read };
|
||||
')
|
||||
|
||||
define(`files_read_runtime_data_directory_depend',`
|
||||
type var_t, var_run_t;
|
||||
class dir { getattr search read };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_create_daemon_runtime_data(domain,pidfile,[object class(es)])
|
||||
#
|
||||
define(`files_create_daemon_runtime_data',`
|
||||
requires_block_template(files_create_daemon_runtime_data_depend,$4)
|
||||
requires_block_template(files_create_daemon_runtime_data_depend)
|
||||
allow $1 var_t:dir search;
|
||||
allow $1 var_run_t:dir { getattr search read write add_name remove_name };
|
||||
ifelse(`$3',`',`
|
||||
|
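Review bot: Within this hunk the interfaces being added or rewritten drop the `[`optional']` argument (`files_read_system_source_code`, `files_manage_pseudorandom_saved_seed` and `files_create_daemon_runtime_data` now call `requires_block_template(..._depend)` with no `$2`), but the relocated `files_manage_system_lock_files` and `files_remove_all_lock_files` still advertise `(domain,[`optional'])` and pass `$2`. Since the commit sets out to fix up interfaces, either drop the `$2` there as well or add a comment saying why these two keep it. `files_create_daemon_runtime_data`'s body runs past the end of the hunk.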
@ -455,128 +606,3 @@ class file { getattr unlink };
|
|||
class lnk_file { getattr unlink };
|
||||
class sock_file { getattr unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_create_private_tmp_data(domain,private_type,[object class(es)],[`optional'])
|
||||
#
|
||||
define(`files_create_private_tmp_data',`
|
||||
requires_block_template(files_create_private_tmp_data_depend,$2)
|
||||
allow $1 tmp_t:dir { getattr search read write add_name remove_name };
|
||||
ifelse(`$3',`',`
|
||||
type_transition $1 tmp_t:file $2;
|
||||
',`
|
||||
type_transition $1 tmp_t:$3 $2;
|
||||
')
|
||||
typeattribute $1 tmpfile;
|
||||
')
|
||||
|
||||
define(`files_create_private_tmp_data_depend',`
|
||||
attribute tmpfile;
|
||||
type etc_t;
|
||||
class dir { getattr search read write add_name };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_remove_all_tmp_data(domain,[`optional'])
|
||||
#
|
||||
define(`files_remove_all_tmp_data',`
|
||||
requires_block_template(files_remove_all_tmp_data_depend,$2)
|
||||
allow $1 tmpfile:dir { getattr search read write add_name remove_name rmdir };
|
||||
allow $1 tmpfile:file { getattr unlink };
|
||||
allow $1 tmpfile:lnk_file { getattr unlink };
|
||||
allow $1 tmpfile:fifo_file { getattr unlink };
|
||||
allow $1 tmpfile:sock_file { getattr unlink };
|
||||
')
|
||||
|
||||
define(`files_remove_all_tmp_data_depend',`
|
||||
attribute tmpfile;
|
||||
class dir { getattr search read write add_name remove_name rmdir };
|
||||
class file { getattr unlink };
|
||||
class lnk_file { getattr unlink };
|
||||
class fifo_file { getattr unlink };
|
||||
class sock_file { getattr unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_manage_system_lock_files(domain,[`optional'])
|
||||
#
|
||||
define(`files_manage_system_lock_files',`
|
||||
requires_block_template(files_manage_system_lock_files_depend,$2)
|
||||
allow $1 var_lock_t:dir { getattr search create read write setattr add_name remove_name rmdir };
|
||||
allow $1 var_lock_t:file { getattr create read write setattr unlink };
|
||||
')
|
||||
|
||||
define(`files_manage_system_lock_files_depend',`
|
||||
type var_lock_t;
|
||||
class dir { getattr search create read write setattr add_name remove_name rmdir };
|
||||
class file { getattr create read write setattr unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_remove_all_lock_files(domain,[`optional'])
|
||||
#
|
||||
define(`files_remove_all_lock_files',`
|
||||
requires_block_template(files_remove_all_lock_files_depend,$2)
|
||||
allow $1 lockfile:dir { getattr search read write add_name remove_name };
|
||||
allow $1 lockfile:file { getattr unlink };
|
||||
')
|
||||
|
||||
define(`files_remove_all_lock_files_depend',`
|
||||
attribute lockfile;
|
||||
class dir { getattr search read write add_name remove_name };
|
||||
class file { getattr unlink };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_read_general_system_resources(domain,[`optional'])
|
||||
#
|
||||
define(`files_read_general_system_resources',`
|
||||
requires_block_template(files_read_general_system_resources_depend,$2)
|
||||
allow $1 usr_t:dir { getattr search read };
|
||||
allow $1 usr_t:{ file lnk_file } { getattr read };
|
||||
')
|
||||
|
||||
define(`files_read_general_system_resources_depend',`
|
||||
type usr_t;
|
||||
class dir { getattr search read };
|
||||
class file { getattr read };
|
||||
class lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_read_system_source_code(type,[`optional'])
|
||||
#
|
||||
define(`files_read_system_source_code',`
|
||||
requires_block_template(files_read_system_source_code_depend,$2)
|
||||
allow $1 usr_t:dir search;
|
||||
allow $1 src_t:dir { getattr search read };
|
||||
allow $1 src_t:{ file lnk_file } { getattr read };
|
||||
')
|
||||
|
||||
define(`files_read_system_source_code_depend',`
|
||||
type usr_t, src_t;
|
||||
class dir { getattr search read };
|
||||
class file { getattr read };
|
||||
class lnk_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_list_home_directories(type,[`optional'])
|
||||
#
|
||||
define(`files_list_home_directories',`
|
||||
requires_block_template(files_list_home_directories_depend,$2)
|
||||
allow $1 home_root_t:dir { getattr search read };
|
||||
')
|
||||
|
||||
define(`files_list_home_directories_depend',`
|
||||
type home_root_t;
|
||||
class dir { getattr search read };
|
||||
|
||||
')
|
||||
|
|
|
@ -2,10 +2,10 @@
|
|||
|
||||
########################################
|
||||
#
|
||||
# init_transition(domain,[`optional'])
|
||||
# init_transition(domain)
|
||||
#
|
||||
define(`init_transition',`
|
||||
requires_block_template(init_transition_depend,$2)
|
||||
requires_block_template(init_transition_depend)
|
||||
allow $1 init_exec_t:file { getattr read execute };
|
||||
allow $1 init_t:process transition;
|
||||
type_transition $1 init_exec_t:file init_t;
|
||||
|
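Review bot: `type_transition $1 init_exec_t:file init_t;` in `init_transition` names the `file` class, but a default domain transition on execution is expressed on the `process` class; as written the rule would only apply to files `$1` creates under something labelled `init_exec_t`, and the transition that `allow $1 init_t:process transition;` permits never happens by default. The line should read `type_transition $1 init_exec_t:process init_t;`. The commit only drops the `$2` argument and leaves this line unchanged; the define continues past the end of the hunk.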
@ -20,10 +20,10 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
|
||||
########################################
|
||||
#
|
||||
# init_get_control_channel_attributes(domain,[`optional'])
|
||||
# init_get_control_channel_attributes(domain)
|
||||
#
|
||||
define(`init_get_control_channel_attributes',`
|
||||
requires_block_template(init_get_control_channel_attributes_depend,$2)
|
||||
requires_block_template(init_get_control_channel_attributes_depend)
|
||||
allow $1 initctl_t:fifo_file getattr;
|
||||
')
|
||||
|
||||
|
@ -63,10 +63,10 @@ class fifo_file { read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# init_sigchld(domain,[`optional'])
|
||||
# init_sigchld(domain)
|
||||
#
|
||||
define(`init_sigchld',`
|
||||
requires_block_template(init_sigchld_depend,$2)
|
||||
requires_block_template(init_sigchld_depend)
|
||||
allow $1 init_t:process sigchld;
|
||||
')
|
||||
|
||||
|
@ -77,10 +77,10 @@ class process sigchld;
|
|||
|
||||
########################################
|
||||
#
|
||||
# init_use_file_descriptors(domain,[`optional'])
|
||||
# init_use_file_descriptors(domain)
|
||||
#
|
||||
define(`init_use_file_descriptors',`
|
||||
requires_block_template(init_use_file_descriptors_depend,$2)
|
||||
requires_block_template(init_use_file_descriptors_depend)
|
||||
allow $1 init_t:fd use;
|
||||
')
|
||||
|
||||
|
@ -91,10 +91,10 @@ class fd use;
|
|||
|
||||
########################################
|
||||
#
|
||||
# init_ignore_use_file_descriptors(domain,[`optional'])
|
||||
# init_ignore_use_file_descriptors(domain)
|
||||
#
|
||||
define(`init_ignore_use_file_descriptors',`
|
||||
requires_block_template(init_ignore_use_file_descriptors_depend,$2)
|
||||
requires_block_template(init_ignore_use_file_descriptors_depend)
|
||||
dontaudit $1 init_t:fd use;
|
||||
')
|
||||
|
||||
|
@ -105,10 +105,10 @@ class fd use;
|
|||
|
||||
########################################
|
||||
#
|
||||
# init_script_transition(domain,[`optional'])
|
||||
# init_script_transition(domain)
|
||||
#
|
||||
define(`init_script_transition',`
|
||||
requires_block_template(init_script_transition_depend,$2)
|
||||
requires_block_template(init_script_transition_depend)
|
||||
allow $1 initrc_exec_t:file { getattr read execute };
|
||||
allow $1 initrc_t:process transition;
|
||||
type_transition $1 initrc_exec_t:process init_t;
|
||||
|
@ -123,10 +123,30 @@ class process { transition noatsecure siginh rlimitinh };
|
|||
|
||||
########################################
|
||||
#
|
||||
# init_script_use_file_descriptors(domain,[`optional'])
|
||||
# init_script_direct_admin_transition(role,domain)
|
||||
#
|
||||
define(`init_script_direct_admin_transition',`
|
||||
requires_block_template(init_script_direct_admin_transition_depend)
|
||||
allow $2 initrc_exec_t:file { getattr read execute };
|
||||
allow $2 initrc_t:process transition;
|
||||
type_transition $2 initrc_exec_t:file init_t;
|
||||
role_transition $1 initrc_exec_t system_r;
|
||||
dontaudit $2 init_t:process { noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
define(`init_script_direct_admin_transition_depend',`
|
||||
type initrc_t, initrc_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
kernel_system_role_transition_depend
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# init_script_use_file_descriptors(domain)
|
||||
#
|
||||
define(`init_script_use_file_descriptors',`
|
||||
requires_block_template(init_script_use_file_descriptors_depend,$2)
|
||||
requires_block_template(init_script_use_file_descriptors_depend)
|
||||
allow $1 initrc_t:fd use;
|
||||
')
|
||||
|
||||
|
@ -137,10 +157,10 @@ class fd use;
|
|||
|
||||
########################################
|
||||
#
|
||||
# init_script_use_pseudoterminal(domain,[`optional'])
|
||||
# init_script_use_pseudoterminal(domain)
|
||||
#
|
||||
define(`init_script_use_pseudoterminal',`
|
||||
requires_block_template(init_script_use_pseudoterminal_depend,$2)
|
||||
requires_block_template(init_script_use_pseudoterminal_depend)
|
||||
allow $1 initrc_devpts_t:chr_file { read write };
|
||||
')
|
||||
|
||||
|
@ -151,20 +171,44 @@ class chr_file { read write };
|
|||
|
||||
########################################
|
||||
#
|
||||
# init_script_direct_admin_transition(role,domain,[`optional'])
|
||||
# init_script_read_runtime_data(domain)
|
||||
#
|
||||
define(`init_script_direct_admin_transition',`
|
||||
requires_block_template(init_script_direct_admin_transition_depend,$2)
|
||||
allow $2 initrc_exec_t:file { getattr read execute };
|
||||
allow $2 initrc_t:process transition;
|
||||
type_transition $2 initrc_exec_t:file init_t;
|
||||
kernel_system_role_transition($1,initrc_exec_t,optional)
|
||||
dontaudit $2 init_t:process { noatsecure siginh rlimitinh };
|
||||
define(`init_script_read_runtime_data',`
|
||||
requires_block_template(init_script_read_runtime_data_depend)
|
||||
files_read_runtime_data_directory($1)
|
||||
allow $1 initrc_var_run_t:file { getattr read };
|
||||
')
|
||||
|
||||
define(`init_script_direct_admin_transition_depend',`
|
||||
type initrc_t, initrc_exec_t;
|
||||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
kernel_system_role_transition_depend
|
||||
define(`init_script_read_runtime_data_depend',`
|
||||
type initrc_var_run_t;
|
||||
class file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# init_script_modify_runtime_data(domain)
|
||||
#
|
||||
define(`init_script_modify_runtime_data',`
|
||||
requires_block_template(init_script_modify_runtime_data_depend)
|
||||
files_read_runtime_data_directory($1)
|
||||
allow $1 initrc_var_run_t:file { getattr read write append };
|
||||
')
|
||||
|
||||
define(`init_script_modify_runtime_data_depend',`
|
||||
type initrc_var_run_t;
|
||||
class file { getattr read write append };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# init_script_ignore_modify_runtime_data(domain)
|
||||
#
|
||||
define(`init_script_ignore_modify_runtime_data',`
|
||||
requires_block_template(init_script_ignore_modify_runtime_data_depend)
|
||||
dontaudit $1 initrc_var_run_t:file { getattr read write append };
|
||||
')
|
||||
|
||||
define(`init_script_ignore_modify_runtime_data_depend',`
|
||||
type initrc_var_run_t;
|
||||
class file { getattr read write append };
|
||||
')
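Review bot: In `init_script_direct_admin_transition` the requires block declares only `initrc_t` and `initrc_exec_t`, yet the body's `type_transition $2 initrc_exec_t:file init_t;` and `dontaudit $2 init_t:process { noatsecure siginh rlimitinh };` reference `init_t`, so the interface presumably cannot be satisfied in a module that does not already require `init_t`. Those two lines also disagree with `allow $2 initrc_t:process transition;` just above them: the permitted transition targets `initrc_t` while the default transition and the dontaudit name `init_t`, which looks like it should read `type_transition $2 initrc_exec_t:process initrc_t;` and `dontaudit $2 initrc_t:process { noatsecure siginh rlimitinh };`. The `:file` class on that rule expresses a file-creation default rather than a domain transition, which is a `process`-class default as `init_script_transition` in the preceding hunk already writes it — though that rule, `type_transition $1 initrc_exec_t:process init_t;`, likewise names `init_t` against an allow for `initrc_t`, and `init_transition` in the first hunk uses `:file` as well. The allow/default mismatch therefore appears in three hunks of this section and is worth fixing together rather than per interface.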
|
||||
|
|
|
@ -251,7 +251,7 @@ files_read_general_system_config(initrc_t)
|
|||
files_create_runtime_system_config(initrc_t)
|
||||
files_manage_system_lock_files(initrc_t)
|
||||
files_execute_system_config_script(initrc_t)
|
||||
files_read_general_shared_resources(initrc_t)
|
||||
files_read_general_application_resources(initrc_t)
|
||||
files_manage_pseudorandom_saved_seed(initrc_t)
|
||||
|
||||
corecommands_execute_general_programs(initrc_t)
|
||||
|
@ -289,6 +289,11 @@ files_create_boot_flag(initrc_t)
|
|||
bootloader_create_runtime_data(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`authlogin.te',`
|
||||
authlogin_pam_read_runtime_data(initrc_t)
|
||||
authlogin_pam_remove_runtime_data(initrc_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Mount and unmount file systems.
|
||||
allow initrc_t { file_t default_t }:dir { read search getattr mounton };
|
||||
|
|
|
@ -17,3 +17,17 @@ type local_login_t, login_exec_t;
|
|||
class file { getattr read execute };
|
||||
class process { transition noatsecure siginh rlimitinh };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# locallogin_use_file_descriptors(domain,[`optional'])
|
||||
#
|
||||
define(`locallogin_use_file_descriptors',`
|
||||
requires_block_template(locallogin_use_file_descriptors_depend,$2)
|
||||
allow $1 local_login_t:fd use;
|
||||
')
|
||||
|
||||
define(`locallogin_use_file_descriptors_depend',`
|
||||
type local_login_t;
|
||||
class fd use;
|
||||
')
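Review bot: The new `locallogin_use_file_descriptors` keeps the `[`optional']` parameter and passes `$2` to `requires_block_template`, while this same commit removes that second argument from every init and logging interface it touches. The added interface should follow the convention the commit is establishing: `# locallogin_use_file_descriptors(domain)` and `requires_block_template(locallogin_use_file_descriptors_depend)`. The `_depend` block that the hunk opens on is the tail of an interface whose start lies outside the hunk.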
|
||||
|
|
|
@ -2,25 +2,24 @@
|
|||
|
||||
#######################################
|
||||
#
|
||||
# logging_make_log_file(type,[`optional'])
|
||||
# logging_make_log_file(domain)
|
||||
#
|
||||
define(`logging_make_log_file',`
|
||||
requires_block_template(logging_make_log_file_depend,$2)
|
||||
files_make_file($1,optional)
|
||||
requires_block_template(logging_make_log_file_depend)
|
||||
files_make_file($1)
|
||||
typeattribute $1 logfile;
|
||||
')
|
||||
|
||||
define(`logging_make_log_file_depend',`
|
||||
attribute logfile;
|
||||
files_make_file_depend
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# logging_send_system_log_message(type,[`optional'])
|
||||
# logging_send_system_log_message(domain)
|
||||
#
|
||||
define(`logging_send_system_log_message',`
|
||||
requires_block_template(logging_send_system_log_message_depend,$2)
|
||||
requires_block_template(logging_send_system_log_message_depend)
|
||||
allow $1 devlog_t:lnk_file read;
|
||||
allow $1 devlog_t:sock_file { ioctl read getattr lock write append };
|
||||
# the type of socket depends on the syslog daemon
|
||||
|
@ -39,10 +38,26 @@ class unix_stream_socket { create read getattr write setattr append bind connect
|
|||
|
||||
#######################################
|
||||
#
|
||||
# logging_append_all_logs(type,[`optional'])
|
||||
# logging_search_system_log_directory(domain)
|
||||
#
|
||||
define(`logging_search_system_log_directory',`
|
||||
requires_block_template(logging_search_system_log_directory_depend)
|
||||
files_search_system_state_data_directory($1)
|
||||
allow $1 var_log_t:dir search;
|
||||
')
|
||||
|
||||
define(`logging_search_system_log_directory_depend',`
|
||||
type var_log_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# logging_append_all_logs(domain)
|
||||
#
|
||||
define(`logging_append_all_logs',`
|
||||
requires_block_template(logging_append_all_logs_depend,$2)
|
||||
requires_block_template(logging_append_all_logs_depend)
|
||||
files_search_system_state_data_directory($1)
|
||||
allow $1 var_log_t:dir { getattr search read };
|
||||
allow $1 logfile:file { getattr append };
|
||||
')
|
||||
|
@ -56,10 +71,11 @@ class file { getattr append };
|
|||
|
||||
#######################################
|
||||
#
|
||||
# logging_read_all_logs(type,[`optional'])
|
||||
# logging_read_all_logs(domain)
|
||||
#
|
||||
define(`logging_read_all_logs',`
|
||||
requires_block_template(logging_read_all_logs_depend,$2)
|
||||
requires_block_template(logging_read_all_logs_depend)
|
||||
files_search_system_state_data_directory($1)
|
||||
allow $1 var_log_t:dir { getattr search read };
|
||||
allow $1 logfile:file { getattr read };
|
||||
')
|
||||
|
@ -73,10 +89,11 @@ class file { getattr read };
|
|||
|
||||
#######################################
|
||||
#
|
||||
# logging_modify_system_logs(type,[`optional'])
|
||||
# logging_modify_system_logs(domain)
|
||||
#
|
||||
define(`logging_modify_system_logs',`
|
||||
requires_block_template(logging_modify_system_logs_depend,$2)
|
||||
requires_block_template(logging_modify_system_logs_depend)
|
||||
files_search_system_state_data_directory($1)
|
||||
allow $1 var_log_t:dir { getattr search read };
|
||||
allow $1 var_log_t:file { getattr read write append };
|
||||
')
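Review bot: The renamed header `# logging_make_log_file(domain)` mislabels the argument: the body applies `files_make_file($1)` and `typeattribute $1 logfile;`, so `$1` is a file type being marked as a log file, not a domain, and the replaced `(type,...)` wording was right on that point; the new line should read `# logging_make_log_file(type)`. The other renamed headers in this section (`logging_send_system_log_message`, `logging_append_all_logs`, `logging_read_all_logs`, `logging_modify_system_logs`) do take a domain, so `(domain)` is correct there. Separately, the new `logging_search_system_log_directory_depend` lists only `var_log_t` and `class dir search;` while the body also calls `files_search_system_state_data_directory($1)`; if that interface has its own `_depend` macro, in the way `files_make_file_depend` is pulled into `logging_make_log_file_depend`, it should be included here too — the files interface is not visible in this diff to confirm.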
|
||||
|
|
|
@ -72,7 +72,7 @@ filesystem_get_persistent_filesystem_attributes(insmod_t)
|
|||
|
||||
files_read_runtime_system_config(insmod_t)
|
||||
files_read_general_system_config(insmod_t)
|
||||
files_read_general_shared_resources(insmod_t)
|
||||
files_read_general_application_resources(insmod_t)
|
||||
files_execute_system_config_script(insmod_t)
|
||||
|
||||
domain_signal_all_domains(insmod_t)
|
||||
|
|