patch from dan Wed, 26 Jul 2006 14:42:46 -0400
This commit is contained in:
parent
81aa67fcc0
commit
46551033aa
|
@ -4,6 +4,7 @@
|
|||
# file should be used.
|
||||
#
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
## <desc>
|
||||
## <p>
|
||||
## Enabling secure mode disallows programs, such as
|
||||
|
@ -12,6 +13,7 @@
|
|||
## </p>
|
||||
## </desc>
|
||||
gen_bool(secure_mode,false)
|
||||
')
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
|
|
|
@ -17,6 +17,14 @@
|
|||
#
|
||||
gen_tunable(allow_cvs_read_shadow,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow zebra daemon to write it configuration files
|
||||
## </p>
|
||||
## </desc>
|
||||
#
|
||||
gen_tunable(allow_zebra_write_config,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow making the heap executable.
|
||||
|
@ -87,6 +95,13 @@ gen_tunable(allow_gssd_read_tmp,true)
|
|||
## </desc>
|
||||
gen_tunable(allow_httpd_anon_write,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow Apache to use mod_auth_pam
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_httpd_mod_auth_pam,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow java executable stack
|
||||
|
@ -132,12 +147,6 @@ gen_tunable(allow_saslauthd_read_shadow,false)
|
|||
## </desc>
|
||||
gen_tunable(allow_smbd_anon_write,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow sysadm to ptrace all processes
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_ptrace,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
|
@ -288,13 +297,6 @@ gen_tunable(pppd_can_insmod,false)
|
|||
## </desc>
|
||||
gen_tunable(read_default_t,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow ssh to run from inetd instead of as a daemon.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(run_ssh_inetd,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow samba to export user home directories.
|
||||
|
@ -309,13 +311,6 @@ gen_tunable(samba_enable_home_dirs,false)
|
|||
## </desc>
|
||||
gen_tunable(samba_share_nfs,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow spamassassin to do DNS lookups
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(spamassasin_can_network,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow squid to connect to all ports, not just
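Review bot: The tunable removed from the general section here is spelled `spamassasin_can_network`, while the one kept in the strict_policy block below is `spamassassin_can_network`; if any module in the targeted build still has a `tunable_policy` keyed on the old spelling, it now refers to a boolean that is declared nowhere, so that spelling is worth a grep before merging. The same check applies to `allow_ptrace`, `run_ssh_inetd`, `ssh_sysadm_login` and `user_ping`, which this commit moves inside the ifdef on strict_policy: inetd.te is adjusted below for `run_ssh_inetd`, but the netutils.te hunk still references `user_ping` unconditionally and the ssh and ptrace consumers are not in this diff. Separately, the description of the new `allow_zebra_write_config` tunable reads `## Allow zebra daemon to write it configuration files` and should read `its`.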
|
||||
|
@ -324,13 +319,6 @@ gen_tunable(spamassasin_can_network,false)
|
|||
## </desc>
|
||||
gen_tunable(squid_connect_any,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow ssh logins as sysadm_r:sysadm_t
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(ssh_sysadm_login,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Configure stunnel to be a standalone daemon or
|
||||
|
@ -353,6 +341,12 @@ gen_tunable(use_nfs_home_dirs,false)
|
|||
## </desc>
|
||||
gen_tunable(use_samba_home_dirs,false)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Strict policy specific
|
||||
#
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
## <desc>
|
||||
## <p>
|
||||
## Control users use of ping and traceroute
|
||||
|
@ -360,12 +354,6 @@ gen_tunable(use_samba_home_dirs,false)
|
|||
## </desc>
|
||||
gen_tunable(user_ping,false)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Strict policy specific
|
||||
#
|
||||
|
||||
ifdef(`strict_policy',`
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow gpg executable stack
|
||||
|
@ -380,6 +368,13 @@ gen_tunable(allow_gpg_execstack,false)
|
|||
## </desc>
|
||||
gen_tunable(allow_mplayer_execstack,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow sysadm to ptrace all processes
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(allow_ptrace,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## allow host key based authentication
|
||||
|
@ -480,6 +475,13 @@ gen_tunable(pppd_for_user,false)
|
|||
## </desc>
|
||||
gen_tunable(read_untrusted_content,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow ssh to run from inetd instead of as a daemon.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(run_ssh_inetd,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow user spamassassin clients to use the network.
|
||||
|
@ -487,6 +489,13 @@ gen_tunable(read_untrusted_content,false)
|
|||
## </desc>
|
||||
gen_tunable(spamassassin_can_network,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow ssh logins as sysadm_r:sysadm_t
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(ssh_sysadm_login,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow staff_r users to search the sysadm home
|
||||
|
|
|
@ -160,7 +160,7 @@ mlsconstrain process { transition dyntransition }
|
|||
(( h1 dom h2 ) or ( t1 == mcssetcats ));
|
||||
|
||||
mlsconstrain process { ptrace }
|
||||
( h1 dom h2 );
|
||||
(( h1 dom h2) or ( t1 == mcsptraceall ));
|
||||
|
||||
mlsconstrain process { sigkill sigstop }
|
||||
(( h1 dom h2 ) or ( t1 == mcskillall ));
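Review bot: The new ptrace constraint `(( h1 dom h2) or ( t1 == mcsptraceall ));` drops the space before the closing parenthesis that every neighbouring constraint has; `(( h1 dom h2 ) or ( t1 == mcsptraceall ));` keeps the file uniform. Nothing in this diff assigns the `mcsptraceall` attribute to a domain (the attribute and the `mcs_ptrace_all` interface are added further down), so the exemption is presumably wired up in a later change; a one-line comment above the constraint naming the interface that grants it would help the next reader, since a domain with this attribute can ptrace processes in any category set.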
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(bootloader,1.2.4)
|
||||
policy_module(bootloader,1.2.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -48,7 +48,7 @@ logging_log_file(var_log_ksyms_t)
|
|||
# bootloader local policy
|
||||
#
|
||||
|
||||
allow bootloader_t self:capability { dac_read_search fsetid sys_rawio sys_admin mknod chown };
|
||||
allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
|
||||
allow bootloader_t self:process { sigkill sigstop signull signal execmem };
|
||||
allow bootloader_t self:fifo_file rw_file_perms;
|
||||
|
||||
|
@ -67,6 +67,7 @@ files_tmp_filetrans(bootloader_t,bootloader_tmp_t,{ dir file lnk_file chr_file b
|
|||
files_root_filetrans(bootloader_t,bootloader_tmp_t,file)
|
||||
|
||||
kernel_getattr_core_if(bootloader_t)
|
||||
kernel_read_network_state(bootloader_t)
|
||||
kernel_read_system_state(bootloader_t)
|
||||
kernel_read_software_raid_state(bootloader_t)
|
||||
kernel_read_kernel_sysctls(bootloader_t)
|
||||
|
@ -86,7 +87,10 @@ dev_read_sysfs(bootloader_t)
|
|||
dev_read_raw_memory(bootloader_t)
|
||||
|
||||
fs_getattr_xattr_fs(bootloader_t)
|
||||
fs_getattr_tmpfs(bootloader_t)
|
||||
fs_read_tmpfs_symlinks(bootloader_t)
|
||||
#Needed for ia64
|
||||
fs_manage_dos_files(bootloader_t)
|
||||
|
||||
mls_file_read_up(bootloader_t)
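Review bot: `fs_manage_dos_files(bootloader_t)` is justified only by `#Needed for ia64`, which neither follows the file's `# comment` spacing nor says what on ia64 needs write access to a whole DOS filesystem; presumably the EFI system partition, in which case `# ia64: the EFI system partition is a DOS filesystem the bootloader installs into` would record it. The two other additions in this file, `dac_override` in the self:capability set and `kernel_read_network_state(bootloader_t)`, have no comment at all, and neither is an obvious need for a bootloader installer; `dac_override` in particular lets the domain bypass file permission checks entirely, so the denial that motivated it should be noted next to the rule.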
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(firstboot,1.1.2)
|
||||
policy_module(firstboot,1.1.3)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
|
@ -105,6 +105,10 @@ ifdef(`targeted_policy',`
|
|||
unconfined_domtrans(firstboot_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
hal_dbus_send(firstboot_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(firstboot_t)
|
||||
')
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(netutils,1.1.4)
|
||||
policy_module(netutils,1.1.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -211,11 +211,11 @@ sysnet_read_config(traceroute_t)
|
|||
ifdef(`targeted_policy',`
|
||||
term_use_unallocated_ttys(traceroute_t)
|
||||
term_use_generic_ptys(traceroute_t)
|
||||
')
|
||||
|
||||
tunable_policy(`user_ping',`
|
||||
term_use_all_user_ttys(traceroute_t)
|
||||
term_use_all_user_ptys(traceroute_t)
|
||||
',`
|
||||
tunable_policy(`user_ping',`
|
||||
term_use_all_user_ttys(traceroute_t)
|
||||
term_use_all_user_ptys(traceroute_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
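Review bot: The `tunable_policy` block on `user_ping` for traceroute_t is now evaluated unconditionally, but earlier in this commit the `user_ping` declaration is moved into the strict_policy block of the tunables file; in a targeted build I would expect the expansion to reference an undeclared boolean. Before this change the block sat in the else branch of the targeted_policy ifdef, so either that structure should stay, or the new block should be wrapped in an ifdef on strict_policy the way inetd.te does for `run_ssh_inetd` in this same commit.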
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(prelink,1.1.4)
|
||||
policy_module(prelink,1.1.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -48,6 +48,7 @@ corecmd_manage_all_executables(prelink_t)
|
|||
corecmd_relabel_all_executables(prelink_t)
|
||||
corecmd_mmap_all_executables(prelink_t)
|
||||
corecmd_read_sbin_symlinks(prelink_t)
|
||||
corecmd_read_bin_symlinks(prelink_t)
|
||||
|
||||
dev_read_urand(prelink_t)
|
||||
|
||||
|
|
|
@ -211,7 +211,7 @@ interface(`rpm_read_db',`
|
|||
|
||||
files_search_var_lib($1)
|
||||
allow $1 rpm_var_lib_t:dir r_dir_perms;
|
||||
allow $1 rpm_var_lib_t:file { getattr read };
|
||||
allow $1 rpm_var_lib_t:file r_file_perms;
|
||||
allow $1 rpm_var_lib_t:lnk_file r_file_perms;
|
||||
')
|
||||
|
||||
|
@ -232,8 +232,8 @@ interface(`rpm_manage_db',`
|
|||
|
||||
files_search_var_lib($1)
|
||||
allow $1 rpm_var_lib_t:dir rw_dir_perms;
|
||||
allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
|
||||
allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
|
||||
allow $1 rpm_var_lib_t:file manage_file_perms;
|
||||
allow $1 rpm_var_lib_t:lnk_file create_lnk_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(rpm,1.3.9)
|
||||
policy_module(rpm,1.3.10)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(usermanage,1.3.7)
|
||||
policy_module(usermanage,1.3.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -260,6 +260,7 @@ optional_policy(`
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_exec(groupadd_t)
|
||||
nscd_socket_use(groupadd_t)
|
||||
')
|
||||
|
||||
|
@ -534,6 +535,7 @@ optional_policy(`
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_exec(useradd_t)
|
||||
nscd_socket_use(useradd_t)
|
||||
')
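Review bot: `nscd_exec(useradd_t)` and the matching `nscd_exec(groupadd_t)` in the hunk above run the nscd binary inside the useradd/groupadd domain rather than transitioning, and nothing says why; presumably the tools invoke nscd to invalidate its passwd/group cache after a change, which `nscd_socket_use` alone does not cover, but that should be stated, e.g. `# useradd invalidates the nscd cache by executing nscd`. If a domain-transition interface for nscd exists it would be the tighter choice, since execution without transition runs the binary with the full useradd_t privilege set.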
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(corenetwork,1.1.12)
|
||||
policy_module(corenetwork,1.1.13)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -62,7 +62,7 @@ network_port(amavisd_recv, tcp,10024,s0)
|
|||
network_port(amavisd_send, tcp,10025,s0)
|
||||
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
|
||||
network_port(auth, tcp,113,s0)
|
||||
network_port(bgp, tcp,179,s0, udp,179,s0)
|
||||
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
|
||||
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
|
||||
network_port(clamd, tcp,3310,s0)
|
||||
network_port(clockspeed, udp,4041,s0)
|
||||
|
@ -145,7 +145,7 @@ network_port(uucpd, tcp,540,s0)
|
|||
network_port(vnc, tcp,5900,s0)
|
||||
network_port(xen, tcp,8002,s0)
|
||||
network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
|
||||
network_port(zebra, tcp,2601,s0)
|
||||
network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
|
||||
network_port(zope, tcp,8021,s0)
|
||||
|
||||
# Defaults for reserved ports. Earlier portcon entries take precedence;
|
||||
|
|
|
@ -19,7 +19,9 @@
|
|||
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
|
||||
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
|
||||
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
|
||||
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
/dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||
/dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0)
|
||||
/dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0)
|
||||
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
/dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||
|
@ -54,6 +56,7 @@
|
|||
/dev/sndstat -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
|
||||
/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
|
||||
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
ifdef(`distro_suse', `
|
||||
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(devices,1.1.14)
|
||||
policy_module(devices,1.1.15)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
@ -11,6 +11,7 @@
|
|||
ifdef(`distro_redhat',`
|
||||
/\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/\.suspended -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/fastboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/forcefsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(files,1.2.12)
|
||||
policy_module(files,1.2.13)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
@ -1017,6 +1017,26 @@ interface(`fs_relabelfrom_dos_fs',`
|
|||
allow $1 dosfs_t:filesystem relabelfrom;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete files
|
||||
## on a DOS filesystem.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_manage_dos_files',`
|
||||
gen_require(`
|
||||
type dosfs_t;
|
||||
')
|
||||
|
||||
allow $1 dosfs_t:dir rw_dir_perms;
|
||||
allow $1 dosfs_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read eventpollfs files.
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(filesystem,1.3.12)
|
||||
policy_module(filesystem,1.3.13)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
########################################
|
||||
## <summary>
|
||||
## This domain is allowed to sigkill and sigstop
|
||||
## all domains regardless of their MCS level.
|
||||
## all domains regardless of their MCS category set.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
|
@ -22,6 +22,26 @@ interface(`mcs_killall',`
|
|||
typeattribute $1 mcskillall;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## This domain is allowed to ptrace
|
||||
## all domains regardless of their MCS
|
||||
## category set.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain target for user exemption.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`mcs_ptrace_all',`
|
||||
gen_require(`
|
||||
attribute mcsptraceall;
|
||||
')
|
||||
|
||||
typeattribute $1 mcsptraceall;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make specified domain MCS trusted
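Review bot: The `<param>` summary of the new `mcs_ptrace_all` interface, `## Domain target for user exemption.`, reads like a copy of the killall boilerplate and does not describe the parameter; `## Domain to be exempted from the MCS ptrace constraint.` says what `$1` is. The interface summary could also state the consequence plainly, since a domain given `mcsptraceall` may ptrace processes in any category set, which is the kind of privilege a policy reviewer needs to see at a glance.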
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(mcs,1.0.2)
|
||||
policy_module(mcs,1.0.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -7,6 +7,7 @@ policy_module(mcs,1.0.2)
|
|||
#
|
||||
|
||||
attribute mcskillall;
|
||||
attribute mcsptraceall;
|
||||
attribute mcssetcats;
|
||||
|
||||
########################################
|
||||
|
|
|
@ -150,7 +150,11 @@ interface(`selinux_set_enforce_mode',`
|
|||
|
||||
if(!secure_mode_policyload) {
|
||||
allow $1 security_t:security setenforce;
|
||||
auditallow $1 security_t:security setenforce;
|
||||
|
||||
ifdef(`distro_rhel4',`
|
||||
# needed for systems without audit support
|
||||
auditallow $1 security_t:security setenforce;
|
||||
')
|
||||
}
|
||||
')
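Review bot: After this hunk the `auditallow` on `setenforce` only exists on `distro_rhel4`, and the hunk below does the same for `load_policy` (selinux.te follows suit for selinux_unconfined_type), so on every other distribution these security-critical operations are no longer recorded by policy; the comment `# needed for systems without audit support` implies the kernel audit subsystem records them itself, but does not say so. Spell the rationale out where it is relied on, e.g. `# the audit subsystem logs enforce-mode changes and policy loads itself; only systems without audit support (rhel4) need the auditallow`, so a later reader does not mistake the rhel4 block for an accidental narrowing.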
|
||||
|
||||
|
@ -177,7 +181,11 @@ interface(`selinux_load_policy',`
|
|||
|
||||
if(!secure_mode_policyload) {
|
||||
allow $1 security_t:security load_policy;
|
||||
auditallow $1 security_t:security load_policy;
|
||||
|
||||
ifdef(`distro_rhel4',`
|
||||
# needed for systems without audit support
|
||||
auditallow $1 security_t:security load_policy;
|
||||
')
|
||||
}
|
||||
')
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(selinux,1.1.1)
|
||||
policy_module(selinux,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -40,10 +40,9 @@ allow selinux_unconfined_type security_t:security ~{ load_policy setenforce setb
|
|||
|
||||
if(!secure_mode_policyload) {
|
||||
allow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
|
||||
auditallow selinux_unconfined_type security_t:security { load_policy setenforce };
|
||||
|
||||
ifdef(`distro_rhel4',`
|
||||
# needed for systems without audit support
|
||||
auditallow selinux_unconfined_type security_t:security setbool;
|
||||
auditallow selinux_unconfined_type security_t:security { load_policy setenforce setbool };
|
||||
')
|
||||
}
|
||||
|
|
|
@ -21,8 +21,9 @@
|
|||
/dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
|
||||
/dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(storage,1.0.1)
|
||||
policy_module(storage,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(automount,1.2.7)
|
||||
policy_module(automount,1.2.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -36,10 +36,12 @@ allow automount_t self:unix_stream_socket create_socket_perms;
|
|||
allow automount_t self:unix_dgram_socket create_socket_perms;
|
||||
allow automount_t self:tcp_socket create_stream_socket_perms;
|
||||
allow automount_t self:udp_socket create_socket_perms;
|
||||
allow automount_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow automount_t automount_etc_t:file { getattr read };
|
||||
# because config files can be shell scripts
|
||||
can_exec(automount_t, automount_etc_t)
|
||||
can_exec(automount_t, automount_exec_t)
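Review bot: `can_exec(automount_t, automount_etc_t)` with the comment `# because config files can be shell scripts` makes every file labelled `automount_etc_t` executable in the daemon's domain, so whoever can write automount configuration controls what runs as automount_t; that is inherent to autofs program maps, but the comment should say so, e.g. `# autofs program maps are executables, so writers of automount_etc_t effectively control automount_t`. If program maps can be given a dedicated type, executing only that type would be tighter than all of automount_etc_t.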
|
||||
|
||||
allow automount_t automount_lock_t:file create_file_perms;
|
||||
files_lock_filetrans(automount_t,automount_lock_t,file)
|
||||
|
@ -168,6 +170,12 @@ optional_policy(`
|
|||
fstools_domtrans(automount_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
kerberos_read_keytab(automount_t)
|
||||
kerberos_read_config(automount_t)
|
||||
kerberos_dontaudit_write_config(automount_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(automount_t)
|
||||
')
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(avahi,1.2.3)
|
||||
policy_module(avahi,1.2.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -78,6 +78,7 @@ logging_send_syslog_msg(avahi_t)
|
|||
miscfiles_read_localization(avahi_t)
|
||||
|
||||
sysnet_read_config(avahi_t)
|
||||
sysnet_use_ldap(avahi_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(avahi_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
|
||||
|
|
|
@ -28,7 +28,8 @@ ifdef(`distro_gentoo',`
|
|||
')
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||
/etc/named\.rfc1912.zones -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||
/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||
/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
|
||||
/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
|
||||
/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
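Review bot: The context line `/etc/named\.rfc1912.zones` escapes the first dot but not the second, so the pattern also matches any character in that position; while this block is being touched it should become `/etc/named\.rfc1912\.zones -- gen_context(system_u:object_r:named_conf_t,s0)`. The new `/etc/named\.caching-nameserver\.conf` entry is escaped correctly.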
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(bind,1.1.6)
|
||||
policy_module(bind,1.1.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
@ -1,5 +1,26 @@
|
|||
## <summary>Bluetooth tools and system services.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute bluetooth in the bluetooth domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## The type of the process performing this action.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`bluetooth_domtrans',`
|
||||
gen_require(`
|
||||
type bluetooth_t, bluetooth_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,bluetooth_exec_t,bluetooth_t)
|
||||
allow bluetooth_t $1:fd use;
|
||||
allow bluetooth_t $1:fifo_file rw_file_perms;
|
||||
allow bluetooth_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read bluetooth daemon configuration.
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(bluetooth,1.2.8)
|
||||
policy_module(bluetooth,1.2.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -173,6 +173,7 @@ allow bluetooth_helper_t self:fifo_file rw_file_perms;
|
|||
allow bluetooth_helper_t self:shm create_shm_perms;
|
||||
allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow bluetooth_helper_t self:tcp_socket create_socket_perms;
|
||||
allow bluetooth_helper_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow bluetooth_helper_t bluetooth_t:socket { read write };
|
||||
|
||||
|
@ -222,6 +223,8 @@ ifdef(`targeted_policy',`
|
|||
userdom_manage_generic_user_home_content_files(bluetooth_helper_t)
|
||||
|
||||
optional_policy(`
|
||||
corenet_tcp_connect_xserver_port(bluetooth_helper_t)
|
||||
|
||||
xserver_stream_connect_xdm(bluetooth_helper_t)
|
||||
xserver_use_xdm_fds(bluetooth_helper_t)
|
||||
xserver_rw_xdm_pipes(bluetooth_helper_t)
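Review bot: `corenet_tcp_connect_xserver_port(bluetooth_helper_t)` allows outbound TCP to the X server port range, while the rules right after it (`xserver_stream_connect_xdm`, fd use, pipe rw) already give the helper the local display over unix sockets; unless a specific helper is known to need TCP to X, the unix-socket path is enough and the TCP rule widens network access from the helper domain for no stated reason. If it is needed, a comment naming the helper and why would let a later reviewer keep it deliberately. The bluetooth_helper_t block continues outside the hunk.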
|
||||
|
|
|
@ -7,9 +7,10 @@
|
|||
|
||||
/usr/sbin/clamd -- gen_context(system_u:object_r:clamd_exec_t,s0)
|
||||
|
||||
/var/run/amavis(d)?/clamd\.pid -- gen_context(system_u:object_r:clamd_var_run_t,s0)
|
||||
/var/run/clamav(/.*)? gen_context(system_u:object_r:clamd_var_run_t,s0)
|
||||
/var/run/clamav/clamd\.ctl -s gen_context(system_u:object_r:clamd_sock_t,s0)
|
||||
/var/lib/clamav(/.*)? gen_context(system_u:object_r:clamd_var_lib_t,s0)
|
||||
/var/log/clamav -d gen_context(system_u:object_r:clamd_var_log_t,s0)
|
||||
/var/log/clamav/clamav.* -- gen_context(system_u:object_r:clamd_var_log_t,s0)
|
||||
/var/log/clamav/freshclam.* -- gen_context(system_u:object_r:freshclam_var_log_t,s0)
|
||||
/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
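Review bot: `/var/run/clamav/clamd\.ctl -s gen_context(system_u:object_r:clamd_sock_t,s0)` still labels the socket with `clamd_sock_t`, which clamav.te in this commit reduces to a `typealias` of `clamd_var_run_t`; the alias keeps it compiling, but the entry should use `clamd_var_run_t` directly so the alias can be dropped later and so the file agrees with the `/var/spool/amavisd/clamd\.sock` entry below it. Also, `/var/log/clamav/clamav.*` has an unescaped dot, though that predates this change.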
|
||||
|
|
|
@ -35,11 +35,11 @@ interface(`clamav_domtrans',`
|
|||
#
|
||||
interface(`clamav_stream_connect',`
|
||||
gen_require(`
|
||||
type clamd_t, clamd_sock_t, clamd_var_run_t;
|
||||
type clamd_t, clamd_var_run_t;
|
||||
')
|
||||
|
||||
allow $1 clamd_var_run_t:dir search;
|
||||
allow $1 clamd_sock_t:sock_file write;
|
||||
allow $1 clamd_var_run_t:sock_file write;
|
||||
allow $1 clamd_t:unix_stream_socket connectto;
|
||||
')
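Review bot: `clamav_stream_connect` still searches `clamd_var_run_t:dir` without first granting `files_search_pids($1)`, so a caller that cannot already traverse /var/run will not reach the socket; the `ldap_stream_connect` interface added later in this same commit calls `files_search_pids($1)` before its sock_file write, and this interface should do the same, with `files_search_pids($1)` placed ahead of `allow $1 clamd_var_run_t:dir search;`. The rewrite to `clamd_var_run_t:sock_file write` itself looks right given the typealias in clamav.te.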
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(clamav,1.0.4)
|
||||
policy_module(clamav,1.0.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -15,10 +15,6 @@ init_daemon_domain(clamd_t, clamd_exec_t)
|
|||
type clamd_etc_t;
|
||||
files_type(clamd_etc_t)
|
||||
|
||||
# named socket type
|
||||
type clamd_sock_t;
|
||||
files_type(clamd_sock_t)
|
||||
|
||||
# tmp files
|
||||
type clamd_tmp_t;
|
||||
files_tmp_file(clamd_tmp_t)
|
||||
|
@ -34,6 +30,7 @@ files_type(clamd_var_lib_t)
|
|||
# pid files
|
||||
type clamd_var_run_t;
|
||||
files_pid_file(clamd_var_run_t)
|
||||
typealias clamd_var_run_t alias clamd_sock_t;
|
||||
|
||||
type clamscan_t;
|
||||
type clamscan_exec_t;
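Review bot: `typealias clamd_var_run_t alias clamd_sock_t;` carries no comment, so nothing tells a reader that `clamd_sock_t` is now only a compatibility name (the separate type, its file rules and its `files_pid_filetrans` are removed in the hunks below); `# clamd_sock_t is kept only as an alias for older file contexts and modules` would make that explicit, and clamav.fc in this commit still uses the alias name. With the socket now living under clamd_var_run_t, check that clamd_t has sock_file create and pid filetrans rules on `clamd_var_run_t` equivalent to the removed `clamd_sock_t` ones; those lines are outside this diff.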
|
||||
|
@ -67,12 +64,6 @@ allow clamd_t clamd_etc_t:dir r_dir_perms;
|
|||
allow clamd_t clamd_etc_t:file r_file_perms;
|
||||
allow clamd_t clamd_etc_t:lnk_file { getattr read };
|
||||
|
||||
# socket file
|
||||
allow clamd_t clamd_sock_t:file manage_file_perms;
|
||||
allow clamd_t clamd_sock_t:sock_file manage_file_perms;
|
||||
allow clamd_t clamd_sock_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(clamd_t,clamd_sock_t,sock_file)
|
||||
|
||||
# tmp files
|
||||
allow clamd_t clamd_tmp_t:file create_file_perms;
|
||||
allow clamd_t clamd_tmp_t:dir create_dir_perms;
|
||||
|
@ -80,14 +71,10 @@ files_tmp_filetrans(clamd_t,clamd_tmp_t,{ file dir })
|
|||
|
||||
# var/lib files for clamd
|
||||
allow clamd_t clamd_var_lib_t:file create_file_perms;
|
||||
allow clamd_t clamd_var_lib_t:sock_file create_file_perms;
|
||||
allow clamd_t clamd_var_lib_t:dir create_dir_perms;
|
||||
files_var_filetrans(clamd_t,clamd_var_lib_t,{ file dir sock_file })
|
||||
files_var_lib_filetrans(clamd_t,clamd_var_lib_t,file)
|
||||
|
||||
# log files
|
||||
allow clamd_t clamd_var_log_t:file create_file_perms;
|
||||
allow clamd_t clamd_var_log_t:sock_file create_file_perms;
|
||||
allow clamd_t clamd_var_log_t:dir { rw_dir_perms setattr };
|
||||
logging_log_filetrans(clamd_t,clamd_var_log_t,file)
|
||||
|
||||
|
@ -161,10 +148,7 @@ allow freshclam_t clamd_etc_t:lnk_file { getattr read };
|
|||
|
||||
# var/lib files together with clamd
|
||||
allow freshclam_t clamd_var_lib_t:file create_file_perms;
|
||||
allow freshclam_t clamd_var_lib_t:sock_file create_file_perms;
|
||||
allow freshclam_t clamd_var_lib_t:dir create_dir_perms;
|
||||
files_var_filetrans(freshclam_t,clamd_var_lib_t,{ file dir sock_file })
|
||||
files_var_lib_filetrans(freshclam_t,clamd_var_lib_t,file)
|
||||
|
||||
# pidfiles- var/run together with clamd
|
||||
allow freshclam_t clamd_var_run_t:file manage_file_perms;
|
||||
|
@ -174,7 +158,6 @@ files_pid_filetrans(freshclam_t,clamd_var_run_t,file)
|
|||
|
||||
# log files (own logfiles only)
|
||||
allow freshclam_t freshclam_var_log_t:file create_file_perms;
|
||||
allow freshclam_t freshclam_var_log_t:sock_file create_file_perms;
|
||||
allow freshclam_t freshclam_var_log_t:dir { rw_dir_perms setattr };
|
||||
allow freshclam_t clamd_var_log_t:dir search;
|
||||
logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)
|
||||
|
@ -234,7 +217,6 @@ files_tmp_filetrans(clamscan_t,clamscan_tmp_t,{ file dir })
|
|||
|
||||
# var/lib files together with clamd
|
||||
allow clamscan_t clamd_var_lib_t:file r_file_perms;
|
||||
allow clamscan_t clamd_var_lib_t:sock_file rw_file_perms;
|
||||
allow clamscan_t clamd_var_lib_t:dir r_dir_perms;
|
||||
|
||||
kernel_read_kernel_sysctls(clamscan_t)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(cyrus,1.1.3)
|
||||
policy_module(cyrus,1.1.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -41,6 +41,7 @@ allow cyrus_t self:unix_dgram_socket sendto;
|
|||
allow cyrus_t self:unix_stream_socket connectto;
|
||||
allow cyrus_t self:tcp_socket create_stream_socket_perms;
|
||||
allow cyrus_t self:udp_socket create_socket_perms;
|
||||
allow cyrus_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow cyrus_t cyrus_tmp_t:dir create_dir_perms;
|
||||
allow cyrus_t cyrus_tmp_t:file create_file_perms;
|
||||
|
@ -122,6 +123,10 @@ optional_policy(`
|
|||
cron_system_entry(cyrus_t,cyrus_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ldap_stream_connect(cyrus_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(cyrus_t)
|
||||
')
|
||||
|
|
|
@ -28,6 +28,8 @@ ifdef(`distro_redhat', `
|
|||
#
|
||||
/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
|
||||
|
||||
/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
|
||||
|
||||
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
|
||||
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(dovecot,1.2.4)
|
||||
policy_module(dovecot,1.2.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -9,6 +9,12 @@ type dovecot_t;
|
|||
type dovecot_exec_t;
|
||||
init_daemon_domain(dovecot_t,dovecot_exec_t)
|
||||
|
||||
type dovecot_auth_t;
|
||||
type dovecot_auth_exec_t;
|
||||
domain_type(dovecot_auth_t)
|
||||
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
|
||||
role system_r types dovecot_auth_t;
|
||||
|
||||
type dovecot_cert_t;
|
||||
files_type(dovecot_cert_t)
|
||||
|
||||
|
@ -21,15 +27,13 @@ files_type(dovecot_passwd_t)
|
|||
type dovecot_spool_t;
|
||||
files_type(dovecot_spool_t)
|
||||
|
||||
# /var/lib/dovecot holds SSL parameters file
|
||||
type dovecot_var_lib_t;
|
||||
files_type(dovecot_var_lib_t)
|
||||
|
||||
type dovecot_var_run_t;
|
||||
files_pid_file(dovecot_var_run_t)
|
||||
|
||||
type dovecot_auth_t;
|
||||
type dovecot_auth_exec_t;
|
||||
domain_type(dovecot_auth_t)
|
||||
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
|
||||
role system_r types dovecot_auth_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
# dovecot local policy
|
||||
|
@ -161,6 +165,11 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write io
|
|||
|
||||
allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
|
||||
|
||||
# Allow dovecot to create and read SSL parameters file
|
||||
allow dovecot_t dovecot_var_lib_t:dir rw_dir_perms;
|
||||
allow dovecot_t dovecot_var_lib_t:file manage_file_perms;
|
||||
files_search_var_lib(dovecot_t)
|
||||
|
||||
allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
|
||||
|
||||
kernel_read_all_sysctls(dovecot_auth_t)
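Review bot: The new `dovecot_t` rules for `dovecot_var_lib_t` (the SSL parameters file) are inserted between two `dovecot_auth_t` rules, i.e. inside the dovecot_auth local policy block rather than in the `# dovecot local policy` section visible in the previous hunk's context; moving the four lines (the comment, the two allows and `files_search_var_lib(dovecot_t)`) up to the dovecot_t section keeps each domain's rules together. The rules themselves are narrow and the comment on them is good.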
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(ftp,1.2.6)
|
||||
policy_module(ftp,1.2.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -50,6 +50,7 @@ allow ftpd_t self:unix_dgram_socket { sendto create_socket_perms };
|
|||
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow ftpd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow ftpd_t self:udp_socket create_socket_perms;
|
||||
allow ftpd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow ftpd_t ftpd_etc_t:file r_file_perms;
|
||||
|
||||
|
@ -205,6 +206,12 @@ tunable_policy(`ftpd_is_daemon',`
|
|||
corenet_tcp_bind_ftp_port(ftpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
tunable_policy(`ftp_home_dir',`
|
||||
apache_search_sys_content(ftpd_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
corecmd_exec_shell(ftpd_t)
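Review bot: The new `tunable_policy` block granting `apache_search_sys_content(ftpd_t)` under `ftp_home_dir` has no comment saying why enabling FTP home directories should let ftpd search Apache's system content; presumably user web directories live under apache content and ftpd must traverse them, but the link is not obvious from the names, so `# ftp_home_dir: users' web directories are apache content that ftpd must traverse` (or whatever the actual reason is) belongs above the block. Placing it inside `optional_policy` is right since the apache module may be absent.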
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(hal,1.3.10)
|
||||
policy_module(hal,1.3.11)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -22,7 +22,7 @@ files_pid_file(hald_var_run_t)
|
|||
#
|
||||
|
||||
# execute openvt which needs setuid
|
||||
allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
|
||||
allow hald_t self:capability { audit_write chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
|
||||
dontaudit hald_t self:capability sys_tty_config;
|
||||
allow hald_t self:process signal_perms;
|
||||
allow hald_t self:fifo_file rw_file_perms;
|
||||
|
@ -152,6 +152,10 @@ ifdef(`targeted_policy', `
|
|||
files_dontaudit_read_root_files(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
bootloader_domtrans(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# For /usr/libexec/hald-addon-acpi
|
||||
# writes to /var/run/acpid.socket
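Review bot: `bootloader_domtrans(hald_t)` lets the HAL daemon start the bootloader domain, and `audit_write` is added to hald_t's capability set in the first hunk, with no comment for either, in contrast to the adjacent `# execute openvt which needs setuid` and `# For /usr/libexec/hald-addon-acpi` lines; a bootloader transition reachable from a hardware-abstraction daemon is a notable privilege, so the hal helper that runs the bootloader should be named next to the call, e.g. `# hal's power-management helper runs the bootloader` if that is the reason. The same applies to the new `bluetooth_domtrans(hald_t)` in the following hunk.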
|
||||
|
@ -162,6 +166,10 @@ optional_policy(`
|
|||
bind_search_cache(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
bluetooth_domtrans(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
clock_domtrans(hald_t)
|
||||
')
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(inetd,1.1.4)
|
||||
policy_module(inetd,1.1.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -218,8 +218,10 @@ miscfiles_read_localization(inetd_child_t)
|
|||
|
||||
sysnet_read_config(inetd_child_t)
|
||||
|
||||
tunable_policy(`run_ssh_inetd',`
|
||||
corenet_tcp_bind_ssh_port(inetd_t)
|
||||
ifdef(`strict_policy',`
|
||||
tunable_policy(`run_ssh_inetd',`
|
||||
corenet_tcp_bind_ssh_port(inetd_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
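Review bot: The `tunable_policy(`run_ssh_inetd',`…')` block is now wrapped in `ifdef(`strict_policy',`…')`, so the `run_ssh_inetd` tunable only has to exist for strict builds; if its declaration was dropped from the shared tunables without being re-added to a strict-only tunables file, the strict build will fail on an undeclared tunable, so that declaration is worth checking alongside this hunk. The targeted build, which loses the ssh-port bind for `inetd_t` here, should be confirmed not to rely on it. The enclosing file continues outside the hunk.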
|
|
|
@ -6,6 +6,7 @@
|
|||
/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
|
||||
/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
|
||||
|
||||
/var/run/ldapi -s gen_context(system_u:object_r:slapd_var_run_t,s0)
|
||||
/var/run/openldap(/.*)? gen_context(system_u:object_r:slapd_var_run_t,s0)
|
||||
/var/run/slapd\.args -- gen_context(system_u:object_r:slapd_var_run_t,s0)
|
||||
/var/run/slapd\.pid -- gen_context(system_u:object_r:slapd_var_run_t,s0)
|
||||
|
|
|
@ -57,3 +57,24 @@ interface(`ldap_use',`
|
|||
allow slapd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
kernel_tcp_recvfrom($1)
|
||||
')
|
||||
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to slapd over an unix stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ldap_stream_connect',`
|
||||
gen_require(`
|
||||
type slapd_t, slapd_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 slapd_var_run_t:sock_file write;
|
||||
allow $1 slapd_t:unix_stream_socket connectto;
|
||||
')
|
||||
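Review bot: The new `ldap_stream_connect` interface and the new `postgrey_stream_connect` interface in this commit grant the same three things (`files_search_pids`, `sock_file write`, `unix_stream_socket connectto`) in different orders; since these interfaces serve as the template others copy, one ordering should be used in both, with `files_search_pids($1)` first as here. The summary reads `Connect to slapd over an unix stream socket.` and should be `Connect to slapd over a unix stream socket.`. A short doc line noting that the caller gets write access only to the socket file, not to other content in `slapd_var_run_t`, would make the scope of the grant explicit.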
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(ldap,1.2.3)
|
||||
policy_module(ldap,1.2.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
@ -62,6 +62,7 @@ template(`lpd_per_userdomain_template',`
|
|||
allow $1_lpr_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow $1_lpr_t self:tcp_socket create_socket_perms;
|
||||
allow $1_lpr_t self:udp_socket create_socket_perms;
|
||||
allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
# lpr can run in lightweight mode, without a local print spooler.
|
||||
allow $1_lpr_t lpd_var_run_t:dir search;
|
||||
|
@ -109,7 +110,9 @@ template(`lpd_per_userdomain_template',`
|
|||
allow lpd_t $1_print_spool_t:file link_file_perms;
|
||||
|
||||
kernel_tcp_recvfrom($1_lpr_t)
|
||||
kernel_read_kernel_sysctls($1_lpr_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv($1_lpr_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_lpr_t)
|
||||
corenet_udp_sendrecv_generic_if($1_lpr_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_lpr_t)
|
||||
|
@ -119,8 +122,8 @@ template(`lpd_per_userdomain_template',`
|
|||
corenet_tcp_connect_all_ports($1_lpr_t)
|
||||
corenet_sendrecv_all_client_packets($1_lpr_t)
|
||||
|
||||
# for /dev/null
|
||||
dev_list_all_dev_nodes($1_lpr_t)
|
||||
dev_read_rand($1_lpr_t)
|
||||
dev_read_urand($1_lpr_t)
|
||||
|
||||
domain_use_interactive_fds($1_lpr_t)
|
||||
|
||||
|
@ -149,6 +152,8 @@ template(`lpd_per_userdomain_template',`
|
|||
userdom_read_user_tmp_symlinks($1,$1_lpr_t)
|
||||
# Write to the user domain tty.
|
||||
userdom_use_user_terminals($1,$1_lpr_t)
|
||||
userdom_read_user_home_content_files($1,$1_lpr_t)
|
||||
userdom_read_user_tmp_files($1,$1_lpr_t)
|
||||
|
||||
tunable_policy(`read_default_t',`
|
||||
files_list_default($1_lpr_t)
|
||||
|
@ -158,8 +163,6 @@ template(`lpd_per_userdomain_template',`
|
|||
|
||||
tunable_policy(`read_untrusted_content',`
|
||||
#list and read user specific untrusted content
|
||||
files_list_home($1_lpr_t)
|
||||
userdom_list_user_home_dirs($1,$1_lpr_t)
|
||||
userdom_read_user_untrusted_content_files($1,$1_lpr_t)
|
||||
|
||||
#list and read user specific temporary untrusted content
|
||||
|
@ -186,6 +189,7 @@ template(`lpd_per_userdomain_template',`
|
|||
cups_tcp_connect($1_lpr_t)
|
||||
cups_read_config($2)
|
||||
cups_tcp_connect($2)
|
||||
cups_stream_connect($1_lpr_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -199,14 +203,6 @@ template(`lpd_per_userdomain_template',`
|
|||
optional_policy(`
|
||||
nis_use_ypbind($1_lpr_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`
|
||||
allow $1_lpr_t xdm_t:fd use;
|
||||
allow $1_lpr_t xdm_var_run_t:dir search;
|
||||
allow $1_lpr_t xdm_t:fifo_file { getattr read write ioctl };
|
||||
')
|
||||
') dnl end TODO
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(lpd,1.2.4)
|
||||
policy_module(lpd,1.2.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(mailman,1.1.5)
|
||||
policy_module(mailman,1.1.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -30,12 +30,16 @@ mailman_domain_template(queue)
|
|||
# Mailman CGI local policy
|
||||
#
|
||||
|
||||
# cjp: the template invocation for queue should be
|
||||
# cjp: the template invocation for cgi should be
|
||||
# in the below optional policy; however, there are no
|
||||
# optionals for file contexts yet, so it is promoted
|
||||
# to global scope until such facilities exist.
|
||||
|
||||
optional_policy(`
|
||||
allow mailman_cgi_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
dev_read_urand(mailman_cgi_t)
|
||||
|
||||
allow mailman_cgi_t mailman_archive_t:dir create_dir_perms;
|
||||
allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
|
||||
allow mailman_cgi_t mailman_archive_t:file create_file_perms;
|
||||
|
@ -52,6 +56,10 @@ optional_policy(`
|
|||
apache_use_fds(mailman_cgi_t)
|
||||
apache_dontaudit_append_log(mailman_cgi_t)
|
||||
apache_search_sys_script_state(mailman_cgi_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(mailman_cgi_t)
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(nis,1.1.5)
|
||||
policy_module(nis,1.1.6)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -86,6 +86,7 @@ corenet_udp_bind_generic_port(ypbind_t)
|
|||
corenet_tcp_bind_reserved_port(ypbind_t)
|
||||
corenet_udp_bind_reserved_port(ypbind_t)
|
||||
corenet_tcp_bind_all_rpc_ports(ypbind_t)
|
||||
corenet_udp_bind_all_rpc_ports(ypbind_t)
|
||||
corenet_tcp_connect_all_ports(ypbind_t)
|
||||
corenet_dontaudit_tcp_bind_all_reserved_ports(ypbind_t)
|
||||
corenet_dontaudit_udp_bind_all_reserved_ports(ypbind_t)
|
||||
|
|
|
@ -42,6 +42,25 @@ interface(`nscd_domtrans',`
|
|||
allow nscd_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to execute nscd
|
||||
## in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`nscd_exec',`
|
||||
gen_require(`
|
||||
type nscd_exec_t;
|
||||
')
|
||||
|
||||
can_exec($1,nscd_exec_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Use NSCD services by connecting using
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(nscd,1.2.6)
|
||||
policy_module(nscd,1.2.7)
|
||||
|
||||
gen_require(`
|
||||
class nscd all_nscd_perms;
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(openvpn,1.0.2)
|
||||
policy_module(openvpn,1.0.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -33,6 +33,7 @@ allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
|
|||
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow openvpn_t self:udp_socket create_socket_perms;
|
||||
allow openvpn_t self:tcp_socket create_socket_perms;
|
||||
allow openvpn_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow openvpn_t openvpn_etc_t:dir r_dir_perms;
|
||||
allow openvpn_t openvpn_etc_t:file r_file_perms;
|
||||
|
@ -67,12 +68,15 @@ corenet_udp_bind_openvpn_port(openvpn_t)
|
|||
corenet_sendrecv_openvpn_server_packets(openvpn_t)
|
||||
corenet_rw_tun_tap_dev(openvpn_t)
|
||||
|
||||
dev_search_sysfs(openvpn_t)
|
||||
dev_read_rand(openvpn_t)
|
||||
dev_read_urand(openvpn_t)
|
||||
|
||||
files_read_etc_files(openvpn_t)
|
||||
files_read_etc_runtime_files(openvpn_t)
|
||||
|
||||
init_use_fds(openvpn_t)
|
||||
|
||||
libs_use_ld_so(openvpn_t)
|
||||
libs_use_shared_libs(openvpn_t)
|
||||
|
||||
|
@ -80,10 +84,12 @@ logging_send_syslog_msg(openvpn_t)
|
|||
|
||||
miscfiles_read_localization(openvpn_t)
|
||||
|
||||
sysnet_dns_name_resolve(openvpn_t)
|
||||
sysnet_exec_ifconfig(openvpn_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_generic_ptys(openvpn_t)
|
||||
# Need to interact with terminals if config option "auth-user-pass" is used
|
||||
term_use_generic_ptys(openvpn_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
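Review bot: `term_use_generic_ptys(openvpn_t)` inside `ifdef(`targeted_policy',`…')` grants the VPN daemon read/write on generic ptys unconditionally, while the comment says it is only needed when the `auth-user-pass` option is used; this appears to replace a `term_dontaudit_use_generic_ptys` line on the old side, so the default for every targeted install goes from silent denial to full pty access. Gating the grant behind a tunable that defaults to false, as this commit does elsewhere with `allow_zebra_write_config`, keeps the default tight and still supports the interactive-password case. The `optional_policy(` that opens at the end of the hunk continues outside it.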
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(postfix,1.2.9)
|
||||
policy_module(postfix,1.2.10)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -160,7 +160,7 @@ files_read_usr_files(postfix_master_t)
|
|||
|
||||
init_use_script_ptys(postfix_master_t)
|
||||
|
||||
miscfiles_dontaudit_search_man_pages(postfix_master_t)
|
||||
miscfiles_read_man_pages(postfix_master_t)
|
||||
|
||||
seutil_sigchld_newrole(postfix_master_t)
|
||||
# postfix does a "find" on startup for some reason - keep it quiet
|
||||
|
@ -590,6 +590,10 @@ allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
|
|||
files_read_usr_files(postfix_smtpd_t)
|
||||
mta_read_aliases(postfix_smtpd_t)
|
||||
|
||||
optional_policy(`
|
||||
postgrey_stream_connect(postfix_smtpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
sasl_connect(postfix_smtpd_t)
|
||||
')
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
|
||||
/usr/sbin/postgrey -- gen_context(system_u:object_r:postgrey_exec_t,s0)
|
||||
|
||||
/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
|
||||
|
||||
/var/lib/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_lib_t,s0)
|
||||
|
||||
/var/run/postgrey(/.*)? gen_context(system_u:object_r:postgrey_var_run_t,s0)
|
||||
/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
|
||||
|
|
|
@ -1 +1,21 @@
|
|||
## <summary>Postfix grey-listing server</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Write to postgrey socket
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to talk to postgrey
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postgrey_stream_connect',`
|
||||
gen_require(`
|
||||
type postgrey_var_run_t, postgrey_t;
|
||||
')
|
||||
|
||||
allow $1 postgrey_t:unix_stream_socket connectto;
|
||||
allow $1 postgrey_var_run_t:sock_file write;
|
||||
files_search_pids($1)
|
||||
')
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(postgrey,1.0.1)
|
||||
policy_module(postgrey,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -38,6 +38,7 @@ allow postgrey_t postgrey_var_lib_t:dir rw_dir_perms;
|
|||
files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file)
|
||||
|
||||
allow postgrey_t postgrey_var_run_t:file create_file_perms;
|
||||
allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;
|
||||
allow postgrey_t postgrey_var_run_t:dir rw_dir_perms;
|
||||
files_pid_filetrans(postgrey_t,postgrey_var_run_t,file)
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(procmail,1.2.4)
|
||||
policy_module(procmail,1.2.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -35,6 +35,7 @@ corenet_tcp_sendrecv_all_nodes(procmail_t)
|
|||
corenet_udp_sendrecv_all_nodes(procmail_t)
|
||||
corenet_tcp_sendrecv_all_ports(procmail_t)
|
||||
corenet_udp_sendrecv_all_ports(procmail_t)
|
||||
corenet_udp_bind_all_nodes(procmail_t)
|
||||
corenet_tcp_connect_spamd_port(procmail_t)
|
||||
corenet_sendrecv_spamd_client_packets(procmail_t)
|
||||
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
/etc/cron\.(daily|weekly|monthly)/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
|
||||
|
||||
/etc/raddb(/.*)? gen_context(system_u:object_r:radiusd_etc_t,s0)
|
||||
/etc/raddb/db.daily -- gen_context(system_u:object_r:radiusd_etc_rw_t,s0)
|
||||
|
||||
/usr/sbin/radiusd -- gen_context(system_u:object_r:radiusd_exec_t,s0)
|
||||
/usr/sbin/freeradius -- gen_context(system_u:object_r:radiusd_exec_t,s0)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(radius,1.1.1)
|
||||
policy_module(radius,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -13,6 +13,9 @@ init_daemon_domain(radiusd_t,radiusd_exec_t)
|
|||
type radiusd_etc_t;
|
||||
files_config_file(radiusd_etc_t)
|
||||
|
||||
type radiusd_etc_rw_t;
|
||||
files_type(radiusd_etc_rw_t)
|
||||
|
||||
type radiusd_log_t;
|
||||
logging_log_file(radiusd_log_t)
|
||||
|
||||
|
@ -39,6 +42,11 @@ allow radiusd_t radiusd_etc_t:dir r_dir_perms;
|
|||
allow radiusd_t radiusd_etc_t:lnk_file { getattr read };
|
||||
files_search_etc(radiusd_t)
|
||||
|
||||
allow radiusd_t radiusd_etc_rw_t:dir create_dir_perms;
|
||||
allow radiusd_t radiusd_etc_rw_t:file create_file_perms;
|
||||
allow radiusd_t radiusd_etc_rw_t:lnk_file create_lnk_perms;
|
||||
type_transition radiusd_t radiusd_etc_t:{ dir file lnk_file } radiusd_etc_rw_t;
|
||||
|
||||
allow radiusd_t radiusd_log_t:file create_file_perms;
|
||||
allow radiusd_t radiusd_log_t:dir create_dir_perms;
|
||||
logging_log_filetrans(radiusd_t,radiusd_log_t,{ file dir })
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(remotelogin,1.2.0)
|
||||
policy_module(remotelogin,1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -37,6 +37,7 @@ allow remote_login_t self:shm create_shm_perms;
|
|||
allow remote_login_t self:sem create_sem_perms;
|
||||
allow remote_login_t self:msgq create_msgq_perms;
|
||||
allow remote_login_t self:msg { send receive };
|
||||
allow remote_login_t self:key write;
|
||||
|
||||
allow remote_login_t remote_login_tmp_t:dir create_dir_perms;
|
||||
allow remote_login_t remote_login_tmp_t:file create_file_perms;
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(samba,1.2.8)
|
||||
policy_module(samba,1.2.9)
|
||||
|
||||
#################################
|
||||
#
|
||||
|
@ -186,11 +186,12 @@ allow smbd_t self:tcp_socket create_stream_socket_perms;
|
|||
allow smbd_t self:udp_socket create_socket_perms;
|
||||
allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow smbd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow smbd_t samba_etc_t:dir rw_dir_perms;
|
||||
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
|
||||
|
||||
allow smbd_t samba_log_t:dir ra_dir_perms;
|
||||
allow smbd_t samba_log_t:dir { ra_dir_perms setattr };
|
||||
dontaudit smbd_t samba_log_t:dir remove_name;
|
||||
allow smbd_t samba_log_t:file { create ra_file_perms };
|
||||
|
||||
|
@ -313,6 +314,7 @@ tunable_policy(`samba_share_nfs',`
|
|||
|
||||
optional_policy(`
|
||||
cups_read_rw_config(smbd_t)
|
||||
cups_stream_connect(smbd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -365,7 +367,7 @@ files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
|
|||
allow nmbd_t samba_etc_t:dir { search getattr };
|
||||
allow nmbd_t samba_etc_t:file { getattr read };
|
||||
|
||||
allow nmbd_t samba_log_t:dir ra_dir_perms;
|
||||
allow nmbd_t samba_log_t:dir { ra_dir_perms setattr };
|
||||
allow nmbd_t samba_log_t:file { create ra_file_perms };
|
||||
|
||||
allow nmbd_t samba_var_t:dir rw_dir_perms;
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(squid,1.1.3)
|
||||
policy_module(squid,1.1.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -80,8 +80,10 @@ corenet_udp_sendrecv_all_ports(squid_t)
|
|||
corenet_tcp_bind_all_nodes(squid_t)
|
||||
corenet_udp_bind_all_nodes(squid_t)
|
||||
corenet_tcp_bind_http_cache_port(squid_t)
|
||||
corenet_udp_bind_http_cache_port(squid_t)
|
||||
corenet_tcp_bind_ftp_port(squid_t)
|
||||
corenet_tcp_bind_gopher_port(squid_t)
|
||||
corenet_udp_bind_gopher_port(squid_t)
|
||||
corenet_tcp_connect_ftp_port(squid_t)
|
||||
corenet_tcp_connect_gopher_port(squid_t)
|
||||
corenet_tcp_connect_http_port(squid_t)
|
||||
|
@ -176,9 +178,6 @@ optional_policy(`
|
|||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
ifdef(`apache.te',`
|
||||
can_tcp_connect(squid_t, httpd_t)
|
||||
')
|
||||
#squid requires the following when run in diskd mode, the recommended setting
|
||||
allow squid_t tmpfs_t:file { read write };
|
||||
') dnl end TODO
|
||||
|
|
|
@ -71,6 +71,7 @@ template(`ssh_basic_client_template',`
|
|||
allow $1_ssh_t self:msgq create_msgq_perms;
|
||||
allow $1_ssh_t self:msg { send receive };
|
||||
allow $1_ssh_t self:tcp_socket create_socket_perms;
|
||||
allow $1_ssh_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
# for rsync
|
||||
allow $1_ssh_t $2:unix_stream_socket rw_socket_perms;
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(ssh,1.3.6)
|
||||
policy_module(ssh,1.3.7)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(tftp,1.1.1)
|
||||
policy_module(tftp,1.1.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -78,6 +78,7 @@ logging_send_syslog_msg(tftpd_t)
|
|||
miscfiles_read_localization(tftpd_t)
|
||||
|
||||
sysnet_read_config(tftpd_t)
|
||||
sysnet_use_ldap(tftpd_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(tftpd_t)
|
||||
userdom_dontaudit_use_sysadm_ttys(tftpd_t)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(xfs,1.0.3)
|
||||
policy_module(xfs,1.0.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -46,6 +46,8 @@ corecmd_list_bin(xfs_t)
|
|||
corecmd_list_sbin(xfs_t)
|
||||
|
||||
dev_read_sysfs(xfs_t)
|
||||
dev_read_urand(xfs_t)
|
||||
dev_read_rand(xfs_t)
|
||||
|
||||
fs_getattr_all_fs(xfs_t)
|
||||
fs_search_auto_mountpoints(xfs_t)
|
||||
|
|
|
@ -317,7 +317,6 @@ template(`xserver_per_userdomain_template',`
|
|||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
allow $1_t xdm_xserver_tmp_t:dir r_dir_perms;
|
||||
allow $1_t xdm_xserver_t:unix_stream_socket connectto;
|
||||
|
||||
ifdef(`xdm.te', `
|
||||
|
@ -1126,6 +1125,7 @@ interface(`xserver_stream_connect_xdm_xserver',`
|
|||
')
|
||||
|
||||
files_search_tmp($1)
|
||||
allow $1 xdm_xserver_tmp_t:dir search_dir_perms;
|
||||
allow $1 xdm_xserver_tmp_t:sock_file write;
|
||||
allow $1 xdm_xserver_t:unix_stream_socket connectto;
|
||||
')
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(xserver,1.1.10)
|
||||
policy_module(xserver,1.1.11)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -88,6 +88,7 @@ allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
|||
allow xdm_t self:unix_dgram_socket create_socket_perms;
|
||||
allow xdm_t self:tcp_socket create_stream_socket_perms;
|
||||
allow xdm_t self:udp_socket create_socket_perms;
|
||||
allow xdm_t self:key write;
|
||||
|
||||
# Supress permission check on .ICE-unix
|
||||
dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
|
||||
|
@ -331,7 +332,7 @@ tunable_policy(`use_samba_home_dirs',`
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
consoletype_domtrans(xdm_t)
|
||||
consoletype_exec(xdm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(zebra,1.2.2)
|
||||
policy_module(zebra,1.2.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -72,8 +72,10 @@ corenet_tcp_sendrecv_all_ports(zebra_t)
|
|||
corenet_udp_sendrecv_all_ports(zebra_t)
|
||||
corenet_tcp_bind_all_nodes(zebra_t)
|
||||
corenet_udp_bind_all_nodes(zebra_t)
|
||||
corenet_tcp_bind_bgp_port(zebra_t)
|
||||
corenet_tcp_bind_zebra_port(zebra_t)
|
||||
corenet_udp_bind_router_port(zebra_t)
|
||||
corenet_tcp_connect_bgp_port(zebra_t)
|
||||
corenet_sendrecv_zebra_server_packets(zebra_t)
|
||||
corenet_sendrecv_router_server_packets(zebra_t)
|
||||
|
||||
|
@ -116,6 +118,11 @@ ifdef(`targeted_policy', `
|
|||
unconfined_sigchld(zebra_t)
|
||||
')
|
||||
|
||||
tunable_policy(`allow_zebra_write_config',`
|
||||
allow zebra_t zebra_conf_t:dir write;
|
||||
allow zebra_t zebra_conf_t:file write;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ldap_use(zebra_t)
|
||||
')
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(authlogin,1.3.8)
|
||||
policy_module(authlogin,1.3.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -193,6 +193,7 @@ term_use_all_user_ptys(pam_console_t)
|
|||
term_setattr_console(pam_console_t)
|
||||
term_getattr_unallocated_ttys(pam_console_t)
|
||||
term_setattr_unallocated_ttys(pam_console_t)
|
||||
term_use_unallocated_ttys(pam_console_t)
|
||||
|
||||
auth_use_nsswitch(pam_console_t)
|
||||
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
/sbin/blkid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/blockdev -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/cfdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/sbin/dosfsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(fstools,1.3.2)
|
||||
policy_module(fstools,1.3.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
@ -9,3 +9,4 @@
|
|||
/var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0)
|
||||
|
||||
/var/spool/fax -- gen_context(system_u:object_r:getty_var_run_t,s0)
|
||||
/var/spool/voice -- gen_context(system_u:object_r:getty_var_run_t,s0)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(getty,1.1.2)
|
||||
policy_module(getty,1.1.3)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -37,7 +37,7 @@ files_pid_file(getty_var_run_t)
|
|||
#
|
||||
|
||||
# Use capabilities.
|
||||
allow getty_t self:capability { dac_override chown sys_resource sys_tty_config fowner fsetid };
|
||||
allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
|
||||
dontaudit getty_t self:capability sys_tty_config;
|
||||
allow getty_t self:process { getpgid getsession signal_perms };
|
||||
|
||||
|
@ -90,6 +90,7 @@ corecmd_search_sbin(getty_t)
|
|||
files_rw_generic_pids(getty_t)
|
||||
files_read_etc_runtime_files(getty_t)
|
||||
files_read_etc_files(getty_t)
|
||||
files_search_spool(getty_t)
|
||||
|
||||
init_rw_utmp(getty_t)
|
||||
init_use_script_ptys(getty_t)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(hotplug,1.2.1)
|
||||
policy_module(hotplug,1.2.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -136,7 +136,7 @@ ifdef(`targeted_policy', `
|
|||
term_dontaudit_use_generic_ptys(hotplug_t)
|
||||
|
||||
optional_policy(`
|
||||
consoletype_domtrans(hotplug_t)
|
||||
consoletype_exec(hotplug_t)
|
||||
')
|
||||
')
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(init,1.3.17)
|
||||
policy_module(init,1.3.18)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
|
@ -286,6 +286,9 @@ fs_unmount_all_fs(initrc_t)
|
|||
fs_remount_all_fs(initrc_t)
|
||||
fs_getattr_all_fs(initrc_t)
|
||||
|
||||
# initrc_t needs to do a pidof which requires ptrace
|
||||
mcs_ptrace_all(initrc_t)
|
||||
|
||||
selinux_get_enforce_mode(initrc_t)
|
||||
|
||||
storage_getattr_fixed_disk_dev(initrc_t)
|
||||
|
|
|
@ -198,7 +198,7 @@ ifdef(`distro_redhat',`
|
|||
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
|
||||
/usr/lib(64)?.*/libmpg123\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libavformat-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libavcodec-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libavutil-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(libraries,1.3.9)
|
||||
policy_module(libraries,1.3.10)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(locallogin,1.2.3)
|
||||
policy_module(locallogin,1.2.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -51,6 +51,7 @@ allow local_login_t self:shm create_shm_perms;
|
|||
allow local_login_t self:sem create_sem_perms;
|
||||
allow local_login_t self:msgq create_msgq_perms;
|
||||
allow local_login_t self:msg { send receive };
|
||||
allow local_login_t self:key write;
|
||||
|
||||
allow local_login_t local_login_lock_t:file create_file_perms;
|
||||
files_lock_filetrans(local_login_t,local_login_lock_t,file)
|
||||
|
|
|
@ -165,7 +165,8 @@ interface(`logging_manage_audit_config',`
|
|||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 auditd_etc_t:file create_file_perms;
|
||||
allow $1 auditd_etc_t:dir rw_dir_perms;
|
||||
allow $1 auditd_etc_t:file manage_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -287,6 +288,7 @@ interface(`logging_read_audit_config',`
|
|||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 auditd_etc_t:dir r_dir_perms;
|
||||
allow $1 auditd_etc_t:file r_file_perms;
|
||||
')
|
||||
|
||||
|
@ -308,7 +310,7 @@ interface(`logging_search_logs',`
|
|||
')
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir search;
|
||||
allow $1 var_log_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
@ -326,7 +328,7 @@ interface(`logging_dontaudit_search_logs',`
|
|||
type var_log_t;
|
||||
')
|
||||
|
||||
dontaudit $1 var_log_t:dir search;
|
||||
dontaudit $1 var_log_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
#######################################
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(logging,1.3.7)
|
||||
policy_module(logging,1.3.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -140,7 +140,7 @@ term_dontaudit_use_console(auditd_t)
|
|||
# Probably want a transition, and a new auditd_helper app
|
||||
corecmd_exec_sbin(auditd_t)
|
||||
corecmd_exec_bin(auditd_t)
|
||||
|
||||
corecmd_exec_shell(auditd_t)
|
||||
|
||||
domain_use_interactive_fds(auditd_t)
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(lvm,1.3.4)
|
||||
policy_module(lvm,1.3.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -125,7 +125,7 @@ optional_policy(`
|
|||
|
||||
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
|
||||
# rawio needed for dmraid
|
||||
allow lvm_t self:capability { dac_override ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
|
||||
allow lvm_t self:capability { dac_override fowner ipc_lock sys_admin sys_nice mknod chown sys_resource sys_rawio };
|
||||
dontaudit lvm_t self:capability sys_tty_config;
|
||||
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
|
||||
# LVM will complain a lot if it cannot set its priority.
|
||||
|
@ -200,6 +200,7 @@ dev_create_generic_dirs(lvm_t)
|
|||
|
||||
fs_getattr_xattr_fs(lvm_t)
|
||||
fs_search_auto_mountpoints(lvm_t)
|
||||
fs_list_tmpfs(lvm_t)
|
||||
fs_read_tmpfs_symlinks(lvm_t)
|
||||
fs_dontaudit_read_removable_files(lvm_t)
|
||||
|
||||
|
|
|
@ -1,8 +1,10 @@
|
|||
|
||||
policy_module(selinuxutil,1.2.9)
|
||||
policy_module(selinuxutil,1.2.10)
|
||||
|
||||
gen_require(`
|
||||
bool secure_mode;
|
||||
ifdef(`strict_policy',`
|
||||
gen_require(`
|
||||
bool secure_mode;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -104,6 +106,7 @@ domain_system_change_exemption(run_init_t)
|
|||
|
||||
type semanage_t;
|
||||
domain_type(semanage_t)
|
||||
domain_interactive_fd(semanage_t)
|
||||
|
||||
type semanage_exec_t;
|
||||
domain_entry_file(semanage_t, semanage_exec_t)
|
||||
|
@ -423,18 +426,17 @@ optional_policy(`
|
|||
|
||||
allow restorecond_t self:capability { dac_override dac_read_search fowner };
|
||||
allow restorecond_t self:fifo_file rw_file_perms;
|
||||
allow restorecond_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow restorecond_t restorecond_var_run_t:file create_file_perms;
|
||||
files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
|
||||
|
||||
auth_relabel_all_files_except_shadow(restorecond_t )
|
||||
auth_read_all_files_except_shadow(restorecond_t)
|
||||
fs_relabelfrom_noxattr_fs(restorecond_t)
|
||||
|
||||
kernel_use_fds(restorecond_t)
|
||||
kernel_rw_pipes(restorecond_t)
|
||||
kernel_read_system_state(restorecond_t)
|
||||
|
||||
fs_relabelfrom_noxattr_fs(restorecond_t)
|
||||
fs_dontaudit_list_nfs(restorecond_t)
|
||||
fs_getattr_xattr_fs(restorecond_t)
|
||||
fs_list_inotifyfs(restorecond_t)
|
||||
|
||||
|
@ -447,7 +449,11 @@ selinux_compute_user_contexts(restorecond_t)
|
|||
|
||||
term_dontaudit_use_generic_ptys(restorecond_t)
|
||||
|
||||
auth_relabel_all_files_except_shadow(restorecond_t )
|
||||
auth_read_all_files_except_shadow(restorecond_t)
|
||||
|
||||
init_use_fds(restorecond_t)
|
||||
init_dontaudit_use_script_ptys(restorecond_t)
|
||||
|
||||
libs_use_ld_so(restorecond_t)
|
||||
libs_use_shared_libs(restorecond_t)
|
||||
|
@ -456,6 +462,12 @@ logging_send_syslog_msg(restorecond_t)
|
|||
|
||||
miscfiles_read_localization(restorecond_t)
|
||||
|
||||
optional_policy(`
|
||||
# restorecond watches for users logging in,
|
||||
# so it getspwnam when a user logs in to find his homedir
|
||||
nis_use_ypbind(restorecond_t)
|
||||
')
|
||||
|
||||
#################################
|
||||
#
|
||||
# Run_init local policy
|
||||
|
@ -538,6 +550,7 @@ allow semanage_t self:capability { dac_override audit_write };
|
|||
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow semanage_t self:unix_dgram_socket create_socket_perms;
|
||||
allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
allow semanage_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow semanage_t policy_config_t:file { read write };
|
||||
|
||||
|
@ -567,10 +580,15 @@ selinux_set_boolean(semanage_t)
|
|||
|
||||
term_use_all_terms(semanage_t)
|
||||
|
||||
# Running genhomedircon requires this for finding all users
|
||||
auth_use_nsswitch(semanage_t)
|
||||
|
||||
libs_use_ld_so(semanage_t)
|
||||
libs_use_shared_libs(semanage_t)
|
||||
libs_use_lib_files(semanage_t)
|
||||
|
||||
locallogin_use_fds(semanage_t)
|
||||
|
||||
logging_send_syslog_msg(semanage_t)
|
||||
|
||||
miscfiles_read_localization(semanage_t)
|
||||
|
@ -590,7 +608,7 @@ seutil_get_semanage_read_lock(semanage_t)
|
|||
userdom_search_sysadm_home_dirs(semanage_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
# Handle pp files created in homedir and /tmp
|
||||
# Handle pp files created in homedir and /tmp
|
||||
files_read_generic_tmp_files(semanage_t)
|
||||
userdom_read_generic_user_home_content_files(semanage_t)
|
||||
')
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(setrans,1.0.1)
|
||||
policy_module(setrans,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -68,3 +68,7 @@ logging_send_syslog_msg(setrans_t)
|
|||
miscfiles_read_localization(setrans_t)
|
||||
|
||||
seutil_read_config(setrans_t)
|
||||
|
||||
optional_policy(`
|
||||
rpm_use_script_fds(setrans_t)
|
||||
')
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(sysnetwork,1.1.8)
|
||||
policy_module(sysnetwork,1.1.9)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -277,6 +277,7 @@ allow ifconfig_t self:udp_socket create_socket_perms;
|
|||
# for /sbin/ip
|
||||
allow ifconfig_t self:packet_socket create_socket_perms;
|
||||
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
|
||||
allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
|
||||
allow ifconfig_t self:tcp_socket { create ioctl };
|
||||
files_read_etc_files(ifconfig_t);
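Review bot: The added `allow ifconfig_t self:tcp_socket { create ioctl };` carries no comment, while the packet-socket rule a few lines up is explained by `# for /sbin/ip`, so the next reader cannot tell which tool or which ioctl drove this grant. A one-liner above it such as `# interface ioctls (SIOCGIF*/SIOCSIF*) are issued on a plain inet socket -- confirm against the denial that motivated this` would keep the block self-explaining; the narrow `{ create ioctl }` set is the right shape and should stay narrower than the `create_socket_perms` used for the udp_socket rule unless a denial proves otherwise. The context line `files_read_etc_files(ifconfig_t);` still has a stray trailing `;` after the interface call; it is pre-existing, not introduced here, but it may be worth dropping while this block is being touched.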
|
||||
|
||||
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(udev,1.3.3)
|
||||
policy_module(udev,1.3.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -39,9 +39,9 @@ files_pid_file(udev_var_run_t)
|
|||
# Local policy
|
||||
#
|
||||
|
||||
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice };
|
||||
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
|
||||
dontaudit udev_t self:capability sys_tty_config;
|
||||
allow udev_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow udev_t self:process { execmem setfscreate };
|
||||
allow udev_t self:fd use;
|
||||
allow udev_t self:fifo_file rw_file_perms;
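Review bot: The hunk hands udev_t two new tracing privileges, `sys_ptrace` in the capability set and `ptrace` dropped from the `self:process` deny-list, without a word on which udev helper needs them; with only `self:process ptrace` opened the SELinux side is limited to udev_t tracing other udev_t processes, but CAP_SYS_PTRACE also relaxes the kernel's own DAC checks for ptrace and /proc/<pid> access, which is a lot to give a domain that already holds sys_admin, sys_rawio, dac_override and setuid. Please record the motivating denial in a why-comment above the capability line, e.g. `# ptrace/sys_ptrace: needed by <helper> for ... -- TODO name the helper`, so a later reviewer can decide whether it can be dropped or turned into a dontaudit if the denial was only noise. While this line is being rewritten, `sys_nice` is listed twice in the set; the deduplicated line would read `allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_ptrace };`. The rest of udev_t's local policy continues outside the hunk.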
|
||||
@ -9,4 +9,5 @@ ifdef(`targeted_policy',`
|
|||
/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||
/usr/local/RealPlay/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||
/usr/bin/mplayer -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||
/usr/bin/xine -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
|
||||
')
|
||||
@ -52,9 +52,10 @@ interface(`unconfined_domain_noaudit',`
|
|||
allow $1 self:process execmem;
|
||||
')
|
||||
|
||||
tunable_policy(`allow_execmem && allow_execstack',`
|
||||
# Allow making the stack executable via mprotect.
|
||||
allow $1 self:process execstack;
|
||||
tunable_policy(`allow_execstack',`
|
||||
# Allow making the stack executable via mprotect;
|
||||
# execstack implies execmem;
|
||||
allow $1 self:process { execstack execmem };
|
||||
# auditallow $1 self:process execstack;
|
||||
')
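Review bot: The rewritten tunable block grants `execmem` whenever `allow_execstack` is on, so that boolean now silently overrides an administrator's choice to leave `allow_execmem` off, where the old `allow_execmem && allow_execstack` condition required both. The in-code comment `# execstack implies execmem;` explains the kernel side (an executable stack is unusable without execmem), but the `allow_execstack` description in global_tunables, outside this hunk, should also say that enabling it grants executable anonymous memory to unconfined domains, otherwise the wider effect is invisible to whoever flips the boolean. The commented-out `# auditallow $1 self:process execstack;` is dead code; either drop the line or make it live as `auditallow $1 self:process execstack;`, since an audit trail of which programs actually need an executable stack is exactly the data needed to tighten this later. The enclosing interface `unconfined_domain_noaudit` starts and ends outside the hunk.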
|
||||
|
||||
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(unconfined,1.3.12)
|
||||
policy_module(unconfined,1.3.13)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -55,10 +55,6 @@ ifdef(`targeted_policy',`
|
|||
ada_domtrans(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
amanda_domtrans_recover(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
apache_domtrans_helper(unconfined_t)
|
||||
')
|
||||
|
@ -71,6 +67,10 @@ ifdef(`targeted_policy',`
|
|||
bluetooth_domtrans_helper(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
bootloader_domtrans(unconfined_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
init_dbus_chat_script(unconfined_t)
|
||||
|
||||
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(xen,1.0.7)
|
||||
policy_module(xen,1.0.8)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -171,7 +171,7 @@ xen_stream_connect_xenstore(xend_t)
|
|||
netutils_domtrans(xend_t)
|
||||
|
||||
optional_policy(`
|
||||
consoletype_domtrans(xend_t)
|
||||
consoletype_exec(xend_t)
|
||||
')
|
||||
|
||||
########################################
|
||||