Files patch from Dan Walsh.

Redhat does want /usr/local/src labeled src_t or /usr/src for that matter

Fix labels on chroot environments
Chris PeBenito 2010-06-09 09:09:34 -04:00
parent 135b1b4c54
commit 48e0aa86c9
3 changed files with 285 additions and 13 deletions


@ -48,11 +48,13 @@ ifdef(`distro_suse',`
/etc/.* gen_context(system_u:object_r:etc_t,s0)
/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/cmtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/HOSTNAME -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/issue -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/issue\.net -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
@ -205,19 +207,21 @@ HOME_ROOT/lost\+found/.* <<none>>
/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/usr/local/lost\+found/.* <<none>>
/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/usr/lost\+found/.* <<none>>
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/usr/tmp/.* <<none>>
ifndef(`distro_redhat',`
/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
#
# /var
#
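Review bot: The new `ifndef(`distro_redhat',` guard around the /usr/local/src, /usr/src and /usr/src/kernels entries carries no comment saying why Red Hat builds stop labeling source trees src_t, and the commit message ("does want") reads as the opposite of what the guard does, so a one-line comment above it such as `# Red Hat builds do not label /usr/src or /usr/local/src as src_t` would settle the intent for the next reader. With the guard in place those paths presumably fall back to whatever the generic /usr entry outside this hunk assigns (likely usr_t); that is worth confirming, because the /usr/src/kernels/.+/lib entry exists only to carve a usr_t subtree out of src_t and it is now guarded together with its parent, which is consistent. The lines that appear above the guard with the same patterns look like the old unconditional rules being removed, so non-Red-Hat builds should see no change in labeling.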


@ -174,7 +174,7 @@ interface(`files_security_mountpoint',`
## <p>
## Make the specified type usable for runtime process ID files,
## typically found in /var/run.
## This will also make the type usable for files, making
## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a PID file type may result in problems with starting
## or stopping services.
@ -221,7 +221,7 @@ interface(`files_pid_file',`
## <desc>
## <p>
## Make the specified type usable for configuration files.
## This will also make the type usable for files, making
## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a temporary file may result in problems with
## configuration management tools.
@ -349,7 +349,7 @@ interface(`files_poly_member_tmp',`
## <desc>
## <p>
## Make the specified type usable for temporary files.
## This will also make the type usable for files, making
## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a temporary file may result in problems with
## purging temporary files.
@ -1426,6 +1426,24 @@ interface(`files_search_all_mountpoints',`
allow $1 mountpoint:dir search_dir_perms;
')
########################################
## <summary>
## Do not audit searching of all mount points.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`files_dontaudit_search_all_mountpoints',`
gen_require(`
attribute mountpoint;
')
dontaudit $1 mountpoint:dir search_dir_perms;
')
########################################
## <summary>
## List the contents of the root directory.
@ -1550,6 +1568,24 @@ interface(`files_dontaudit_rw_root_chr_files',`
dontaudit $1 root_t:chr_file { read write };
')
########################################
## <summary>
## Delete files in the root directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_delete_root_files',`
gen_require(`
type root_t;
')
allow $1 root_t:file unlink;
')
########################################
## <summary>
## Remove entries from the root directory.
@ -1695,6 +1731,25 @@ interface(`files_create_boot_dirs',`
allow $1 boot_t:dir { create rw_dir_perms };
')
########################################
## <summary>
## Create, read, write, and delete
## directories in /boot.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_manage_boot_dirs',`
gen_require(`
type boot_t;
')
allow $1 boot_t:dir manage_dir_perms;
')
########################################
## <summary>
## Create a private type object in boot
@ -1740,7 +1795,7 @@ interface(`files_read_boot_files',`
type boot_t;
')
manage_files_pattern($1, boot_t, boot_t)
read_files_pattern($1, boot_t, boot_t)
')
########################################
@ -2191,6 +2246,24 @@ interface(`files_list_etc',`
allow $1 etc_t:dir list_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to write to /etc dirs.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`files_dontaudit_write_etc_dirs',`
gen_require(`
type etc_t;
')
dontaudit $1 etc_t:dir write;
')
########################################
## <summary>
## Add and remove entries from /etc directories.
@ -2787,6 +2860,120 @@ interface(`files_delete_isid_type_files',`
delete_files_pattern($1, file_t, file_t)
')
########################################
## <summary>
## Delete symbolic links on new filesystems
## that have not yet been labeled.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_delete_isid_type_symlinks',`
gen_require(`
type file_t;
')
delete_lnk_files_pattern($1, file_t, file_t)
')
########################################
## <summary>
## Delete named pipes on new filesystems
## that have not yet been labeled.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_delete_isid_type_fifo_files',`
gen_require(`
type file_t;
')
delete_fifo_files_pattern($1, file_t, file_t)
')
########################################
## <summary>
## Delete named sockets on new filesystems
## that have not yet been labeled.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_delete_isid_type_sock_files',`
gen_require(`
type file_t;
')
delete_sock_files_pattern($1, file_t, file_t)
')
########################################
## <summary>
## Delete block files on new filesystems
## that have not yet been labeled.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_delete_isid_type_blk_files',`
gen_require(`
type file_t;
')
delete_blk_files_pattern($1, file_t, file_t)
')
########################################
## <summary>
## Do not audit attempts to write to character
## files that have not yet been labeled.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_dontaudit_write_isid_chr_files',`
gen_require(`
type file_t;
')
dontaudit $1 file_t:chr_file write;
')
########################################
## <summary>
## Delete chr files on new filesystems
## that have not yet been labeled.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_delete_isid_type_chr_files',`
gen_require(`
type file_t;
')
delete_chr_files_pattern($1, file_t, file_t)
')
########################################
## <summary>
## Create, read, write, and delete files
@ -2937,6 +3124,7 @@ interface(`files_search_home',`
')
allow $1 home_root_t:dir search_dir_perms;
allow $1 home_root_t:lnk_file read_lnk_file_perms;
')
########################################
@ -2956,6 +3144,7 @@ interface(`files_dontaudit_search_home',`
')
dontaudit $1 home_root_t:dir search_dir_perms;
dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
')
########################################
@ -2975,6 +3164,7 @@ interface(`files_dontaudit_list_home',`
')
dontaudit $1 home_root_t:dir list_dir_perms;
dontaudit $1 home_root_t:lnk_file read_lnk_file_perms;
')
########################################
@ -2993,6 +3183,7 @@ interface(`files_list_home',`
')
allow $1 home_root_t:dir list_dir_perms;
allow $1 home_root_t:lnk_file read_lnk_file_perms;
')
########################################
@ -3920,6 +4111,24 @@ interface(`files_purge_tmp',`
delete_sock_files_pattern($1, tmpfile, tmpfile)
')
########################################
## <summary>
## Set the attributes of the /usr directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_setattr_usr_dirs',`
gen_require(`
type usr_t;
')
allow $1 usr_t:dir setattr;
')
########################################
## <summary>
## Search the content of /etc.
@ -3957,6 +4166,24 @@ interface(`files_list_usr',`
allow $1 usr_t:dir list_dir_perms;
')
########################################
## <summary>
## Do not audit write of /usr dirs
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`files_dontaudit_write_usr_dirs',`
gen_require(`
type usr_t;
')
dontaudit $1 usr_t:dir write;
')
########################################
## <summary>
## Add and remove entries from /usr directories.
@ -3977,7 +4204,8 @@ interface(`files_rw_usr_dirs',`
########################################
## <summary>
## dontaudit Add and remove entries from /usr directories.
## Do not audit attempts to add and remove
## entries from /usr directories.
## </summary>
## <param name="domain">
## <summary>
@ -4026,7 +4254,7 @@ interface(`files_delete_usr_files',`
type usr_t;
')
allow $1 usr_t:file delete_file_perms;
delete_files_pattern($1, usr_t, usr_t)
')
########################################
@ -5033,6 +5261,24 @@ interface(`files_dontaudit_getattr_pid_dirs',`
dontaudit $1 var_run_t:dir getattr;
')
########################################
## <summary>
## Set the attributes of the /var/run directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_setattr_pid_dirs',`
gen_require(`
type var_run_t;
')
allow $1 var_run_t:dir setattr;
')
########################################
## <summary>
## Search the contents of runtime process
@ -5109,6 +5355,24 @@ interface(`files_read_generic_pids',`
read_files_pattern($1, var_run_t, var_run_t)
')
########################################
## <summary>
## Write named generic process ID pipes
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`files_write_generic_pid_pipes',`
gen_require(`
type var_run_t;
')
allow $1 var_run_t:fifo_file write;
')
########################################
## <summary>
## Create an object in the process ID directory, with a private type.
@ -5514,12 +5778,15 @@ interface(`files_polyinstantiate_all',`
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
fs_mount_tmpfs($1)
fs_unmount_tmpfs($1)
ifdef(`distro_redhat',`
# namespace.init
files_search_tmp($1)
files_search_home($1)
corecmd_exec_bin($1)
seutil_domtrans_setfiles($1)
mount_domtrans($1)
')
')
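Review bot: The Red Hat branch added at the end of `files_polyinstantiate_all` grants the calling domain transitions into the setfiles and mount domains (`seutil_domtrans_setfiles($1)`, `mount_domtrans($1)`) together with `corecmd_exec_bin($1)`, and the interface's `<desc>` block, which begins above this hunk, is not updated to say that on Red Hat this interface now hands out relabeling and mount capability; callers choosing this interface should be able to read that from its documentation. The only in-code explanation is the bare `# namespace.init` line, which should state what that script needs from these permissions (executing binaries, running setfiles and mount) so the reason for the transitions is recorded next to them. These calls also make the files module reach into the seutil and mount interfaces, which, if the usual kernel-layer/system-layer convention of this policy applies here, deserves a comment acknowledging the exception. Separately, `files_dontaudit_write_isid_chr_files` documents its parameter as `Domain allowed access.` where the other dontaudit interfaces in this commit use `Domain to not audit.`.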


@ -1,5 +1,5 @@
policy_module(files, 1.13.0)
policy_module(files, 1.13.1)
########################################
#
@ -194,6 +194,7 @@ fs_associate(file_type)
fs_associate_noxattr(file_type)
fs_associate_tmpfs(file_type)
fs_associate_ramfs(file_type)
fs_associate_hugetlbfs(file_type)
########################################
#