4 patches from dan.
This commit is contained in:
parent
edb7b90d89
commit
adea587572
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(kismet, 1.2.0)
|
||||
policy_module(kismet, 1.2.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -11,30 +11,39 @@ type kismet_exec_t;
|
|||
application_domain(kismet_t, kismet_exec_t)
|
||||
role system_r types kismet_t;
|
||||
|
||||
type kismet_var_run_t;
|
||||
files_pid_file(kismet_var_run_t)
|
||||
type kismet_log_t;
|
||||
logging_log_file(kismet_log_t)
|
||||
|
||||
type kismet_tmp_t;
|
||||
files_tmp_file(kismet_tmp_t)
|
||||
|
||||
type kismet_var_lib_t;
|
||||
files_type(kismet_var_lib_t)
|
||||
|
||||
type kismet_log_t;
|
||||
logging_log_file(kismet_log_t)
|
||||
type kismet_var_run_t;
|
||||
files_pid_file(kismet_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# kismet local policy
|
||||
#
|
||||
|
||||
allow kismet_t self:capability { net_admin net_raw setuid setgid };
|
||||
allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
|
||||
allow kismet_t self:process signal_perms;
|
||||
allow kismet_t self:fifo_file rw_file_perms;
|
||||
allow kismet_t self:packet_socket create_socket_perms;
|
||||
allow kismet_t self:unix_dgram_socket create_socket_perms;
|
||||
allow kismet_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow kismet_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow kismet_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
|
||||
allow kismet_t kismet_log_t:dir setattr;
|
||||
logging_log_filetrans(kismet_t, kismet_log_t, { file dir })
|
||||
|
||||
manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
|
||||
manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
|
||||
files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir })
|
||||
|
||||
allow kismet_t kismet_var_lib_t:file manage_file_perms;
|
||||
allow kismet_t kismet_var_lib_t:dir manage_dir_perms;
|
||||
files_var_lib_filetrans(kismet_t, kismet_var_lib_t, { file dir })
|
||||
|
@ -47,9 +56,20 @@ kernel_search_debugfs(kismet_t)
|
|||
|
||||
corecmd_exec_bin(kismet_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(kismet_t)
|
||||
corenet_all_recvfrom_netlabel(kismet_t)
|
||||
corenet_tcp_sendrecv_generic_if(kismet_t)
|
||||
corenet_tcp_sendrecv_generic_node(kismet_t)
|
||||
corenet_tcp_sendrecv_all_ports(kismet_t)
|
||||
corenet_tcp_bind_generic_node(kismet_t)
|
||||
corenet_tcp_bind_kismet_port(kismet_t)
|
||||
corenet_tcp_connect_kismet_port(kismet_t)
|
||||
corenet_tcp_connect_pulseaudio_port(kismet_t)
|
||||
|
||||
auth_use_nsswitch(kismet_t)
|
||||
|
||||
files_read_etc_files(kismet_t)
|
||||
files_read_usr_files(kismet_t)
|
||||
|
||||
miscfiles_read_localization(kismet_t)
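Review bot: The capability line in the second hunk widens kismet_t to `{ dac_override kill net_admin net_raw setuid setgid }` with no comment saying which operation needed dac_override or kill, and neither is implied by anything else in the hunk. In refpolicy, dac_override on a root daemon is usually a symptom of a file or directory owned by another user (a log or pid file created before the setuid drop, for instance) rather than a real requirement, and the fix is ownership, or a dontaudit if it is harmless noise. If the capability is genuinely needed, a one-line justification above the rule, e.g. `# dac_override: <reason seen in the audit log>`, keeps the next reviewer from removing it. Likewise the new `kismet_var_lib_t` gets `files_type()` here, which is the right choice and is worth keeping consistent across the other modules in this commit.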
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(logrotate, 1.11.0)
|
||||
policy_module(logrotate, 1.11.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -189,3 +189,7 @@ optional_policy(`
|
|||
optional_policy(`
|
||||
squid_domtrans(logrotate_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
varnishd_manage_log(logrotate_t)
|
||||
')
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(logwatch, 1.9.1)
|
||||
policy_module(logwatch, 1.9.2)
|
||||
|
||||
#################################
|
||||
#
|
||||
|
@ -96,6 +96,11 @@ userdom_dontaudit_search_user_home_dirs(logwatch_t)
|
|||
|
||||
mta_send_mail(logwatch_t)
|
||||
|
||||
ifdef(`distro_redhat',`
|
||||
files_search_all(logwatch_t)
|
||||
files_getattr_all_file_type_fs(logwatch_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
apache_read_log(logwatch_t)
|
||||
')
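Review bot: The new `ifdef(`distro_redhat',` block grants `files_search_all` and `files_getattr_all_file_type_fs` to logwatch_t without a comment on why a log summariser needs to walk and stat every file type on the system. Those two interfaces are among the broadest in the files module; if the need is a single logwatch service (disk-usage or zz-* reports, say) a narrower interface, or a dontaudit if the access is merely noisy, would be preferable. At minimum add a line such as `# <service> walks all mounted filesystems` above the block so the grant is reviewable later. The `apache_read_log` addition below it is fine as written.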
|
||||
|
|
|
@ -5,3 +5,5 @@
|
|||
|
||||
/var/log/prelink\.log -- gen_context(system_u:object_r:prelink_log_t,s0)
|
||||
/var/log/prelink(/.*)? gen_context(system_u:object_r:prelink_log_t,s0)
|
||||
|
||||
/var/lib/misc/prelink.* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)
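Review bot: The added file context `/var/lib/misc/prelink.* --` uses an unescaped dot, so the regex matches any single character after `prelink` (and `prelinkX...` names), unlike `prelink\.log` two lines above which escapes it. If the intent is the prelink cache files (`prelink.cache` and friends) the consistent spelling is `/var/lib/misc/prelink\..* -- gen_context(system_u:object_r:prelink_var_lib_t,s0)`. The looser pattern is unlikely to cause harm in that directory, but the mismatch with the line above reads like an oversight.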
|
||||
|
|
|
@ -120,3 +120,23 @@ interface(`prelink_manage_log',`
|
|||
logging_search_logs($1)
|
||||
manage_files_pattern($1, prelink_log_t, prelink_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete
|
||||
## prelink var_lib files.
|
||||
## </summary>
|
||||
## <param name="file_type">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`prelink_manage_lib',`
|
||||
gen_require(`
|
||||
type prelink_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
|
||||
')
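Review bot: The new `prelink_manage_lib` interface documents its only parameter as `## <param name="file_type">` although the argument is the caller domain, as the summary "Domain allowed access." and the `$1` usage in `files_search_var_lib($1)` show; the refpolicy convention is `## <param name="domain">`, so the XML doc is wrong for this interface. Two smaller points: the interface name drops "var" while the summary says "var_lib files", and `prelink_manage_var_lib` would match the type name and sibling interfaces; and the interface grants only `manage_files_pattern`, while the .te in this same commit also gives prelink_t `manage_dirs_pattern` on prelink_var_lib_t, so callers cannot create the directory — if that is intentional the summary should say "files" only, which it does.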
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(prelink, 1.6.0)
|
||||
policy_module(prelink, 1.6.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -21,12 +21,15 @@ logging_log_file(prelink_log_t)
|
|||
type prelink_tmp_t;
|
||||
files_tmp_file(prelink_tmp_t)
|
||||
|
||||
type prelink_var_lib_t;
|
||||
files_tmp_file(prelink_var_lib_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow prelink_t self:capability { chown dac_override fowner fsetid };
|
||||
allow prelink_t self:capability { chown dac_override fowner fsetid sys_resource };
|
||||
allow prelink_t self:process { execheap execmem execstack signal };
|
||||
allow prelink_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
|
@ -40,17 +43,20 @@ append_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
|
|||
read_lnk_files_pattern(prelink_t, prelink_log_t, prelink_log_t)
|
||||
logging_log_filetrans(prelink_t, prelink_log_t, file)
|
||||
|
||||
allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom };
|
||||
allow prelink_t prelink_tmp_t:file { manage_file_perms execute relabelfrom execmod };
|
||||
files_tmp_filetrans(prelink_t, prelink_tmp_t, file)
|
||||
fs_tmpfs_filetrans(prelink_t, prelink_tmp_t, file)
|
||||
|
||||
manage_dirs_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
|
||||
manage_files_pattern(prelink_t, prelink_var_lib_t, prelink_var_lib_t)
|
||||
files_search_var_lib(prelink_t)
|
||||
|
||||
# prelink misc objects that are not system
|
||||
# libraries or entrypoints
|
||||
allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
|
||||
|
||||
kernel_read_system_state(prelink_t)
|
||||
kernel_dontaudit_search_kernel_sysctl(prelink_t)
|
||||
kernel_dontaudit_search_sysctl(prelink_t)
|
||||
kernel_read_kernel_sysctls(prelink_t)
|
||||
|
||||
corecmd_manage_all_executables(prelink_t)
|
||||
corecmd_relabel_all_executables(prelink_t)
|
||||
|
@ -65,6 +71,9 @@ files_write_non_security_dirs(prelink_t)
|
|||
files_read_etc_files(prelink_t)
|
||||
files_read_etc_runtime_files(prelink_t)
|
||||
files_dontaudit_read_all_symlinks(prelink_t)
|
||||
files_manage_usr_files(prelink_t)
|
||||
files_manage_var_files(prelink_t)
|
||||
files_relabelfrom_usr_files(prelink_t)
|
||||
|
||||
fs_getattr_xattr_fs(prelink_t)
|
||||
|
||||
|
@ -88,3 +97,7 @@ optional_policy(`
|
|||
optional_policy(`
|
||||
cron_system_entry(prelink_t, prelink_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
unconfined_domain(prelink_t)
|
||||
')
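Review bot: In the hunk at `@ -21,12 +21,15 @@`, the new type is declared with `files_tmp_file(prelink_var_lib_t)`, which attributes it as a temporary-file type, but the .fc change in this commit labels `/var/lib/misc/prelink.*` with it and the kismet module in the same commit correctly uses `files_type(kismet_var_lib_t)` for its var_lib type. A persistent cache under /var/lib should be `files_type(prelink_var_lib_t)`; the tmp attribute would let tmp-cleaning and tmp-polyinstantiation rules apply to it. Separately, the last hunk adds `optional_policy(` unconfined_domain(prelink_t) `)`, which turns prelink into an unconfined domain whenever the unconfined module is loaded and makes every other rule in this file moot on such systems; a comment stating why confinement cannot work for prelink, or a tunable, would make that choice reviewable. The `sys_resource` capability added in the earlier hunk also has no justification comment.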
|
||||
|
|