rules picked up from sediff
This commit is contained in:
Chris PeBenito
parent
a01ab8ccb4
commit
f1470e5ede
|
|
@ -18,8 +18,8 @@ kernel_read_directory_from(sbin_t)
|
|||
#
|
||||
# ls_exec_t is the type of the ls program.
|
||||
#
|
||||
#type ls_exec_t;
|
||||
typealias bin_t alias ls_exec_t;
|
||||
type ls_exec_t;
|
||||
files_make_file(ls_exec_t)
|
||||
|
||||
#
|
||||
# shell_exec_t is the type of user shells such as /bin/bash.
|
||||
|
|
|
|||
|
|
@ -30,18 +30,9 @@ class lnk_file { getattr read };
|
|||
# domain_make_domain(domain)
|
||||
#
|
||||
define(`domain_make_domain',`
|
||||
requires_block_template(`$0'_depend)
|
||||
|
||||
domain_make_base_domain($1,optional)
|
||||
|
||||
files_read_root_dir($1,optional)
|
||||
init_sigchld($1,optional)
|
||||
')
|
||||
|
||||
define(`domain_make_domain_depend',`
|
||||
domain_make_base_domain_depend
|
||||
files_read_root_dir_depend
|
||||
init_send_sigchld_depend
|
||||
domain_make_base_domain($1)
|
||||
files_read_root_dir($1)
|
||||
init_sigchld($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
@ -51,7 +42,7 @@ init_send_sigchld_depend
|
|||
define(`domain_make_entrypoint_file',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 $2:file entrypoint;
|
||||
files_make_file($2,$3)
|
||||
files_make_file($2)
|
||||
typeattribute $1 entry_type;
|
||||
')
|
||||
|
||||
|
|
@ -239,3 +230,17 @@ define(`domain_execute_all_entrypoint_programs_depend',`
|
|||
attribute entry_type;
|
||||
class file { getattr read execute execute_no_trans };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# domain_read_all_entrypoint_programs(domain)
|
||||
#
|
||||
define(`domain_read_all_entrypoint_programs',`
|
||||
requires_block_template(`$0'_depend)
|
||||
allow $1 entry_type:{ file lnk_file } { getattr read };
|
||||
')
|
||||
|
||||
define(`domain_read_all_entrypoint_programs_depend',`
|
||||
attribute entry_type;
|
||||
class file { getattr read };
|
||||
')
|
||||
|
|
|
|||
|
|
@ -7,14 +7,12 @@
|
|||
define(`files_make_file',`
|
||||
requires_block_template(`$0'_depend)
|
||||
typeattribute $1 file_type;
|
||||
filesystem_associate($1,optional)
|
||||
filesystem_noxattr_associate($1,optional)
|
||||
filesystem_associate($1)
|
||||
filesystem_noxattr_associate($1)
|
||||
')
|
||||
|
||||
define(`files_make_file_depend',`
|
||||
attribute file_type;
|
||||
filesystem_associate_depend
|
||||
filesystem_noxattr_associate_depend
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
|||
|
|
@ -395,11 +395,19 @@ kernel_ignore_get_message_interface_attributes(initrc_t)
|
|||
# Run_init local policy
|
||||
#
|
||||
|
||||
kernel_get_selinuxfs_mount_point(run_init_t)
|
||||
kernel_validate_selinux_context(run_init_t)
|
||||
kernel_compute_selinux_av(run_init_t)
|
||||
kernel_compute_create(run_init_t)
|
||||
kernel_compute_relabel(run_init_t)
|
||||
kernel_compute_reachable_user_contexts(run_init_t)
|
||||
|
||||
tunable_policy(`targeted_policy',`
|
||||
# targeted/unconfined stuff
|
||||
',`
|
||||
allow run_init_t initrc_t:process transition;
|
||||
allow run_init_t initrc_exec_t:file { getattr read execute };
|
||||
dontaudit run_init_t initrc_t : process { noatsecure siginh rlimitinh };
|
||||
|
||||
# for utmp
|
||||
allow run_init_t initrc_var_run_t:file { getattr read write };
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ type iptables_tmp_t;
|
|||
files_make_file(iptables_tmp_t)
|
||||
|
||||
type iptables_var_run_t; #, pidfile;
|
||||
files_make_file(iptables_t)
|
||||
files_make_file(iptables_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -18,13 +18,25 @@ files_make_file(local_login_tmp_t)
|
|||
#
|
||||
|
||||
allow local_login_t self:capability { dac_override chown fowner fsetid kill setgid setuid net_bind_service sys_nice sys_resource sys_tty_config };
|
||||
allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
|
||||
allow local_login_t self:process { setrlimit setexec };
|
||||
allow local_login_t self:fd use;
|
||||
allow local_login_t self:fifo_file { read getattr lock ioctl write append };
|
||||
allow local_login_t self:unix_dgram_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow local_login_t self:unix_stream_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown listen accept };
|
||||
allow local_login_t self:unix_dgram_socket sendto;
|
||||
allow local_login_t self:unix_stream_socket connectto;
|
||||
allow local_login_t self:shm { associate getattr setattr create destroy read write lock unix_read unix_write };
|
||||
allow local_login_t self:sem { associate getattr setattr create destroy read write unix_read unix_write };
|
||||
allow local_login_t self:msgq { associate getattr setattr create destroy read write enqueue unix_read unix_write };
|
||||
allow local_login_t self:msg { send receive };
|
||||
|
||||
allow local_login_t local_login_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
||||
allow local_login_t local_login_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
files_create_private_tmp_data(local_login_t, local_login_tmp_t, { file dir })
|
||||
|
||||
kernel_read_system_state(local_login_t)
|
||||
kernel_read_kernel_sysctl(local_login_t)
|
||||
kernel_get_selinuxfs_mount_point(local_login_t)
|
||||
kernel_validate_selinux_context(local_login_t)
|
||||
kernel_compute_selinux_av(local_login_t)
|
||||
|
|
@ -41,8 +53,12 @@ terminal_use_general_physical_terminal(local_login_t)
|
|||
init_script_modify_runtime_data(local_login_t)
|
||||
init_ignore_use_file_descriptors(local_login_t)
|
||||
|
||||
domain_read_all_entrypoint_programs(local_login_t)
|
||||
|
||||
files_read_general_system_config(local_login_t)
|
||||
files_read_runtime_system_config(local_login_t)
|
||||
files_list_home_directories(local_login_t)
|
||||
files_read_general_application_resources(local_login_t)
|
||||
|
||||
libraries_use_dynamic_loader(local_login_t)
|
||||
libraries_read_shared_libraries(local_login_t)
|
||||
|
|
@ -61,9 +77,20 @@ authlogin_pam_console_manage_runtime_data(local_login_t)
|
|||
miscfiles_read_localization(local_login_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
general_domain_access(local_login_t)
|
||||
allow local_login_t unpriv_userdomain:fd use;
|
||||
can_ypbind(local_login_t)
|
||||
ifdef(`automount.te', `
|
||||
allow local_login_t autofs_t:dir { search getattr };
|
||||
')
|
||||
|
||||
base_file_read_access(local_login_t)
|
||||
allow local_login_t bin_t:dir r_dir_perms;
|
||||
allow local_login_t bin_t:notdevfile_class_set r_file_perms;
|
||||
allow local_login_t sbin_t:dir r_dir_perms;
|
||||
allow local_login_t sbin_t:notdevfile_class_set r_file_perms;
|
||||
if (read_default_t) {
|
||||
allow local_login_t default_t:dir r_dir_perms;
|
||||
allow local_login_t default_t:notdevfile_class_set r_file_perms;
|
||||
}
|
||||
|
||||
# Read directories and files with the readable_t type.
|
||||
# This type is a general type for "world"-readable files.
|
||||
|
|
@ -76,9 +103,6 @@ allow local_login_t { var_t var_spool_t }:dir search;
|
|||
# for when /var/mail is a sym-link
|
||||
allow local_login_t var_t:lnk_file read;
|
||||
|
||||
# Read executable types.
|
||||
allow local_login_t exec_type:{ file lnk_file } r_file_perms;
|
||||
|
||||
# Read /dev directories and any symbolic links.
|
||||
allow local_login_t device_t:lnk_file r_file_perms;
|
||||
|
||||
|
|
|
|||
|
|
@ -27,6 +27,8 @@ allow $1 syslogd_t:unix_dgram_socket sendto;
|
|||
allow $1 syslogd_t:unix_stream_socket connectto;
|
||||
allow $1 self:unix_dgram_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
allow $1 self:unix_stream_socket { create read getattr write setattr append bind connect getopt setopt shutdown };
|
||||
# cjp: this should most likely be removed:
|
||||
terminal_use_console($1)
|
||||
')
|
||||
|
||||
define(`logging_send_system_log_message_depend',`
|
||||
|
|
|
|||
|
|
@ -195,7 +195,9 @@ files_create_private_config(update_modules_t,modules_conf_t)
|
|||
|
||||
# transition to depmod
|
||||
allow update_modules_t depmod_exec_t:file { getattr read execute };
|
||||
allow update_modules_t depmod_t:process transition;
|
||||
type_transition update_modules_t depmod_exec_t:process depmod_t;
|
||||
dontaudit update_modules_t depmod_t : process { noatsecure siginh rlimitinh };
|
||||
|
||||
allow update_modules_t update_modules_tmp_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir };
|
||||
allow update_modules_t update_modules_tmp_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
|
|
|
|||
|
|
@ -77,6 +77,8 @@ kernel_transition_from(udev_t,udev_exec_t)
|
|||
|
||||
devices_manage_device_nodes(udev_t)
|
||||
|
||||
filesystem_get_all_filesystems_attributes(udev_t)
|
||||
|
||||
init_script_read_runtime_data(udev_t)
|
||||
|
||||
files_read_runtime_system_config(udev_t)
|
||||
|
|
|
|||
Loading…
Reference in New Issue