165 lines
4.9 KiB
Plaintext
165 lines
4.9 KiB
Plaintext
policy_module(userhelper)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute consolehelper_type;
|
|
attribute userhelper_type;
|
|
|
|
attribute_role consolehelper_roles;
|
|
attribute_role userhelper_roles;
|
|
|
|
type userhelper_conf_t;
|
|
files_config_file(userhelper_conf_t)
|
|
|
|
type userhelper_exec_t;
|
|
application_executable_file(userhelper_exec_t)
|
|
|
|
type consolehelper_exec_t;
|
|
application_executable_file(consolehelper_exec_t)
|
|
|
|
########################################
|
|
#
|
|
# Common consolehelper domain local policy
|
|
#
|
|
|
|
allow consolehelper_type self:capability { dac_override setgid setuid };
|
|
allow consolehelper_type self:process signal;
|
|
allow consolehelper_type self:fifo_file rw_fifo_file_perms;
|
|
allow consolehelper_type self:unix_stream_socket create_stream_socket_perms;
|
|
allow consolehelper_type self:shm create_shm_perms;
|
|
|
|
dontaudit consolehelper_type userhelper_conf_t:file audit_access;
|
|
read_files_pattern(consolehelper_type, userhelper_conf_t, userhelper_conf_t)
|
|
|
|
domain_use_interactive_fds(consolehelper_type)
|
|
|
|
kernel_read_system_state(consolehelper_type)
|
|
kernel_read_kernel_sysctls(consolehelper_type)
|
|
|
|
corecmd_exec_bin(consolehelper_type)
|
|
|
|
dev_getattr_all_chr_files(consolehelper_type)
|
|
dev_dontaudit_list_all_dev_nodes(consolehelper_type)
|
|
|
|
files_read_config_files(consolehelper_type)
|
|
files_read_usr_files(consolehelper_type)
|
|
|
|
fs_getattr_all_dirs(consolehelper_type)
|
|
fs_getattr_all_fs(consolehelper_type)
|
|
fs_search_auto_mountpoints(consolehelper_type)
|
|
files_search_mnt(consolehelper_type)
|
|
|
|
term_list_ptys(consolehelper_type)
|
|
|
|
auth_search_pam_console_data(consolehelper_type)
|
|
auth_read_pam_runtime_files(consolehelper_type)
|
|
|
|
miscfiles_read_localization(consolehelper_type)
|
|
miscfiles_read_fonts(consolehelper_type)
|
|
|
|
userhelper_exec(consolehelper_type)
|
|
|
|
userdom_use_user_terminals(consolehelper_type)
|
|
|
|
# might want to make this consolehelper_tmp_t
|
|
userdom_manage_user_tmp_dirs(consolehelper_type)
|
|
userdom_manage_user_tmp_files(consolehelper_type)
|
|
userdom_tmp_filetrans_user_tmp(consolehelper_type, { dir file })
|
|
userdom_user_runtime_filetrans_user_tmp(consolehelper_type, { dir file })
|
|
|
|
tunable_policy(`use_nfs_home_dirs',`
|
|
fs_search_nfs(consolehelper_type)
|
|
')
|
|
|
|
tunable_policy(`use_samba_home_dirs',`
|
|
fs_search_cifs(consolehelper_type)
|
|
')
|
|
|
|
optional_policy(`
|
|
shutdown_run(consolehelper_type, consolehelper_roles)
|
|
shutdown_signal(consolehelper_type)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_domtrans_xauth(consolehelper_type)
|
|
xserver_read_xdm_runtime_files(consolehelper_type)
|
|
xserver_stream_connect(consolehelper_type)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Common userhelper domain local policy
|
|
#
|
|
|
|
allow userhelper_type self:capability { chown dac_override net_bind_service setgid setuid sys_tty_config };
|
|
allow userhelper_type self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
|
|
allow userhelper_type self:fd use;
|
|
allow userhelper_type self:fifo_file rw_fifo_file_perms;
|
|
allow userhelper_type self:shm create_shm_perms;
|
|
allow userhelper_type self:sem create_sem_perms;
|
|
allow userhelper_type self:msgq create_msgq_perms;
|
|
allow userhelper_type self:msg { send receive };
|
|
allow userhelper_type self:unix_dgram_socket sendto;
|
|
allow userhelper_type self:unix_stream_socket { accept connectto listen };
|
|
|
|
dontaudit userhelper_type userhelper_conf_t:file audit_access;
|
|
read_files_pattern(userhelper_type, userhelper_conf_t, userhelper_conf_t)
|
|
|
|
can_exec(userhelper_type, userhelper_exec_t)
|
|
|
|
kernel_read_all_sysctls(userhelper_type)
|
|
kernel_getattr_debugfs(userhelper_type)
|
|
kernel_read_system_state(userhelper_type)
|
|
|
|
corecmd_exec_shell(userhelper_type)
|
|
|
|
domain_use_interactive_fds(userhelper_type)
|
|
domain_sigchld_interactive_fds(userhelper_type)
|
|
|
|
dev_read_urand(userhelper_type)
|
|
dev_list_all_dev_nodes(userhelper_type)
|
|
|
|
files_list_var_lib(userhelper_type)
|
|
files_read_var_files(userhelper_type)
|
|
files_read_var_symlinks(userhelper_type)
|
|
files_search_home(userhelper_type)
|
|
|
|
fs_getattr_all_fs(userhelper_type)
|
|
fs_search_auto_mountpoints(userhelper_type)
|
|
|
|
selinux_get_fs_mount(userhelper_type)
|
|
selinux_validate_context(userhelper_type)
|
|
selinux_compute_access_vector(userhelper_type)
|
|
selinux_compute_create_context(userhelper_type)
|
|
selinux_compute_relabel_context(userhelper_type)
|
|
selinux_compute_user_contexts(userhelper_type)
|
|
|
|
term_list_ptys(userhelper_type)
|
|
term_relabel_all_ttys(userhelper_type)
|
|
term_relabel_all_ptys(userhelper_type)
|
|
term_use_all_ttys(userhelper_type)
|
|
term_use_all_ptys(userhelper_type)
|
|
|
|
auth_manage_pam_runtime_dirs(userhelper_type)
|
|
auth_manage_pam_runtime_files(userhelper_type)
|
|
auth_manage_var_auth(userhelper_type)
|
|
auth_search_pam_console_data(userhelper_type)
|
|
|
|
init_use_fds(userhelper_type)
|
|
init_manage_utmp(userhelper_type)
|
|
init_runtime_filetrans_utmp(userhelper_type)
|
|
|
|
logging_send_syslog_msg(userhelper_type)
|
|
|
|
miscfiles_read_localization(userhelper_type)
|
|
|
|
seutil_read_config(userhelper_type)
|
|
seutil_read_default_contexts(userhelper_type)
|
|
|
|
optional_policy(`
|
|
rpm_domtrans(userhelper_type)
|
|
')
|