Chris PeBenito
GitHub
commit
5d6f436800
@ -2,7 +2,7 @@
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Dontaudit acces to the swap file.
|
||||
## Dontaudit access to the swap file.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
|
||||
@ -120,7 +120,7 @@ interface(`firstboot_rw_pipes',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attemps to read and
|
||||
## Do not audit attempts to read and
|
||||
## write firstboot unnamed pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@ -139,7 +139,7 @@ interface(`firstboot_dontaudit_rw_pipes',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attemps to read and
|
||||
## Do not audit attempts to read and
|
||||
## write firstboot unix domain
|
||||
## stream sockets.
|
||||
## </summary>
|
||||
|
||||
@ -21,7 +21,7 @@ allow cryfs_t self:capability { dac_read_search sys_admin };
|
||||
allow cryfs_t self:process { getsched signal };
|
||||
allow cryfs_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
# CryFS 0.9.10 can check for updates everytime it runs, if it is not compiled with CRYFS_NO_UPDATE_CHECKS (option -DCRYFS_UPDATE_CHECKS=off).
|
||||
# CryFS 0.9.10 can check for updates every time it runs, if it is not compiled with CRYFS_NO_UPDATE_CHECKS (option -DCRYFS_UPDATE_CHECKS=off).
|
||||
# When update checks are disabled (for example with Debian package), libcurl is nonetheless initialized.
|
||||
# curl_global_init() calls Curl_ipv6works(), which uses socket(PF_INET6, SOCK_DGRAM, 0) to check for IPv6 support.
|
||||
# Hide this useless access.
|
||||
|
||||
@ -11,7 +11,7 @@
|
||||
########################################
|
||||
## <summary>
|
||||
## Make the specified type usable for files
|
||||
## that are exectuables, such as binary programs.
|
||||
## that are executables, such as binary programs.
|
||||
## This does not include shared libraries.
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
@ -32,7 +32,7 @@ interface(`corecmd_executable_file',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Make general progams in bin an entrypoint for
|
||||
## Make general programs in bin an entrypoint for
|
||||
## the specified domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@ -303,7 +303,7 @@ interface(`corecmd_read_bin_sockets',`
|
||||
## </p>
|
||||
## <p>
|
||||
## Typically, this interface should be used when the domain
|
||||
## executes general system progams within the privileges
|
||||
## executes general system programs within the privileges
|
||||
## of the source domain. Some examples of these programs
|
||||
## are ls, cp, sed, python, and tar. This does not include
|
||||
## shells, such as bash.
|
||||
|
||||
@ -2738,7 +2738,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
|
||||
## Allow the specified domain to receive packets from an
|
||||
## unlabeled connection. On machines that do not utilize
|
||||
## labeled networking, this will be required on all
|
||||
## networking domains. On machines tha do utilize
|
||||
## networking domains. On machines that do utilize
|
||||
## labeled networking, this will be required for any
|
||||
## networking domain that is allowed to receive
|
||||
## network traffic that does not have a label.
|
||||
|
||||
@ -211,7 +211,7 @@ ifdef(`distro_debian',`
|
||||
|
||||
/etc/udev/devices -d gen_context(system_u:object_r:device_t,s0)
|
||||
|
||||
# used by init scripts to initally populate udev /dev
|
||||
# used by init scripts to initially populate udev /dev
|
||||
/usr/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0)
|
||||
/usr/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
|
||||
|
||||
@ -185,7 +185,7 @@ interface(`domain_dyntrans_type',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Makes caller and execption to the constraint
|
||||
## Makes caller and exception to the constraint
|
||||
## preventing changing to the system user
|
||||
## identity and system role.
|
||||
## </summary>
|
||||
@ -1040,7 +1040,7 @@ interface(`domain_dontaudit_rw_all_udp_sockets',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get attribues of
|
||||
## Do not audit attempts to get attributes of
|
||||
## all domains IPSEC key management sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@ -1059,7 +1059,7 @@ interface(`domain_dontaudit_getattr_all_key_sockets',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get attribues of
|
||||
## Do not audit attempts to get attributes of
|
||||
## all domains packet sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
@ -1078,7 +1078,7 @@ interface(`domain_dontaudit_getattr_all_packet_sockets',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get attribues of
|
||||
## Do not audit attempts to get attributes of
|
||||
## all domains raw sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
|
||||
@ -5908,7 +5908,7 @@ interface(`files_read_var_lib_symlinks',`
|
||||
')
|
||||
|
||||
# cjp: the next two interfaces really need to be fixed
|
||||
# in some way. They really neeed their own types.
|
||||
# in some way. They really need their own types.
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@ -7030,7 +7030,7 @@ interface(`files_manage_all_runtime_dirs',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain alloed access.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -7151,7 +7151,7 @@ interface(`files_delete_all_runtime_files',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain alloed access.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -7207,7 +7207,7 @@ interface(`files_delete_all_runtime_symlinks',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain alloed access.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -7225,7 +7225,7 @@ interface(`files_manage_all_runtime_symlinks',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain alloed access.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -7317,7 +7317,7 @@ interface(`files_delete_all_runtime_sockets',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain alloed access.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -7472,7 +7472,7 @@ interface(`files_delete_all_pid_dirs',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain alloed access.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -7489,7 +7489,7 @@ interface(`files_manage_all_pids',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain alloed access.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -7504,7 +7504,7 @@ interface(`files_relabel_all_pid_dirs',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain alloed access.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
@ -7519,7 +7519,7 @@ interface(`files_relabel_all_pid_sock_files',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain alloed access.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
||||
@ -168,7 +168,7 @@ type var_lib_t;
|
||||
files_mountpoint(var_lib_t)
|
||||
|
||||
#
|
||||
# var_lock_t is tye type of /var/lock
|
||||
# var_lock_t is the type of /var/lock
|
||||
#
|
||||
type var_lock_t;
|
||||
files_lock_file(var_lock_t)
|
||||
|
||||
@ -1529,7 +1529,7 @@ interface(`fs_manage_noxattr_fs_symlinks',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel all objets from filesystems that
|
||||
## Relabel all objects from filesystems that
|
||||
## do not support extended attributes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
|
||||
@ -1251,7 +1251,7 @@ interface(`kernel_rw_software_raid_state',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allows caller to get attribues of core kernel interface.
|
||||
## Allows caller to get attributes of core kernel interface.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -2270,7 +2270,7 @@ interface(`kernel_read_fs_sysctls',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write fileystem sysctls.
|
||||
## Read and write filesystem sysctls.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -3258,7 +3258,7 @@ interface(`kernel_relabelfrom_unlabeled_chr_devs',`
|
||||
## unlabeled IPSEC association. Network
|
||||
## connections that are not protected
|
||||
## by IPSEC have use an unlabeled
|
||||
## assocation.
|
||||
## association.
|
||||
## </p>
|
||||
## <p>
|
||||
## The corenetwork interface
|
||||
@ -3291,7 +3291,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
|
||||
## from an unlabeled IPSEC association. Network
|
||||
## connections that are not protected
|
||||
## by IPSEC have use an unlabeled
|
||||
## assocation.
|
||||
## association.
|
||||
## </p>
|
||||
## <p>
|
||||
## The corenetwork interface
|
||||
|
||||
@ -517,7 +517,7 @@ if( ! secure_mode_insmod ) {
|
||||
|
||||
########################################
|
||||
#
|
||||
# Rules for unconfined acccess to this module
|
||||
# Rules for unconfined access to this module
|
||||
#
|
||||
|
||||
allow kern_unconfined proc_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton audit_access execmod watch };
|
||||
|
||||
@ -828,7 +828,7 @@ interface(`mls_fd_use_all_levels',`
|
||||
########################################
|
||||
## <summary>
|
||||
## Make the file descriptors from the
|
||||
## specifed domain inheritable by
|
||||
## specified domain inheritable by
|
||||
## all levels.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
|
||||
@ -534,7 +534,7 @@ interface(`storage_write_scsi_generic',`
|
||||
########################################
|
||||
## <summary>
|
||||
## Set attributes of the device nodes
|
||||
## for the SCSI generic inerface.
|
||||
## for the SCSI generic interface.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
|
||||
@ -323,7 +323,7 @@ interface(`term_use_console',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attemtps to read from
|
||||
## Do not audit attempts to read from
|
||||
## or write to the console.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
## <summary>Least privledge terminal user role.</summary>
|
||||
## <summary>Least privilege terminal user role.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
## <summary>Least privledge xwindows user role.</summary>
|
||||
## <summary>Least privilege xwindows user role.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
||||
@ -108,7 +108,7 @@ gen_tunable(httpd_dbus_avahi, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Determine wether httpd can use support.
|
||||
## Determine whether httpd can use support.
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(httpd_enable_cgi, false)
|
||||
|
||||
@ -104,7 +104,7 @@ miscfiles_read_localization(couchdb_t)
|
||||
#
|
||||
|
||||
# this is a complete policy. It processes the javascript
|
||||
# ouside the main process, passing data via FIFO.
|
||||
# outside the main process, passing data via FIFO.
|
||||
allow couchdb_js_t self:process { execmem getsched setsched };
|
||||
|
||||
files_read_usr_files(couchdb_js_t)
|
||||
|
||||
@ -296,7 +296,7 @@ interface(`cron_admin_role',`
|
||||
########################################
|
||||
## <summary>
|
||||
## Make the specified program domain
|
||||
## accessable from the system cron jobs.
|
||||
## accessible from the system cron jobs.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
|
||||
@ -113,7 +113,7 @@ interface(`mailman_domtrans_cgi',`
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowd access.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
|
||||
@ -69,7 +69,7 @@ interface(`nis_use_ypbind_uncond',`
|
||||
## <p>
|
||||
## Allow the specified domain to use the ypbind service
|
||||
## to access Network Information Service (NIS) services.
|
||||
## Information that can be retreived from NIS includes
|
||||
## Information that can be retrieved from NIS includes
|
||||
## usernames, passwords, home directories, and groups.
|
||||
## If the network is configured to have a single sign-on
|
||||
## using NIS, it is likely that any program that does
|
||||
|
||||
@ -22,7 +22,7 @@ interface(`oddjob_domtrans',`
|
||||
########################################
|
||||
## <summary>
|
||||
## Make the specified program domain
|
||||
## accessable from the oddjob.
|
||||
## accessible from the oddjob.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
|
||||
@ -179,7 +179,7 @@ interface(`rhsmcertd_manage_lib_dirs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read rhsmcertd pid files. (Deprectated)
|
||||
## Read rhsmcertd pid files. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
|
||||
@ -61,7 +61,7 @@ interface(`ricci_dontaudit_use_modcluster_fds',`
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read write
|
||||
## ricci modcluster unamed pipes.
|
||||
## ricci modcluster unnamed pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
## <summary>Shibboleth authentication deamon</summary>
|
||||
## <summary>Shibboleth authentication daemon</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
|
||||
@ -24,7 +24,7 @@ interface(`application_type',`
|
||||
########################################
|
||||
## <summary>
|
||||
## Make the specified type usable for files
|
||||
## that are exectuables, such as binary programs.
|
||||
## that are executables, such as binary programs.
|
||||
## This does not include shared libraries.
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
|
||||
@ -1098,7 +1098,7 @@ interface(`auth_read_pam_pid',`
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Do not audit attemps to read PAM PID files. (Deprecated)
|
||||
## Do not audit attempts to read PAM PID files. (Deprecated)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -1241,7 +1241,7 @@ interface(`auth_read_pam_runtime_files',`
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Do not audit attemps to read PAM runtime files.
|
||||
## Do not audit attempts to read PAM runtime files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
@ -1554,7 +1554,7 @@ interface(`auth_run_utempter',`
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Do not audit attemps to execute utempter executable.
|
||||
## Do not audit attempts to execute utempter executable.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
|
||||
@ -146,6 +146,6 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
udev_read_db(iptables_t)
|
||||
# this is for iptables_t to inherit a file hande from xen vif-bridge
|
||||
# this is for iptables_t to inherit a file handle from xen vif-bridge
|
||||
udev_manage_runtime_files(iptables_t)
|
||||
')
|
||||
|
||||
@ -997,7 +997,7 @@ interface(`logging_dontaudit_getattr_all_logs',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the atttributes of any log file
|
||||
## Read the attributes of any log file
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
|
||||
@ -51,7 +51,7 @@ template(`systemd_role_template',`
|
||||
allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
|
||||
|
||||
# This domain is per-role because of the below transitions.
|
||||
# See the sytemd --user section of systemd.te for the
|
||||
# See the systemd --user section of systemd.te for the
|
||||
# remainder of the rules.
|
||||
allow $1_systemd_t $3:process { setsched rlimitinh };
|
||||
corecmd_shell_domtrans($1_systemd_t, $3)
|
||||
|
||||
@ -480,7 +480,7 @@ optional_policy(`
|
||||
|
||||
######################################
|
||||
#
|
||||
# systemd log parse enviroment
|
||||
# systemd log parse environment
|
||||
#
|
||||
|
||||
# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
|
||||
|
||||
@ -78,7 +78,7 @@ def getModuleXML(file_name):
|
||||
module_te = "%s/%s.te" % (module_dir, module_name)
|
||||
module_if = "%s/%s.if" % (module_dir, module_name)
|
||||
|
||||
# Try to open the file, if it cant, just ignore it.
|
||||
# Try to open the file, if it can't, just ignore it.
|
||||
try:
|
||||
module_file = open(module_if, "r")
|
||||
module_code = module_file.readlines()
|
||||
@ -201,7 +201,7 @@ def getTunableXML(file_name, kind):
|
||||
Return all the XML for the tunables/bools in the file specified.
|
||||
'''
|
||||
|
||||
# Try to open the file, if it cant, just ignore it.
|
||||
# Try to open the file, if it can't, just ignore it.
|
||||
try:
|
||||
tunable_file = open(file_name, "r")
|
||||
tunable_code = tunable_file.readlines()
|
||||
|
||||
Loading…
Reference in New Issue
Block a user