fixes
parent
9bbc757a76
commit
30705b6bc0
|
@ -53,7 +53,7 @@ template(`su_restricted_domain_template', `
|
||||||
auth_dontaudit_read_shadow($1_su_t)
|
auth_dontaudit_read_shadow($1_su_t)
|
||||||
auth_use_nsswitch($1_su_t)
|
auth_use_nsswitch($1_su_t)
|
||||||
|
|
||||||
domain_wide_inherit_fd($1_su_t)
|
domain_use_wide_inherit_fd($1_su_t)
|
||||||
|
|
||||||
files_read_etc_files($1_su_t)
|
files_read_etc_files($1_su_t)
|
||||||
|
|
||||||
|
@ -177,11 +177,11 @@ template(`su_per_userdomain_template',`
|
||||||
term_use_all_user_ttys($1_su_t)
|
term_use_all_user_ttys($1_su_t)
|
||||||
term_use_all_user_ptys($1_su_t)
|
term_use_all_user_ptys($1_su_t)
|
||||||
|
|
||||||
auth_domtrans_user_chk_passwd($1_su_t,$1)
|
auth_domtrans_user_chk_passwd($1,$1_su_t)
|
||||||
auth_dontaudit_read_shadow($1_su_t)
|
auth_dontaudit_read_shadow($1_su_t)
|
||||||
auth_use_nsswitch($1_su_t)
|
auth_use_nsswitch($1_su_t)
|
||||||
|
|
||||||
domain_wide_inherit_fd($1_su_t)
|
domain_use_wide_inherit_fd($1_su_t)
|
||||||
|
|
||||||
files_read_etc_files($1_su_t)
|
files_read_etc_files($1_su_t)
|
||||||
files_search_var_lib($1_su_t)
|
files_search_var_lib($1_su_t)
|
||||||
|
@ -218,7 +218,7 @@ template(`su_per_userdomain_template',`
|
||||||
fs_search_cifs($1_su_t)
|
fs_search_cifs($1_su_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`crond.te',`
|
optional_policy(`cron.te',`
|
||||||
cron_read_pipe($1_su_t)
|
cron_read_pipe($1_su_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|
|
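Review bot: The argument swap to `auth_domtrans_user_chk_passwd($1,$1_su_t)` in su_per_userdomain_template is only correct together with the parameter reversal of that template in authlogin.if later in this commit; the two hunks cannot be applied independently. Any caller of auth_domtrans_user_chk_passwd not updated in this commit would now pass the domain where the prefix is expected and get a domain_auto_trans built from the wrong types, so callers outside this diff should be checked. A line in the commit message stating that the template's parameter order changed would make this easy to find later. The rename from `crond.te` to `cron.te` presumably means the cron_read_pipe block was never expanded before, which is a behaviour change worth mentioning as well.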
@ -45,6 +45,7 @@ interface(`dev_node',`
|
||||||
|
|
||||||
fs_associate($1)
|
fs_associate($1)
|
||||||
fs_associate_tmpfs($1)
|
fs_associate_tmpfs($1)
|
||||||
|
files_associate_tmp($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|
|
@ -68,6 +68,24 @@ interface(`selinux_dontaudit_search_fs',`
|
||||||
dontaudit $1 security_t:dir search;
|
dontaudit $1 security_t:dir search;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to read
|
||||||
|
## generic selinuxfs entries
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain to not audit.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`selinux_dontaudit_read_fs',`
|
||||||
|
gen_require(`
|
||||||
|
type security_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 security_t:dir search;
|
||||||
|
dontaudit $1 security_t:file { getattr read };
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allows the caller to get the mode of policy enforcement
|
## Allows the caller to get the mode of policy enforcement
|
||||||
|
|
|
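Review bot: The new selinux_dontaudit_read_fs restates `dontaudit $1 security_t:dir search;` instead of calling selinux_dontaudit_search_fs, which is defined directly above it in this hunk; calling the existing interface would keep the two from drifting if the dir rule ever changes. The summary says "generic selinuxfs entries" while the rule suppresses getattr/read on every security_t file, so a comment confirming that breadth is intended would help the next reader. As a dontaudit the rule grants nothing; it only affects what reaches the audit log.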
@ -80,6 +80,8 @@ interface(`term_tty',`
|
||||||
typeattribute $2 ttynode, serial_device;
|
typeattribute $2 ttynode, serial_device;
|
||||||
type_change $1 tty_device_t:chr_file $2;
|
type_change $1 tty_device_t:chr_file $2;
|
||||||
|
|
||||||
|
files_associate_tmp($1)
|
||||||
|
|
||||||
# Debian login is from shadow utils and does not allow resetting the perms.
|
# Debian login is from shadow utils and does not allow resetting the perms.
|
||||||
# have to fix this!
|
# have to fix this!
|
||||||
ifdef(`distro_debian',`
|
ifdef(`distro_debian',`
|
||||||
|
|
|
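Review bot: `files_associate_tmp($1)` added to term_tty looks like it names the wrong parameter: the neighbouring `type_change $1 tty_device_t:chr_file $2` treats $1 as the domain and $2 as the tty type, and filesystem associate is a permission that applies to file types, not process domains. The equivalent line added to dev_node in this commit is applied to the node type, so the intent here is presumably `files_associate_tmp($2)`. If $1 really is a type in this template, a comment saying so would stop the next reader from asking the same question. The term_tty definition starts outside the hunk.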
@ -349,8 +349,9 @@ interface(`mta_read_config',`
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
allow spamd_t etc_mail_t:dir list_dir_perms;
|
allow $1 etc_mail_t:dir list_dir_perms;
|
||||||
allow spamd_t etc_mail_t:file r_file_perms;
|
allow $1 etc_mail_t:file r_file_perms;
|
||||||
|
allow $1 etc_mail_t:lnk_file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|
|
@ -88,6 +88,10 @@ template(`postfix_domain_template',`
|
||||||
files_dontaudit_read_root_file(postfix_$1_t)
|
files_dontaudit_read_root_file(postfix_$1_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`nscd.te',`
|
||||||
|
nscd_use_socket(postfix_$1_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`udev.te',`
|
optional_policy(`udev.te',`
|
||||||
udev_read_db(postfix_$1_t)
|
udev_read_db(postfix_$1_t)
|
||||||
')
|
')
|
||||||
|
@ -102,6 +106,10 @@ template(`postfix_server_domain_template',`
|
||||||
allow postfix_$1_t self:udp_socket create_socket_perms;
|
allow postfix_$1_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
|
domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
|
||||||
|
allow postfix_master_t postfix_$1_t:fd use;
|
||||||
|
allow postfix_$1_t postfix_master_t:fd use;
|
||||||
|
allow postfix_$1_t postfix_master_t:fifo_file rw_file_perms;
|
||||||
|
allow postfix_$1_t postfix_master_t:process sigchld;
|
||||||
|
|
||||||
corenet_tcp_sendrecv_all_if(postfix_$1_t)
|
corenet_tcp_sendrecv_all_if(postfix_$1_t)
|
||||||
corenet_udp_sendrecv_all_if(postfix_$1_t)
|
corenet_udp_sendrecv_all_if(postfix_$1_t)
|
||||||
|
@ -128,6 +136,10 @@ template(`postfix_user_domain_template',`
|
||||||
allow postfix_$1_t self:capability dac_override;
|
allow postfix_$1_t self:capability dac_override;
|
||||||
|
|
||||||
domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
|
domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t)
|
||||||
|
allow user_mail_domain postfix_$1_t:fd use;
|
||||||
|
allow postfix_$1_t user_mail_domain:fd use;
|
||||||
|
allow postfix_$1_t user_mail_domain:fifo_file rw_file_perms;
|
||||||
|
allow postfix_$1_t user_mail_domain:process sigchld;
|
||||||
|
|
||||||
# this is replaced by run interfaces
|
# this is replaced by run interfaces
|
||||||
role sysadm_r types postfix_$1_t;
|
role sysadm_r types postfix_$1_t;
|
||||||
|
|
|
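Review bot: The four rules added after `domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)` (fd use in both directions, fifo_file rw_file_perms, process sigchld) are repeated verbatim with user_mail_domain in the next hunk, three more times in postfix.te (postqueue, showq, and the postqueue-to-showq transition) and once in authlogin.if. Hand-copying this set invites the source and target domains being swapped in one copy, which is exactly what the authlogin.if hunk in this commit is fixing; a small macro taking (source, entrypoint, target) that emits the auto_trans and its four companion rules would keep all six sites identical. The templates start outside the hunks.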
@ -109,6 +109,9 @@ allow postfix_master_t postfix_public_t:dir rw_dir_perms;
|
||||||
allow postfix_master_t postfix_spool_t:dir create_dir_perms;
|
allow postfix_master_t postfix_spool_t:dir create_dir_perms;
|
||||||
allow postfix_master_t postfix_spool_t:file create_file_perms;
|
allow postfix_master_t postfix_spool_t:file create_file_perms;
|
||||||
|
|
||||||
|
allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms;
|
||||||
|
allow postfix_master_t postfix_spool_bounce_t:file getattr;
|
||||||
|
|
||||||
allow postfix_master_t postfix_spool_flush_t:dir create_dir_perms;
|
allow postfix_master_t postfix_spool_flush_t:dir create_dir_perms;
|
||||||
allow postfix_master_t postfix_spool_flush_t:file create_file_perms;
|
allow postfix_master_t postfix_spool_flush_t:file create_file_perms;
|
||||||
allow postfix_master_t postfix_spool_flush_t:lnk_file create_lnk_perms;
|
allow postfix_master_t postfix_spool_flush_t:lnk_file create_lnk_perms;
|
||||||
|
@ -357,6 +360,8 @@ files_dontaudit_search_var(postfix_map_t)
|
||||||
libs_use_ld_so(postfix_map_t)
|
libs_use_ld_so(postfix_map_t)
|
||||||
libs_use_shared_libs(postfix_map_t)
|
libs_use_shared_libs(postfix_map_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(postfix_map_t)
|
||||||
|
|
||||||
miscfiles_read_localization(postfix_map_t)
|
miscfiles_read_localization(postfix_map_t)
|
||||||
|
|
||||||
seutil_read_config(postfix_map_t)
|
seutil_read_config(postfix_map_t)
|
||||||
|
@ -464,10 +469,16 @@ allow postfix_postqueue_t postfix_public_t:dir search;
|
||||||
allow postfix_postqueue_t postfix_public_t:fifo_file { getattr write };
|
allow postfix_postqueue_t postfix_public_t:fifo_file { getattr write };
|
||||||
|
|
||||||
domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
|
domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
|
||||||
|
allow postfix_master_t postfix_postqueue_t:fd use;
|
||||||
|
allow postfix_postqueue_t postfix_master_t:fd use;
|
||||||
|
allow postfix_postqueue_t postfix_master_t:fifo_file rw_file_perms;
|
||||||
|
allow postfix_postqueue_t postfix_master_t:process sigchld;
|
||||||
|
|
||||||
# to write the mailq output, it really should not need read access!
|
domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
|
||||||
term_use_all_user_ptys(postfix_showq_t)
|
allow postfix_postqueue_t postfix_showq_t:fd use;
|
||||||
term_use_all_user_ttys(postfix_showq_t)
|
allow postfix_showq_t postfix_postqueue_t:fd use;
|
||||||
|
allow postfix_showq_t postfix_postqueue_t:fifo_file rw_file_perms;
|
||||||
|
allow postfix_showq_t postfix_postqueue_t:process sigchld;
|
||||||
|
|
||||||
init_sigchld_script(postfix_postqueue_t)
|
init_sigchld_script(postfix_postqueue_t)
|
||||||
init_use_script_fd(postfix_postqueue_t)
|
init_use_script_fd(postfix_postqueue_t)
|
||||||
|
@ -508,9 +519,12 @@ allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
|
||||||
allow postfix_showq_t self:capability { setuid setgid };
|
allow postfix_showq_t self:capability { setuid setgid };
|
||||||
allow postfix_showq_t self:tcp_socket create_socket_perms;
|
allow postfix_showq_t self:tcp_socket create_socket_perms;
|
||||||
|
|
||||||
domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
|
|
||||||
# the following auto_trans is usually in postfix server domain
|
# the following auto_trans is usually in postfix server domain
|
||||||
domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
|
domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
|
||||||
|
allow postfix_master_t postfix_showq_t:fd use;
|
||||||
|
allow postfix_showq_t postfix_master_t:fd use;
|
||||||
|
allow postfix_showq_t postfix_master_t:fifo_file rw_file_perms;
|
||||||
|
allow postfix_showq_t postfix_master_t:process sigchld;
|
||||||
|
|
||||||
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
|
allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
|
||||||
|
|
||||||
|
@ -520,6 +534,7 @@ allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search };
|
||||||
allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
|
allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
|
||||||
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
|
allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
|
||||||
|
|
||||||
|
# to write the mailq output, it really should not need read access!
|
||||||
term_use_all_user_ptys(postfix_showq_t)
|
term_use_all_user_ptys(postfix_showq_t)
|
||||||
term_use_all_user_ttys(postfix_showq_t)
|
term_use_all_user_ttys(postfix_showq_t)
|
||||||
|
|
||||||
|
|
|
@ -304,3 +304,22 @@ interface(`samba_read_winbind_pid',`
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
allow $1 winbind_var_run_t:file r_file_perms;
|
allow $1 winbind_var_run_t:file r_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Connect to winbind.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## Domain allowed access.
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`samba_connect_winbind',`
|
||||||
|
gen_require(`
|
||||||
|
type winbind_t, winbind_var_run_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_pids($1)
|
||||||
|
allow $1 winbind_var_run_t:dir search_dir_perms;
|
||||||
|
allow $1 winbind_var_run_t:file { getattr read write };
|
||||||
|
allow $1 winbind_t:unix_stream_socket connectto;
|
||||||
|
')
|
||||||
|
|
|
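Review bot: samba_connect_winbind grants `allow $1 winbind_var_run_t:file { getattr read write };` although its summary only promises a connection to winbind; write on regular files in the pid directory is broader than a socket connect needs, and every chkpwd domain and every auth_domtrans_chk_passwd and auth_use_nsswitch caller in this commit inherits it. If the write is there for the winbind socket, the object class would normally be sock_file rather than file; if it is needed for something else, the `## <summary>` should say what. Consider narrowing to `allow $1 winbind_var_run_t:file { getattr read };` plus whatever sock_file rule the socket actually needs, or documenting why file write is required.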
@ -103,12 +103,12 @@ template(`authlogin_per_userdomain_template',`
|
||||||
nscd_use_socket($1_chkpwd_t)
|
nscd_use_socket($1_chkpwd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinuxutil.te',`
|
optional_policy(`samba.te',`
|
||||||
seutil_use_newrole_fd($1_chkpwd_t)
|
samba_connect_winbind($1_chkpwd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
optional_policy(`selinuxutil.te',`
|
||||||
can_winbind($1)
|
seutil_use_newrole_fd($1_chkpwd_t)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -141,13 +141,13 @@ template(`auth_domtrans_user_chk_passwd',`
|
||||||
type chkpwd_exec_t;
|
type chkpwd_exec_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
corecmd_search_bin($1)
|
corecmd_search_bin($2)
|
||||||
domain_auto_trans($1,chkpwd_exec_t,$2_chkpwd_t)
|
domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
|
||||||
|
|
||||||
allow $1 $2_chkpwd_t:fd use;
|
allow $2 $1_chkpwd_t:fd use;
|
||||||
allow $2_chkpwd_t $1:fd use;
|
allow $1_chkpwd_t $2:fd use;
|
||||||
allow $2_chkpwd_t $1:fifo_file rw_file_perms;
|
allow $1_chkpwd_t $2:fifo_file rw_file_perms;
|
||||||
allow $2_chkpwd_t $1:process sigchld;
|
allow $1_chkpwd_t $2:process sigchld;
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -241,9 +241,8 @@ interface(`auth_domtrans_chk_passwd',`
|
||||||
nis_use_ypbind($1)
|
nis_use_ypbind($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
optional_policy(`samba.te',`
|
||||||
can_winbind($1)
|
samba_connect_winbind($1)
|
||||||
dontaudit $1 shadow_t:file { getattr read };
|
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -919,8 +918,8 @@ interface(`auth_use_nsswitch',`
|
||||||
nis_use_ypbind($1)
|
nis_use_ypbind($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
optional_policy(`samba.te',`
|
||||||
can_winbind($1)
|
samba_connect_winbind($1)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
|
|
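Review bot: The hunk at `@ -141,13 +141,13 @@` reverses the parameter order of auth_domtrans_user_chk_passwd ($1 is now the prefix, $2 the domain), but the template's `## <param>` documentation sits above the hunk and is not touched here, so it now describes the old order. The description block should be updated to give `## <param name="userdomain_prefix">` for $1 and `## <param name="domain">` for $2, in that order, so the XML docs match the code. The template begins outside the hunk. su.if is the only caller updated on this page; any other caller of this template needs the same swap.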
@ -93,7 +93,7 @@ interface(`domain_type',`
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinux.te',`
|
optional_policy(`selinux.te',`
|
||||||
selinux_dontaudit_search_fs($1)
|
selinux_dontaudit_read_fs($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`selinuxutil.te',`
|
optional_policy(`selinuxutil.te',`
|
||||||
|
|
|
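Review bot: Switching domain_type from selinux_dontaudit_search_fs to selinux_dontaudit_read_fs silences getattr/read denials on security_t files for every domain in the policy, which also removes audit evidence of domains probing selinuxfs that were never meant to read it. A short comment above the optional_policy block stating why the suppression is wanted, for example `# every domain probes selinuxfs via libselinux; do not audit the noise` if that is the motivation, would let a later reviewer judge whether the trade-off still holds. Note that dontaudit grants nothing; the rule only affects logging. The domain_type interface starts outside the hunk.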
@ -499,13 +499,12 @@ interface(`seutil_dontaudit_read_config',`
|
||||||
interface(`seutil_read_config',`
|
interface(`seutil_read_config',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type selinux_config_t;
|
type selinux_config_t;
|
||||||
class dir r_dir_perms;
|
|
||||||
class file r_file_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
allow $1 selinux_config_t:dir r_dir_perms;
|
allow $1 selinux_config_t:dir r_dir_perms;
|
||||||
allow $1 selinux_config_t:file r_file_perms;
|
allow $1 selinux_config_t:file r_file_perms;
|
||||||
|
allow $1 selinux_config_t:lnk_file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -534,14 +533,13 @@ interface(`seutil_search_default_contexts',`
|
||||||
interface(`seutil_read_default_contexts',`
|
interface(`seutil_read_default_contexts',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type selinux_config_t, default_context_t;
|
type selinux_config_t, default_context_t;
|
||||||
class dir r_dir_perms;
|
|
||||||
class file r_file_perms;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
files_search_etc($1)
|
files_search_etc($1)
|
||||||
allow $1 selinux_config_t:dir search;
|
allow $1 selinux_config_t:dir search;
|
||||||
allow $1 default_context_t:dir r_dir_perms;
|
allow $1 default_context_t:dir r_dir_perms;
|
||||||
allow $1 default_context_t:file r_file_perms;
|
allow $1 default_context_t:file r_file_perms;
|
||||||
|
allow $1 default_context_t:lnk_file { getattr read };
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
|