* break up files_getattr_all_files into correct interfaces
* move stuff out of pcmcia into the appropriate modules
parent
f136a944c5
commit
50f6503452
|
@ -812,6 +812,24 @@ interface(`dev_rw_apm_bios',`
|
|||
allow $1 apm_bios_t:chr_file rw_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read and
|
||||
## write the PCMCIA card manager device.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_dontaudit_rw_cardmgr',`
|
||||
gen_require(`
|
||||
type cardmgr_dev_t;
|
||||
class chr_file { read write };
|
||||
')
|
||||
|
||||
dontaudit $1 cardmgr_dev_t:chr_file { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the CPU identity.
|
||||
|
|
|
@ -259,7 +259,11 @@ files_exec_etc_files(system_crond_t)
|
|||
files_read_etc_files(system_crond_t)
|
||||
files_read_etc_runtime_files(system_crond_t)
|
||||
files_list_all_dirs(system_crond_t)
|
||||
files_getattr_all_dirs(system_crond_t)
|
||||
files_getattr_all_files(system_crond_t)
|
||||
files_getattr_all_symlinks(system_crond_t)
|
||||
files_getattr_all_pipes(system_crond_t)
|
||||
files_getattr_all_sockets(system_crond_t)
|
||||
files_read_usr_files(system_crond_t)
|
||||
files_read_var_files(system_crond_t)
|
||||
# for nscd:
|
||||
|
|
|
@ -104,27 +104,185 @@ interface(`files_tmpfs_file',`
|
|||
typeattribute $1 tmpfsfile;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of all directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_getattr_all_dirs',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
class dir { getattr search };
|
||||
')
|
||||
|
||||
allow $1 file_type:dir { getattr search };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of all directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_getattr_all_dirs',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
class dir getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 file_type:dir getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# files_getattr_all_files(domain)
|
||||
|
||||
#
|
||||
interface(`files_getattr_all_files',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
class dir { search getattr };
|
||||
class dir search;
|
||||
class file getattr;
|
||||
')
|
||||
|
||||
allow $1 file_type:dir search;
|
||||
allow $1 file_type:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of all files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_getattr_all_files',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
class file getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 file_type:file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of all symbolic links.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_getattr_all_symlinks',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
class dir search;
|
||||
class lnk_file getattr;
|
||||
')
|
||||
|
||||
allow $1 file_type:dir search;
|
||||
allow $1 file_type:lnk_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of all symbolic links.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_getattr_all_symlinks',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
class lnk_file getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 file_type:lnk_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of all named pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_getattr_all_pipes',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
class dir search;
|
||||
class fifo_file getattr;
|
||||
')
|
||||
|
||||
allow $1 file_type:dir search;
|
||||
allow $1 file_type:fifo_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of all named pipes.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_getattr_all_pipes',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
class fifo_file getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 file_type:fifo_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of all named sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_getattr_all_sockets',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
class dir search;
|
||||
class sock_file getattr;
|
||||
')
|
||||
|
||||
allow $1 file_type:dir { search getattr };
|
||||
allow $1 file_type:file getattr;
|
||||
allow $1 file_type:lnk_file getattr;
|
||||
allow $1 file_type:fifo_file getattr;
|
||||
allow $1 file_type:dir search;
|
||||
allow $1 file_type:sock_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of all named sockets.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`files_dontaudit_getattr_all_sockets',`
|
||||
gen_require(`
|
||||
attribute file_type;
|
||||
class sock_file getattr;
|
||||
')
|
||||
|
||||
dontaudit $1 file_type:sock_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel all files on the filesystem, except
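Review bot: `files_getattr_all_files` still carries the old `# files_getattr_all_files(domain)` comment header, while every interface added around it has a `## <summary>` and `## <param name="domain">` block, so it is the only one of the set left without interface documentation. Give it the same block, with the summary text `Get the attributes of all files.` and the parameter text `Domain allowed access.`. The allow-side interfaces in this section also grant `file_type:dir search` (and `files_getattr_all_dirs` grants `{ getattr search }`), which none of the summaries mention; one added sentence saying the interface includes searching all directories would tell a caller what it is handing out. Which rows are old and which are new is inferred here, because the page has lost its +/- column, and the final `Relabel all files` interface continues outside the hunk.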
|
||||
|
|
|
@ -264,7 +264,11 @@ domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
|
|||
domain_dontaudit_getattr_all_unix_dgram_sockets(initrc_t)
|
||||
domain_dontaudit_getattr_all_unnamed_pipes(initrc_t)
|
||||
|
||||
files_getattr_all_dirs(initrc_t)
|
||||
files_getattr_all_files(initrc_t)
|
||||
files_getattr_all_symlinks(initrc_t)
|
||||
files_getattr_all_pipes(initrc_t)
|
||||
files_getattr_all_sockets(initrc_t)
|
||||
files_delete_all_tmp_files(initrc_t)
|
||||
files_delete_all_locks(initrc_t)
|
||||
files_read_all_pids(initrc_t)
|
||||
|
|
|
@ -103,6 +103,10 @@ logging_search_logs(insmod_t)
|
|||
|
||||
miscfiles_read_localization(insmod_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dev_dontaudit_rw_cardmgr(insmod_t)
|
||||
')
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
mount_domtrans(insmod_t)
|
||||
')
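Review bot: `dev_dontaudit_rw_cardmgr(insmod_t)` is called directly inside the hide_broken_symptoms ifdef, while the same call for `ifconfig_t` in the hunk at `@ -285,7 +285,13` is additionally wrapped in an optional_policy block for pcmcia.te. The interface as shown requires only `cardmgr_dev_t`, so either that wrapper is unnecessary or this caller is missing it; where `cardmgr_dev_t` is declared is not visible on this page, so confirm and make the two callers agree. Because the rule keeps denied read/write attempts out of the audit log, a one-line comment above the call naming the access insmod_t is being denied would help whoever later reviews these suppressions.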
|
||||
|
|
|
@ -1,5 +1,29 @@
|
|||
## <summary>PCMCIA card management services</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute cardmgr in the cardmgr domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`pcmcia_domtrans_cardmgr',`
|
||||
gen_require(`
|
||||
type cardmgr_t, cardmgr_exec_t;
|
||||
class process sigchld;
|
||||
class fd use;
|
||||
class fifo_file rw_file_perms;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,cardmgr_exec_t,cardmgr_t)
|
||||
|
||||
allow $1 cardmgr_t:fd use;
|
||||
allow cardmgr_t $1:fd use;
|
||||
allow cardmgr_t $1:fifo_file rw_file_perms;
|
||||
allow cardmgr_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute cardctl in the cardmgr domain.
|
||||
|
|
|
@ -43,8 +43,11 @@ kernel_read_system_state(cardmgr_t)
|
|||
kernel_read_kernel_sysctl(cardmgr_t)
|
||||
kernel_list_proc(cardmgr_t)
|
||||
kernel_read_proc_symlinks(cardmgr_t)
|
||||
kernel_dontaudit_getattr_message_if(cardmgr_t)
|
||||
|
||||
dev_read_sysfs(cardmgr_t)
|
||||
dev_getattr_all_chr_files(cardmgr_t)
|
||||
dev_getattr_all_blk_files(cardmgr_t)
|
||||
# for SSP
|
||||
dev_read_urand(cardmgr_t)
|
||||
|
||||
|
@ -52,6 +55,7 @@ fs_getattr_all_fs(cardmgr_t)
|
|||
fs_search_auto_mountpoints(cardmgr_t)
|
||||
|
||||
term_use_unallocated_tty(cardmgr_t)
|
||||
term_getattr_all_user_ttys(cardmgr_t)
|
||||
term_dontaudit_use_console(cardmgr_t)
|
||||
|
||||
corecmd_exec_bin(cardmgr_t)
|
||||
|
@ -59,10 +63,18 @@ corecmd_exec_sbin(cardmgr_t)
|
|||
|
||||
domain_use_wide_inherit_fd(cardmgr_t)
|
||||
domain_exec_all_entry_files(cardmgr_t)
|
||||
# cjp: these look excessive:
|
||||
domain_dontaudit_getattr_all_unnamed_pipes(cardmgr_t)
|
||||
|
||||
files_search_home(cardmgr_t)
|
||||
files_read_etc_runtime_files(cardmgr_t)
|
||||
files_exec_etc_files(cardmgr_t)
|
||||
# cjp: these look excessive:
|
||||
files_dontaudit_getattr_all_dirs(cardmgr_t)
|
||||
files_dontaudit_getattr_all_files(cardmgr_t)
|
||||
files_dontaudit_getattr_all_symlinks(cardmgr_t)
|
||||
files_dontaudit_getattr_all_pipes(cardmgr_t)
|
||||
files_dontaudit_getattr_all_sockets(cardmgr_t)
|
||||
|
||||
init_use_fd(cardmgr_t)
|
||||
init_use_script_pty(cardmgr_t)
|
||||
|
@ -116,21 +128,17 @@ file_type_auto_trans(cardmgr_t, { var_run_t cardmgr_var_run_t device_t tmp_t },
|
|||
|
||||
# Read /proc/PID directories for all domains (for fuser).
|
||||
can_ps(cardmgr_t, domain)
|
||||
allow cardmgr_t device_type:{ chr_file blk_file } getattr;
|
||||
allow cardmgr_t ttyfile:chr_file getattr;
|
||||
|
||||
dontaudit cardmgr_t ptyfile:chr_file getattr;
|
||||
dontaudit cardmgr_t file_type:{ dir notdevfile_class_set } getattr;
|
||||
dontaudit cardmgr_t domain:{ fifo_file socket_class_set } getattr;
|
||||
dontaudit cardmgr_t proc_kmsg_t:file getattr;
|
||||
# cjp: these look excessive:
|
||||
dontaudit cardmgr_t domain:socket_class_set getattr;
|
||||
|
||||
ifdef(`apmd.te', `
|
||||
domain_auto_trans(apmd_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
|
||||
# this goes to apm
|
||||
optional_policy(`pcmcia.te',`
|
||||
pcmcia_domtrans_cardmgr(apmd_t)
|
||||
pcmcia_domtrans_cardctl(apmd_t)
|
||||
')
|
||||
|
||||
ifdef(`hide_broken_symptoms', `
|
||||
dontaudit insmod_t cardmgr_dev_t:chr_file { read write };
|
||||
dontaudit ifconfig_t cardmgr_dev_t:chr_file { read write };
|
||||
')
|
||||
ifdef(`hald.te', `
|
||||
rw_dir_file(hald_t, cardmgr_var_run_t)
|
||||
allow hald_t cardmgr_var_run_t:chr_file create_file_perms;
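Review bot: The five `files_dontaudit_getattr_all_*(cardmgr_t)` calls in the hunk at `@ -59,10 +63,18` and `dontaudit cardmgr_t domain:socket_class_set getattr;` in the hunk at `@ -116,21 +128,17` silence getattr denials against every file type and every domain's sockets, with only `# cjp: these look excessive:` to explain them. Suppressions this broad remove cardmgr_t's getattr denials from the audit trail entirely, so the comment should record what triggers them and that they are meant to be narrowed, for example `# cjp: excessive; silences getattr denials from <program - placeholder> scanning all files, narrow once the needed types are known`. The retained `for fuser` comment above `can_ps` suggests the cause, but that is an inference from this page. The old `dontaudit cardmgr_t ptyfile:chr_file getattr;` appears to be dropped without an interface replacing it, which only makes those denials visible again but is worth a mention in the commit message if intended.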
|
||||
|
|
|
@ -285,7 +285,13 @@ seutil_use_runinit_fd(ifconfig_t)
|
|||
userdom_use_all_user_fd(ifconfig_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
udev_donaudit_rw_unix_dgram_socket(ifconfig_t)
|
||||
optional_policy(`pcmcia.te',`
|
||||
dev_dontaudit_rw_cardmgr(ifconfig_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te',`
|
||||
udev_donaudit_rw_unix_dgram_socket(ifconfig_t)
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
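Review bot: `udev_donaudit_rw_unix_dgram_socket(ifconfig_t)` is spelled without the `t` of `dontaudit`, unlike `dev_dontaudit_rw_cardmgr(ifconfig_t)` a few lines above it in the same ifdef. The call only resolves if udev.if defines the interface under the same misspelled name, which is not visible on this page. If it does, rename both together to `udev_dontaudit_rw_unix_dgram_socket`, because a search of the policy for `dontaudit` will otherwise miss this suppression. The spelling is on the line this commit moves into the optional_policy block for udev.te, so it looks carried over rather than introduced here.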
|
||||
|
|