corecommands patch from Dan Walsh: "Lots of bin_t files"
parent
2341eb2d45
commit
c60f75ad0f
|
@ -9,8 +9,11 @@
|
|||
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
|
||||
#
|
||||
|
@ -71,6 +74,8 @@ ifdef(`distro_redhat',`
|
|||
|
||||
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/etc/PackageKit/events(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/etc/pm/power\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/pm/sleep\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
|
@ -101,6 +106,9 @@ ifdef(`distro_redhat',`
|
|||
/etc/X11/xdm/Xsetup_0 -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/X11/xinit(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/etc/pki/tls/certs/make-dummy-cert -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/pki/tls/misc(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/etc/profile.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/xen/qemu-ifup -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/xen/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
@ -109,6 +117,8 @@ ifdef(`distro_debian',`
|
|||
/etc/mysql/debian-start -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
||||
/etc/vmware-tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
#
|
||||
# /lib
|
||||
#
|
||||
|
@ -126,6 +136,8 @@ ifdef(`distro_gentoo',`
|
|||
/lib/rcscripts/net\.modules\.d/helpers\.d/dhclient-.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/lib/rcscripts/net\.modules\.d/helpers\.d/udhcpc-.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
/lib/readahead(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
#
|
||||
# /sbin
|
||||
|
@ -145,6 +157,12 @@ ifdef(`distro_gentoo',`
|
|||
|
||||
/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/opt/google/talkplugin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/opt/gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/opt/OpenPrinting-Gutenprint/cups/lib/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
ifdef(`distro_gentoo',`
|
||||
/opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
@ -169,6 +187,7 @@ ifdef(`distro_gentoo',`
|
|||
/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
@ -205,7 +224,8 @@ ifdef(`distro_gentoo',`
|
|||
/usr/lib(64)?/xen/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/libsexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
|
||||
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
|
@ -218,16 +238,21 @@ ifdef(`distro_gentoo',`
|
|||
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
|
||||
|
||||
/usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/ajaxterm/ajaxterm.py.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/dayplanner/dayplanner -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/cluster/.*\.sh gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/cluster/ocf-shellfuncs -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/cluster/svclib_nfslock -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/e16/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/gedit-2/plugins/externaltools/tools(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/gitolite/hooks/common/update -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/gitolite/hooks/gitolite-admin/post-update -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
@ -314,6 +339,7 @@ ifdef(`distro_redhat', `
|
|||
/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
|
||||
ifdef(`distro_suse', `
|
||||
|
@ -340,3 +366,27 @@ ifdef(`distro_suse', `
|
|||
ifdef(`distro_suse',`
|
||||
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
|
||||
')
|
||||
/var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/lib/oracle/xe/apps(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/lib(64)?/pm-utils(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:bin_t, s0)
|
||||
|
||||
/usr/lib(64)?/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
||||
/etc/kde/env(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
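Review bot: The entries appended after the `distro_suse` block in hunk @ -340 (`/lib/security/pam_krb5/...` through `/etc/kde/shutdown(/.*)?`, all on the new side by the hunk counts) break the file's path ordering: the `/etc/kde`, `/lib/security`, `/lib/systemd` and `/usr/lib` entries belong in the `/etc`, `/lib` and `/usr/lib` sections above, where the next reader will look for them, and the two `pam_krb5_storetmp` lines can collapse to `/lib(64)?/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)` as the file already does for `/usr/lib(64)?`. In the same run, `/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:bin_t, s0)` is the only entry in the file with a space before `s0`; m4 should strip leading unquoted whitespace from the argument so it likely still labels correctly, but it ought to read `gen_context(system_u:object_r:bin_t,s0)` like every other line. In hunk @ -101, `/etc/pki/tls/misc(/.*)? -- gen_context(system_u:object_r:bin_t,s0)` combines a directory-tree pattern with the `--` regular-file restriction, so the `misc` directory itself keeps its default label while only the files inside become bin_t; drop the `--` if the tree is meant to be labeled like the other `(/.*)?` entries. `/usr/libsexec/sesh` in hunk @ -205 looks like a typo for `/usr/libexec/sesh` (whether it is the removed line or a survivor is not recoverable from this rendering), and `/usr/share/cluster/ocf-shellfuncs` is printed twice in hunk @ -218, so check the new side for a duplicate entry.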
|
|
|
@ -163,7 +163,7 @@ interface(`corecmd_list_bin',`
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not auidt attempts to write bin directories.
|
||||
## Do not audit attempts to write bin directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
|
@ -179,6 +179,24 @@ interface(`corecmd_dontaudit_write_bin_dirs',`
|
|||
dontaudit $1 bin_t:dir write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to write bin files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`corecmd_dontaudit_write_bin_files',`
|
||||
gen_require(`
|
||||
type bin_t;
|
||||
')
|
||||
|
||||
dontaudit $1 bin_t:file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of files in bin directories.
|
||||
|
@ -931,6 +949,7 @@ interface(`corecmd_exec_chroot',`
|
|||
|
||||
read_lnk_files_pattern($1, bin_t, bin_t)
|
||||
can_exec($1, chroot_exec_t)
|
||||
allow $1 self:capability sys_chroot;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -1030,6 +1049,7 @@ interface(`corecmd_manage_all_executables',`
|
|||
type bin_t;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, bin_t, exec_type)
|
||||
manage_files_pattern($1, bin_t, exec_type)
|
||||
manage_lnk_files_pattern($1, bin_t, bin_t)
|
||||
')
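Review bot: `corecmd_exec_chroot` now references `bin_t` through `read_lnk_files_pattern($1, bin_t, bin_t)` in hunk @ -931, but the interface's `gen_require` block is above the hunk, so it is not visible whether `bin_t` is declared there; an interface that names a type it does not require fails to build in any module that calls it without requiring `bin_t` itself, so confirm the block reads `type bin_t, chroot_exec_t;` or add `bin_t` to it. The same check passes by inspection in hunk @ -1030, where `type bin_t;` is visible as context above the new `manage_lnk_files_pattern($1, bin_t, bin_t)`. The new `corecmd_dontaudit_write_bin_files` interface in hunk @ -179 mirrors `corecmd_dontaudit_write_bin_dirs` line for line and looks complete.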
|
||||
|
|