add finger and bluetooth
This commit is contained in:
parent
9d3e339e82
commit
d4dca58511
|
@ -13,7 +13,9 @@
|
|||
- Fix errors uncovered by sediff.
|
||||
- Added policies:
|
||||
anaconda
|
||||
bluetooth
|
||||
dmidecode
|
||||
finger
|
||||
ftp
|
||||
kudzu
|
||||
radvd
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
#
|
||||
# /etc
|
||||
#
|
||||
/etc/bluetooth(/.*)? gen_context(system_u:object_r:bluetooth_conf_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/bin/rfcomm -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
||||
|
||||
/usr/sbin/hciattach -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
||||
/usr/sbin/hcid -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
||||
/usr/sbin/hid2hci -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
||||
/usr/sbin/sdpd -- gen_context(system_u:object_r:bluetooth_exec_t,s0)
|
||||
|
||||
#
|
||||
# /var
|
||||
#
|
||||
/var/run/sdp -s gen_context(system_u:object_r:bluetooth_var_run_t,s0)
|
|
@ -0,0 +1 @@
|
|||
## <summary>Bluetooth tools and system services.</summary>
|
|
@ -0,0 +1,122 @@
|
|||
|
||||
policy_module(bluetooth,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
type bluetooth_t;
|
||||
type bluetooth_exec_t;
|
||||
init_daemon_domain(bluetooth_t,bluetooth_exec_t)
|
||||
|
||||
type bluetooth_conf_t;
|
||||
files_type(bluetooth_conf_t)
|
||||
|
||||
type bluetooth_lock_t;
|
||||
files_lock_file(bluetooth_lock_t)
|
||||
|
||||
type bluetooth_tmp_t;
|
||||
files_tmp_file(bluetooth_tmp_t)
|
||||
|
||||
type bluetooth_var_run_t;
|
||||
files_pid_file(bluetooth_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
|
||||
dontaudit bluetooth_t self:capability sys_tty_config;
|
||||
allow bluetooth_t self:process signal_perms;
|
||||
allow bluetooth_t self:socket create_stream_socket_perms;
|
||||
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
|
||||
allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow bluetooth_t self:tcp_socket { create_stream_socket_perms connect };
|
||||
allow bluetooth_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow bluetooth_t bluetooth_conf_t:dir search;
|
||||
allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
|
||||
|
||||
allow bluetooth_t bluetooth_lock_t:file create_file_perms;
|
||||
files_create_lock(bluetooth_t,bluetooth_lock_t)
|
||||
|
||||
allow bluetooth_t bluetooth_tmp_t:dir create_dir_perms;
|
||||
allow bluetooth_t bluetooth_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(bluetooth_t, bluetooth_tmp_t, { file dir })
|
||||
|
||||
allow bluetooth_t bluetooth_var_run_t:dir rw_dir_perms;
|
||||
allow bluetooth_t bluetooth_var_run_t:file create_file_perms;
|
||||
allow bluetooth_t bluetooth_var_run_t:sock_file create_file_perms;
|
||||
files_create_pid(bluetooth_t, bluetooth_var_run_t, { file sock_file })
|
||||
|
||||
kernel_read_kernel_sysctl(bluetooth_t)
|
||||
kernel_list_proc(bluetooth_t)
|
||||
kernel_read_proc_symlinks(bluetooth_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(bluetooth_t)
|
||||
corenet_udp_sendrecv_all_if(bluetooth_t)
|
||||
corenet_raw_sendrecv_all_if(bluetooth_t)
|
||||
corenet_tcp_sendrecv_all_nodes(bluetooth_t)
|
||||
corenet_udp_sendrecv_all_nodes(bluetooth_t)
|
||||
corenet_raw_sendrecv_all_nodes(bluetooth_t)
|
||||
corenet_tcp_bind_all_nodes(bluetooth_t)
|
||||
corenet_udp_bind_all_nodes(bluetooth_t)
|
||||
corenet_tcp_sendrecv_all_ports(bluetooth_t)
|
||||
corenet_udp_sendrecv_all_ports(bluetooth_t)
|
||||
|
||||
dev_read_sysfs(bluetooth_t)
|
||||
dev_rw_usbfs(bluetooth_t)
|
||||
|
||||
fs_getattr_all_fs(bluetooth_t)
|
||||
fs_search_auto_mountpoints(bluetooth_t)
|
||||
|
||||
term_dontaudit_use_console(bluetooth_t)
|
||||
|
||||
corecmd_exec_bin(bluetooth_t)
|
||||
|
||||
domain_use_wide_inherit_fd(bluetooth_t)
|
||||
|
||||
init_use_fd(bluetooth_t)
|
||||
init_use_script_pty(bluetooth_t)
|
||||
|
||||
libs_use_ld_so(bluetooth_t)
|
||||
libs_use_shared_libs(bluetooth_t)
|
||||
|
||||
logging_send_syslog_msg(bluetooth_t)
|
||||
|
||||
miscfiles_read_localization(bluetooth_t)
|
||||
|
||||
sysnet_read_config(bluetooth_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(bluetooth_t)
|
||||
userdom_dontaudit_use_sysadm_pty(bluetooth_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(bluetooth_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_tty(bluetooth_t)
|
||||
term_dontaudit_use_generic_pty(bluetooth_t)
|
||||
files_dontaudit_read_root_file(bluetooth_t)
|
||||
')
|
||||
|
||||
optional_policy(`dbus.te',`
|
||||
dbus_system_bus_client_template(bluetooth,bluetooth_t)
|
||||
dbus_send_system_bus_msg(bluetooth_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(bluetooth_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(bluetooth_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te',`
|
||||
udev_read_db(bluetooth_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(bluetooth_t)
|
||||
')
|
||||
')
|
|
@ -0,0 +1,19 @@
|
|||
# fingerd
|
||||
|
||||
#
|
||||
# /etc
|
||||
#
|
||||
/etc/cfingerd(/.*)? gen_context(system_u:object_r:fingerd_etc_t,s0)
|
||||
|
||||
/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/sbin/in\.fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
|
||||
/usr/sbin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
|
||||
|
||||
#
|
||||
# /var
|
||||
#
|
||||
/var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0)
|
|
@ -0,0 +1,40 @@
|
|||
## <summary>Finger user information service.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute fingerd in the fingerd domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`finger_domtrans',`
|
||||
gen_require(`
|
||||
type fingerd_t, fingerd_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,fingerd_exec_t,fingerd_t)
|
||||
|
||||
allow $1 fingerd_t:fd use;
|
||||
allow fingerd_t $1:fd use;
|
||||
allow fingerd_t $1:fifo_file rw_file_perms;
|
||||
allow fingerd_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to connect to fingerd with a tcp socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`finger_tcp_connect',`
|
||||
gen_require(`
|
||||
type fingerd_t;
|
||||
')
|
||||
|
||||
kernel_tcp_recvfrom($1)
|
||||
allow $1 fingerd_t:tcp_socket { connectto recvfrom };
|
||||
allow fingerd_t $1:tcp_socket { acceptfrom recvfrom };
|
||||
')
|
|
@ -0,0 +1,134 @@
|
|||
|
||||
policy_module(finger,1.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
type fingerd_t;
|
||||
type fingerd_exec_t;
|
||||
init_daemon_domain(fingerd_t,fingerd_exec_t)
|
||||
inetd_tcp_service_domain(fingerd_t,fingerd_exec_t)
|
||||
|
||||
type fingerd_etc_t; #, usercanread;
|
||||
files_type(fingerd_etc_t)
|
||||
|
||||
type fingerd_log_t;
|
||||
logging_log_file(fingerd_log_t)
|
||||
|
||||
type fingerd_var_run_t;
|
||||
files_pid_file(fingerd_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
allow fingerd_t self:capability { setgid setuid };
|
||||
dontaudit fingerd_t self:capability { sys_tty_config fsetid };
|
||||
allow fingerd_t self:process signal_perms;
|
||||
allow fingerd_t self:fifo_file { read write getattr };
|
||||
allow fingerd_t self:tcp_socket connected_stream_socket_perms;
|
||||
allow fingerd_t self:udp_socket create_socket_perms;
|
||||
allow fingerd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow fingerd_t self:unix_stream_socket create_socket_perms;
|
||||
|
||||
allow fingerd_t fingerd_var_run_t:file create_file_perms;
|
||||
allow fingerd_t fingerd_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(fingerd_t,fingerd_var_run_t)
|
||||
|
||||
allow fingerd_t fingerd_etc_t:file r_file_perms;
|
||||
allow fingerd_t fingerd_etc_t:dir r_dir_perms;
|
||||
allow fingerd_t fingerd_etc_t:lnk_file { getattr read };
|
||||
|
||||
allow fingerd_t fingerd_log_t:file create_file_perms;
|
||||
logging_create_log(fingerd_t,fingerd_log_t)
|
||||
|
||||
kernel_read_kernel_sysctl(fingerd_t)
|
||||
kernel_read_system_state(fingerd_t)
|
||||
kernel_tcp_recvfrom(fingerd_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(fingerd_t)
|
||||
corenet_udp_sendrecv_all_if(fingerd_t)
|
||||
corenet_raw_sendrecv_all_if(fingerd_t)
|
||||
corenet_tcp_sendrecv_all_nodes(fingerd_t)
|
||||
corenet_udp_sendrecv_all_nodes(fingerd_t)
|
||||
corenet_raw_sendrecv_all_nodes(fingerd_t)
|
||||
corenet_tcp_sendrecv_all_ports(fingerd_t)
|
||||
corenet_udp_sendrecv_all_ports(fingerd_t)
|
||||
corenet_tcp_bind_all_nodes(fingerd_t)
|
||||
corenet_udp_bind_all_nodes(fingerd_t)
|
||||
corenet_tcp_bind_fingerd_port(fingerd_t)
|
||||
|
||||
dev_read_sysfs(fingerd_t)
|
||||
|
||||
fs_getattr_all_fs(fingerd_t)
|
||||
fs_search_auto_mountpoints(fingerd_t)
|
||||
|
||||
term_search_ptys(fingerd_t)
|
||||
term_dontaudit_use_console(fingerd_t)
|
||||
term_getattr_all_user_ttys(fingerd_t)
|
||||
term_getattr_all_user_ptys(fingerd_t)
|
||||
|
||||
auth_read_lastlog(fingerd_t)
|
||||
|
||||
corecmd_exec_bin(fingerd_t)
|
||||
corecmd_exec_sbin(fingerd_t)
|
||||
corecmd_exec_shell(fingerd_t)
|
||||
|
||||
domain_use_wide_inherit_fd(fingerd_t)
|
||||
|
||||
files_getattr_home_dir(fingerd_t)
|
||||
files_read_etc_files(fingerd_t)
|
||||
files_read_etc_runtime_files(fingerd_t)
|
||||
|
||||
init_read_script_pid(fingerd_t)
|
||||
init_dontaudit_write_script_pid(fingerd_t)
|
||||
init_use_fd(fingerd_t)
|
||||
init_use_script_pty(fingerd_t)
|
||||
|
||||
libs_use_ld_so(fingerd_t)
|
||||
libs_use_shared_libs(fingerd_t)
|
||||
|
||||
logging_send_syslog_msg(fingerd_t)
|
||||
|
||||
mta_getattr_spool(fingerd_t)
|
||||
|
||||
sysnet_read_config(fingerd_t)
|
||||
|
||||
miscfiles_read_localization(fingerd_t)
|
||||
|
||||
userdom_read_unpriv_user_home_files(fingerd_t)
|
||||
userdom_dontaudit_use_unpriv_user_fd(fingerd_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(fingerd_t)
|
||||
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_unallocated_tty(fingerd_t)
|
||||
term_dontaudit_use_generic_pty(fingerd_t)
|
||||
files_dontaudit_read_root_file(fingerd_t)
|
||||
')
|
||||
|
||||
optional_policy(`cron.te',`
|
||||
cron_system_entry(fingerd_t,fingerd_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`logrotate.te',`
|
||||
logrotate_exec(fingerd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(fingerd_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(fingerd_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te',`
|
||||
udev_read_db(fingerd_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(fingerd_t)
|
||||
')
|
||||
')
|
|
@ -51,6 +51,10 @@ sysnet_read_config(tcpd_t)
|
|||
|
||||
inetd_domtrans_child(tcpd_t)
|
||||
|
||||
optional_policy(`finger.te',`
|
||||
finger_domtrans(tcpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`nis.te',`
|
||||
nis_use_ypbind(tcpd_t)
|
||||
')
|
||||
|
|
|
@ -407,13 +407,33 @@ interface(`auth_rw_faillog',`
|
|||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read the last logins log.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
# auth_rw_lastlog(domain)
|
||||
interface(`auth_read_lastlog',`
|
||||
gen_require(`
|
||||
type lastlog_t;
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
allow $1 lastlog_t:file { getattr read };
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Read and write to the last logins log.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_rw_lastlog',`
|
||||
gen_require(`
|
||||
type lastlog_t;
|
||||
class file { getattr read write setattr };
|
||||
')
|
||||
|
||||
logging_search_logs($1)
|
||||
|
|
|
@ -429,6 +429,10 @@ optional_policy(`bind.te',`
|
|||
|
||||
')
|
||||
|
||||
optional_policy(`bluetooth.te',`
|
||||
dev_read_usbfs(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`cpucontrol.te',`
|
||||
cpucontrol_stub()
|
||||
dev_getattr_cpu(initrc_t)
|
||||
|
|
|
@ -318,6 +318,10 @@ template(`base_user_template',`
|
|||
')
|
||||
')
|
||||
|
||||
optional_policy(`finger.te',`
|
||||
finger_tcp_connect($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`inetd.te',`
|
||||
inetd_tcp_connect($1_t)
|
||||
')
|
||||
|
@ -1642,6 +1646,26 @@ interface(`userdom_use_sysadm_pty',`
|
|||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Dont audit attempts to read and write sysadm ptys.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_use_sysadm_pty',`
|
||||
ifdef(`targeted_policy',`
|
||||
term_dontaudit_use_generic_pty($1)
|
||||
',`
|
||||
gen_require(`
|
||||
type sysadm_devpts_t;
|
||||
')
|
||||
|
||||
dontaudit $1 sysadm_devpts_t:chr_file { read write };
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write sysadm ttys and ptys.
|
||||
|
@ -2020,6 +2044,23 @@ interface(`userdom_create_user_home',`
|
|||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Don't audit search on the user home subdirectory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_search_user_home_dirs',`
|
||||
gen_require(`
|
||||
type user_home_t;
|
||||
class dir search;
|
||||
')
|
||||
|
||||
dontaudit $1 user_home_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete
|
||||
|
@ -2119,6 +2160,24 @@ interface(`userdom_manage_user_home_sockets',`
|
|||
allow $1 user_home_t:sock_file create_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read all unprivileged users home directory
|
||||
## files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_read_unpriv_user_home_files',`
|
||||
gen_require(`
|
||||
type user_home_dir_type, user_home_type;
|
||||
')
|
||||
|
||||
allow $1 user_home_dir_type:dir search;
|
||||
allow $1 user_home_type:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Write all unprivileged users files in /tmp
|
||||
|
|
Loading…
Reference in New Issue