rpms / selinux-policy

Clone
Source Code
GIT

Files

  1.   2705f9a0f3e3764b0256a63ffefdf84e76cfe1cf
  2.   strict
  3.   domains
  4.   program
  5.   slocate.te
Blob Blame History Raw 
#DESC LOCATE - Security Enhanced version of the GNU Locate
#
# Author:  Dan Walsh <dwalsh@redhat.com>
#

#################################
#
# Rules for the locate_t domain.
#
# locate_exec_t is the type of the locate executable.
#
daemon_base_domain(locate)

allow locate_t fs_t:filesystem getattr;

ifdef(`crond.te', `
system_crond_entry(locate_exec_t, locate_t)
allow system_crond_t locate_log_t:dir rw_dir_perms;
allow system_crond_t locate_log_t:file { create append getattr };
allow system_crond_t locate_etc_t:file { getattr read };
')

allow locate_t { userpty_type admin_tty_type }:chr_file rw_file_perms;

allow locate_t { fs_type file_type }:dir r_dir_perms;
allow locate_t file_type:lnk_file r_file_perms;
allow locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } getattr;
dontaudit locate_t { file_type -shadow_t }:{ lnk_file sock_file fifo_file file } read;
dontaudit locate_t security_t:dir getattr;
dontaudit locate_t shadow_t:file getattr;

allow locate_t { ttyfile device_type device_t }:{ chr_file blk_file } getattr;
allow locate_t unlabeled_t:dir_file_class_set getattr;
allow locate_t unlabeled_t:dir read;

logdir_domain(locate)
etcdir_domain(locate)

type locate_var_lib_t, file_type, sysadmfile;
typealias locate_var_lib_t alias var_lib_locate_t;

create_dir_file(locate_t, locate_var_lib_t)
dontaudit locate_t sysadmfile:file getattr;

allow locate_t proc_t:file { getattr read };
allow locate_t self:unix_stream_socket create_socket_perms;
#
# Need to be able to exec renice
#
can_exec(locate_t, bin_t)

dontaudit locate_t rpc_pipefs_t:dir r_dir_perms;
dontaudit locate_t rpc_pipefs_t:file getattr;

#
# Read Mtab file
#
allow locate_t etc_runtime_t:file { getattr read };

#
# Read nsswitch file
#
allow locate_t etc_t:file { getattr read };
dontaudit locate_t self:capability dac_override;
allow locate_t self:capability dac_read_search;

# sysadm_t runs locate in his own domain.
# We use a type alias to simplify the rest of the policy,
# which often refers to $1_locate_t for the user domains.
typealias sysadm_t alias sysadm_locate_t;

allow locate_t userdomain:fd use;
ifdef(`cardmgr.te', `
allow locate_t cardmgr_var_run_t:chr_file getattr;
')
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.